IETF Logo Mail Archive

RE: Is "Version Greasing" a new benfit or a new obstacle?

"Border, John" <John.Border@hughes.com> Wed, 10 April 2019 16:59 UTC

Return-Path: <prvs=2003edf348=john.border@hughes.com>
X-Original-To: quic@ietfa.amsl.com
Delivered-To: quic@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7F5781203E2 for <quic@ietfa.amsl.com>; Wed, 10 Apr 2019 09:59:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.337
X-Spam-Level:
X-Spam-Status: No, score=-1.337 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, KHOP_DYNAMIC=1.363, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=hughes.com header.b=N8bsdjBj; dkim=pass (1024-bit key) header.d=hughes.com header.b=LYPongOc
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LkCKB8Ehnshg for <quic@ietfa.amsl.com>; Wed, 10 Apr 2019 09:59:00 -0700 (PDT)
Received: from mx0a-00115402.pphosted.com (mx0a-00115402.pphosted.com [148.163.150.3]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 838581203DE for <quic@ietf.org>; Wed, 10 Apr 2019 09:59:00 -0700 (PDT)
Received: from pps.filterd (m0118426.ppops.net [127.0.0.1]) by mx0a-00115402.pphosted.com (8.16.0.27/8.16.0.27) with SMTP id x3AGqHg7023466; Wed, 10 Apr 2019 16:58:54 GMT
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=hughes.com; h=from : to : subject : date : message-id : references : in-reply-to : content-type : content-transfer-encoding : mime-version; s=3152018; bh=9SuBwA7wUpsgNS/foITRCqQ/7j0Ocn8WGKKgRyzaQsc=; b=N8bsdjBj0p3MRp6qaN0AgG3FVLlKOvWIwGZG0pxPFIT1uHPMdCHnEwQdgzNVbWx1RiMn hojbERS2IZO57ulbMjrHXNov4Ix48x1NvCFK069sY89pa/ym2fMiIHRozNEMu3i+7M/0 QEA5KSTNmC76E58BV0O8hsqZojlE32g8TPQLcVtTtrxW0IdRKlT4kdHsraSjlJ8rhpHX igbFdEYcRVzdYbNrIL8ptMm8uSUJ3LEldQ62wRU+C/Fx4I0WRk9jXIEJ0SKSWlH7Uol5 6rba3dDT+JyzqHt077hDwX9ql2mWlFG6VgwIiiPcswXAwM7B0qw9dTFr3cJE+nIg2XJS Xw==
Received: from nam02-bl2-obe.outbound.protection.outlook.com (mail-bl2nam02lp2050.outbound.protection.outlook.com [104.47.38.50]) by mx0a-00115402.pphosted.com with ESMTP id 2rsm1xr5sp-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA384 bits=256 verify=NOT); Wed, 10 Apr 2019 16:58:53 +0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=hughes.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=9SuBwA7wUpsgNS/foITRCqQ/7j0Ocn8WGKKgRyzaQsc=; b=LYPongOcKz5ZK1L6qVHT4YDnV0JXVW68n71Rnj4g5117GgvB/H7ilUBVNUyRi2bNnLy+BHGHYglkGLe+5xzv8gZJwdAfGg4WtGpd0yNNTQzIjhNmsgR+FPR0k/PJ95y3dt57pDbiqMdtB+LXLerKSPejXc+sTv7m6q0MtpFOKtQ=
Received: from BL0PR11MB3394.namprd11.prod.outlook.com (10.167.240.87) by BL0PR11MB3346.namprd11.prod.outlook.com (10.167.235.215) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1792.14; Wed, 10 Apr 2019 16:58:49 +0000
Received: from BL0PR11MB3394.namprd11.prod.outlook.com ([fe80::4c34:8995:92f3:5e3]) by BL0PR11MB3394.namprd11.prod.outlook.com ([fe80::4c34:8995:92f3:5e3%3]) with mapi id 15.20.1771.016; Wed, 10 Apr 2019 16:58:49 +0000
From: "Border, John" <John.Border@hughes.com>
To: Roberto Peon <fenix@fb.com>, G Fairhurst <gorry@erg.abdn.ac.uk>, "quic@ietf.org" <quic@ietf.org>
Subject: RE: Is "Version Greasing" a new benfit or a new obstacle?
Thread-Topic: Is "Version Greasing" a new benfit or a new obstacle?
Thread-Index: AQHU73o1HANarzJfIkWJiL5ZcFMTo6Y1nGCAgAABHIA=
Date: Wed, 10 Apr 2019 16:58:49 +0000
Message-ID: <BL0PR11MB3394294313F8F54A3D0CF4A3902E0@BL0PR11MB3394.namprd11.prod.outlook.com>
