IETF Logo Mail Archive

Re: [TLS] Transport Issues in DTLS 1.3

Mark Allman <mallman@icsi.berkeley.edu> Tue, 30 March 2021 17:48 UTC

Return-Path: <mallman@icsi.berkeley.edu>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3D9673A1C66 for <tls@ietfa.amsl.com>; Tue, 30 Mar 2021 10:48:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.889
X-Spam-Level:
X-Spam-Status: No, score=-1.889 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, T_SPF_PERMERROR=0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=icsi-berkeley-edu.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WCNvk0E1Fbww for <tls@ietfa.amsl.com>; Tue, 30 Mar 2021 10:48:40 -0700 (PDT)
Received: from mail-oi1-x232.google.com (mail-oi1-x232.google.com [IPv6:2607:f8b0:4864:20::232]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7BDEC3A1C6E for <tls@ietf.org>; Tue, 30 Mar 2021 10:48:40 -0700 (PDT)
Received: by mail-oi1-x232.google.com with SMTP id n140so17283889oig.9 for <tls@ietf.org>; Tue, 30 Mar 2021 10:48:40 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=icsi-berkeley-edu.20150623.gappssmtp.com; s=20150623; h=from:to:cc:subject:date:message-id:in-reply-to:references :mime-version; bh=dtoBg87bs5rKZBCNKxQ1hyPv3k8SiqWcllf+D4lQJGk=; b=fF5OIos2vTz7RJGdKj6sCzjIjo5BGWgOm+E2TMVEFYHNYZa1AtTviB3xkwiJh+EfxS XCZxoMr4ceOKfD5VmrXyF5KMwcKDg50qMlN4bSBrGsLnRaWOunEqnFfu6EMuIEbc4IUN QTkBQ4EDxdhsGSoKkMYfrIzgKwZh1lEWtiryHr3CofNoq+9x4av7HD6/qnoQ0UN4NNDI mLVWGkH0ItPN+cl644fbEMnk9l9ZpqceFkbG9EUjJf5/E09ZPd8YfhG0+sexf1Eu3P2O iIUfC1xw7mUKFzPme9EIVCyuTldCWgS2O+DKx5zlNPPzqib+tlRtlxuDrqUJ6Gb5zhc+ OzYA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version; bh=dtoBg87bs5rKZBCNKxQ1hyPv3k8SiqWcllf+D4lQJGk=; b=Yi/Z22r9A82/MyJ3Nj+9Fq7hMvt7D7AAxqt1D2mQzD6uz1uTQt9j+zPnnoa/0S6lqa PdpNc0eoHecp7a9ZA7LpUs8UIgRc4gBQu8SF2ZLf1KGNNW4a+vIJ61vAb0oEsEXiqNFr x2XWTuiZ//VgGHbrgVQAuNrcMMFCBUGHo4uF09PhySYb3mVGlmHZAHiGy2TTVunAiy0c rBmpiPA6gd2DS2x2+oXzcxl2vePn/IPbfRyquIaHZfFXpeQPHwEFFjBFiEzXYY9LxlXF YLsUKYahBevzVom8AXXdyEUSLqv43+waaITnO12FGgBBmRpAzDcsDfOQbSYMv7UFJZLL RQNA==
X-Gm-Message-State: AOAM533ZAPzOP2/MG68RCBfnzV1S4I2pr9Fzx8yQHnF3RnAeprx6lXPV RiWL4zpfkCCB1DNlELNO6PVCpg==
X-Google-Smtp-Source: ABdhPJzbprTYkk/ufdV6E03Ap1dP4oxzRuzjFdn5kvgCDpqM/mkrnbUWDHJIcYl1shXGhaLBk4/dsg==
X-Received: by 2002:aca:4357:: with SMTP id q84mr4045438oia.51.1617126519417; Tue, 30 Mar 2021 10:48:39 -0700 (PDT)
Received: from [192.168.1.181] (162-203-32-211.lightspeed.bcvloh.sbcglobal.net. [162.203.32.211]) by smtp.gmail.com with ESMTPSA id j11sm3625208ooo.45.2021.03.30.10.48.38 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Tue, 30 Mar 2021 10:48:38 -0700 (PDT)
From: Mark Allman <mallman@icsi.berkeley.edu>
To: Eric Rescorla <ekr@rtfm.com>
Cc: Martin Duke <martin.h.duke@gmail.com>, draft-ietf-tls-dtls13.all@ietf.org, Lars Eggert <lars@eggert.org>, Gorry Fairhurst <gorry@erg.abdn.ac.uk>, tls@ietf.org
Date: Tue, 30 Mar 2021 13:48:25 -0400
X-Mailer: MailMate (1.13.2r5673)
Message-ID: <E43A7F98-6AE3-402B-B166-077B6D74B97A@icsi.berkeley.edu>
In-Reply-To: <CABcZeBMS5fUej0q5XhbxM5sMLQwAAyCgyAfbkTORQjvMM+jb7A@mail.gmail.com>
References: <CAM4esxR3YPoWaxU9B--oaT9r2bh_QBNH=tt0FsiUKaAT=M6_fg@mail.gmail.com> <CABcZeBMS5fUej0q5XhbxM5sMLQwAAyCgyAfbkTORQjvMM+jb7A@mail.gmail.com>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=_MailMate_EA62721F-7951-4E76-9EDC-C3C4A5837D39_="; micalg="pgp-sha1"; protocol="application/pgp-signature"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/ln8Jy_qKK9GqedzVgh6gXB58x3w>
X-Mailman-Approved-At: Thu, 01 Apr 2021 10:23:14 -0700
Subject: Re: [TLS] Transport Issues in DTLS 1.3
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 30 Mar 2021 17:48:43 -0000

