IETF Logo Mail Archive

Re: QUIC ossification

"Martin Thomson" <mt@lowentropy.net> Fri, 22 February 2019 23:06 UTC

Return-Path: <mt@lowentropy.net>
X-Original-To: quic@ietfa.amsl.com
Delivered-To: quic@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 31487128CF3 for <quic@ietfa.amsl.com>; Fri, 22 Feb 2019 15:06:54 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.701
X-Spam-Level:
X-Spam-Status: No, score=-2.701 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=lowentropy.net header.b=qq1RGOwt; dkim=pass (2048-bit key) header.d=messagingengine.com header.b=JoRviApy
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LWpQocjb3Alf for <quic@ietfa.amsl.com>; Fri, 22 Feb 2019 15:06:51 -0800 (PST)
Received: from out2-smtp.messagingengine.com (out2-smtp.messagingengine.com [66.111.4.26]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4D396128BCC for <quic@ietf.org>; Fri, 22 Feb 2019 15:06:51 -0800 (PST)
Received: from compute1.internal (compute1.nyi.internal [10.202.2.41]) by mailout.nyi.internal (Postfix) with ESMTP id 66E3822152; Fri, 22 Feb 2019 18:06:50 -0500 (EST)
Received: from imap2 ([10.202.2.52]) by compute1.internal (MEProxy); Fri, 22 Feb 2019 18:06:50 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=lowentropy.net; h=message-id:in-reply-to:references:date:from:to:cc:subject :content-type:content-transfer-encoding; s=fm1; bh=SFmS8BXAmLz7B za9YDVvFL70P+Spy3tRVxS5Cvs5Uy0=; b=qq1RGOwtmPGjkKIuXD4rJi2TmMt+H abwOZqOiLxKviqBUcjTxuCnq8KwvFCpeUtdM7o0NXW52O2IkDurTtleQFP3CVwTI uH4NiZVR8hl4qO157QTxCsfRP3rJc2qjQ2wKqSj+kgWNApNqVVSnN/Pl4CiBzo9/ QdGSGvAkKHs/LN49xAqnTGrfTrwyRmOY62htGQKJxW25iAF5jeYbT86zUih+XbhW RxzG4Z69rQ+MlO0c0iE9zjzP44uEo+EntvNrfqyhrNvBpgAW1XeAuQDlvD+Gy2W3 ivdQTlmqbw51UqNZbgfW/ZTReOOMQAy3fMnnPwap/NNtlvucwdp/MPfbQ==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:content-transfer-encoding:content-type :date:from:in-reply-to:message-id:references:subject:to :x-me-proxy:x-me-proxy:x-me-sender:x-me-sender:x-sasl-enc; s= fm2; bh=SFmS8BXAmLz7Bza9YDVvFL70P+Spy3tRVxS5Cvs5Uy0=; b=JoRviApy s/kOJlvLZ/22mCmbx60i5HLpIt6UVPsHwlfXgK7eZnC5cfPwcWAop6GskrJrrw3J gR8ilzym2xlsIDWqQwTGQxtIghtPLSG5gP28UZSeMlTvvfT/gbczYKjwsRitD8XF htFIq8RKDrsgBuKlHLKed4WVdc969/3O1xNyXrgqc+z/RNTwUA4cQTTiGH/qel+n P28AKUfAnxlG05DseybFU7Zvfm400A57N1sICl1SFrKnnu3nZLtAEoYBhE6kA8Ld ebBX4ZZctZBLJNUnpScP6BBL2Gx0uM2v+KsHynCPaGIVVPyR+zFAmelU6zaRiG5O VnKiuX3miNrcrw==
