Re: [TLS] ALPS and TLS 1.3 half-RTT data
Martin Thomson <mt@lowentropy.net> Thu, 10 December 2020 06:01 UTC
Return-Path: <mt@lowentropy.net>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 155B33A040B for <tls@ietfa.amsl.com>; Wed, 9 Dec 2020 22:01:20 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.119
X-Spam-Level:
X-Spam-Status: No, score=-2.119 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=lowentropy.net header.b=CXg92xpi; dkim=pass (2048-bit key) header.d=messagingengine.com header.b=BGqhzDnf
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PZ_XxqrgmsFl for <tls@ietfa.amsl.com>; Wed, 9 Dec 2020 22:01:18 -0800 (PST)
Received: from out5-smtp.messagingengine.com (out5-smtp.messagingengine.com [66.111.4.29]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0C72A3A03F2 for <tls@ietf.org>; Wed, 9 Dec 2020 22:01:17 -0800 (PST)
Received: from compute1.internal (compute1.nyi.internal [10.202.2.41]) by mailout.nyi.internal (Postfix) with ESMTP id 383E45C00E2; Thu, 10 Dec 2020 01:01:17 -0500 (EST)
Received: from imap10 ([10.202.2.60]) by compute1.internal (MEProxy); Thu, 10 Dec 2020 01:01:17 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=lowentropy.net; h=mime-version:message-id:in-reply-to:references:date:from:to :cc:subject:content-type; s=fm1; bh=epLnxGiGaTVeKTZigTcLTR5mdUQE e60xnQ6gJ0RP2Hg=; b=CXg92xpi8WzEIP+Sls+UhIk+adFYmTSxQsk0aHvuWMtP TakyLqwJhb02JS/kG8XLh49lD+prXmtKuQx6id5CzbNn4o3xWWkeg3WNbSFkSL0R ImBe314jSQNzLo8y6SC8H7i9GO5FI06gj40dmlq6SukR1cNSoi8NOFk0Sqwcd695 BBEqzJPBApDUlPdHEIgzkntwMK1EQKxjE3ZnXlFNDwdy2xYSYxSCLJMzFd2y30U0 Nd0nrEhMO1HSk5Y4bNvZpZ+RKmzntiOGmP4WsHxpVYfMgrLlz7o0MsBwaDy3U+mO ar51rZFm8mCE5NnRZLLTv6ziqBzGix1H33lpa0HqdA==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:content-type:date:from:in-reply-to :message-id:mime-version:references:subject:to:x-me-proxy :x-me-proxy:x-me-sender:x-me-sender:x-sasl-enc; s=fm1; bh=epLnxG iGaTVeKTZigTcLTR5mdUQEe60xnQ6gJ0RP2Hg=; b=BGqhzDnf3PXyELt+lQndjg ZQWRipSkQUE2yq5AP9AL1f8F+svaWu1pDPUph659HtCy9W0NrUBRGubnxcHg3m74 nwN6LajG8bK3i7TFwNBYTzFUk0ley2Kbfxsd2KlQ95Z71CV6e+/6u6uBUty7aCs4 ll/tSFd9C4QqwK6c8SpZ7tCzIaorqQPDVKkkDjUBJ39nXTx81shDdVsOfcy4CYQT TmszYIhkMfBCqjB0GV5AU8rHvSYEhmGEaFr4MTffkFITtN91j7yHPtAbcc/KxeLF gBN2yZeY0hRTGvD2hzs+9tf6N4ExaL8JlG5x1ulrcOXzSe2bqgsTWvEpBBdL4T0Q ==
X-ME-Sender: <xms:rLnRX5ZSEG2W-MBtDUIP8KxpuxIaYfWQmTNdPJzCVsaRIyIIjfC6lQ> <xme:rLnRXwYKZJh41imHpfcu6tHB8F_uxzvxqIge5e9xhwtwofgbl5ugqmHBFSIfWE9YW UcxQ5xlHteu8fI8Ms8>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedujedrudejledgkeelucetufdoteggodetrfdotf fvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdfqfgfvpdfurfetoffkrfgpnffqhgen uceurghilhhouhhtmecufedttdenucesvcftvggtihhpihgvnhhtshculddquddttddmne cujfgurhepofgfggfkjghffffhvffutgesthdtredtreertdenucfhrhhomhepfdforghr thhinhcuvfhhohhmshhonhdfuceomhhtsehlohifvghnthhrohhphidrnhgvtheqnecugg ftrfgrthhtvghrnhepleehfeegudelvdetvdefudefgedvveffveehteduteehudfffffg teefleevfefhnecuffhomhgrihhnpehhthhtphefrdhlihhkvgdphhhtthhpvddrihhtpd hivghtfhdrohhrghenucevlhhushhtvghrufhiiigvpedtnecurfgrrhgrmhepmhgrihhl fhhrohhmpehmtheslhhofigvnhhtrhhophihrdhnvght
X-ME-Proxy: <xmx:rLnRX78Agixjw9oHQDfM2zyM8I6B8dA0gQiyK8H4z5bREee0IuuA1A> <xmx:rLnRX3pX_VZbAecJDPcTAp06quXRDe-pQJpPdaTHuwQNTa9lATPg3g> <xmx:rLnRX0qfMVM5uu8yvw2BShpn3VKtq4csAQAR1vBosK9gcEF0s1HfRA> <xmx:rbnRXxAY9hUefpkIBhriMauEwoSaUI-ieceYaQUYZOXs0lqkKTtP2Q>
Received: by mailuser.nyi.internal (Postfix, from userid 501) id 3642E200EC; Thu, 10 Dec 2020 01:01:16 -0500 (EST)
