IETF Logo Mail Archive

Re: [tsvwg] [dispatch] Connection Identifier Flow Indicator (CIDFI)

Dan Wing <danwing@gmail.com> Fri, 18 August 2023 18:11 UTC

Return-Path: <danwing@gmail.com>
X-Original-To: tsvwg@ietfa.amsl.com
Delivered-To: tsvwg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DA305C151531; Fri, 18 Aug 2023 11:11:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.104
X-Spam-Level:
X-Spam-Status: No, score=-2.104 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ESzUm80p029P; Fri, 18 Aug 2023 11:11:46 -0700 (PDT)
Received: from mail-pf1-x42a.google.com (mail-pf1-x42a.google.com [IPv6:2607:f8b0:4864:20::42a]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8C7A2C151525; Fri, 18 Aug 2023 11:11:41 -0700 (PDT)
Received: by mail-pf1-x42a.google.com with SMTP id d2e1a72fcca58-68866e64bceso1000390b3a.3; Fri, 18 Aug 2023 11:11:41 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20221208; t=1692382300; x=1692987100; h=references:to:cc:in-reply-to:date:subject:mime-version:message-id :from:from:to:cc:subject:date:message-id:reply-to; bh=J1tfutvexgGVgNQq7WQNLWqIZBZ+YBazFpnS16rLedE=; b=FqmFkS+ms2ylO/YoAIBCJmnbWLLzVOhDIHhNoXNlpDGRkYCuWHwNMcMpU5ll5qcO4X rkwf/Ah5YyUTe5Qr5e8pwQGBax4EzOV6olE777d9mscbTAXvLf126qzvlGzixa4e7GLR O0UJbpmm2IGJmycmwoMAeFL4sQJBpv11afsPVfceJK/DvJeVjweGPnGRi1zeQNepsGXC JBAA6f6jXEPAGIKu3wzzdc6b9Eh4tfddmr5UMG8jUnQQ544ffeDvXT3g0GrV/3ONuM3h oAqRPieDJVV4F4DXUZGEpjEg2+69mqmCMm04oMPEcGdxx+HIAfmYc3YnDp0N40rQAHVR +ZgQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1692382300; x=1692987100; h=references:to:cc:in-reply-to:date:subject:mime-version:message-id :from:x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=J1tfutvexgGVgNQq7WQNLWqIZBZ+YBazFpnS16rLedE=; b=IJ399k4G7vlpQGp2xSCSF7wB80Vj/3MNs/+4HZmSZNs95fEPCXJ0f92N1LDJe2R3i6 3DFOVHMp7pOx670qEeYvz1+qWzv8Qxk0n52S3zsYnxy0EoD9MKuu91RG8QzOge6sVGgi 0e2gQuM3afVIbnc41o5Lzoraf6CRhxUT/6Mx7oxeZ9+meVTxlpl7PI5neUssFlpZpPeV QT8x7mu0miU9fiWa138Y0H7Hanh796p/H4CBRQDatdxF3b1FV/k+sm5lKLssBOM0WbZO xWVeefhjfelsd5jUAWi3VFyL+D3vuHUnRhW8p3MUPaltcBvjn2aDvfdH9LvEP2tRA1p5 EqJw==
X-Gm-Message-State: AOJu0Yx6zRPrN1qmhc51G7nr/3CCJsWakt6TRNkySwoi1Xj/T4yHaxB3 1mZVThw/NmYU1i5wo7Bv2GlobMvPzONE8w==
X-Google-Smtp-Source: AGHT+IHXJ1G4mmcdjMRY4CxOlEuDXH6Xtv9EB+MsVfj2XMMBKCwpbbFMumghheJzeEWBo3N/DbMejQ==
X-Received: by 2002:a05:6a00:1810:b0:67a:a906:9edb with SMTP id y16-20020a056a00181000b0067aa9069edbmr4150267pfa.30.1692382300318; Fri, 18 Aug 2023 11:11:40 -0700 (PDT)
Received: from smtpclient.apple ([47.208.218.46]) by smtp.gmail.com with ESMTPSA id l4-20020a639844000000b00566089d5b92sm1835872pgo.63.2023.08.18.11.11.38 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Fri, 18 Aug 2023 11:11:39 -0700 (PDT)
From: Dan Wing <danwing@gmail.com>
Message-Id: <4ABA9388-3A3D-4652-B211-1232949F72FB@gmail.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_CF788591-DAD2-4BBA-AE52-981F62BA7259"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3731.700.6\))
Date: Fri, 18 Aug 2023 11:11:37 -0700
In-Reply-To: <CALx6S37ChWn4BjNT9cZ75-9tiXaEpmqnhJQz22b9T=MtvAvwDg@mail.gmail.com>
Cc: art@ietf.org, tsvwg <tsvwg@ietf.org>, dispatch@ietf.org, draft-kaippallimalil-tsvwg-media-hdr-wireless@ietf.org, draft-joras-sadcdn@ietf.org, draft-zmlk-quic-te@ietf.org, draft-reddy-tsvwg-explcit-signal@ietf.org, draft-cc-v6ops-wlcg-flow-label-marking@ietf.org
To: Tom Herbert <tom=40herbertland.com@dmarc.ietf.org>
References: <82A29F54-17B8-42D1-9FBC-78348CA55570@gmail.com> <CALx6S37ChWn4BjNT9cZ75-9tiXaEpmqnhJQz22b9T=MtvAvwDg@mail.gmail.com>
X-Mailer: Apple Mail (2.3731.700.6)
Archived-At: <https://mailarchive.ietf.org/arch/msg/tsvwg/VxJNkcjGeXTM7b0woxnFXbcQ5Zg>
Subject: Re: [tsvwg] [dispatch] Connection Identifier Flow Indicator (CIDFI)
X-BeenThere: tsvwg@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Transport Area Working Group <tsvwg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tsvwg>, <mailto:tsvwg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tsvwg/>
List-Post: <mailto:tsvwg@ietf.org>
List-Help: <mailto:tsvwg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tsvwg>, <mailto:tsvwg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 18 Aug 2023 18:11:51 -0000