References: <5CADADDD.7010005@erg.abdn.ac.uk> <EBF1BF30-62A5-4659-8AEC-0D5B3F2D65C6@fb.com>
In-Reply-To: <EBF1BF30-62A5-4659-8AEC-0D5B3F2D65C6@fb.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [139.85.223.11]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 0775a791-d588-42b8-77fe-08d6bdd5cdc8
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(8989299)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(5600139)(711020)(4605104)(2017052603328)(7193020); SRVR:BL0PR11MB3346;
x-ms-traffictypediagnostic: BL0PR11MB3346:
x-microsoft-antispam-prvs: <BL0PR11MB3346F690D8D00FED0729F627902E0@BL0PR11MB3346.namprd11.prod.outlook.com>
x-forefront-prvs: 00032065B2
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(39860400002)(396003)(346002)(136003)(376002)(366004)(13464003)(199004)(189003)(5024004)(305945005)(14444005)(5660300002)(476003)(52536014)(14454004)(74316002)(229853002)(66066001)(256004)(72206003)(6506007)(6436002)(53546011)(97736004)(86362001)(102836004)(478600001)(25786009)(486006)(6246003)(7696005)(8936002)(33656002)(110136005)(6116002)(99286004)(9686003)(3846002)(55016002)(2906002)(316002)(26005)(8676002)(446003)(11346002)(71190400001)(76176011)(71200400001)(7736002)(105586002)(106356001)(53936002)(186003)(81166006)(81156014)(68736007)(2501003); DIR:OUT; SFP:1102; SCL:1; SRVR:BL0PR11MB3346; H:BL0PR11MB3394.namprd11.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; A:1; MX:1;
received-spf: None (protection.outlook.com: hughes.com does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam-message-info: AIkufeRUL93c1bgpp/RP5Q0NEDJCpL0ZNyECIKoIaNzOB11iJRFM311Pqv48qOGQpuuPixZcZQZGX9gKxo1+iod97A/sTf2TbjiG8nOjJKXBf5oJj+wcD+HAZa0tZaj/0+66tBsQKF0tMGtkl+0jSA4k65AYa1Ua7neiU3AGSTilhWlQM0fgyHjVeq0jopVMUZkG4aQxOLLpGE+HAvDgNcdOETvvDmpNpeSsj8D7wDnopViWhGdhc26wu6LKtrK54rO82l+bwRkxP7oNXpN7UZXa/9gwmUSXZdV2/2m2i11ctZ2esmdawnt0WSIeUzOFJrWBUvRVaR7AdKqa9cWMr54WjNaH9F2IpbxrJMko6Yt2wofOsOYvXFvY8EGru376ARimrYPlJCxeNy2qjLtvV4EI9Msfv1eu5W9hs/GBZ7U=
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: hughes.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 0775a791-d588-42b8-77fe-08d6bdd5cdc8
X-MS-Exchange-CrossTenant-originalarrivaltime: 10 Apr 2019 16:58:49.6574 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 0e1f3187-4610-4ce2-bad1-b92f4ba36ab3
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BL0PR11MB3346
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:, , definitions=2019-04-10_07:, , signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 priorityscore=1501 malwarescore=0 suspectscore=0 phishscore=0 bulkscore=0 spamscore=0 clxscore=1011 lowpriorityscore=0 mlxscore=0 impostorscore=0 mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1810050000 definitions=main-1904100114
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic/7wjYeJlwhFi_LQjkaHSDSXpDUEA>
X-BeenThere: quic@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Main mailing list of the IETF QUIC working group <quic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic>, <mailto:quic-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic/>
List-Post: <mailto:quic@ietf.org>
List-Help: <mailto:quic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic>, <mailto:quic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 10 Apr 2019 16:59:03 -0000