X-Mailer: MessagingEngine.com Webmail Interface
User-Agent: Cyrus-JMAP/3.3.0-622-g4a97c0b-fm-20201115.001-g4a97c0b3
Mime-Version: 1.0
Message-Id: <9ff7d93c-42cd-4b2b-bed6-8b0deff77469@www.fastmail.com>
In-Reply-To: <CAF8qwaAUE4H2-JxCyQJSWW680=Xp9pkUOQdOQpbLhd-HjYaVcA@mail.gmail.com>
References: <160703055132.9234.3055845983488231389@ietfa.amsl.com> <CAF8qwaAUE4H2-JxCyQJSWW680=Xp9pkUOQdOQpbLhd-HjYaVcA@mail.gmail.com>
Date: Thu, 10 Dec 2020 17:00:21 +1100
From: Martin Thomson <mt@lowentropy.net>
To: David Benjamin <davidben@chromium.org>, "<tls@ietf.org>" <tls@ietf.org>, HTTP Working Group <ietf-http-wg@w3.org>
Content-Type: text/plain
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/Qgy-q1G4z6vBajzeBfStP2s1-ho>
Subject: Re: [TLS] ALPS and TLS 1.3 half-RTT data
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 10 Dec 2020 06:01:20 -0000
Hi David, Thanks for writing this up. I think that it helped clarify things a little in my mind. I had been separately thinking about the problem and did reach a conclusion. I just needed time to write a response. I think that there are two things you might want to separate here: what might we do to engender good protocol design hygiene, and what do we do about HTTP/2 and HTTP/3. Like Cory, I didn't find this persuasive regarding HTTP/2. It is even less persuasive for HTTP/3, where I have evidence that half-RTT data is being used successfully (this comes first hand: ngtcp2 hit a performance bug in my code). The idea of creating a 0.5-RTT -> 1-RTT marker somehow is an odd idea, and one we've talked about maybe using in a new version of TLS, but I hardly see justification for that here. A lot of your reluctance to use half-RTT seems to be based on the buggy IO pattern you identified. Coupling send and receive flow control in the way you describe is - at least in my view - a defect in stacks rather than something to engineer a protocol around. An endpoint that refuses to read until a write is complete invites deadlock in a great many situations in HTTP/2, and we even have specific text in RFC 7540, Section 5.2.2 (https://tools.ietf.org/html/rfc7540#section-5.2.2) that recommends against deferral of reads. I realize that some applications don't work that way, but that doesn't mean that their TLS and HTTP/2 stacks need to be allowed to have the same bug. Full disclosure, I think that NSS could have this bug under some usage patterns. We don't buffer incoming data when we don't need it for the handshake. But I'm not sure that we need perfect here. This might come down to "well don't do that then", rather than the IETF embarking on a protocol engineering drill to fix these implementation issues. What is somewhat odd about TLS 1.3 is the way that applications can write to the socket before the handshake is complete. But reads are only possible afterwards. That does create some problems for incoming data, but it is always a modest amount to buffer. A new version of TLS might even allow clients to limit 0.5-RTT data, if this turns into a real problem. In any case, I can see some advantages to something like ALPS for WebTransport. The operational problems aren't any better, and I might not agree with you about the severity of the other things, but the protocol design hygiene aspects are pretty nice. Thinking about QuicTransport, the ability to signal the requesting URL and origin to the server outside of the use of streams