Re: The future of qlog

Martin Duke <martin.h.duke@gmail.com> Sat, 20 March 2021 18:19 UTC

From: Martin Duke <martin.h.duke@gmail.com>
Date: Sat, 20 Mar 2021 11:18:58 -0700
Message-ID: <CAM4esxSizistCNtJyW0=wBJ2hYyrzdb97R+_5SQ=nCYKar38jg@mail.gmail.com>
Subject: Re: The future of qlog
To: Robin MARX <robin.marx=40uhasselt.be@dmarc.ietf.org>
Cc: IETF QUIC WG <quic@ietf.org>, HTTP Working Group <ietf-http-wg@w3.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic/p06bbuMd5hyQGkgd3EU3ZNHhFvM>

Hi Robin,

The sense of the IESG is that you should pursue all qlog drafts in QUICWG,
with occasional readouts to other parties as you describe.

Thanks
Martin

On Thu, Mar 18, 2021 at 4:42 AM Robin MARX <robin.marx=
40uhasselt.be@dmarc.ietf.org> wrote:

> Hello everyone,
>
> As you may have noticed, the "qlog roadshow" suggested by Martin Duke a
> few months ago actually took place last week,
> with me boring people with 6 qlog presentations in various wg's and rg's
> (dispatch, opsawg, saag, tsvwg, iccrg, and maprg).
> In case you still missed it, the two main variations of slides are in the
> datatracker [1][2].
>
> The goal was mainly to introduce the work to the wider IETF, to gather
> feedback and to gauge outside interest in expanding/generalizing qlog to
> other protocols/use cases.
>
> While I feel the presentations were generally well-received, and that
> people understood the value proposition,
> there did not seem to be a huge amount of interest from new people to
> contribute to the effort directly,
> nor did I for example hear strong feedback that qlog should be a general,
> cross-protocol effort from the start (e.g., in its own wg).
>
> As such, it seems the current proposal of adopting both the qlog documents
> (the main schema and the QUIC/H3 event definitions draft)
> in the QUIC wg, and to keep focusing on applying qlog to QUIC/H3 first, is
> indeed the best way forward in the short term.
> It was suggested however, to also bring periodic updates to other
> groups/areas (e.g., via the mailing list),
> as not all people interested would be willing to participate in the QUIC
> wg just for the general aspects of qlog.
>
>
> We also received some valuable feedback/discussion on points that I feel
> are important for qlog in general and that we could/should take into
> account moving forward.
> I have summarized the (in my opinion) most important ones below:
>
> a) The point was raised that "the IETF does not standardize APIs" and that
> qlog might reflect too much of concrete APIs to make sense standardizing
> it.
> While I and several other commenters disagreed with this, I do feel it
> shows that it should be stated clearly early on what exactly we're defining
> with qlog
> (the events, the mapping to various serialization formats, method(s) of
> transferring qlog, methods of accessing/requesting qlog files,
> recommendations for logging/retention of privacy-sensitive data, best
> practices for logging, expected tooling behaviour,...).
> A related point made was that the result should still allow for
> non-defined information to be reflected in qlog (e.g., custom events)
>
> b) As expected, much of the feedback was on the importance of the privacy
> aspects of qlog and the fact that this is maybe somewhat under-defined for
> logging/tracing in general (e.g., in PCAP files).
> One person remarked that defining logging events would also trigger/force
> people to think (more) about the privacy impact of a given approach and
> about (logging) data retention policies.
> Another good remark was around perception: it must be clear that while
> qlog helps analyze behaviour of encrypted protocols, it does not intend to
> subvert the core privacy/security properties of these protocols.
>
> c) There was discussion about two different types of format: 1) the
> serialization format of the qlog events, and 2) the format used to describe
> events in the documents.
> 1) For the first, we currently use JSON and NDJSON, where it was remarked
> that NDJSON is not an IETF standard.
