Re: Going STEK-less with QUIC?

Christian Huitema <huitema@huitema.net> Wed, 28 July 2021 01:55 UTC

Return-Path: <huitema@huitema.net>
X-Original-To: quic@ietfa.amsl.com
Delivered-To: quic@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B6C233A161A for <quic@ietfa.amsl.com>; Tue, 27 Jul 2021 18:55:56 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.891
X-Spam-Level:
X-Spam-Status: No, score=-1.891 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, NICE_REPLY_A=-0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, T_SPF_PERMERROR=0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZgBuQbS7zn2P for <quic@ietfa.amsl.com>; Tue, 27 Jul 2021 18:55:52 -0700 (PDT)
Received: from mx36-out20.antispamcloud.com (mx36-out20.antispamcloud.com [209.126.121.68]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A70C63A1616 for <quic@ietf.org>; Tue, 27 Jul 2021 18:55:52 -0700 (PDT)
Received: from xse165.mail2web.com ([66.113.196.165] helo=xse.mail2web.com) by mx133.antispamcloud.com with esmtp (Exim 4.92) (envelope-from <huitema@huitema.net>) id 1m8YnT-0000WB-NF for quic@ietf.org; Wed, 28 Jul 2021 03:55:49 +0200
Received: from xsmtp22.mail2web.com (unknown [10.100.68.61]) by xse.mail2web.com (Postfix) with ESMTPS id 4GZGvv1bPJz9lH for <quic@ietf.org>; Tue, 27 Jul 2021 18:55:39 -0700 (PDT)
Received: from [10.5.2.17] (helo=xmail07.myhosting.com) by xsmtp22.mail2web.com with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:256) (Exim 4.92) (envelope-from <huitema@huitema.net>) id 1m8YnL-0007WB-2r for quic@ietf.org; Tue, 27 Jul 2021 18:55:39 -0700
Received: (qmail 13553 invoked from network); 28 Jul 2021 01:55:38 -0000
Received: from unknown (HELO [192.168.1.104]) (Authenticated-user:_huitema@huitema.net@[172.58.43.253]) (envelope-sender <huitema@huitema.net>) by xmail07.myhosting.com (qmail-ldap-1.03) with ESMTPA for <quic@ietf.org>; 28 Jul 2021 01:55:38 -0000
To: Martin Thomson <mt@lowentropy.net>, quic@ietf.org
References: <7265bac0-f54b-0e5b-d5b6-572550809f0f@huitema.net> <CANatvzxBKNf+YdNLPwG=QpZv33o0Mp7uRU+N4JQUpYfbDypQkQ@mail.gmail.com> <b89f83f8-951d-4407-a12c-9d9e85e46fe0@www.fastmail.com>
From: Christian Huitema <huitema@huitema.net>
Subject: Re: Going STEK-less with QUIC?
Message-ID: <9beffffb-e7a6-1c57-be8d-a56f3ef2f1e9@huitema.net>
Date: Tue, 27 Jul 2021 18:55:37 -0700
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0) Gecko/20100101 Thunderbird/78.12.0
MIME-Version: 1.0
In-Reply-To: <b89f83f8-951d-4407-a12c-9d9e85e46fe0@www.fastmail.com>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Transfer-Encoding: quoted-printable
Content-Language: en-US
X-Originating-IP: 66.113.196.165
X-Spampanel-Domain: xsmtpout.mail2web.com
X-Spampanel-Username: 66.113.196.0/24
Authentication-Results: antispamcloud.com; auth=pass smtp.auth=66.113.196.0/24@xsmtpout.mail2web.com
X-Spampanel-Outgoing-Class: unsure
X-Spampanel-Outgoing-Evidence: Combined (0.15)
X-Recommended-Action: accept
