Introduces PATH_CHALLENGE and PATH_RESPONSE frames

[janaiyengar]

Replaces PING with Data and PONG frames with PATH_CHALLENGE and PATH_RESPONSE frames.

Closes #1091.

[ianswett]

One suggestion, otherwise LGTM

[ianswett]

Are we clear on the meaning of elicit here? We definitely intend for the packet containing the PATH_CHALLENGE frame to be acknowledged. Given that, I'd be inclined to just consider it a frame we acknowledge and remove this paragraph.

[martinthomson]

I'm with Ian here. I think that we can treat this frame as normal. I can see how you might want to exclude PATH_RESPONSE from acknowledgment, but even there I would just let the ACKs flow.

[erickinnear]

I didn't think that we previously intended a packet containing only a PATH_CHALLENGE frame to be acknowledged, but I think that could make sense.

Minor question though:
What if we get a PATH_RESPONSE, but no ACK? Do we then retransmit the PATH_CHALLENGE?

The previous comment about the packets potentially being sent on (or taking) different paths is interesting, because we could ACK along the current path, but send the PATH_RESPONSE along the same path the PATH_CHALLENGE came in on. This could provide valuable information to the endpoint about the viability of those two paths, although we still end up in the situation of a rapidly failing path causing the ACK to not be delivered, which is not the end of the world.

[erickinnear]

Also, given that we stated that a new transmission of a PATH_CHALLENGE frame due to a lack of a PATH_RESPONSE should include different random data, how does that interact with loss recovery due to ACKs being present/not being present?

(In other words, I can see an argument for either behavior, but we should make sure that we update below if we change this.)

[MikeBishop]

I think we should always acknowledge all packets. I wouldn't be upset about including PATH_CHALLENGE/PATH_RESPONSE along with ACK in the context of "packets containing only ACKs don't trigger the sending of a ACK immediately, but are included the next time an ACK is generated."

[janaiyengar]

I'll change the text, but the point here was that an ACK frame is basically useless for acknowledging receipt of a PATH_CHALLENGE frame. The entire point of this frame is to require an echo of the random bytes from the peer... if an ACK were adequate, a PING frame is enough. I don't think it matters whether the peer acks the frame or not, since the endpoint shouldn't use the received ACK as an acknowledgment. This problem exists with PING+Data as well, it just isn't stated.

I'll change this text.

[martinthomson]

This is definitely a much cleaner design than overloading PING as I did.

[martinthomson]

I think that we can remove this last sentence now that PATH_CHALLENGE is fixed size. FWIW, I think that we could drop back to 8 happily. 12 raised some eyebrows, and the handshake uses fewer octets. That said, 12 means that you could include 8 octets of randomness and a timestamp - or a timestamp and an 8 octet HMAC - so that you don't have to maintain state and you can still measure RTT.

[ianswett]

Fixed 8 bytes SGTM.

[janaiyengar]

I don't have an opinion on size at all. I'll make it 8 bytes to avoid confusion... also because I don't think stateless operation is much of a benefit here.

[martinthomson]

You can still do stateless in 8 bytes, I guess. It's just a weaker authenticator. (I think that stateless is a good strategy actually.)

[martinthomson]

Split the last clause here into a new sentence: Using fresh values allows the endpoint to measure the time taken to respond to a challenge.

[janaiyengar]

Done.

[martinthomson]

Rather than SHOULD here, I think that you need to talk about sending multiple to deal with the potential of loss, but limiting the total time or number of challenges and eventually giving up.

[janaiyengar]

This text is the same as previous, with PING+Data. I intend to change this in the PR that addresses other migration concerns, but not here.

[martinthomson]

I think that you should drop the PMTU bit here. It's the packet size that determines PMTU validity anyway.

[MikeBishop]

The point about PMTU is that you can send multiple PATH_CHALLENGEs on the new path in packets of different sizes and see which ones get through. However, I'd recommend putting that in a section on probing for PMTU than making an offhand reference here.

[janaiyengar]

Removed.