> The most popular suggestions for serialization formats were JSON, JSON-C
> and CBOR. Interoperability with PCAP should also be considered.
> Several people also mentioned the requirement to encrypt the logs
> themselves, for which the COSE [3] project could be used.
> It was also again remarked that there is a dichotomy between "ease of use"
> and "efficiency for logging at high speeds":
> qlog can potentially focus on the first, as applications can log
> efficiently in a (custom) binary format that is later transformed to qlog
> if needed.
> 2) For the second, we currently use an ad-hoc dialect of TypeScript, which
> I would agree is sub-optimal.
> The most suggested alternative was YANG, though I am aware that has as
> many staunch opponents as it has supporters.
> If JSON/CBOR is chosen as main target format, CDDL potentially seems like
> a good candidate.
>
> d) The most concrete (immediate) interest for extending qlog to other
> protocols seemed to be for TCP (with DTLS also being mentioned several
> times).
> This led to a new effort looking into supporting qlog output for Netflix's
> FreeBSD TCP "blackbox" tools [4][5], which already exfiltrate e.g.,
> congestion control info from the TCP stack.
> This is in parallel to another ongoing effort to extract TCP info from the
> Linux kernel using eBPF [6].
>
> e) Experience with using qlog for logging (aggregated) measurements (at
> middleboxes (e.g., in the Spindump project [7])),
> suggests that we might need to take a more high-level view at what exactly
> constitutes a qlog "event" semantically [8].
>
>
> At this point, we were not planning to change the current drafts [9] to
> e.g., CBOR or CDDL prior to the adoption call in the QUIC wg, nor to
> include things like privacy guidance.
> The main change that is planned is splitting up the QUIC and HTTP/3 events
> into their own separate documents (as they are now combined in a single
> draft).
> If people feel that other changes are necessary prior to considering
> adoption, please let us know.
>
> With best regards,
> Robin
>
>
> [1]:
> https://datatracker.ietf.org/meeting/110/materials/slides-110-tsvwg-sessa-61-qlog-for-ietf-transports-00
> [2]:
> https://datatracker.ietf.org/meeting/110/materials/slides-110-iccrg-qlog-structured-endpoint-logging-for-encrypted-protocols-00
> [3]: https://tools.ietf.org/html/rfc8152
> [4]: https://github.com/Netflix/bbparse
> [5]: https://github.com/uoaerg/tcpqlog
> [6]: https://github.com/nrybowski/quicSim-docker
> [7]: https://github.com/EricssonResearch/spindump
> [8]: https://github.com/quiclog/internet-drafts/issues/139
> [9]: https://github.com/quiclog/internet-drafts
>
>
> On Thu, 3 Dec 2020 at 06:14, Jana Iyengar <jri.ietf@gmail.com> wrote:
>
>>
>> Thanks again, Robin, for doing this work.
>>
>> I strongly vote for option A -- keep it in QUIC.
>>
>> I think the most value for this would be in QUIC, primarily because
>> that's where people are actively adopting and using it. I would be
>> reluctant to make this broader yet, if only because our problem at the IETF
>> usually isn't that we have too few people with opinions on data formats
>> (and the color of each field).
>>
>> Practically, we already have multiple QUIC/H3 implementations emitting
>> qlog - and some of them already have feedback on how to extend it to be
>> more useful - so I would suggest that getting meaningful implementation
>> experience is going to be easiest with QUIC/H3 right now. Once it's done
>> for QUIC/H3, I would then do the generalization after as a next step, with
>> other use cases if and where there's interest. RFC numbers are cheap, and
>> you have versioning in this thing. The split you have is fine, and it
>> allows you to generalize this later. But keeping this discussion local to
>> the QUIC WG will be super useful as a first step.
>>
>> - jana
>>
>> On Wed, Nov 25, 2020 at 4:00 PM Martin Duke <martin.h.duke@gmail.com>
>> wrote:
>>
>>> Splitting HTTP/3 and QUIC into separate documents, so they can evolve
