IETF Logo Mail Archive

Re: QUIC ossification

Mikkel Fahnøe Jørgensen <mikkelfj@gmail.com> Wed, 13 February 2019 17:14 UTC

Return-Path: <mikkelfj@gmail.com>
X-Original-To: quic@ietfa.amsl.com
Delivered-To: quic@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7C388124BAA for <quic@ietfa.amsl.com>; Wed, 13 Feb 2019 09:14:04 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.997
X-Spam-Level:
X-Spam-Status: No, score=-1.997 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id sGCTp9sHjvtj for <quic@ietfa.amsl.com>; Wed, 13 Feb 2019 09:14:02 -0800 (PST)
Received: from mail-it1-x12d.google.com (mail-it1-x12d.google.com [IPv6:2607:f8b0:4864:20::12d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2030E1200B3 for <quic@ietf.org>; Wed, 13 Feb 2019 09:14:02 -0800 (PST)
Received: by mail-it1-x12d.google.com with SMTP id z20so7351769itc.3 for <quic@ietf.org>; Wed, 13 Feb 2019 09:14:02 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:in-reply-to:references:mime-version:date:message-id:subject:to :cc; bh=SM6GMMl/Pldll5V9LkuHQdsXm6d3D1dGJsnXJVqoAfI=; b=m7BhVgjWv9opOsaVvhwyUjEVWuMnsI/NBNWOd6YKrWSz8Tl42qfaGXtENS09eRqyrW zVsTj1NAA1PoJLdD+DLVc4rH4A5BqKn10sNtKdvKbB0NAnO9lznUVUaoiTqEMjOA6Juu C0tSL0s3hzqAdKlCLoRrDvHhII9Q7NrbKpOjUoyR9ZGQFuEnmXoiHlIGB3qWnSV+ZuTo ISjwHFyymxjgJUIS9/VNKORnc2OrXiCHEVziuIT3ONX7ooE7Xf/zmcKE4uqICJA8e0Yq Ec/TRw9+Lim4QS6vgtuNczQORmnM7F5+D/6/DI+48ppFkUElnaUfuKnXT9tB5zL+XBL8 Yibw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:in-reply-to:references:mime-version:date :message-id:subject:to:cc; bh=SM6GMMl/Pldll5V9LkuHQdsXm6d3D1dGJsnXJVqoAfI=; b=rY8C2m5dq8UplNNrMxZD2tXM0Qd28gEEJyX/Mt7bXAKBEjVtbIZQ9Raq0FVcAJeeYr VbEo1Z5p5medZWrqWhfQqTZFU7B1Ybjdoof+dV0znuIsl3+UIKF4jXTkF9q8O65s+Xah asd5zpRTJX94lSELJ1o8EkOlOI37fIjtuxmzf23bfTU/Kj00zBnuORFM8hYiYJJ7T0gj fawV+mSyQP+rikBPfB7fGG6BygHYlhbRF3DVxWOqg1eU2TmWvxsPTn1IjgGdZZRyK7WS XwspwO3BgZybpzEn+SFbv6BoHOqI1SFWs7rr39Q0MIbdqEH27kpQrhSjU7OCGA1oQRr1 tbBA==
X-Gm-Message-State: AHQUAuYgtmS818yR1IG/QClnw6aMTdZAOsKhhOTGq15vakRkyFWE8B9h cwkmvPpCAT7lCYNgYCT8qx+WTkdCIT/Sd2S8p4k=
