IETF Logo Mail Archive

[saag] Re: The state of QUIC (Re: Re: [radext] Cyber Official Speaks Out, Reveals Mobile Network Attacks in U.S.)

Watson Ladd <watsonbladd@gmail.com> Sat, 18 May 2024 12:28 UTC

Return-Path: <watsonbladd@gmail.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 61D60C14F61E; Sat, 18 May 2024 05:28:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GMuQr2i8RMg5; Sat, 18 May 2024 05:28:42 -0700 (PDT)
Received: from mail-wm1-x336.google.com (mail-wm1-x336.google.com [IPv6:2a00:1450:4864:20::336]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DD445C14F61C; Sat, 18 May 2024 05:28:42 -0700 (PDT)
Received: by mail-wm1-x336.google.com with SMTP id 5b1f17b1804b1-4201986d60aso8698525e9.3; Sat, 18 May 2024 05:28:42 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1716035321; x=1716640121; darn=ietf.org; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=vK+IRDbeJMoJtNpe2uTW5GZUu/MVx7+wRGSGVIVjdb4=; b=NDIC3WcNTB1Qxr84D8vwfG6KXbajMQ1poDZrYnz9qhpqWQY/itDtF/kUv0l4vk2Y1v zlCiuCsKtY7CsB7/yB7AMDmZfFy1Sa1uwhofkyMjWbMm1YzbUXPEiWDQB3arJ5GzUCaH u4URnxQEBhEKPc4XTox+ixC3TyFH5p6aC7yiV0tQwfzVuYcnSB9cVX9/qsnEEZkgp3Mp CyOMJe/vJ1PtHLnNUrOReDpOnifiTSjmnsaAVt2wI8x/MiECTRSaZ3Gh+3ZQ7iHMfVk1 8XiJa2yVBTA5tCzs0MXpoMuX8LzIhBJMXBbrwGfywGOrFZqKuKbgAKOgvq3+rUo97zyq 48sQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1716035321; x=1716640121; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=vK+IRDbeJMoJtNpe2uTW5GZUu/MVx7+wRGSGVIVjdb4=; b=Lhjr+pf7peV5RF2IudYJq6MgK0aFBMBZxn6dmfs/fA8mRM5rZ0FIk43y9Hw7vvVT9i xigFtRa/81ayiUXj1n6002h0TiZ0p5J2Z1BA4XcgzSua1lqiJq9fxgsKtfU5NNkeGDc7 xeJ68qeUGsknZFtTtbtNVs6npFtaLn27Ft4DYbCcP1Ti4DIRIBG+G9zakyUrIDpd4K8o d08pM54mWFaeBaU1KTxC6U0ilrOFqotJAknERi6XK4kmpNn/2+zUm6UTzMV9tGLk81Qf 0zsVhW1fU4C0qoOr1ZysGBqaLr1I9w4XMOnxKTgXWaBwA/R43RxzrY10i9UHD6GZnnZM VSaA==
X-Forwarded-Encrypted: i=1; AJvYcCUaKj+S1JEP/WxIDw+3SuTwoQ697pzKqiPCXa4uCGjxfLtdgDkWFJg+3o24m405gBJlOOsIXAajd3CWCzcR/zNNqPO6FMfO0Fr/664eRzE=
X-Gm-Message-State: AOJu0Yx7beLGpjy+FK3gceHaDfv0RujWvxjAnuV5Yh4h1QbA2JiivjrK czkc9k+6llLr6BOKNcOk7HFBJHJw+PJ1ANMSYG3mgMqe1QP3H+U90wZGi+35j8EfLHAoY98lqhn S/Du+A6E8UN+NvkzVuc511D7NRdE=
X-Google-Smtp-Source: AGHT+IEKrP6PrUL/lEKKFkFSnlFxHbBpL/A/eE+qf9fYNpmNt00TmgwqyQT+2sKkToKKqnc4BLMNckfHpA0IkEw1tcU=
X-Received: by 2002:a05:600c:314e:b0:41b:c024:8e88 with SMTP id 5b1f17b1804b1-41fead6ac48mr174798415e9.33.1716035320452; Sat, 18 May 2024 05:28:40 -0700 (PDT)
MIME-Version: 1.0
References: <F204515C-E1AB-439D-8A54-A3FE835FD7B2@deployingradius.com> <GVXPR07MB967845D3EE17F6167BBDC1FA89EE2@GVXPR07MB9678.eurprd07.prod.outlook.com> <75BF00CE-136C-4B95-A0EB-D65E2DA00037@deployingradius.com> <CACsn0c=s3jpRGx34JD5vPHtvMERztCaviP5Qs26eny58ue9QVA@mail.gmail.com> <CA+HOLVDnU_bHe__2yox-MKwaV_=6nPGrt84VZhMJXGb0mgD1fg@mail.gmail.com> <GVXPR07MB967875737AEFF67D471850B889EE2@GVXPR07MB9678.eurprd07.prod.outlook.com>
In-Reply-To: <GVXPR07MB967875737AEFF67D471850B889EE2@GVXPR07MB9678.eurprd07.prod.outlook.com>
From: Watson Ladd <watsonbladd@gmail.com>
Date: Sat, 18 May 2024 08:28:28 -0400
Message-ID: <CACsn0ckf_gQBhgKGrPXf6s_iTFJ7Mhfa3zn4nrcp3Nj5FwRXKQ@mail.gmail.com>
To: John Mattsson <john.mattsson@ericsson.com>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Message-ID-Hash: 7VSDDAVDDNYRJNY344G25HBM2RLU3HM3
X-Message-ID-Hash: 7VSDDAVDDNYRJNY344G25HBM2RLU3HM3
X-MailFrom: watsonbladd@gmail.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-saag.ietf.org-0; header-match-saag.ietf.org-1; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: IETF SAAG <saag@ietf.org>, "radext@ietf.org" <radext@ietf.org>
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [saag] Re: The state of QUIC (Re: Re: [radext] Cyber Official Speaks Out, Reveals Mobile Network Attacks in U.S.)
List-Id: Security Area Advisory Group <saag.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/2a2Hsvg7bmMFQXFqBte-mBcjEk0>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Owner: <mailto:saag-owner@ietf.org>
List-Post: <mailto:saag@ietf.org>
List-Subscribe: <mailto:saag-join@ietf.org>
List-Unsubscribe: <mailto:saag-leave@ietf.org>

On Fri, May 17, 2024 at 1:41 PM John Mattsson
<john.mattsson@ericsson.com> wrote:
>
> Watson Ladd:
>
> >Their implementation efforts will take years to bear fruit
>
>
>
> I remember the controversy you talk about, but reading the OpenSSL blog it seems like OpenSSL 3.4 which will release no later than 31 October 2024 will more or less complete the implementation of QUIC in OpenSSL. Do you think that implementation will have significant problems?

I think a new, relatively untested implementation of a very complex
protocol (and an incomplete one at that: no H/3) will have issues. I'm
not sure I've been impressed OpenSSL's quality code and thoughtful API
design, but that's besides the main point:

Even if the implementation had no issues, QUIC (on Unix systems)
changes the relation between the kernel visible objects (sockets), and
requests and connections. While you could write an HTTP/1.1 server
that has one process do accept, then fork a worker that drives TLS and
blocks to handle requests, QUIC makes that (very limited)
implementation strategy no longer viable. Instead the server has to
concurrently accept new requests, manage internal connection state,
and answer requests that exist while getting packets on one UDP
socket. Writing concurrent programs in C is hard. Adapting existing
ones to be concurrent is even harder.

Sincerely,
Watson Ladd

v2.40.4 | Report a Bug | By Email | System Status