IETF Logo Mail Archive

Re: QUIC handshake challenges -- Share your experiences

Christian Huitema <huitema@huitema.net> Thu, 30 March 2023 18:10 UTC

Return-Path: <huitema@huitema.net>
X-Original-To: quic@ietfa.amsl.com
Delivered-To: quic@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A5B63C13AE45 for <quic@ietfa.amsl.com>; Thu, 30 Mar 2023 11:10:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.897
X-Spam-Level:
X-Spam-Status: No, score=-1.897 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, NICE_REPLY_A=-0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WYIwOUyHZivs for <quic@ietfa.amsl.com>; Thu, 30 Mar 2023 11:10:47 -0700 (PDT)
Received: from mx36-out21.antispamcloud.com (mx36-out21.antispamcloud.com [209.126.121.69]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6C2D4C13AE44 for <quic@ietf.org>; Thu, 30 Mar 2023 11:10:47 -0700 (PDT)
Received: from xse175.mail2web.com ([66.113.196.175] helo=xse.mail2web.com) by mx194.antispamcloud.com with esmtp (Exim 4.92) (envelope-from <huitema@huitema.net>) id 1phwjO-000MBH-T6 for quic@ietf.org; Thu, 30 Mar 2023 20:10:43 +0200
Received: from xsmtp22.mail2web.com (unknown [10.100.68.61]) by xse.mail2web.com (Postfix) with ESMTPS id 4PnWgL0lQhzBDn for <quic@ietf.org>; Thu, 30 Mar 2023 11:10:38 -0700 (PDT)
Received: from [10.5.2.17] (helo=xmail07.myhosting.com) by xsmtp22.mail2web.com with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:256) (Exim 4.92) (envelope-from <huitema@huitema.net>) id 1phwjN-0006SL-TI for quic@ietf.org; Thu, 30 Mar 2023 11:10:37 -0700
Received: (qmail 12972 invoked from network); 30 Mar 2023 18:10:37 -0000
Received: from unknown (HELO [192.168.1.104]) (Authenticated-user:_huitema@huitema.net@[172.58.43.128]) (envelope-sender <huitema@huitema.net>) by xmail07.myhosting.com (qmail-ldap-1.03) with ESMTPA for <martenseemann@gmail.com>; 30 Mar 2023 18:10:36 -0000
Message-ID: <65cb067f-018f-0054-8341-d11e12edcfe0@huitema.net>
Date: Thu, 30 Mar 2023 11:10:36 -0700
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Thunderbird/102.9.0
Content-Language: en-US
To: Marten Seemann <martenseemann@gmail.com>
Cc: Martin Thomson <mt@lowentropy.net>, Marcin Nawrocki <marcin.nawrocki@fu-berlin.de>, quic@ietf.org
References: <7fbc535a-e1ab-e030-5093-7ac809634b3c@fu-berlin.de> <a8c308e8-9f0f-480c-b48d-45534a9199b1@app.fastmail.com> <61a59c9a-80a8-8c73-78cf-0b321ede733f@huitema.net> <CAOYVs2qCZ3j8=DVpe6U1Vee85vdVEzaKMV4PSY_TUQ7sb2gwYw@mail.gmail.com>
From: Christian Huitema <huitema@huitema.net>
Subject: Re: QUIC handshake challenges -- Share your experiences
In-Reply-To: <CAOYVs2qCZ3j8=DVpe6U1Vee85vdVEzaKMV4PSY_TUQ7sb2gwYw@mail.gmail.com>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 7bit
X-Originating-IP: 66.113.196.175
X-Spampanel-Domain: xsmtpout.mail2web.com
X-Spampanel-Username: 66.113.196.0/24
Authentication-Results: antispamcloud.com; auth=pass smtp.auth=66.113.196.0/24@xsmtpout.mail2web.com
X-Spampanel-Outgoing-Class: unsure
X-Spampanel-Outgoing-Evidence: Combined (0.14)
X-Recommended-Action: accept
X-Filter-ID: Pt3MvcO5N4iKaDQ5O6lkdGlMVN6RH8bjRMzItlySaT/I825ERm31BZYGQaXj/nLkPUtbdvnXkggZ 3YnVId/Y5jcf0yeVQAvfjHznO7+bT5x6h2yQpzTslcOqazQkKtAFKj/EwzSHE5FGYwwjsNRPCJqW uEpO4ItHHXGAVdbfvifmD6wdmZPcItWbGe10hXJtXL4FsauCVkDjmcYJdU3yWp7KuHNaaKdg7iBE ZefdsNUFWKwa/wzJUjmazeC7ImcaNBKcdTdc91qyPxC6lUXydRQ6V51u76v35b1wNe/MvdIGJbru JOg8mXBDknF2Wo5I2+J9PgaoF8SQHto3le4zsHTaeQtlKubP6iUTjj6yPARK6buALVaA782LKxg6 vRmng8N1aLhXqdc+jC1RcnVud53D5caUhbVtvqItBqoizkEt9O20UjkwI0v+LOlw05G4BS+iyyNq bT8dUMXMJ4tUCMj6G37ZfAMLceP5aNHPt26RBupu5v1nytoNnc138GfEEIgtEXyXj6S3SDvReMcV 8TXUjLjYWQt1/5xnQymMoPsgr/U0flMcy2Vi/IcBgY4arPaiJ1W6hAyiRC61jekdwIcXNugoOEbH RyFULpSjm7iff8pZ9ure3k2YtJj4Q8Z7A0f3z/1Q8sscmUhpL2Sr2G4n6oltWc3dJ/HAz5FO9Ir9 Ety2NPe3twEmFxsob19YoYYpy78/ZfTpWFqEVNffsiyZvdx3ZJDsPzrvEdt+b8mxX4OQOI/UQ6jn FfMBgzwOSHunMg5j/UO+IMRndiIcriLHWcbtSnN5dmDWGj6Xjz3ZcpPgEJKLbDyaC/LdLvvYpeJk m/jcTPea+o5U0QlFgfpVB9v9zY0h8asEYmbGGsJD9ySC20IzFkBtfP+lFUR4NEcccfsCfKWPqiZd Li+gsb13qFZSq8Fx+9otn0aqja8VKPqpdskk5LxBR/9t1zMMkdu6/R2FM84kxYRFSvC1IDg1BRW7 hzp8w3iHcOwbVtsmWfnQGGis4EvbR3jXsI0ESXwhBU2hwt/J18C+HygJl/jEzm1SsR8v3aJbN/NZ fa8pHhHaz+HPa0HAgEx4sWDF
X-Report-Abuse-To: spam@quarantine14.antispamcloud.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic/f-iw1p0c4HEcN-WfMW20ZM7mOX8>
X-BeenThere: quic@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Main mailing list of the IETF QUIC working group <quic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic>, <mailto:quic-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic/>
List-Post: <mailto:quic@ietf.org>
List-Help: <mailto:quic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic>, <mailto:quic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 30 Mar 2023 18:10:49 -0000


