IETF Logo Mail Archive

RE: Unidirectional streams PR

"Lubashev, Igor" <ilubashe@akamai.com> Mon, 10 July 2017 16:11 UTC

Return-Path: <ilubashe@akamai.com>
X-Original-To: quic@ietfa.amsl.com
Delivered-To: quic@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A24921317C4 for <quic@ietfa.amsl.com>; Mon, 10 Jul 2017 09:11:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=akamai.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id y0tkMMU4M4ZZ for <quic@ietfa.amsl.com>; Mon, 10 Jul 2017 09:11:33 -0700 (PDT)
Received: from mx0b-00190b01.pphosted.com (mx0a-00190b01.pphosted.com [IPv6:2620:100:9001:583::1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0F39D1317CF for <quic@ietf.org>; Mon, 10 Jul 2017 09:11:33 -0700 (PDT)
Received: from pps.filterd (m0050093.ppops.net [127.0.0.1]) by m0050093.ppops.net-00190b01. (8.16.0.21/8.16.0.21) with SMTP id v6AG7mrH011784; Mon, 10 Jul 2017 17:11:23 +0100
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=akamai.com; h=from : to : cc : subject : date : message-id : references : in-reply-to : content-type : mime-version; s=jan2016.eng; bh=GdqsMO7hYsjvNEevrmvZceNQPWHQC0EpPXune1whJ9k=; b=Y9CysV27mBuYWxR0BgD/JKcUlWsp6rxI+xaqfHWUDSFSI+4FSDBqqQwcmGu7mXYp0DcS uDSlzMvpl6Fr4tBXC1OtHVtrlI8vwq1WwlklUbogtTSsCdNZSe3Poy9tOukkWJJPPR3p hh+XSCcoKlkpKUyVa4+JvuXPLxx6iWuUHLHFB7kpYfGJKMnua4CMmU3AH32jz2saLE6e PYZqn4Do14OjDpRLo1nc3D8aBBvMpW8EmlXTmxmGcLRWr5ycCJLpsEnmwhE/qoDXgOsN zXfeAc+IYMsBmzY0qUe4ZIuPSH8pBSCmu4Mm11ULD/wWbPFC/8DZ+kQJd71I+O4s+JMj rg==
Received: from prod-mail-ppoint2 (a184-51-33-19.deploy.static.akamaitechnologies.com [184.51.33.19] (may be forged)) by m0050093.ppops.net-00190b01. with ESMTP id 2bjvdtrdf6-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Mon, 10 Jul 2017 17:11:22 +0100
Received: from pps.filterd (prod-mail-ppoint2.akamai.com [127.0.0.1]) by prod-mail-ppoint2.akamai.com (8.16.0.17/8.16.0.17) with SMTP id v6AG7PD0016245; Mon, 10 Jul 2017 12:11:21 -0400
Received: from email.msg.corp.akamai.com ([172.27.123.34]) by prod-mail-ppoint2.akamai.com with ESMTP id 2bjtqu4t1d-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA384 bits=256 verify=NOT); Mon, 10 Jul 2017 12:11:20 -0400
Received: from USMA1EX-DAG1MB5.msg.corp.akamai.com (172.27.123.105) by usma1ex-dag1mb4.msg.corp.akamai.com (172.27.123.104) with Microsoft SMTP Server (TLS) id 15.0.1263.5; Mon, 10 Jul 2017 12:11:19 -0400
Received: from USMA1EX-DAG1MB5.msg.corp.akamai.com ([172.27.123.105]) by usma1ex-dag1mb5.msg.corp.akamai.com ([172.27.123.105]) with mapi id 15.00.1263.000; Mon, 10 Jul 2017 12:11:19 -0400
From: "Lubashev, Igor" <ilubashe@akamai.com>
To: Martin Duke <martin.h.duke@gmail.com>, Jana Iyengar <jri@google.com>
CC: Subodh Iyengar <subodh@fb.com>, Mike Bishop <Michael.Bishop@microsoft.com>, Dmitri Tikhonov <dtikhonov@litespeedtech.com>, Ian Swett <ianswett@google.com>, Jo Kulik <jokulik@google.com>, Mikkel Fahnøe Jørgensen <mikkelfj@gmail.com>, QUIC WG <quic@ietf.org>, Martin Thomson <martin.thomson@gmail.com>, "Swindells, Thomas (Nokia - GB/Cambridge, UK)" <thomas.swindells@nokia.com>, Kazuho Oku <kazuhooku@gmail.com>
Subject: RE: Unidirectional streams PR
