Re: QUIC Chrome Error with GSUITE & QUIC transport draft publication ETA
Gyan Mishra <hayabusagsm@gmail.com> Sun, 05 January 2020 01:10 UTC
Return-Path: <hayabusagsm@gmail.com>
X-Original-To: quic@ietfa.amsl.com
Delivered-To: quic@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 82EE612008F for <quic@ietfa.amsl.com>; Sat, 4 Jan 2020 17:10:34 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id niPX3EUVKTWb for <quic@ietfa.amsl.com>; Sat, 4 Jan 2020 17:10:32 -0800 (PST)
Received: from mail-il1-x133.google.com (mail-il1-x133.google.com [IPv6:2607:f8b0:4864:20::133]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9E3C612008D for <quic@ietf.org>; Sat, 4 Jan 2020 17:10:32 -0800 (PST)
Received: by mail-il1-x133.google.com with SMTP id x5so39577355ila.6 for <quic@ietf.org>; Sat, 04 Jan 2020 17:10:32 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=KwXpU0uA0PUzKwpTt99P4vWYZO3zNziln9IENtNrWBc=; b=VVS9RDaApnhS6hPBs0xf5i+qm84UCtQLvJeLtU7SXuoplUtuTFGOUTS6DvqGMg4mHm 0b42ynp1BwtH/bE7PRkezFUjso6YYUdwKmDCjIRNkBvNAhoBol6w4gplXRA/jRP9ltca RfFoeJqdMRQc/16PBxSZrnKq1CEptr0RUZky+x1jBzgeMeCHHSQ7QWH/coLTtWgbTx2Y 6nistPQj6dUi2nNCkVazdCwPPihyjc3YKdsQRqpKLCF0lV6UUdjqe0cIRE2oTrJB226b 6cwoZ+kY4QyMlLNAmGB9VYEvmx43cP4cSU4mRrrryj6Z7yAugkRcIbFVb896nRb8ylbg gUNg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=KwXpU0uA0PUzKwpTt99P4vWYZO3zNziln9IENtNrWBc=; b=LNcgeuEkp6uNpK5L5bQUw4Skb0oEt7G+MRC57+RONxNxgBsDIxVDPAHyNIEdaXiCmc 4wcBl+KYgvwbPcGyro+JWsl7TUjpwqWV+EorAMhQWFhQsOfNS4V2PmhPBFqzGxXCJnG0 7w+OSlmN5joo3bt8h1dsJxh2kDwZTz/8PyhhhHledTS4gmWCOQpXatYoNImCR8UObiJj fpy1XkM4zffbnsP8hghr/Cvf1+Z5St2V8UKMrLk9ZyFxfx3YhXI9xphc2qpBR7FcZM2s VBeZ91nyd3bTwF2QnBuD1kn37UPcxa4vPVVbkEXbbKEYptXkNEoZ6d2J5yKO+MKCkbr9 MxnA==
X-Gm-Message-State: APjAAAWtFoydRkEU4FBp5LUoypbdMCOr5aWYN3zOCg6GMAft3RSvKx5X 3OnyVDv8rW326qpWDBuLe/lzxAAKcio+MauKedQ=
X-Google-Smtp-Source: APXvYqwSO6dmRwF1hJjlbX/arErVAzA8wscQq/ZyQt+/FQvVJKhqxrlS++t+FSbOqo4iKOtgTne2177Q1NaMGafTCL0=
X-Received: by 2002:a92:4e:: with SMTP id 75mr79885886ila.276.1578186631757; Sat, 04 Jan 2020 17:10:31 -0800 (PST)
MIME-Version: 1.0
References: <CABNhwV28q_3VfgNUCBqGHCpNbyMH8bewkND7_aX5DnsKF52K6Q@mail.gmail.com> <CACpbDcdmT4Qk5FW-OnKhcbCjWSDrSr16ug201rCyJT_fMvdCVQ@mail.gmail.com>
In-Reply-To: <CACpbDcdmT4Qk5FW-OnKhcbCjWSDrSr16ug201rCyJT_fMvdCVQ@mail.gmail.com>
From: Gyan Mishra <hayabusagsm@gmail.com>
Date: Sat, 04 Jan 2020 20:10:21 -0500
Message-ID: <CABNhwV2TcS_6s+PJrdmcwiTGasUoQDiuATU57Eysc27nX13V1w@mail.gmail.com>
Subject: Re: QUIC Chrome Error with GSUITE & QUIC transport draft publication ETA
To: Jana Iyengar <jri.ietf@gmail.com>
Cc: "quic@ietf.org" <quic@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000934581059b5a35ee"
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic/iT9B4fqwoKM3rdjp4OV8nChWE3Y>
X-BeenThere: quic@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Main mailing list of the IETF QUIC working group <quic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic>, <mailto:quic-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic/>
List-Post: <mailto:quic@ietf.org>
List-Help: <mailto:quic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic>, <mailto:quic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 05 Jan 2020 01:10:34 -0000
Thanks Jana! Gyan On Sat, Jan 4, 2020 at 7:51 PM Jana Iyengar <jri.ietf@gmail.com> wrote: > Gyan, > > Firewalls that relied on gQUIC signatures to detect QUIC packets are not > going to be able to detect IETF QUIC. You should discuss specific Chrome > errors you are seeing as a result of this on the proto-quic@chromium.org > mailing list. > > - jana > > On Sat, Jan 4, 2020 at 8:13 AM Gyan Mishra <hayabusagsm@gmail.com> wrote: > >> QUIC WG, >> >> We had some issues at work recently with Chrome and getting QUIC error. >> The issue appears to be related to our DMZ firewalls blocking QUIC. >> >> I believe GQUIC was working but was somehow bypassing the firewalls >> logging ; but then when google switched to using QUIC IETF standard I >> believe that’s when we started seeing the chrome error. >> >> Below is an email I sent at work as an overview of QUIC and >> recommendations