Re: QUIC handshake challenges -- Share your experiences
Christian Huitema <huitema@huitema.net> Thu, 30 March 2023 18:10 UTC
Return-Path: <huitema@huitema.net>
X-Original-To: quic@ietfa.amsl.com
Delivered-To: quic@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A5B63C13AE45 for <quic@ietfa.amsl.com>; Thu, 30 Mar 2023 11:10:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.897
X-Spam-Level:
X-Spam-Status: No, score=-1.897 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, NICE_REPLY_A=-0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WYIwOUyHZivs for <quic@ietfa.amsl.com>; Thu, 30 Mar 2023 11:10:47 -0700 (PDT)
Received: from mx36-out21.antispamcloud.com (mx36-out21.antispamcloud.com [209.126.121.69]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6C2D4C13AE44 for <quic@ietf.org>; Thu, 30 Mar 2023 11:10:47 -0700 (PDT)
Received: from xse175.mail2web.com ([66.113.196.175] helo=xse.mail2web.com) by mx194.antispamcloud.com with esmtp (Exim 4.92) (envelope-from <huitema@huitema.net>) id 1phwjO-000MBH-T6 for quic@ietf.org; Thu, 30 Mar 2023 20:10:43 +0200
Received: from xsmtp22.mail2web.com (unknown [10.100.68.61]) by xse.mail2web.com (Postfix) with ESMTPS id 4PnWgL0lQhzBDn for <quic@ietf.org>; Thu, 30 Mar 2023 11:10:38 -0700 (PDT)
Received: from [10.5.2.17] (helo=xmail07.myhosting.com) by xsmtp22.mail2web.com with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:256) (Exim 4.92) (envelope-from <huitema@huitema.net>) id 1phwjN-0006SL-TI for quic@ietf.org; Thu, 30 Mar 2023 11:10:37 -0700
Received: (qmail 12972 invoked from network); 30 Mar 2023 18:10:37 -0000
Received: from unknown (HELO [192.168.1.104]) (Authenticated-user:_huitema@huitema.net@[172.58.43.128]) (envelope-sender <huitema@huitema.net>) by xmail07.myhosting.com (qmail-ldap-1.03) with ESMTPA for <martenseemann@gmail.com>; 30 Mar 2023 18:10:36 -0000
Message-ID: <65cb067f-018f-0054-8341-d11e12edcfe0@huitema.net>
Date: Thu, 30 Mar 2023 11:10:36 -0700
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Thunderbird/102.9.0
Content-Language: en-US
To: Marten Seemann <martenseemann@gmail.com>
Cc: Martin Thomson <mt@lowentropy.net>, Marcin Nawrocki <marcin.nawrocki@fu-berlin.de>, quic@ietf.org
References: <7fbc535a-e1ab-e030-5093-7ac809634b3c@fu-berlin.de> <a8c308e8-9f0f-480c-b48d-45534a9199b1@app.fastmail.com> <61a59c9a-80a8-8c73-78cf-0b321ede733f@huitema.net> <CAOYVs2qCZ3j8=DVpe6U1Vee85vdVEzaKMV4PSY_TUQ7sb2gwYw@mail.gmail.com>
From: Christian Huitema <huitema@huitema.net>
Subject: Re: QUIC handshake challenges -- Share your experiences
In-Reply-To: <CAOYVs2qCZ3j8=DVpe6U1Vee85vdVEzaKMV4PSY_TUQ7sb2gwYw@mail.gmail.com>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 7bit
X-Originating-IP: 66.113.196.175
X-Spampanel-Domain: xsmtpout.mail2web.com
X-Spampanel-Username: 66.113.196.0/24
Authentication-Results: antispamcloud.com; auth=pass smtp.auth=66.113.196.0/24@xsmtpout.mail2web.com
X-Spampanel-Outgoing-Class: unsure
X-Spampanel-Outgoing-Evidence: Combined (0.14)
X-Recommended-Action: accept
X-Filter-ID: Pt3MvcO5N4iKaDQ5O6lkdGlMVN6RH8bjRMzItlySaT/I825ERm31BZYGQaXj/nLkPUtbdvnXkggZ 3YnVId/Y5jcf0yeVQAvfjHznO7+bT5x6h2yQpzTslcOqazQkKtAFKj/EwzSHE5FGYwwjsNRPCJqW uEpO4ItHHXGAVdbfvifmD6wdmZPcItWbGe10hXJtXL4FsauCVkDjmcYJdU3yWp7KuHNaaKdg7iBE ZefdsNUFWKwa/wzJUjmazeC7ImcaNBKcdTdc91qyPxC6lUXydRQ6V51u76v35b1wNe/MvdIGJbru JOg8mXBDknF2Wo5I2+J9PgaoF8SQHto3le4zsHTaeQtlKubP6iUTjj6yPARK6buALVaA782LKxg6 vRmng8N1aLhXqdc+jC1RcnVud53D5caUhbVtvqItBqoizkEt9O20UjkwI0v+LOlw05G4BS+iyyNq bT8dUMXMJ4tUCMj6G37ZfAMLceP5aNHPt26RBupu5v1nytoNnc138GfEEIgtEXyXj6S3SDvReMcV 8TXUjLjYWQt1/5xnQymMoPsgr/U0flMcy2Vi/IcBgY4arPaiJ1W6hAyiRC61jekdwIcXNugoOEbH RyFULpSjm7iff8pZ9ure3k2YtJj4Q8Z7A0f3z/1Q8sscmUhpL2Sr2G4n6oltWc3dJ/HAz5FO9Ir9 Ety2NPe3twEmFxsob19YoYYpy78/ZfTpWFqEVNffsiyZvdx3ZJDsPzrvEdt+b8mxX4OQOI/UQ6jn FfMBgzwOSHunMg5j/UO+IMRndiIcriLHWcbtSnN5dmDWGj6Xjz3ZcpPgEJKLbDyaC/LdLvvYpeJk m/jcTPea+o5U0QlFgfpVB9v9zY0h8asEYmbGGsJD9ySC20IzFkBtfP+lFUR4NEcccfsCfKWPqiZd Li+gsb13qFZSq8Fx+9otn0aqja8VKPqpdskk5LxBR/9t1zMMkdu6/R2FM84kxYRFSvC1IDg1BRW7 hzp8w3iHcOwbVtsmWfnQGGis4EvbR3jXsI0ESXwhBU2hwt/J18C+HygJl/jEzm1SsR8v3aJbN/NZ fa8pHhHaz+HPa0HAgEx4sWDF
X-Report-Abuse-To: spam@quarantine14.antispamcloud.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic/f-iw1p0c4HEcN-WfMW20ZM7mOX8>
X-BeenThere: quic@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Main mailing list of the IETF QUIC working group <quic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic>, <mailto:quic-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic/>
List-Post: <mailto:quic@ietf.org>
List-Help: <mailto:quic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic>, <mailto:quic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 30 Mar 2023 18:10:49 -0000