Hi Ekr!

> This means that we have rather more latitude in terms of how
> aggressively we retransmit because it only applies to a small
> fraction of the traffic.

(Strikes me as a bit of a weird formulation.)

> Firefox uses 50ms and AIUI Chrome
> uses a value derived from the ICE handshake (which is probably
> better because there are certainly times where 50ms is too short).

Yes- the best thing to do is to use a measured value instead of
assuming on static number will always work.  But, you have to get a
measurement to do that, so you have to start somewhere.

>> Relatedly, in section 5.8.3 there is no specific recommendation for a
>> maximum flight size at all. I would think that applications SHOULD
>> have no more than 10 datagrams outstanding unless it has some OOB
>> evidence of available bandwidth on the channel, in keeping with de
>> facto transport best practice.
>
> I agree that this is a reasonable change.

I like this, too.  I think that limits the impact of any sort of
badness.

>> Granted, doubling the timeout will reduce the rate, but when
>> retransmission is ack-driven there is essentially no reduction of
>> sending rate in response to loss.
>
> I don't believe this is correct. Recall that unlike TCP, there's
> generally no buffer of queued packets waiting to be transmitted.
> Rather, there is a fixed flight of data which must be delivered.
> With one exceptional case [1], an ACK will reflect that some but
> not all of the data was delivered and processed; when
> retransmitting, the sender will only retransmit the un-ACKed
> packets, which naturally reduces the sending rate. Given the quite
> small flights in play here, that reduction is likely to be quite
> substantial. For instance, if there are three packets and 1 is
> ACKed, then there will be a reduction of 1/3.

I tend to agree with ekr here.  This doesn't tend to worry me
greatly.

> Note that the timeout is actually only reset after successful loss-free
> delivery of a flight:
>
>    Implementations SHOULD retain the current timer value until a
>    message is transmitted and acknowledged without having to
>    be retransmitted, at which time the value may be
>    reset to the initial value.
>
> There seems to be some confusion here (perhaps due to bad
> writing).  When the text says "resets the retransmission timer" it
> means "re-arm it with the current value" not "re-set it to the
> initial default". For instance, suppose that I send flight 1 with
> retransmit timer value
> T. After T seconds, I have not received anything and so I retransmit
> it, doubling to 2T. After I get a response, I now send a new
> flight. The timer should be 2T, not T.

I agree that is how to manage the timer.

> With that said, I think it would be reasonable to re-set to whatever
> the measured RTT was, rather than the initial default. This would
> avoid potentially resetting to an overly low default (though it's
> not clear to me how this could happen because if your RTT estimate
> is too low you will never get a delivery without retransmission).

That's one problem with a too-low initial RTT and a reason why RFCs
8085 & 8961 use a conservative initial.