on how to resolve the QUIC error. >> >> Please provide me any feedback and suggestions on how to best resolve >> this issue. >> >> We use GSUITE at work which uses QUIC and we noticed all traffic to >> GSUITE was using QUIC over IPV6. We have our network infrastructure >> enterprise fully dual stacked and since google URIs are all dual stacked as >> well ; since IPv6 is preferred over IPv4 by default with windows ; all the >> GSUITE traffic was now using QUIC over IPv6. >> >> Has anyone else had any encounter with this scenario where they are using >> GSUITE and are dual stacked and are seeing all GSUITE traffic use IPv6. >> >> Also what is the appropriate ETA of when the QUIC transport draft will be >> approved standard RFC. >> >> ——email below related to google chrome QUIC error and remediation—— >> >> What was the patch that was applied to the default silo firewalls that >> was deployed. >> >> Was the patch for QUIC support? >> >> Also were we seeing QUIC or GQUIC being logged and dropped on the >> firewall? >> >> Below is some information related to QUIC and how the protocol works: >> >> G-QUIC was the protocol developed by google to improve and secure all web >> traffic. >> >> QUIC is the IETF standard version of the protocol. >> >> QUIC protocol brief: >> >> QUIC was designed to be low overhead and robust and secure by default to >> eliminate issues with traditional TCP and improving transaction response >> times. >> >> QUIC provides a secure default transport using TLS 1.3 by replacing the >> TLS record layer with its own framing format while keeping the same TLS >> handshake. >> >> QUIC improves head of line blocking issues with HTTP/2 which multiplexes >> multiple http requests into the same TCP connection. >> >> QUIC transport stream is delivered just as the acronym states “quick udp >> internet connections” over udp instead of traditional TCP.. >> > >> >> https://www.google.com/amp/s/blog.cloudflare.com/the-road-to-quic/amp/ >> >> >> Wireshark is able to decode and differentiate both G-QUIC and QUIC. >> >> QUIC has an IETF WG which I am part of as development of standards for >> quic transport protocol. >> >> At this time QUIC transport is maturing but is still in draft state >> awaiting WG Last call and IESG review and final reviews before publication >> as an RFC. >> >> Some vendors have started early adoption of the protocol. We should >> reach out to Checkpoint to see if they support QUIC. >> >> Chrome has QUIC enabled by default. At this time google sites such as >> YouTube and GSUITE apps are the only web URIs that have QUIC protocol >> enabled on the server for client/server communication to use QUIC. >> >> QUIC IETF Draft: >> https://tools.ietf.org/pdf/draft-ietf-quic-transport-24.pdf >> >> For security reasons If the firewall and security appliances don’t >> support QUIC then it is recommend to disable QUIC. >> >> How to disable QUIC on chrome: >> https://kinsta.com/knowledgebase/err_quic_protocol_error/ >> >> >> If Checkpoint does support QUIC I would recommend to keep it enabled as >> it improves web performance and is more secure than traditional TCP. >> >> ———end email————- >> >> Kind regards, >> >> Gyan Mishra >> Verizon Communications (VZ) >> Cell 301 502-1347 >> -- >> >> Gyan S. Mishra >> >> IT Network Engineering & Technology >> >> Verizon Communications Inc. (VZ) >> >> 13101 Columbia Pike >> <https://www.google.com/maps/search/13101+Columbia+Pike?entry=gmail&source=g> >> FDC1 3rd Floor >> >> Silver Spring, MD 20904 >> >> United States >> >> Phone: 301 502-1347 >> >> Email: gyan.s.mishra@verizon.com >> >> www.linkedin.com/in/networking-technologies-consultant >> >> -- Gyan S. Mishra IT Network Engineering & Technology Verizon Communications Inc. (VZ) 13101 Columbia Pike FDC1 3rd Floor Silver Spring, MD 20904 United States Phone: 301 502-1347 Email: gyan.s.mishra@verizon.com www.linkedin.com/in/networking-technologies-consultant
- QUIC Chrome Error with GSUITE & QUIC transport dr… Gyan Mishra
- Re: QUIC Chrome Error with GSUITE & QUIC transpor… Jana Iyengar
- Re: QUIC Chrome Error with GSUITE & QUIC transpor… Gyan Mishra