IETF Logo Mail Archive

RE: Is "Version Greasing" a new benfit or a new obstacle?

Praveen Balasubramanian <pravb@microsoft.com> Fri, 12 April 2019 16:28 UTC

Return-Path: <pravb@microsoft.com>
X-Original-To: quic@ietfa.amsl.com
Delivered-To: quic@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2B2801201B6 for <quic@ietfa.amsl.com>; Fri, 12 Apr 2019 09:28:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=microsoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OC0wv6oc7iSw for <quic@ietfa.amsl.com>; Fri, 12 Apr 2019 09:28:18 -0700 (PDT)
Received: from NAM05-DM3-obe.outbound.protection.outlook.com (mail-eopbgr730133.outbound.protection.outlook.com [40.107.73.133]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BF61F1202E7 for <quic@ietf.org>; Fri, 12 Apr 2019 09:28:17 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=KwHeuEFdZhJdSRmWeXEBh3S6LdS6ElMNpR/eekL5xmY=; b=Qb6qBIfMJL31qbA/2WHzPA7T01U/GD/HwIr6yqCjB/w1GrcOR4My9T0QJIMaLndEcRPiukG5hCsZsFiNphYM9e21tcfT685jTcklWdM9C6si6lZ55Mp4vwWqJZHi0xdvl032sIm5XSrdXuCLKztlYGDRWbByd8EowVha3/ZzVBQ=
Received: from MW2PR2101MB1049.namprd21.prod.outlook.com (52.132.149.13) by MW2PR2101MB1132.namprd21.prod.outlook.com (52.132.146.17) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1813.8; Fri, 12 Apr 2019 16:28:15 +0000
Received: from MW2PR2101MB1049.namprd21.prod.outlook.com ([fe80::c999:100b:9952:f8f6]) by MW2PR2101MB1049.namprd21.prod.outlook.com ([fe80::c999:100b:9952:f8f6%5]) with mapi id 15.20.1813.000; Fri, 12 Apr 2019 16:28:15 +0000
From: Praveen Balasubramanian <pravb@microsoft.com>
To: Roberto Peon <fenix@fb.com>, Christian Huitema <huitema@huitema.net>, Ian Swett <ianswett@google.com>
CC: "Gorry (erg)" <gorry@erg.abdn.ac.uk>, Mirja Kuehlewind <mirja.kuehlewind@ericsson.com>, Mikkel Fahnøe Jørgensen <mikkelfj@gmail.com>, "quic@ietf.org" <quic@ietf.org>, "Border, John" <john.border@hughes.com>
Subject: RE: Is "Version Greasing" a new benfit or a new obstacle?
Thread-Topic: Is "Version Greasing" a new benfit or a new obstacle?
Thread-Index: AQHU73o0AOSUW1ZVWEa1WA8MStgy7KY1nGCAgAACAYCAAAdsgIAADYwAgAAcxQCAAMrxAIAABNWAgAIQK4CAAADVYIAAAPyAgAAEgoCAAACngIAAAFbg
Date: Fri, 12 Apr 2019 16:28:15 +0000
Message-ID: <MW2PR2101MB10498605DC0F1FC3905865F4B6280@MW2PR2101MB1049.namprd21.prod.outlook.com>
References: <5CADADDD.7010005@erg.abdn.ac.uk> <EBF1BF30-62A5-4659-8AEC-0D5B3F2D65C6@fb.com> <BL0PR11MB3394294313F8F54A3D0CF4A3902E0@BL0PR11MB3394.namprd11.prod.outlook.com> <CAN1APdcm0hnT_Mu7D7x5QM6pApOQw1RdWCBkgY16bd5YWNtFkA@mail.gmail.com> <9084B09D-5E13-49FA-BA93-0D7276CDE420@erg.abdn.ac.uk> <CAN1APdeSF0-_N=mb1xkoe_qLwoVqP+X9_Wawi=Zu__6wdHtbOQ@mail.gmail.com> <699E2135-A3CE-4D33-91F6-D3C96E66674F@ericsson.com> <CAN1APde2SO6fkNzyznbv2-xNuXkkuC=bN3p8xRgwmRAmsZxrgA@mail.gmail.com> <MW2PR2101MB104902B6BC7C67D8688EA852B6280@MW2PR2101MB1049.namprd21.prod.outlook.com> <MW2PR2101MB104996C29680DF7B79230C8CB6280@MW2PR2101MB1049.namprd21.prod.outlook.com> <CAKcm_gMwcwZ0VzK4vDt-sCQctHVrwOm9ekPPi3O3Y2UnRrZaBw@mail.gmail.com> <02f27c4e-2d1e-29ab-6891-236442436a3c@huitema.net> <9C6D92FF-7635-48BD-A65B-FAB4B544476D@fb.com>
In-Reply-To: <9C6D92FF-7635-48BD-A65B-FAB4B544476D@fb.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=pravb@microsoft.com;
x-originating-ip: [2001:4898:80e8:0:21b3:7b4b:b4a3:c3bf]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 9ed65b2a-516c-46b8-5fde-08d6bf63dd6d