X-Google-Smtp-Source: AHgI3Ibm4fQWHsBPltJoU80ZxRoNHpIYK3BH+STrNIJ6qA77+RL5fBAzWVQirH2qGqTAywJrxZ3Endjf43keii4vSx8=
X-Received: by 2002:a05:660c:81a:: with SMTP id j26mr847830itk.70.1550078041291; Wed, 13 Feb 2019 09:14:01 -0800 (PST)
Received: from 1058052472880 named unknown by gmailapi.google.com with HTTPREST; Wed, 13 Feb 2019 09:14:00 -0800
From: Mikkel Fahnøe Jørgensen <mikkelfj@gmail.com>
In-Reply-To: <CAKcm_gMmxeHHN3dtH9kby_En96oPwTqrfHE=wpqy5Z0YbX4png@mail.gmail.com>
References: <CAM4esxTm0GiXnow4Vyv0UX6kFW4U3zJgVrN_JzD31Sm6sxoYGg@mail.gmail.com> <1550007332.441557.1656692832.0E5412AE@webmail.messagingengine.com> <9425344B-D72F-474D-A549-AA2453E57F19@fb.com> <CAPDSy+5LikoojquLhaW58DbJ3VrGXUViaD0aHcTkxBJGzFjgQA@mail.gmail.com> <47E7A834-B6CD-4D73-BF49-8768A48CADF0@fb.com> <CAM4esxThzPJUxU7R5-CY-ZcgmqhYdPFMoM5Fg17vN-Hsk_pJ8A@mail.gmail.com> <CAKcm_gMmxeHHN3dtH9kby_En96oPwTqrfHE=wpqy5Z0YbX4png@mail.gmail.com>
X-Mailer: Airmail (420)
MIME-Version: 1.0
Date: Wed, 13 Feb 2019 09:14:00 -0800
Message-ID: <CAN1APdegy8n3+8J-pkgB6f-SNxHtju9p1Hiyct2tHWQ0KyeiGg@mail.gmail.com>
Subject: Re: QUIC ossification
To: Ian Swett <ianswett=40google.com@dmarc.ietf.org>, Martin Duke <martin.h.duke@gmail.com>
Cc: David Schinazi <dschinazi.ietf@gmail.com>, "quic@ietf.org" <quic@ietf.org>, David Benjamin <davidben@google.com>, Roberto Peon <fenix@fb.com>, Martin Thomson <mt@lowentropy.net>
Content-Type: multipart/alternative; boundary="000000000000067ffc0581c9ab3e"
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic/sMl1HqCujlj1m8GJh3AmBg-tHXA>
X-BeenThere: quic@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Main mailing list of the IETF QUIC working group <quic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic>, <mailto:quic-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic/>
List-Post: <mailto:quic@ietf.org>
List-Help: <mailto:quic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic>, <mailto:quic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 13 Feb 2019 17:14:04 -0000