On Aug 18, 2023, at 7:48 AM, Tom Herbert <tom=40herbertland.com@dmarc.ietf.org> wrote:
> On Thu, Aug 17, 2023, 10:45 AM Dan Wing <danwing@gmail.com <mailto:danwing@gmail.com>> wrote:
>> Reply-To: art@ietf.org <mailto:art@ietf.org>
>> 
>> We have a new proposal for using Connection Identifiers to signal host-to-network and network-to-host.  The CIDs can be QUIC CIDs or DTLS CIDs.
> 
>> 
>> The CIDFI proposal has commonality with the I-D's in the CC line, most of which were presented at IETF117 in TSVAREA, QUIC, DISCUSS, and V6OPS.  CIDFI takes a different approach.  CIDFI does not use UDP trailers, allows the client and server to choose their Connection IDs however they wish, works on IPv4 and IPv6 (including through NATs and IPv6/IPv4 translators), and avoids the network operator's equipment connecting to the content server (which would identify the server to the network operator).
> 
> 
> Hi Dan,
> 
> Thanks for the draft. Offhand it looks this solution provides signaling specifically for QUIC.

CIDFI supports both QUIC and DTLS's Connection ID (RFC9146, "Connection Identifier for DTLS 1.2").  CIDFI was first written for QUIC and I see there are several places where I missed editing the DTLS CID text to be equal with the QUIC CID text.


> Is there a route here for a general solution that could be used across different transport protocols or applications (TCP, SCTP, RTP, custom app protocols in UDP, etc.)?

Yes.

TCP: Short answer:  yes with two new TCP options:  one containing nonces and HMAC-output sent in the SYN, a second option containing Connection ID in each packet for the network to differentiate handling that packet.  Longer answer: It seems achievable with a new TCP option containing a Connection ID in each packet -- as long as sender is using (now ubiquitous) Dont Fragment so the TCP option appears in each TCP packet.  Proving ownership of that TCP 4-tuple would need to be re-worked from draft-wing-cidfi.  Currently the CIDFI specification proves ownership of the UDP 4-tuple by sending a UDP STUN Indication packet on the same UDP 4-tuple as the client/server connection that has a nonce and HMAC-output to proves knowledge of the network element's HMAC secret (reference https://www.ietf.org/archive/id/draft-wing-cidfi-00.html#section-6.2).  This creates the association between the client's connection to its (content) server and the client's connection to the CIDFI network element (e.g., its Wi-Fi access point or their ISP's edge router), so they are bound to each other. For TCP, this same proof could be accomplished by sending the HMAC-output in a new TCP option in the SYN which could be observed by the on-path CIDFI network elements and prove ownership of the TCP 4-tuple.  The SHA256 HMAC output is 32 bytes which consumes an inordinate amount of TCP option space, though, so we would have to truncate the SHA256 or, perhaps, send it in several TCP packets perhaps using option subtypes similar to what MPTCP define (e.g., the entire SHA256 HMAC sent across 4 TCP packets each containing the (shortened?) Nonce and 8 bytes of the SHA256-HMAC output in separate packets).  Afterall, the STUN Indication described in CIDFI's Section 6.2 is just a bunch of bits on the wire that can be easily observed by the CIDFI network element -- putting those same bits into the TCP handshake and the first ~4 TCP packets can prove socket ownership.  After that socket ownership is proven to the CIDFI-aware network element, the CIDFI treatment could confidently begin at the CIDFI-aware network element.  Truncation feels easier than this multi-packet idea, though.  Multiple CIDFI-aware network elements on the path would each need to see their own Nonce and HMAC, so it could be awhile before all of them see their Nonce and HMAC-output.