x-ms-office365-filtering-ht: Tenant
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(8989299)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(5600139)(711020)(4605104)(4618075)(2017052603328)(7193020); SRVR:MW2PR2101MB1132;
x-ms-traffictypediagnostic: MW2PR2101MB1132:
x-ms-exchange-purlcount: 2
x-microsoft-antispam-prvs: <MW2PR2101MB1132A9F99D4A6D53E5F87CE2B6280@MW2PR2101MB1132.namprd21.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:9508;
x-forefront-prvs: 0005B05917
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(396003)(39860400002)(346002)(136003)(376002)(366004)(199004)(189003)(8676002)(9686003)(86612001)(316002)(55016002)(25786009)(6306002)(4326008)(54896002)(10290500003)(229853002)(7696005)(99286004)(86362001)(54906003)(53936002)(110136005)(93886005)(14444005)(790700001)(6116002)(14454004)(2906002)(6436002)(71200400001)(10090500001)(71190400001)(5660300002)(256004)(6246003)(236005)(478600001)(66574012)(22452003)(52536014)(8990500004)(11346002)(486006)(97736004)(446003)(476003)(102836004)(6506007)(53546011)(68736007)(76176011)(186003)(74316002)(8936002)(81166006)(7736002)(46003)(33656002)(106356001)(81156014)(105586002); DIR:OUT; SFP:1102; SCL:1; SRVR:MW2PR2101MB1132; H:MW2PR2101MB1049.namprd21.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; A:1; MX:1;
received-spf: None (protection.outlook.com: microsoft.com does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam-message-info: inxANhLtlXhormO087aE6ySK+1+xDnLtfv2j0dViE0gU1ajAJvAZ+OHcv0Td/k0PW/00jPDL+oNHaq/f5m6sAve7PD9VgOIYm6/J63MXQv+A/w2PGEnwsdJiuz17iCvwUqkveEoaKNzswc5W84pv1EVQOudnVQAGzgy9ZCITpihQvHbs9vd0kH/vkBO45ijscAt3HT0lCGaweGBIMxVwongFnAtQ6YQR04jSGUlnBqGsC+yCSmAqo99dNJiqvLXhkgdql/LSdzUD0ddmUMZGjhKYUgEyY2DK/SAZAvjjaFJLCVwLxSiHy9ACst1AQJMn9ZUX3kVkQBA6wB/iHTk3eqdyXWh/H3ohnV3jUH2V3VKMi8zdTKAXE6oGiCjFu4UrpkAz9zfHOEidHMDaNnRtK15CpfHCbwZ403sDYtOGW2A=
Content-Type: multipart/alternative; boundary="_000_MW2PR2101MB10498605DC0F1FC3905865F4B6280MW2PR2101MB1049_"
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 9ed65b2a-516c-46b8-5fde-08d6bf63dd6d
X-MS-Exchange-CrossTenant-originalarrivaltime: 12 Apr 2019 16:28:15.6644 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-Transport-CrossTenantHeadersStamped: MW2PR2101MB1132
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic/QcGt6QjU23R3QOKPUaHJuimQ9lY>
X-BeenThere: quic@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Main mailing list of the IETF QUIC working group <quic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic>, <mailto:quic-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic/>
List-Post: <mailto:quic@ietf.org>
List-Help: <mailto:quic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic>, <mailto:quic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 12 Apr 2019 16:28:21 -0000

Re. Encoding in CID. Then it needs to be standardized and if it is standardized what’s the point in greasing? Let’s not ignore the smaller services who use the cloud i.e. people deploying say NGINX web servers in AWS, Azure or GCP. Not every QUIC deployment is a large first party service which controls all aspects how LB and DDoS are done. In public clouds LB and DDoS protection are network functions (services) and are middleboxes under a completely different administrative domain.