There is the risk that middle boxes learn that versions mean nothing, and
that they are all the same, akin to crying wolf.

If it also mutated transport parameters and other observables, it would
start being a defence.

Alas, once 1.0 hits, things are back to normal.
So I doubt this exercise would be worthwhile.

But, I don’t have any strong opinion.

On 13 February 2019 at 17.56.47, Ian Swett (
ianswett=40google.com@dmarc.ietf.org) wrote:

Previously David Benjamin suggested spinning a new version of QUIC in
Chrome for every Chrome milestone with the only change being the version
number and the Initial keys.  I'd be curious how the WG feels about that
idea?

On Wed, Feb 13, 2019 at 11:17 AM Martin Duke <martin.h.duke@gmail.com>
wrote:

> I agree that a fast v2 would help here. However, it's hard to count on a
> fast IETF process, and even then the middlebox can be pretty dumb and still
> drop version > 2.
>
> I agree that David's scheme, by having the Initial be a v1 packet, may get
> that one through. But then you have subsequent long headers with the new
> version, which may still end badly.
>
> I don't see a good solution here, right now. Although it shouldn't be
> written in the spec, the working group should have some sort of contingency
> plan for how to proceed if the version field ossifies.
>
> On Tue, Feb 12, 2019 at 4:21 PM Roberto Peon <fenix@fb.com> wrote:
>
>> I don’t have an opinion on how version is negotiated yet.
>> I’m not convinced it is easy to get right. It may be more correct for me
>> to say that I’m convinced it is reasonable difficult to get right because
>> it is the most important of the various invariants.
>>
>> I also suspect that you need more than one way to do it, e.g. in-band and
>> out-of-band (which could be in-band in a V2 to allow for upgrade to
>> something else). Then does a client cache the version? For how long/where?
>> Per IP? Hostname? (blah blah.. etc. etc.)
>>
>> I can say that the ALPN and NPN approaches each had their positives and
>> negatives, and in the end, having something like either is probably good
>> enough.
>>
>> Rather than an opinion on how it should be done, I have an opinion that
>> we need to add this soon, as a V2.
>>
>> -=R
>>
>>
>>
>> *From:* David Schinazi <dschinazi.ietf@gmail.com>
>> *Date:* Tuesday, February 12, 2019 at 4:13 PM
>> *To:* Roberto Peon <fenix@fb.com>
>> *Cc:* Martin Thomson <mt@lowentropy.net>, "quic@ietf.org" <quic@ietf.org>
>> *Subject:* Re: QUIC ossification
>>
>>
>>
>> I think we may be able to limit ossification of version numbers by adding
>> some GREASE to the (upcoming) in-band compatible version upgrade extension
>> (what used to be EKR's PR). The idea of that extension is that the client
>> sends a QUICv1 initial containing a transport parameter indicating it
>> supports this extension and what versions of QUIC it supports. The server
>> can then send its replies with a new QUIC version number. Back to GREASE:
>> one option here would be for us to burn some versions for "v1 compatible
>> version negotiation greasing" (similar but different to 0x?a?a?a?a) and
>> servers can in-band upgrade to those versions. But we could also do that in
>> the reverse direction: the servers advertise support for one of these in
>> Alt-Svc and clients send their Initial to that version, and the server can
>> then perform in-band version change to v1, to another of these versions, or
>> just keep the client's version for the life of this connection. This will
>> cause ossifying middleboxes to break these connections.
>>
>>
>>
>> Thoughts?
>>
>>
>>
>> David
>>
>>
>>
>> On Tue, Feb 12, 2019 at 2:15 PM Roberto Peon <fenix@fb.com> wrote:
>>
>> My fear/experience around this is why I'd strongly recommend doing a QUIC
>> V2 as soon as possible where the delta from V1 -> V2 is limited to *solely*
>> what is necessary for version negotiation.
>>
>> We can simultaneously have a V3 conversation which would  include
>> whatever else we decide we need to change/add as a separate conversation
>> which depends on V2.
>>
>> -=R
>>
>> On 2/12/19, 1:36 PM, "QUIC on behalf of Martin Thomson" <
>> quic-bounces@ietf.org on behalf of mt@lowentropy.net> wrote:
>>
>>     On Wed, Feb 13, 2019, at 08:18, Martin Duke wrote:
>>     > 1) Version. I can't think of any immediate negative consequences
>> for a
>>     > middlebox that drops any long header with a version > 1. TLS 1.3
>> had to
>>     > surrender to this problem by hiding the version elsewhere.
>>     >
>>     > We might avoid this by routinely coalescing long headers with random
>>     > version fields to connection-critical packets. Beyond that, I'm out
>> of
>>     > great ideas. If we don't have a robust defense against this, we
>> ought to
>>     > put some thought into how to deploy a v2 if the version fields is
>>     > inoperable.
>>
>>     As Mike points out, the Length field is version-specific, so there is
>> no real defense here other than - as many have suggested - using the
>> version field actively.  That means shipping another version.  In a sense,
>> the fact that Google are still not on the same version gives us some time,
>> but it could mean that we might want to look toward having the "add version
>> negotiation and fallback protection" draft define a version rather than an
>> extension.
>>
>>     > 2) Client Transport Parameters. Initial Keys will help a little
>> bit, but in
>>     > TLS1.3 CCS still sorta exists because middleboxes are inspecting
>> packets so
>>     > deeply. It's not viable for v2 to have the same transport
>> parameters; it's
>>     > only slightly less gross to send v2 client TPs in some later
>> message and
>>     > have to send a fairly bulky "fake" set of v1 TPs in the client
>> hello to get
>>     > through the network.
>>
>>     I'm not concerned about transport parameters if the above issue is
>> fixed.  TLS had no real issues with extensions, and it looks like we
>> already have the start of a pipeline of extensions coming.  v2 can share
>> the transport parameter extension, unless we decide to change the format in
>> a non-compatible way.
>>
>>     (Note: CCS in TLS 1.3 only exists because middleboxes were inspecting
>> a lot, yes, but it also indicates that they weren't inspecting enough,
>> because the compatibility hack we have wouldn't work if they did a proper
>> job.)
>>
>>
>>

v2.23.0 | Report a Bug | By Email