X-ME-Sender: <xms:iYBwXC6ceHdlke11Q73IKePYS2YwlxpXaccQPb48Gwnmx-DzcrLyNA>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedutddruddtgddujeduucdltddurdegtdelrddttd dmucetufdoteggodetrfdotffvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdfquhht necuuegrihhlohhuthemuceftddtnecusecvtfgvtghiphhivghnthhsucdlqddutddtmd enucfjughrpefofgfkjghffffhvffutgfgsehtqhertderreejnecuhfhrohhmpedfofgr rhhtihhnucfvhhhomhhsohhnfdcuoehmtheslhhofigvnhhtrhhophihrdhnvghtqeenuc frrghrrghmpehmrghilhhfrhhomhepmhhtsehlohifvghnthhrohhphidrnhgvthenucev lhhushhtvghrufhiiigvpedt
X-ME-Proxy: <xmx:iYBwXOekgbisOQrUD-7jBnuDF3OZWNDDzL_lGhy6wm35-mvbNTFdHA> <xmx:iYBwXCa_NFDKfrVPAVb9SPWixVF-QxSQUl1Z-oBp0c8ejxRriYGxNQ> <xmx:iYBwXEKlGz69y0q0-ACTvZPWsYSmt2huRgTYqN8KhCljI5DwSYBbAw> <xmx:ioBwXDLODu191hsVhlxvKmcMaMkfkB5b8B966AeTiZU9c6ak08McKw>
Received: by mailuser.nyi.internal (Postfix, from userid 501) id B90C17C1EB; Fri, 22 Feb 2019 18:06:49 -0500 (EST)
X-Mailer: MessagingEngine.com Webmail Interface
User-Agent: Cyrus-JMAP/3.1.5-895-g0d23ba6-fmstable-20190213v1
X-Me-Personality: 92534000
Message-Id: <50fa8e3a-a997-4c09-ba38-b8cdcde3b27c@www.fastmail.com>
In-Reply-To: <DAC9E580-909C-4E9E-82E0-A6AB22CADA24@fb.com>
References: <f76aa399-f35d-46c5-b6a7-043d8704a90e@www.fastmail.com> <CACpbDcf_temqJ3EesvboKt280m-TEucMqa-NpYW7-UC5r0p1mQ@mail.gmail.com> <783327C4-3877-48F4-A41A-5987458C39B7@fb.com> <CACpbDccFRWeSYFGu7cjdsrWAnE_6KbhpPMZJ9kzN1KviAfEGJQ@mail.gmail.com> <067D562F-AC7C-463D-9C4D-D5ECF4D50FC9@trammell.ch> <C9BC63FD-9BE2-47B8-8D1C-EC27CEDF4D42@trammell.ch> <CACpbDcf+eE_bO4ZN3vjBmrrJ2oB4-yCZ2WVEX6vkxjKJOmk6ww@mail.gmail.com> <CAAedzxqD8UL39vaxRrugLZR38hXPK9gB8PqPi=kmG2D=eUpcmg@mail.gmail.com> <DAC9E580-909C-4E9E-82E0-A6AB22CADA24@fb.com>
Date: Fri, 22 Feb 2019 18:06:46 -0500
From: Martin Thomson <mt@lowentropy.net>
To: Roberto Peon <fenix@fb.com>
Cc: QUIC WG <quic@ietf.org>
Subject: Re: QUIC ossification
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic/fPXzUnuKcIciIxg1-Cn7LLhLSXs>
X-BeenThere: quic@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Main mailing list of the IETF QUIC working group <quic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic>, <mailto:quic-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic/>
List-Post: <mailto:quic@ietf.org>
List-Help: <mailto:quic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic>, <mailto:quic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 22 Feb 2019 23:06:54 -0000