SCTP: Yes, using a technique similar to TCP, as SCTP has kinship to TCP with its connection establishment.  If SCTP is run over UDP, the CIDFI Nonce and HMAC-output could be sent over a STUN Indication (rather than over SCTP).  As SCTP-over-UDP still has SCTP headers in a known location, the CIDFI-aware network element could peek into SCTP-over-UDP as easily as SCTP-over-IP.

RTP: The RTP SSRC could be signaled in the same way as the QUIC (and DTLS) Connection ID described in draft-wing-cidfi, and the sender could use different SSRCs for different packet 'importance'.  The RTP SSRC is guaranteed unique within a UDP 4-tuple and is in the clear for RTP, SRTP (RFC3711), and avtcore-cryptex (RFC9355).  The complication with using SSRC, however, is RTP stacks handle SSRC with their own output buffer (jitter buffer); a sender switching SSRCs (in order to influence network delivery of those packets) will usually cause the RTP implementation to get confused that a new 'source' is sending.  The RTP stack could in theory be modified to handle this, such that it knew SSRC #A and SSRC #B were, in fact, the same sender and should all be handled as if those two SSRCs were the same.  Another approach for RTP is wait for deployment of RTP-over-QUIC (draft-ietf-avtcore-rtp-over-quic) which does QUIC encapsulation and thus has a QUIC Connection ID.  This would avoid confusing the RTP receiver with different SSRCs, and would only influence the network's packet scheduling.  The Media over QUIC working group (moq) includes interactive media in their requirements, https://www.ietf.org/archive/id/draft-ietf-moq-requirements-01.html#section-3.1 so there will be more RTP-over-QUIC.  My employer is hoping to move our existing proprietary UDP encapsulation to QUIC, for whatever that is worth.

Custom UDP apps:  it would work if they can send a STUN Indication (and discard it on the server) to prove the ownership of the UDP 4-tuple (https://www.ietf.org/archive/id/draft-wing-cidfi-00.html#section-6.2), and can extend their custom protocol so the first few bits can be mapped to their packet importance (high/medium/low priority or whatever mapping is needed).  Ideally those first few bits is a random mapping to preserve the privacy characteristics of QUIC CID's (and DTLS's CID) and CIDFI.  Alternatively, the custom protocol could be moved to run over DTLS-CID (RFC9146) or over QUIC.


> Could the host to network signaling part be a use case of FAST (draft-herbert-fast-06)?

Yes.  A lifetime ago I architected a system that was effectively FAST for multi-path firewalls, but it sent its permission tickets using UDP (rather than IPv6 HbH options).  Cisco shipped it but I don't recall the feature name.  The feature was too early then.

-d


> Tom
> 
>> 
>> Abstract:
>> 
>>   This document describes how clients and servers can cooperate with
>>   network elements so their QUIC and DTLS streams can be augmented with
>>   information about network conditions and packet importance.
>> 
>> As Matt's SADCDN was DISPATCH'd to ART area, I set reply-to to art@ietf.org <mailto:art@ietf.org>
>> 
>> editor's copy, https://danwing.github.io/cidfi/draft-wing-cidfi.html
>> published -00,  https://www.ietf.org/archive/id/draft-wing-cidfi-00.html
>> 
>> -d
>> 
> _______________________________________________
> dispatch mailing list
> dispatch@ietf.org
> https://www.ietf.org/mailman/listinfo/dispatch

v2.23.0 | Report a Bug | By Email