Christian, this is about source address validation by the middlebox. This is how it works for TCP (think SYN cookies) and we need to have parity for QUIC. When under attack, short header packets will be dropped for addresses that have not been validated, but this is the same for non-SYN packets for TCP. I don’t understand how invariants can be used here. If we don’t have parity for DoS protection in network then QUIC traffic will be rate limited which is going to be really bad for performance. FWIW there is already DoS traffic that looks like QUIC.

From: Roberto Peon <fenix@fb.com>
Sent: Friday, April 12, 2019 9:16 AM
To: Christian Huitema <huitema@huitema.net>; Ian Swett <ianswett@google.com>; Praveen Balasubramanian <pravb@microsoft.com>
Cc: Gorry (erg) <gorry@erg.abdn.ac.uk>; Mirja Kuehlewind <mirja.kuehlewind@ericsson.com>; Mikkel Fahnøe Jørgensen <mikkelfj@gmail.com>; quic@ietf.org; Border, John <john.border@hughes.com>
Subject: Re: Is "Version Greasing" a new benfit or a new obstacle?

For any large deployment, I suspect they’ll need LB.

For most kinds of LB-ing, I’d expect the LB system to either directly or indirectly be involved in choosing/vending connection IDs.

If it is involved in vending/choosing connection IDs, it can encode version information into the CID.

-=R

From: Christian Huitema <huitema@huitema.net<mailto:huitema@huitema.net>>
Date: Friday, April 12, 2019 at 9:13 AM
To: Ian Swett <ianswett=40google.com@dmarc.ietf.org<mailto:ianswett=40google.com@dmarc.ietf.org>>, Praveen Balasubramanian <pravb=40microsoft.com@dmarc.ietf.org<mailto:pravb=40microsoft.com@dmarc.ietf.org>>
Cc: "Gorry (erg)" <gorry@erg.abdn.ac.uk<mailto:gorry@erg.abdn.ac.uk>>, Roberto Peon <fenix@fb.com<mailto:fenix@fb.com>>, Mirja Kuehlewind <mirja.kuehlewind@ericsson.com<mailto:mirja.kuehlewind@ericsson.com>>, Mikkel Fahnøe Jørgensen <mikkelfj@gmail.com<mailto:mikkelfj@gmail.com>>, "quic@ietf.org<mailto:quic@ietf.org>" <quic@ietf.org<mailto:quic@ietf.org>>, "Border, John" <john.border@hughes.com<mailto:john.border@hughes.com>>
Subject: Re: Is "Version Greasing" a new benfit or a new obstacle?



On 4/12/2019 8:57 AM, Ian Swett wrote:
From: Praveen Balasubramanian
...
Version greasing will create problems for DDoS protection. The DDoS protection middlebox will have to treat all traffic with unknown version numbers as plain old QUIC and rate limit it. Any solution that requires per connection state to track version numbers doesn’t scale. Especially in the cloud scenario customers bring their own web servers so this makes any opt-out solution not good enough. So I do think this is an obstacle for many deployments.

Don't we have an example of middle-box ossification just there?

Praveen's example points to the perils of the "shortest path" approach to middle-box design. Taking the shortest path means finding something that works now, and once you have found it deploy it without worry about consequences -- which very often include ossification. If the DDOS protection box looks for "QUIC versions that it knows" and just rate limits the other types of packets, then the box will by design prevent deployment of versions that it does not know.

I assume that big organizations like Azure will update their protections once a new version is out, but the experience shows that many other organizations don't. And even when they do, the focus on published versions will block experimenting with new versions, not to mention interfering with other features like connection migration. I take Praveen's example as an argument why we should in fact standardize version greasing, precisely to avoid this "shortest path middle-box design".

In the case of DDOS protection, I will point out that DDOS protection also needs to work with short header packets, which do not carry any version number. In order to avoid DDOS by short header packets, the boxes have to be able to distinguish between packets that belong to authorized connections and packets that don't. And if you do that, then you don't really need to look at the version numbers, you can simply rely on the invariants.

-- Christian Huitema

v2.23.0 | Report a Bug | By Email