Leaving the specifics of the proposal aside for the moment, the problem here is that we have no shared context AND we want to ensure that legitimate endpoints don't have to go to extreme measures to get the information they need.  A little obfuscation might get us somewhere (esp. if we are willing to burn either more octets or part of our existing space), but let's try to focus on what we think we're going to achieve by doing something here.

Funny that TLS are concurrently talking about hiding the existence of ESNI, which has so many of the same constraints: you have to standardize the semantics so that it can be decoded, but you would rather that only the intended recipient was able to read it.  In both cases, the answer is that you lose because you have no shared keys that would enable the only thing that we know works (crypto).  (I haven't ingested Stephen's long email there, maybe he has a brilliant idea for breaking the deadlock, but I doubt that it will help us here, because at least with ESNI you *maybe* have a key and it seems to be using crypto.)

On Fri, Feb 22, 2019, at 13:35, Roberto Peon wrote:
>  
> This would be “fun” (i.e. somewhat hard) to attempt to match via simple 
> filtering rules :
>  When expressed in-the-clear, version is expressed as two var-ints, 
> which are summed and modulo 2^16
> 
>  
> i.e.
>  version = (decodeVarInt() + decodeVarInt()) % (1 << 16) 
>  -=R
> 
>  
>  
> 
>  
>  
> *From: *Erik Kline <ek@loon.co>
>  *Reply-To: *"ek@loon.co" <ek@loon.co>
>  *Date: *Thursday, February 21, 2019 at 10:02 PM
>  *To: *Jana Iyengar <jri.ietf@gmail.com>
>  *Cc: *"Brian Trammell (IETF)" <ietf@trammell.ch>, QUIC WG 
> <quic@ietf.org>, Roberto Peon <fenix@fb.com>, Martin Thomson 
> <mt@lowentropy.net>
>  *Subject: *Re: QUIC ossification
> 
>  
>  
>  
>  
> 
>  
>  
>  
>  
>  
> 
>  
>  
>  
> 
>  
>  
>  
> On Thu, 21 Feb 2019 at 20:24, Jana Iyengar <jri.ietf@gmail.com> wrote:
> 
>  
>   
> >  
> > Brian, 
> 
> >  
> >  
> >  
> 
> >  
> >  
> >  
> > I agree that there are potentially other models as well, but the one we know from experience is the naive one. We should at least protect against the one model we know, naive or not. I'll note that it quickly gets difficult to come up with measures if we assume a smarter ossifier.
> 
> >  
> >  
> >   
>  
>  
> 
>  
>  
>  
> You would pretty much have to move version negotiation bits (and 
> subsequent protocol differences) to underneath the crypto umbrella, 
> wouldn't you? Negotiating a newer version would have to be like 
> negotiating some extensions, or something, I would think...
> 
>  
>  
>  
>  
> 
>  
>   
> >  
> >  
> > - jana
> 
> >  
> >  
> >  
> >  
> 
> >  
> >  
> >  
> > On Tue, Feb 19, 2019 at 11:03 PM Brian Trammell (IETF) <ietf@trammell.ch> wrote:
> 
> >  
> >   
> >> (oops, hit send too soon...)
> >>  
> >>  > On 20 Feb 2019, at 07:58, Brian Trammell (IETF) <ietf@trammell.ch> wrote:
> >>  > 
> >>  > hi Jana,
> >>  > 
> >>  > The middlebox adaptation model that this proposal addresses seems limited to middleboxes built based on naive traffic analysis and pre-QUIC assumptions about wire images. This is admittedly the model behind one of Google's experiences with QUIC middlebox breakage, and the one we seem most concerned with because by definition we cannot fix it by writing things in documents.
> >>  
> >>  I don't think these are the only things we're concerned about though. Concerns about partitioning VN space have a less naive model in mind: here we think more about default-deny firewalls that have been told that some versions of QUIC are okay but all others are not. As noted before I personally cannot think of a reason an operator would want to do this -- if you've already decided to allow a protocol with low observability and built-in extensibility as a design goal on your network, does the exact flavor really matter all that much? -- but it's a checkbox on the firewall feature list so yeah, I suppose someone will ship it.
> >>  
> >>  Are there other middlebox adaptation models we are concerned about here?
> >>  
> >>  Cheers,
> >>  
> >>  Brian
> >>  
> >>  
> >>  >> On 20 Feb 2019, at 00:17, Jana Iyengar <jri.ietf@gmail.com> wrote:
> >>  >> 