X-Filter-ID: Pt3MvcO5N4iKaDQ5O6lkdGlMVN6RH8bjRMzItlySaT9WLQux0N3HQm8ltz8rnu+BPUtbdvnXkggZ 3YnVId/Y5jcf0yeVQAvfjHznO7+bT5x6h2yQpzTslcOqazQkKtAFKj/EwzSHE5FGYwwjsNRPCMcN CcLSEJnQlWPYY2+CbgfmD6wdmZPcItWbGe10hXJtXL4FsauCVkDjmcYJdU3yWp7KuHNaaKdg7iBE ZefdsNUFWKwa/wzJUjmazeC7Imcapebr0kNyYC289u5HlaNj1BQ6V51u76v35b1wNe/MvdKAGdwU TZKlze5ERymXAD3v2+J9PgaoF8SQHto3le4zsHTaeQtlKubP6iUTjj6yPARK6buALVaA782LKxg6 vRmng8N1aLhXqdc+jC1RcnVud53D5caUhbVtvqItBqoizkEt9O20UjkwI0v+LOlw05G4BS+iyyNq bT8dUMXMJ4tUCMj6G37ZfAMLceP5aNHPt26RBupu5v1nytoNnc138GfEJRQ2qC7jjynPIHPNqSn4 QTXUjLjYWQt1/5xnQymMoPsgr/U0flMcy2Vi/IcBgY4arPaiJ1W6hAyiRC61jekdwIcXNugoOEbH RyFULpSjm7jZ1h/HfDRQ5Ig8VhPsPE8NaP2gA77cO7WeI9Ftai6fusDXp7t2nLqCQxvxn0YNWXvW vvdfK7hyDPpb9TQkjr9ZDRojSVizNl0ce/s7u0P9b9Tml6eOMCV9kYYwkPx6ZsXvIUzTXkDAiiJi mGhLUFuS2lhaIetXfCg1JdAVrOwKfJe5TElG23AiHJ9yWi6O0YBUoFIvD3sIcP1fhJPM6B/8RcQv JEo8HrK5lyI41cXYk5QES4fJfpBcnX+nVsQ5EuaJ+dym1L8cD17Js0v4cp1M2zyYtmsJ4SOU5cVL weLwwTcKVNeVJ9BXyu9+ceCqThTYg2px1fSoqxQCCHnLMo/m9VKh99btUAanjnMCAH2co+fBoeG+ Hs0afhsY/5zhNYWRVYKU9W9tbmVXJBqdHHDmZEKhyNAv1N35kYWaEdgLurFV5oTvAcwA4rM3FkfW 8/1kE/e7sUnsVpINvARNxpFO
X-Report-Abuse-To: spam@quarantine11.antispamcloud.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic/yR6kRx3oeTsv0px9oEWPUKfOObI>
X-BeenThere: quic@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Main mailing list of the IETF QUIC working group <quic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic>, <mailto:quic-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic/>
List-Post: <mailto:quic@ietf.org>
List-Help: <mailto:quic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic>, <mailto:quic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 28 Jul 2021 01:55:57 -0000

On 7/27/2021 6:28 PM, Martin Thomson wrote:

> On Wed, Jul 28, 2021, at 09:02, Kazuho Oku wrote:
>> [...] I think the same result can be achieved in practice
>> by designing a format of NEW_TOKEN tokens that is to be shared by the
>> load balancer and the server. That token would contain the server-id.
>> When the load balancer receives an Initial packet conveying such a
>> token, it can parse the server-id contained in that token, and forward
>> the packet to the specified backend.
> Yep, that would work.  And the load balancer might choose not to honour the server selection choice if that instance was looking a little overloaded.
>
> In other words, no standard needed in all cases, but maybe another something for QUIC-LB to manage.

It is a matter of expectations. Suppose that the server goes STEK-less. 
It is only capable of honoring 0-RTT if the resumed session is routed to 
the same server as the initial server. Yes, the clients can unilaterally 
decide to reuse one of the NEW TOKENS as Initial CID, no new standard 
required there. But if they don't, and pick a random ID, the resumed 
connections will arrive at a random server, and 0-RTT will fail. So, if 
we want to encourage the "new token as initial" behavior, we may want to 
write something.

-- Christian Huitema