and other application data makes the whole protocol much easier to structure. You no longer have to reserve streams or set aside control codepoints. That said, if you need control codepoints or stream reservation for other reasons, the value is diminished somewhat. After all, this is not magically reliable. When you add stuff to the handshake you make the handshake bigger and more fragile. If you really need this stuff, waiting on stream data to be retransmitted is no better or worse than waiting on the handshake. Indeed, binding to the handshake could be less performant in those cases where you are able to do some work ahead of receiving configuration. You can't even buffer incoming data when the handshake is incomplete, but you could if you were waiting on receiving configuration that was sent on a stream. On Fri, Dec 4, 2020, at 08:55, David Benjamin wrote: > Hi TLS and HTTP friends, > > At the last HTTPWG interim, there was a question of why one would want > something like ALPS (draft-vvv-tls-alps) for HTTP SETTINGS > (draft-vvv-httpbis-alps) over TLS 1.3 half-RTT data. I know we've also > had some discussion on this topic in the TLSWG as well. At the HTTP > meeting, folks suggested writing up what a half-RTT-based mechanism > might look like, so I put together an I-D below. I hope it helps > clarify some of our thinking. > > (The I-D is not meant for adoption or publication or anything. I > figured an I-D was probably the most familiar format for folks.) > > David > > ---------- Forwarded message --------- > From: <internet-drafts@ietf.org> > Date: Thu, Dec 3, 2020 at 4:22 PM > Subject: New Version Notification for draft-davidben-tls-alps-half-rtt-00.txt > To: David Benjamin <davidben@google.com> > > > > A new version of I-D, draft-davidben-tls-alps-half-rtt-00.txt > has been successfully submitted by David Benjamin and posted to the > IETF repository. > > Name: draft-davidben-tls-alps-half-rtt > Revision: 00 > Title: Comparing ALPS and Half-RTT Data > Document date: 2020-12-03 > Group: Individual Submission > Pages: 11 > URL: > https://www.ietf.org/archive/id/draft-davidben-tls-alps-half-rtt-00.txt > Status: > https://datatracker.ietf.org/doc/draft-davidben-tls-alps-half-rtt/ > Html: > https://www.ietf.org/archive/id/draft-davidben-tls-alps-half-rtt-00.html > Htmlized: > https://tools.ietf.org/html/draft-davidben-tls-alps-half-rtt-00 > > > Abstract: > This document compares the Application Layer Protocols Settings > extension with the half-RTT feature in TLS 1.3. > > > > > Please note that it may take a couple of minutes from the time of submission > until the htmlized version and diff are available at tools.ietf.org. > > The IETF Secretariat > >
- [TLS] ALPS and TLS 1.3 half-RTT data David Benjamin
- Re: [TLS] ALPS and TLS 1.3 half-RTT data Cory Benfield
- Re: [TLS] ALPS and TLS 1.3 half-RTT data Martin Thomson
- Re: [TLS] ALPS and TLS 1.3 half-RTT data Victor Vasiliev
- Re: [TLS] ALPS and TLS 1.3 half-RTT data Cory Benfield
- Re: [TLS] ALPS and TLS 1.3 half-RTT data Cory Benfield
- Re: [TLS] ALPS and TLS 1.3 half-RTT data David Benjamin
- Re: [TLS] ALPS and TLS 1.3 half-RTT data Martin Thomson
- Re: [TLS] ALPS and TLS 1.3 half-RTT data Cory Benfield
- Re: [TLS] ALPS and TLS 1.3 half-RTT data Cory Benfield
- Re: [TLS] ALPS and TLS 1.3 half-RTT data David Benjamin
- Re: [TLS] ALPS and TLS 1.3 half-RTT data Victor Vasiliev
- Re: [TLS] ALPS and TLS 1.3 half-RTT data Cory Benfield