IETF Logo Mail Archive

Re: QUIC handshake challenges -- Share your experiences

Marten Seemann <martenseemann@gmail.com> Thu, 30 March 2023 18:00 UTC

Return-Path: <martenseemann@gmail.com>
X-Original-To: quic@ietfa.amsl.com
Delivered-To: quic@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 968A0C14CE5D for <quic@ietfa.amsl.com>; Thu, 30 Mar 2023 11:00:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.094
X-Spam-Level:
X-Spam-Status: No, score=-2.094 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QCB6Pjd1GG-g for <quic@ietfa.amsl.com>; Thu, 30 Mar 2023 11:00:22 -0700 (PDT)
Received: from mail-ed1-x535.google.com (mail-ed1-x535.google.com [IPv6:2a00:1450:4864:20::535]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CA44CC15153C for <quic@ietf.org>; Thu, 30 Mar 2023 11:00:22 -0700 (PDT)
Received: by mail-ed1-x535.google.com with SMTP id h8so79806457ede.8 for <quic@ietf.org>; Thu, 30 Mar 2023 11:00:22 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; t=1680199220; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=nfDmAN49tDgFYm2+REhQgctZKTHrLzYBEfaFVBZBQd8=; b=dttb628/u7uuG1TZvVccwgJPPVJHFhzjX0zjXQK3RGdKk8rNSGqR0XsDo17PjleHgj 5nvssW8idCmsvDIRsCNU6mPqy7DZ25fnu6lAQzAv+q6xLxO56cDigp+dZ0Ar6pe/X9lM aWE0hqG+dUgsv01rDA8TZFdA/nSfp+Yf0oCFbg2R2sT17+4yRjkLQ9VBBNYcEovoqWfz tdIt59O9p9DhoEidKJ/IwTDGgiz9pB8DkqIrQpjmIkEPgqojhAWVG3U/iroBxad8kAlA jXoSZGSsujSzt9CxIMYxgOIMYSg41JZUHEUgniFbUQS5WOmkVplEguzaPw1JUyWyLz9E GVXg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; t=1680199220; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=nfDmAN49tDgFYm2+REhQgctZKTHrLzYBEfaFVBZBQd8=; b=QiyMKPs2KL9To4gMNffrzkoDX0dWpJ/kGeviYfCyxLqVaX4FfrcWNKO+VlhN4rgvMn Pw5qrv9Yd1s4OEThN/C519Y6bKUeE6SuU4tldakl5DCXhfixR/cbwtevDO3oXtdWa1qR gO4khw1P7+6ZFqGdXCyUv50nc4rQOy5dbfiynp+4ORY0lUdVfnwIL/DEp1N6WEa+kVXn aiCmUwIhuhSfJdnQYhECxBYonlGCzCYo/azQUoFduSWD+qk+R44/TX4neQlIJtgRTNJ9 VbU6dh0u7/1SmK+n4bz6JQFU5KaDUkqrTN64PKGJAkVgZWfRTT5QSsR6cXt2JK/pKQuc j4ew==
X-Gm-Message-State: AAQBX9ewL5kNmGhtxQZnlXf0IPWipOPhWc3WxYe2bLXdj3kMJu+vK/O1 byt5lQp01TkA/0JOHutIeNVvVoWeMh2VUcmsjOw=
X-Google-Smtp-Source: AKy350bNkZkG0fDkshLs70hv77llRSCJKr2excGORJQZwAD9KdhdFkq5FZD1xow4gw8nGSZSUOMjO/jOwHKsCYIn4b8=
X-Received: by 2002:a17:906:37c8:b0:934:b5d6:14d0 with SMTP id o8-20020a17090637c800b00934b5d614d0mr12838164ejc.2.1680199220018; Thu, 30 Mar 2023 11:00:20 -0700 (PDT)
MIME-Version: 1.0
References: <7fbc535a-e1ab-e030-5093-7ac809634b3c@fu-berlin.de> <a8c308e8-9f0f-480c-b48d-45534a9199b1@app.fastmail.com> <61a59c9a-80a8-8c73-78cf-0b321ede733f@huitema.net>
In-Reply-To: <61a59c9a-80a8-8c73-78cf-0b321ede733f@huitema.net>
From: Marten Seemann <martenseemann@gmail.com>
Date: Fri, 31 Mar 2023 03:00:08 +0900
Message-ID: <CAOYVs2qCZ3j8=DVpe6U1Vee85vdVEzaKMV4PSY_TUQ7sb2gwYw@mail.gmail.com>
Subject: Re: QUIC handshake challenges -- Share your experiences
To: Christian Huitema <huitema@huitema.net>
Cc: Martin Thomson <mt@lowentropy.net>, Marcin Nawrocki <marcin.nawrocki@fu-berlin.de>, quic@ietf.org
Content-Type: multipart/alternative; boundary="000000000000a941ec05f821dd2d"
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic/yUsWRzxlbkmG0EgjB607U5n1IvY>
X-BeenThere: quic@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Main mailing list of the IETF QUIC working group <quic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic>, <mailto:quic-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic/>
List-Post: <mailto:quic@ietf.org>
List-Help: <mailto:quic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic>, <mailto:quic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 30 Mar 2023 18:00:26 -0000