Thread-Topic: Unidirectional streams PR
Thread-Index: AQHS7K8qFJcNmOfPnkGlJjRXQ/9soKI0ttCAgATMZACAAP5zgIAAEIwAgAAHqgCAAA02gIAAfdKAgAARSAD//8GgUIAAXnCAgAm2IgCAAS8I8IAAXHQAgAJThYCAAALJgIAAPzkAgAQQ/8A=
Date: Mon, 10 Jul 2017 16:11:19 +0000
Message-ID: <65e83cb364f74446b83873ab61b4295a@usma1ex-dag1mb5.msg.corp.akamai.com>
References: <CAN1APdc_ckZu39ZZTETv04iZieogoE_NQCBR-n0jHrC-9dM7Aw@mail.gmail.com> <5d69489d-8f46-ebbe-4e5c-fa6c02ffd8dd@huitema.net> <CAF4GZgBm7525i2GxiN-Pv66g0WqbDH==fRXN27=7ursNA70w1Q@mail.gmail.com> <20170628124221.GA15608@ubuntu-dmitri> <CAN1APdc3YO4-FEc6C--PzFGxzQiAUeBZ96HkjtjS1RR0qigrzw@mail.gmail.com> <CAE=ybzNtSZx9-bj9-n-ieLMB=YvJCjCExugvA3_JPVrdEEqK9A@mail.gmail.com> <DB5PR07MB123748F2AB7374DAC0CC9E1484DD0@DB5PR07MB1237.eurprd07.prod.outlook.com> <MWHPR21MB0141BD23011EB26F882C864787DD0@MWHPR21MB0141.namprd21.prod.outlook.com> <CABkgnnXEq9-jxedU_Rmi4XQ+t0SNUOAMbyWXcnhyLKz+OzP2CQ@mail.gmail.com> <2240c2a68910453e97fc50d42e8a1d4f@usma1ex-dag1mb5.msg.corp.akamai.com> <CAKcm_gMb9PkBKhTRF3ue2KGgwHgKN8rsanD8rqqr_wUFJ3GNZQ@mail.gmail.com> <CANatvzyKsi=+V1rYSjYwtkuGnui=V_1f0bbq1iCB36p2GJXDbQ@mail.gmail.com> <ab4e5580e8c14a8a9f2eecc87e8c9976@usma1ex-dag1mb5.msg.corp.akamai.com> <MWHPR15MB14552E4F7BB6BE5FB43A58FDB6D50@MWHPR15MB1455.namprd15.prod.outlook.com> <CAM4esxRN55ht7NUn6hd37L1F+G+vWYks23St4XbihL9T1mwt0g@mail.gmail.com> <CAGD1bZYuAX==a_V-d1wUTdGRCA21c-sGqQ-p6EiTQPQoDrBpSg@mail.gmail.com> <CAM4esxRCEHmsgSorRZ11CbwjfnyD4iTi1yzBien2LF04qafpvw@mail.gmail.com>
In-Reply-To: <CAM4esxRCEHmsgSorRZ11CbwjfnyD4iTi1yzBien2LF04qafpvw@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [172.19.38.68]
Content-Type: multipart/alternative; boundary="_000_65e83cb364f74446b83873ab61b4295ausma1exdag1mb5msgcorpak_"
MIME-Version: 1.0
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:, , definitions=2017-07-10_07:, , signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 spamscore=0 suspectscore=0 malwarescore=0 phishscore=0 adultscore=0 bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1703280000 definitions=main-1707100285
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:, , definitions=2017-07-10_07:, , signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 priorityscore=1501 malwarescore=0 suspectscore=0 phishscore=0 bulkscore=0 spamscore=0 clxscore=1011 lowpriorityscore=0 impostorscore=0 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1703280000 definitions=main-1707100286
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic/x3pOc6-ec-1QQdfuW98LGb-_adM>
X-BeenThere: quic@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Main mailing list of the IETF QUIC working group <quic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic>, <mailto:quic-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic/>
List-Post: <mailto:quic@ietf.org>
List-Help: <mailto:quic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic>, <mailto:quic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 10 Jul 2017 16:11:34 -0000

  *   I guess one question is if passing STREAM frames whole (at most changing the stream ID) is stateless for the middlebox.