On 3/30/2023 11:00 AM, Marten Seemann wrote:
> Christian, I don't think that's correct. We discussed this during our work
> on RFC 9000, and there's section 8.1 addresses exactly that problem:
> 
>> Loss of an Initial or Handshake packet from the server can cause a
> deadlock if the client does not send additional Initial or Handshake
> packets. A deadlock could occur when the server reaches its
> anti-amplification limit and the client has received acknowledgments for
> all the data it has sent. In this case, when the client has no reason to
> send additional packets, the server will be unable to send more data
> because it has not validated the client's address. To prevent this
> deadlock, clients MUST send a packet on a Probe Timeout (PTO); see Section
> 6.2 of [QUIC-RECOVERY]. Specifically, the client MUST send an Initial
> packet in a UDP datagram that contains at least 1200 bytes if it does not
> have Handshake keys, and otherwise send a Handshake packet.

I think my objection sums up to "server will need to trust that the 
client will send a packet on a Probe Timeout (PTO)". If the client does, 
then fine. But if it doesn't, then the server is stuck.


> The easiest solution to the problem is to just send an ACK, but not the
> certificate. This might mean sending a few additional bytes, but as I've
> said in the meeting today, those won't suddenly make this an interesting
> amplification vector.

I would advise bundling a PING with the ACK in that case. Seems better 
than risking being stuck waiting for the PTO to elapse.

> Starting with a slightly higher RTT estimate is also not the end of the
> world, especially if you're using a loss-based congestion controller that
> will cause queues to build up at the bottleneck link during the connection.

It is definitely not a huge issue. The initial handshake provides an 
early estimate of the RTT, which of course will need to be refined with 
further measurements.

-- Christian Huitema

> 
> 
> 
> On Fri, 31 Mar 2023 at 00:40, Christian Huitema <huitema@huitema.net> wrote:
> 
>>
>>
>> On 3/30/2023 12:37 AM, Martin Thomson wrote:
>>> On Thu, Mar 30, 2023, at 15:57, Marcin Nawrocki wrote:
>>>> Unfortunately, I ran out of time before presenting the third challenge:
>>>> An Initial containing both, the ACK and ServerHello, can skew the RTT
>>>> estimation of the client for some deployments (e.g., CDNs). This is
>>>> because the QUIC server can be separate from the process that has
>>>> access to TLS material, so there is a noticeable delay for fetching the
>>>> required TLS data.
>>>
>>> Yes, this will affect RTT estimates, but the effect will wash out over
>> time.  The net effect is an inflated RTT estimate.
>>>
>>> You can maybe correct for this using ACK Delay.
>>>
>>>> Opinions on how to deal with this? Some CDNs split the Initial ACK and
>>>> Initial ServerHello into two packets, leading to more padding bytes.
>>>> Please see my slides 15-21 [1] for more information.
>>>
>>> I believe that some people already do this split, yes.  I would prefer
>> that servers use subcerts for this:
>> https://datatracker.ietf.org/doc/html/draft-ietf-tls-subcerts
>>>
>>
>> There is another issue. It is a bit risky for the server to send the ACK
>> Initial before the client IP is validated. If the server ACKs the
>> client's initial packets, the client does not need to send any further
>> traffic until it has received the server hello. If the server hello is
>> lost, the server will have to resend it, and it will have to do so
>> within the amplification budget -- which in some cases may not be possible.
>>
>> There are potential workarounds of course. For example, the server could
>> bundle a PING with the ACK, to force the client to send more initial
>> packets and thus complete address validation.
>>
>> We may also lift the requirement that all server initial packets be
>> padded to 1200 bytes, which would allow for better use of the
>> amplification budget. But that's for QUIC v3...
>>
>> -- Christian Huitema
>>
>>
>

v2.23.0 | Report a Bug | By Email