On 3/30/2023 11:00 AM, Marten Seemann wrote: > Christian, I don't think that's correct. We discussed this during our work > on RFC 9000, and there's section 8.1 addresses exactly that problem: > >> Loss of an Initial or Handshake packet from the server can cause a > deadlock if the client does not send additional Initial or Handshake > packets. A deadlock could occur when the server reaches its > anti-amplification limit and the client has received acknowledgments for > all the data it has sent. In this case, when the client has no reason to > send additional packets, the server will be unable to send more data > because it has not validated the client's address. To prevent this > deadlock, clients MUST send a packet on a Probe Timeout (PTO); see Section > 6.2 of [QUIC-RECOVERY]. Specifically, the client MUST send an Initial > packet in a UDP datagram that contains at least 1200 bytes if it does not > have Handshake keys, and otherwise send a Handshake packet. I think my objection sums up to "server will need to trust that the client will send a packet on a Probe Timeout (PTO)". If the client does, then fine. But if it doesn't, then the server is stuck. > The easiest solution to the problem is to just send an ACK, but not the > certificate. This might mean sending a few additional bytes, but as I've > said in the meeting today, those won't suddenly make this an interesting > amplification vector. I would advise bundling a PING with the ACK in that case. Seems better than risking being stuck waiting for the PTO to elapse. > Starting with a slightly higher RTT estimate is also not the end of the > world, especially if you're using a loss-based congestion controller that > will cause queues to build up at the bottleneck link during the connection. It is definitely not a huge issue. The initial handshake provides an early estimate of the RTT, which of course will need to be refined with further measurements. -- Christian Huitema > > > > On Fri, 31 Mar 2023 at 00:40, Christian Huitema <huitema@huitema.net> wrote: > >> >> >> On 3/30/2023 12:37 AM, Martin Thomson wrote: >>> On Thu, Mar 30, 2023, at 15:57, Marcin Nawrocki wrote: >>>> Unfortunately, I ran out of time before presenting the third challenge: >>>> An Initial containing both, the ACK and ServerHello, can skew the RTT >>>> estimation of the client for some deployments (e.g., CDNs). This is >>>> because the QUIC server can be separate from the process that has >>>> access to TLS material, so there is a noticeable delay for fetching the >>>> required TLS data. >>> >>> Yes, this will affect RTT estimates, but the effect will wash out over >> time. The net effect is an inflated RTT estimate. >>> >>> You can maybe correct for this using ACK Delay. >>> >>>> Opinions on how to deal with this? Some CDNs split the Initial ACK and >>>> Initial ServerHello into two packets, leading to more padding bytes. >>>> Please see my slides 15-21 [1] for more information. >>> >>> I believe that some people already do this split, yes. I would prefer >> that servers use subcerts for this: >> https://datatracker.ietf.org/doc/html/draft-ietf-tls-subcerts >>> >> >> There is another issue. It is a bit risky for the server to send the ACK >> Initial before the client IP is validated. If the server ACKs the >> client's initial packets, the client does not need to send any further >> traffic until it has received the server hello. If the server hello is >> lost, the server will have to resend it, and it will have to do so >> within the amplification budget -- which in some cases may not be possible. >> >> There are potential workarounds of course. For example, the server could >> bundle a PING with the ACK, to force the client to send more initial >> packets and thus complete address validation. >> >> We may also lift the requirement that all server initial packets be >> padded to 1200 bytes, which would allow for better use of the >> amplification budget. But that's for QUIC v3... >> >> -- Christian Huitema >> >> >
- QUIC handshake challenges -- Share your experienc… Marcin Nawrocki
- Re: QUIC handshake challenges -- Share your exper… Martin Thomson
- Re: QUIC handshake challenges -- Share your exper… Christian Huitema
- Re: QUIC handshake challenges -- Share your exper… Marten Seemann
- Re: QUIC handshake challenges -- Share your exper… Christian Huitema
- Re: QUIC handshake challenges -- Share your exper… Martin Thomson
- Re: QUIC handshake challenges -- Share your exper… Marcin Nawrocki
- Re: QUIC handshake challenges -- Share your exper… Martin Thomson
- Re: QUIC handshake challenges -- Share your exper… Paul Vixie
- Re: QUIC handshake challenges -- Share your exper… Luke Curley
- Re: QUIC handshake challenges -- Share your exper… Christian Huitema
- Re: QUIC handshake challenges -- Share your exper… Michael Tuexen
- Re: QUIC handshake challenges -- Share your exper… Christian Huitema