>>> separately, makes sense, though I would be comfortable with them both
>>> remaining in QUICWG for now.
>>>
>>> As an AD, I will facilitate a discussion with other areas about the main
>>> schema. Robin, it might be useful for you to go on a roadshow at IETF 110
>>> to pitch it to other areas to see if there's wider IETF energy to pursue
>>> qlog extensions. If so, the case for putting the main schema outside quicwg
>>> is pretty strong.
>>>
>>> On Mon, Nov 23, 2020 at 12:14 PM Lucas Pardue <
>>> lucaspardue.24.7@gmail.com> wrote:
>>>
>>>> Thanks Robin!
>>>>
>>>> I have some responses in line.
>>>>
>>>> On Mon, Nov 23, 2020 at 7:05 PM Robin MARX <robin.marx@uhasselt.be>
>>>> wrote:
>>>>
>>>>> Hello everyone,
>>>>>
>>>>> I was happy to see a large amount of support from you all for qlog at
>>>>> the QUIC wg meeting last week [0]!
>>>>> While it seemed there was consensus that it would benefit from a more
>>>>> formal adoption, it wasn't entirely clear if this should be in the QUIC wg.
>>>>>
>>>>> (I am also CC'ing the HTTP wg via Lucas Pardue, who thought this would
>>>>> somewhat concern them as well)
>>>>>
>>>>> To recap, qlog consists of two parts:
>>>>> 1) the main schema, which is protocol agnostic and mostly defines the
>>>>> serialization and container format [1]
>>>>> 2) the QUIC and HTTP/3 specific events [2]
>>>>>
>>>>
>>>> Yes sorry HTTP folks blame me for your additional email traffic. The
>>>> reason I thought the discussion on qlog was pertinent to the HTTP WG is
>>>> because one of the major places I've found benefit is in analyzing stream
>>>> multiplexing using qvis. This has particularly been useful for developing
>>>> an implementation of Extensible Priorities in an HTTP/3 stack. The most
>>>> mature way to get qlog for HTTP/2 stacks would be to define qlog schemas
>>>> for TCP, TLS and HTTP/2.
>>>>
>>>> There are potentially other application mappings. As was discussed at
>>>> the IETF 109 session, I think congestion control is going to be something
>>>> that benefits from logging and tooling. Is there an interest in making qlog
>>>> work the same for a CCA across TCP and QUIC? I suspect that might drive
>>>> some opinion of what to do here.
>>>>
>>>>
>>>>> I can see roughly 3 main options and would like additional feedback on
>>>>> which people want:
>>>>> A) Adopt both in QUIC wg for now, bring them to ~full maturity for
>>>>> QUIC and H3, and then see if/how to generalize later (it seemed to me most
>>>>> were leaning to this side last week)
>>>>> B) Adopt document [2] in QUIC wg and find another place for [1],
>>>>> either in an existing wg or a new one via BOF by IETF 110 (what happens if
>>>>> that fails though?)
>>>>> C) Find an existing wg or do a BOF for both [1] and [2] together by
>>>>> IETF 110 (not sure this has enough traction outside of QUIC wg?)
>>>>>
>>>>>
>>>> Option A seems the most pragmatic given where we are. But the more I
>>>> think about things, the more concerned I get that a focus on QUIC stifles
>>>> the innovation of other qlog use cases simply because they fall out of the
>>>> scope of permitted discussion. So far, the main schema discussion has
>>>> rightly focused on more operational concerns like serialization format, we
>>>> should also let people with interest and expertise in this area flourish if
>>>> possible. Finally, I also have a concern that the combined QUIC & HTTP/3
>>>> schema becomes difficult to manage once we hand the reins of HTTP/3 back.
>>>>
>>>> So I don't have a personal strong decision yet. But I'd like to
>>>> consider an Option D that splits the QUIC & HTTP/3 schema, with each WG
>>>> getting first refusal for adoption. Meanwhile, we continue to discuss the
>>>> main schema.
>>>>
>>>> Cheers
>>>> Lucas
>>>>
>>>>
>
> --
>
> dr. Robin Marx
> Postdoc researcher - Web protocols
> Expertise centre for Digital Media
>
> T +32(0)11 26 84 79 - GSM +32(0)497 72 86 94
>
> www.uhasselt.be
> Universiteit Hasselt - Campus Diepenbeek
> Agoralaan Gebouw D - B-3590 Diepenbeek
> Kantoor EDM-2.05
>
>
>