I understand why people want to come down on the side of preventing ossification.  But, things have changed.  There are a lot of more negative consequences now when people unnecessarily block things.  I think operators would put a lot of pressure on vendors to not do it now and to fix it if they did "by accident".  Of course, I am only one operator.  It would be nice to hear from others...



John


-----Original Message-----
From: QUIC <quic-bounces@ietf.org> On Behalf Of Roberto Peon
Sent: Wednesday, April 10, 2019 12:52 PM
To: G Fairhurst <gorry@erg.abdn.ac.uk>; quic@ietf.org
Subject: Re: Is "Version Greasing" a new benfit or a new obstacle?

WARNING: The sender of this email could not be validated and may not match the person in the "From" field.

CAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you recognize the sender and know the content is safe.


You're kinda between a rock-and-a-hard-place either way:

  - We've seen how much fun ossification is in TCP and HTTP. If the thing is observable, it will be ossified seems to be the lesson. A lot of the reason why QUIC was started in the first place was because of the inability to improve TCP due to this ossification.
  - OTOH, there is the fear of unknown/unobservable which might cause operators to block things, whether predictably or not.

My opinion is that it is better to start with preventing ossification, and then if that results in too large a percentage of operators blocking things, to re-evaluate.

My guesses:
IP+port tuples and traffic patterns are still observable (for better and worse), which implies operators will still have significant tools for managing traffic. I believe that these are acted on/matched (ML or not) regardless of any other data presented. In other words, I have a doubt that stating the version in an observable way will prevent the use of such tools.

Most problems I've seen associated with implementations rather than protocol versions (though when the latter happens it is pretty severe). If you believe this assertion, then acting on protocol version is less interesting than attempting to act based on implementation fingerprints.
-=R


On 4/10/19, 1:48 AM, "QUIC on behalf of G Fairhurst" <quic-bounces@ietf.org on behalf of gorry@erg.abdn.ac.uk> wrote:

    Obscuring the version of a protocol seems like a major design design
    decision for wider use cases. So, I'm trying to understand the
    motivation for version greasing.

    (1) I know there were instances where some early versions of QUIC were
    blocked due to an uninitentional matching of the header. Is there
    evidence of intentional attempts to block updates to protocols?

    (2) Thinking about operating a network that cares about user support and
    protection from unwanted traffic, I would expect that there would be
    cases where traffic pattern anomolies are found and the appropriate
    thing would be to try to determine if a new protocol had been deployed
    and monitor it, if not, then the next most obvious thing could be to
    block all unexpected traffic, that seems like a decision to hide the
    version could increase ossification for new versions in these cases.

    (3) Similarly, if a threat is known to impact only a specific (older)
    version, it would seem to motivate a drop of that traffic that seeks to
    use that version, while still permitting other traffic. Forcing version
    detection to use pattern matching/ML will lead to less predictable
    outcomes, or blocking based on address, etc.

    (4) This obfusticates the most basic piece of reporting information used
    for support. It hides the extent of deployment of the current protocol
    version and prevlance of old implementations.

    (5) On the support, if a problem only emerges when a particular version
    is used with a particular address, then this helps pinpoint the issues.
    Matching client versions to servers is much more of an issue if the user
    community uses a wide range of servers (less so, I expect for major
    providers: google, facebook, etc, etc), but significant when there is a
    use of a diverse set of external sites and sites with their own load
    balancers, etc and a need to manage interactions with L2 services.

    I am intersted in knowing if this is likely to benefit or be a new obstacle?

    Gorry

v2.23.0 | Report a Bug | By Email