> >>  >> Roberto -- yes, that's basically what I'm proposing too, just one variant of how to go about doing it dynamically over time.
> >>  >> 
> >>  >> On Tue, Feb 19, 2019 at 3:14 PM Roberto Peon <fenix@fb.com> wrote:
> >>  >> As others have intimated in some form or another, you can also use multiple numbers to express “version 1”.
> >>  >> 
> >>  >> 
> >>  >> For instance, pick 64 (or some similar constant) random numbers, and call them all version 1.
> >>  >> -=R
> >>  >> 
> >>  >> 
> >>  >> 
> >>  >> From: QUIC <quic-bounces@ietf.org> on behalf of Jana Iyengar <jri.ietf@gmail.com>
> >>  >> Date: Tuesday, February 19, 2019 at 3:10 PM
> >>  >> To: Martin Thomson <mt@lowentropy.net>
> >>  >> Cc: QUIC WG <quic@ietf.org>
> >>  >> Subject: Re: QUIC ossification
> >>  >> 
> >>  >> 
> >>  >> 
> >>  >> On Tue, Feb 19, 2019 at 7:52 AM Martin Thomson <mt@lowentropy.net> wrote: 
> >>  >> 
> >>  >> I don't think that there is much value in using two version numbers to refer to the same protocol. But even if we did, as long as we didn't establish any pattern in doing so, that couldn't be used against us. So I might tentatively agree that 0x1 == 0x2 would be inadvisable, there is no strong need to do anything special with the first version. Any attempt to profile QUIC will be done with full knowledge of the version number we pick, so randomness doesn't serve any real purpose. Subsequent versions might need to use a randomized value, but we can make that decision then.
> >>  >> 
> >>  >> 
> >>  >> 
> >>  >> I figured that making all version assignments random instead of special-casing 0x1 made it simpler to reason about and uniform to code for, but I actually don't care about the IANA assignment for v1 for the reason you note. v1 will be one specific bit-pattern on the wire to start of with, and that can just as well be 0x1. It still does segregate the space, but we can't do anything about it anyways - it'll be 0x1 or some other random number getting special treatment.
> >>  >> 
> >>  >> 
> >>  >> 
> >>  >> The problem of course being that as long as v1 remains, we might find places that no other version does. The QUIC "magic number" will be whatever we pick, and we can't prevent someone from fixating on that.. We'll convince those people in the same way they will be convinced to open up UDP for QUIC version 1: by making a QUIC version 2 worth enabling.
> >>  >> 
> >>  >> 
> >>  >> 
> >>  >> That was the entire point of having alternate and preferred versions to 0x1. If we have downgrade protection in place, and if there are those who try alternate version numbers for v1, that gives us what we need at the endpoints. I believe that there would be interest at some major vendors to do this at some endpoints. Presumably, we can convince Google to do something, since it has been bit by mbox ossification in the past. I am operating on the premise that we have buy in from a few major providers.
> >>  >> 
> >>  >> 
> >>  >> 
> >>  >> IANA is for me a publication venue where these alternate versions are published and other clients/servers interested in keeping the ecosystem from ossifying can use these alternate versions as well.
> >>  >> 
> >>  >> 
> >>  >> 
> >>  >> I completely get the don't segregate thing. But to - I think - Mikkel's point about experimentation without permission, I do think that squatting is a perfectly sound approach in a space this big. TLS people do it in a much smaller space. As long squatters pick random values, they do so infrequently, and they get IANA registrations for codepoints relatively soon afterwards, the risk of collision is low. Randomness here is useful - but primarily as a collision-avoidance technique. The TLS extension codepoint 26 is a great example of why. Keeping the bar on registrations low (FCFS is a reasonable policy) would also have the effect of making the pool of apparent versions larger, which might be more effective than any other strategy we might employ.
> >>  >> 
> >>  >> 
> >>  >> 
> >>  >> I'm totally fine with experimentation without permission, and using random to avoid collision. My point was entirely about using alternate on-wire version numbers for v1. Nothing here about new or experimental versions.
> >>  >> 
> >>  >> 
> >>  >> 
> >>  > 
> 
> >>   
> >   
>  
>  
>

v2.23.0 | Report a Bug | By Email