Christian, I don't think that's correct. We discussed this during our work
on RFC 9000, and there's section 8.1 addresses exactly that problem:

> Loss of an Initial or Handshake packet from the server can cause a
deadlock if the client does not send additional Initial or Handshake
packets. A deadlock could occur when the server reaches its
anti-amplification limit and the client has received acknowledgments for
all the data it has sent. In this case, when the client has no reason to
send additional packets, the server will be unable to send more data
because it has not validated the client's address. To prevent this
deadlock, clients MUST send a packet on a Probe Timeout (PTO); see Section
6.2 of [QUIC-RECOVERY]. Specifically, the client MUST send an Initial
packet in a UDP datagram that contains at least 1200 bytes if it does not
have Handshake keys, and otherwise send a Handshake packet.

The easiest solution to the problem is to just send an ACK, but not the
certificate. This might mean sending a few additional bytes, but as I've
said in the meeting today, those won't suddenly make this an interesting
amplification vector.
Starting with a slightly higher RTT estimate is also not the end of the
world, especially if you're using a loss-based congestion controller that
will cause queues to build up at the bottleneck link during the connection.



On Fri, 31 Mar 2023 at 00:40, Christian Huitema <huitema@huitema.net> wrote:

>
>
> On 3/30/2023 12:37 AM, Martin Thomson wrote:
> > On Thu, Mar 30, 2023, at 15:57, Marcin Nawrocki wrote:
> >> Unfortunately, I ran out of time before presenting the third challenge:
> >> An Initial containing both, the ACK and ServerHello, can skew the RTT
> >> estimation of the client for some deployments (e.g., CDNs). This is
> >> because the QUIC server can be separate from the process that has
> >> access to TLS material, so there is a noticeable delay for fetching the
> >> required TLS data.
> >
> > Yes, this will affect RTT estimates, but the effect will wash out over
> time.  The net effect is an inflated RTT estimate.
> >
> > You can maybe correct for this using ACK Delay.
> >
> >> Opinions on how to deal with this? Some CDNs split the Initial ACK and
> >> Initial ServerHello into two packets, leading to more padding bytes.
> >> Please see my slides 15-21 [1] for more information.
> >
> > I believe that some people already do this split, yes.  I would prefer
> that servers use subcerts for this:
> https://datatracker.ietf.org/doc/html/draft-ietf-tls-subcerts
> >
>
> There is another issue. It is a bit risky for the server to send the ACK
> Initial before the client IP is validated. If the server ACKs the
> client's initial packets, the client does not need to send any further
> traffic until it has received the server hello. If the server hello is
> lost, the server will have to resend it, and it will have to do so
> within the amplification budget -- which in some cases may not be possible.
>
> There are potential workarounds of course. For example, the server could
> bundle a PING with the ACK, to force the client to send more initial
> packets and thus complete address validation.
>
> We may also lift the requirement that all server initial packets be
> padded to 1200 bytes, which would allow for better use of the
> amplification budget. But that's for QUIC v3...
>
> -- Christian Huitema
>
>

v2.23.0 | Report a Bug | By Email