However, I might suggest not setting the timeout to the measured
RTT, but to something based on the measured RTT.  The best guidance
here (8085 & 8961) is that this value should be based on both the
RTT and the variance in the RTT.  With one sample you don't have
variance.  TCP handles this by setting the RTO to 3 times the first
measured RTT.  That's just old VJCC.  It has always struck me as a
bit conservative, but ultimately this is a blip in the TCP context
and so I have never thought deeply about it.  But, perhaps if you
did something like 1.5 times the measured RTT you'd account for a
bit of variance that will no doubt be present.

> On point (1), I think that the fact that we have extensive
> deployment of timeout-driven retransmission in the field with
> short timers is fairly strong evidence that it will not destroy
> the Internet and more generally that the "retransmit the whole
> flight" design is safe in this case. I certainly agree that there
> might be settings in which 100ms is too short. Rather than
> litigate the timer value, which I agree is a judgement call, I
> suggest we increase the default somewhat (250? 500) and then
> indicate that if the application has information that a shorter
> timer is appropriate, it can use one.

I think that sounds fine.  And, if you could wedge some words about
experience into the document that'd seem useful, as well, IMO.

> With that said, given that your concern seems to be large flights,
> I could maybe live with halving the *window* rather than the size
> of the flight. In your example, you suggest an initial window of
> 10, so this would give us 10, 5, 3, ... This would have little
> practical impact on the vast majority of handshakes, but I suppose
> might slightly improve things on the edge cases where you have a
> large flight *and* a high congestion network.

I dunno ... I'd be interested in Martin's thought here.  But, at
these levels I am just not sure if the complexity of tracking a
flight size is really worth it.

>>   - "Though timer values are the choice of the implementation,
>>     mishandling of the timer can lead to serious congestion
>>     problems"
>>
>>     + Gorry flagged this and I am flagging it again.  If this is
>>       something that can lead to serious problems, let's not just
>>       leave it to "choice of the implementation".  Especially if we
>>       have some idea how to make it less problematic.
>
> I'm not sure what you'd like here. I think the guidance in this
> specification is reasonable, so I'd be happy to just remove this
> text.

I don't find the two halves of the sentence consistent with each
other and therefore the message seems muddled.

Removing is fine.

>>   - "The retransmit timer expires: the implementation transitions to
>>     the SENDING state, where it retransmits the flight, resets the
>>     retransmit timer, and returns to the WAITING state."
>>
>>     + Maybe this is spec sloppiness, but boy does it sound like the
>>       recipe TCP used before VJCC to collapse the network.  I.e.,
>>       expire and retransmit the window.  Rinse and repeat.  It may
>>       be the intention is for backoff to be involved.  But, that
>>       isn't what it says.
>
> It says it elsewhere, in the section you quoted:
>
>    a congested link.  Implementations SHOULD use an initial timer value
>    of 100 msec (the minimum defined in RFC 6298 {{RFC6298}}) and double
>    the value at each retransmission, up to no less than 60 seconds
>    (the RFC 6298 maximum).
>
> As I said to Martin, I think some of the confusion is that this
> specification uses "reset" to mean both "re-arm" and "set the
> value back to the initial" and depends on context to clarify
> that. Obviously that's not been entirely successful, so I propose
> to use re-arm" where I mean "start a timer with the now current
> value".

I agree this is mostly a writing issue.  I would suggest looking for
the word "reset" and just using more than one word so it's
absolutely clear what you mean.  E.g., something like "double the
timeout value and start a new timer" instead of "reset" or "rearm".

>>   - “When they have received part of a flight and do not immediately
>>     receive the rest of the flight (which may be in the same UDP
>>     datagram). A reasonable approach here is to set a timer for 1/4 the
>>     current retransmit timer value when the first record in the flight
>>     is received and then send an ACK when that timer expires.”
>>
>>     + Where does 1/4 come from?  Why is it "reasonable"?  This just
>>       feels like a complete WAG that was pulled out of the air.
>
> Yes, it was in fact pulled out of the air (though I did discuss it
> with Ian Swett a bit). To be honest, any value here is going to be
> somewhat pulled out of the air, especially because during the
> handshake the retransmit timer values are incredibly imprecise,
> consisting as they do of (at most) one set of samples.  In
> general, this value is a compromise between ACKing too
> aggressively (thus causing spurious retransmission of in-flight
> packets) and ACKing too conservatively (thus causing spurious
> retransmission of received packets).

Well, perhaps what is needed here is some of the words from your
email.  I.e., a bit of an explanation of things instead of simply
declaring 1/4 to be reasonable.

allman

v2.23.0 | Report a Bug | By Email