Just passing frames may be mostly stateless (in far as streams are concerned) – it is just transient RAM to buffer and account for the streams before the frames are delivered.  In fact, the proxy may not need to strictly pass the STREAM frames but can re-frame the data it has buffered.  One thing the proxy would not be able to do is stream state validation and would pass on invalid frames to endpoints.


A related question is how would a proxy (or a middlebox) identify QUIC traffic as QUIC and not some random UDP traffic?  We’ve had a magic byte in the header but lost it in the header update.  We still have a port number, but that is likely application-specific, unless we add something to ClientInitial to identify an application.


From: Martin Duke [mailto:martin.h.duke@gmail.com]
Sent: Friday, July 07, 2017 4:45 PM
To: Jana Iyengar <jri@google.com>
Cc: Subodh Iyengar <subodh@fb.com>; Mike Bishop <Michael.Bishop@microsoft.com>; Dmitri Tikhonov <dtikhonov@litespeedtech.com>; Ian Swett <ianswett@google.com>; Lubashev, Igor <ilubashe@akamai.com>; Jo Kulik <jokulik@google.com>; Mikkel Fahnøe Jørgensen <mikkelfj@gmail.com>; QUIC WG <quic@ietf.org>; Martin Thomson <martin.thomson@gmail.com>; Swindells, Thomas (Nokia - GB/Cambridge, UK) <thomas.swindells@nokia.com>; Kazuho Oku <kazuhooku@gmail.com>
Subject: Re: Unidirectional streams PR

As I understand it, QUIC's contract with the upper layer includes streams, so any such middlebox would maintain state for each stream. In general, these middleboxes will support awareness of most L7s, and users will turn it on.

The exceptions are probably kind of corner-case-ish. Perhaps there's a new application directly on top of QUIC that the middlebox doesn't understand natively. In that case, with no FIN the middlebox would be forced to hold stream state until the end of the connection.  I guess one question is if passing STREAM frames whole (at most changing the stream ID) is stateless for the middlebox.

Also, I'm not clear where we ended up on silent close. If we're indeed expecting endpoints to see that all the streams are closed to begin the shutdown, then we have to see that all the streams are closed.

On Fri, Jul 7, 2017 at 9:58 AM, Jana Iyengar <jri@google.com<mailto:jri@google.com>> wrote:
On Fri, Jul 7, 2017 at 9:48 AM, Martin Duke <martin.h.duke@gmail.com<mailto:martin.h.duke@gmail.com>> wrote:


On Wed, Jul 5, 2017 at 10:16 PM, Subodh Iyengar <subodh@fb.com<mailto:subodh@fb.com>> wrote:
> Without such a signal, a generic proxy that is not aware of your application internals is not able to know when to send the FIN
I see, this use case does make somewhat sense, however I'm curious if someone has a concrete use case for a generic QUIC proxy which is not aware of the application protocol at all. In TCP this was more common for middleboxes to do because there was no end to end encryption of the transport, however QUIC is encrypted. Even with cases when we tunneling protocols at our end, we usually have some knowledge of the app that we are running because we need to route them differently to different backends. I was mostly thinking that proxies would at least have some knowledge about HTTP/2 or app protocols.

Some load balancers (including ours) terminate the transport connection. Being trusted middleboxes, they have the certificates and this sort of thing works in principle.

That said, in such a case it's entirely feasible to implement HTTP/2 on the middlebox as well.

If these middleboxes terminate the transport connection for QUIC, would they need to understand stream semantics? Or would they simply terminate the QUIC connection, but relay the STREAM frames without any changes?
I'll note that all transports after TCP have two general parts to them -- the packet transport part, and the application semantics part. Middleboxes are usually interested in the "lower half" of the transport - the packet transport part.

That said, I'm not opposed to having an explicit bit. I'm also wondering if there's a real use case, or if we're provisioning for the future here.

- jana

However, I think we should look forward to the day where QUIC is implemented in kernel space and HTTP/2 (and everything else) remains an application. I imagine counting on all applications to do this kind of garbage collection could cause problems.

v2.23.0 | Report a Bug | By Email