RE: Proposal: Increase QUIC Amplification Limit to 5x
Nick Banks <nibanks@microsoft.com> Wed, 31 July 2024 11:57 UTC
From: Nick Banks <nibanks@microsoft.com>
To: Paul Vixie <paul=40redbarn.org@dmarc.ietf.org>, IETF QUIC WG <quic@ietf.org>
Subject: RE: Proposal: Increase QUIC Amplification Limit to 5x
Date: Wed, 31 Jul 2024 11:56:52 +0000
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic/tbrl-xvjmCNQT3BkNdzEZB34U9g>
As Matthias pointed out, generally the issue here is certificate sizes. And while I agree that we should work to get those smaller, there is minimal control we have over that. Updating certificates can be a pretty slow process as it often requires a lot of processes to be updated as well (at least at MSFT).

But, to your question Paul, it doesn't matter what we set the limit for those servers/stacks that are already ignoring it. There's no protocol police, so they do what they want anyways (and as you can see a majority do already). That being said, I don't expect by us increasing the limit they will go out and choose to get even bigger certificates. So, I don't expect increasing the limit to make servers go even bigger. It's more of a selfish question about updating our stack (and anyone else who currently follows the rules) to be more in line with what it seems the rest of the industry is practically doing anyways. The 3x number was pretty arbitrarily picked originally, and I don't see a practically big difference between 3x and 5x in the end (especially considering some of the protocols' amplification factors out there today already).

Thanks,
- Nick

Sent from Outlook<http://aka.ms/weboutlook>

From: Paul Vixie <paul=40redbarn.org@dmarc.ietf.org>
Sent: Tuesday, July 30, 2024 8:53 PM
To: IETF QUIC WG <quic@ietf.org>; Nick Banks <nibanks@microsoft.com>
Subject: Re: Proposal: Increase QUIC Amplification Limit to 5x

Do we know a reason why the system's behavior won't move beyond the new limit the same way it moved beyond the old one? If it's some bizarre kind of leaky bucket let's have the showdown now rather than later when everything is larger and ossification has begun.

p vixie

On Jul 30, 2024 07:16, Nick Banks <nibanks=40microsoft.com@dmarc.ietf.org<mailto:nibanks=40microsoft.com@dmarc.ietf.org>> wrote:

Hello Folks,

We've had this discussion on Slack in the past, and I wanted to bring it here to get some additional feedback.

As some of you know, I have a project on GitHub (microsoft/quicreach<https://github.com/microsoft/quicreach>) that is a simple ping-like reachability tool for QUIC, and I run a periodic action to test the top 5000 hostnames for QUIC reachability and then break the handshake down by whether it (a) requires multiple round trips, (b) exceeds the specified amplification limit or (c) connects in 1-RTT under the limit. It produces this dashboard<https://microsoft.github.io/quicreach/>:

[image: quicreach dashboard]

The main point in sending this email is to focus on the large percentage of servers that are ignoring the 3x amplification limit today, and what we should do (if anything) about that. I ran a quick experiment (PR<https://github.com/microsoft/quicreach/pull/243>) this morning to test how the breakdown would look if we had different amplification limits (3x<https://github.com/microsoft/quicreach/actions/runs/10161649574/job/28100572606#step:6:1>, 4x<https://github.com/microsoft/quicreach/actions/runs/10162466467/job/28103201648#step:6:1>, 5x<https://github.com/microsoft/quicreach/actions/runs/10162939158/job/28104656720#step:6:1>) and found that if we used a 5x limit we would find ourselves in a place where most servers are now under the limit.

[image: handshake breakdown under each amplification limit]

So, my ask to the group is if we should more officially bless a 5x limit as 'Ok' for servers to use. This would more impact those servers that currently take multiple round trips because they are correctly enforcing the 3x limit on themselves, resulting in longer handshake times. If we say they can/should change their logic from 3x to 5x, then their handshake times will improve, and largely things will speed up for clients when using QUIC.

Personally, I'd like to update MsQuic to use this new limit based on this data, but I wanted to get a feel from the group first.

Thanks,
- Nick

Sent from Outlook<http://aka.ms/weboutlook>
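Added example, not code from quicreach or MsQuic, modelling the server-side anti-amplification accounting the thread is about (RFC 9000, Section 8.1) and how the 3x versus 5x budget decides whether a given first flight fits in one round trip. It assumes a 1200-byte client Initial and that the first Handshake-protected packet from the client validates the address.

```python
"""Constructed model of QUIC's anti-amplification limit (RFC 9000 s8.1).

Not quicreach or MsQuic code. Assumptions: the client's first datagram is
the 1200-byte minimum, and address validation completes as soon as the
server receives any packet protected with Handshake keys.
"""
import math

CLIENT_INITIAL_BYTES = 1200  # minimum client Initial datagram, RFC 9000 s14.1


class AmplificationGuard:
    """Per-path byte accounting a server keeps while the peer address is unvalidated."""

    def __init__(self, limit: int):
        self.limit = limit      # 3 per RFC 9000; the thread proposes 5
        self.received = 0
        self.sent = 0
        self.validated = False

    def on_receive(self, nbytes: int, handshake_keys: bool = False) -> None:
        self.received += nbytes
        if handshake_keys:      # a Handshake-protected packet proves the address
            self.validated = True

    def budget(self):
        """Bytes the server may still send before another client datagram arrives."""
        if self.validated:
            return math.inf
        return max(0, self.limit * self.received - self.sent)

    def send(self, nbytes: int) -> int:
        """Send as much of nbytes as the budget allows; return bytes actually sent."""
        allowed = min(nbytes, self.budget())
        self.sent += allowed
        return allowed


def handshake_round_trips(server_flight: int, limit: int) -> int:
    """Round trips a limit-honouring server needs to deliver its first flight.

    A second round trip is only needed when the flight (certificate chain
    included) exceeds limit * 1200 bytes; the client's next datagram then
    validates the address and the remainder goes out uncapped.
    """
    guard = AmplificationGuard(limit)
    guard.on_receive(CLIENT_INITIAL_BYTES)
    remaining = server_flight - guard.send(server_flight)
    if remaining == 0:
        return 1
    guard.on_receive(CLIENT_INITIAL_BYTES, handshake_keys=True)
    guard.send(remaining)
    return 2
```

With these assumptions a 4500-byte first flight needs two round trips under 3x (3600-byte budget) but one under 5x (6000 bytes), which is the band of servers the proposal would move into the 1-RTT bucket.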