[martinthomson]

A fixed size is better. No chance of messing it up that way. As I said above, I think that 12 octets is pretty good (that's the size of the STUN transaction ID).

[nibanks]

+1 for fixed size.

[martinthomson]

To the above, one octet is of almost no value. You would need many PATH_RESPONSE frames.

[martinthomson]

When? If the secondary value of PATH_CHALLENGE is to be realized, this should be done immediately. Or are we expecting the ACK frame to include ACK Delay and we expect challengers to use that to correct their view of path delay? With the potential for the ACK or response to follow a different path, it's hard to know how reliable this will be for measuring path RTT.

[erickinnear]

If we require the PATH_RESPONSE to be sent on the same path as the PATH_CHALLENGE, do we place any requirements on the ACK? And does such a requirement make sense?

[MikeBishop]

The previous text says that the PATH_RESPONSE can be sent on any path, so currently we don't.

[janaiyengar]

We should require PATH_RESPONSE to be sent to the same address as the PATH_CHALLENGE, though I'm open to arguments as to why not. That said, I'm not fixing migration bugs in this PR, just changing the PING+Data frame.

[martinthomson]

I think that it would be better to keep the special handling to a minimum. It is easier to generate a PATH_RESPONSE and send on any path than require use of the same path. That limits the special logic to the entity that is probing. I'm happy to keep this simple - you ACK these frames as normal and you generate the response where ever and whenever it is easiest to do so.

[janaiyengar]

Again, not for this PR, but the idea would be to demonstrate two way reachability using PATH_CHALLENGE and PATH_RESPONSE. Otherwise, you may end up in a situation where, for instance, UDP packets are blocked on one direction, but migration happens anyways since PATH_RESPONSE was sent from an address which didn't block UDP packets.

[martinthomson]

I'm with Ian here. I think that we can treat this frame as normal. I can see how you might want to exclude PATH_RESPONSE from acknowledgment, but even there I would just let the ACKs flow.

[martinthomson]

Can you open an issue for this, so we can track it?

[janaiyengar]

Yes, good point. Filed #1091.

[erickinnear]

A few minor nits, but otherwise looks good!
Thanks for putting this together.

[erickinnear]

Nit: need -> needs

[erickinnear]

Should these fall after ACK frames in terms of ordering?

[ianswett]

I don't believe we have specified packet ordering if that's what you're referring to, so I'd prefer not to start now.

[erickinnear]

Ah no, sorry, this is much more minor: I'm referring to ordering within the document itself (although that might not be a concern at this point), which no longer matches the table above.

[MikeBishop]

We've already done one reorder of the document to match the table -- we'll probably need to do another as part of the grand editorial pass being discussed in a few months.

[janaiyengar]

Done

[erickinnear]

I didn't think that we previously intended a packet containing only a PATH_CHALLENGE frame to be acknowledged, but I think that could make sense.

Minor question though:
What if we get a PATH_RESPONSE, but no ACK? Do we then retransmit the PATH_CHALLENGE?

The previous comment about the packets potentially being sent on (or taking) different paths is interesting, because we could ACK along the current path, but send the PATH_RESPONSE along the same path the PATH_CHALLENGE came in on. This could provide valuable information to the endpoint about the viability of those two paths, although we still end up in the situation of a rapidly failing path causing the ACK to not be delivered, which is not the end of the world.

[erickinnear]

If we require the PATH_RESPONSE to be sent on the same path as the PATH_CHALLENGE, do we place any requirements on the ACK? And does such a requirement make sense?

[erickinnear]

Minor: This is now type 0x0d

[MikeBishop]

Not minor -- you can create chaos doing this. Ask me how I know. 😉

[janaiyengar]

yup, this would not be happy. fixed.

[erickinnear]

Also, given that we stated that a new transmission of a PATH_CHALLENGE frame due to a lack of a PATH_RESPONSE should include different random data, how does that interact with loss recovery due to ACKs being present/not being present?

(In other words, I can see an argument for either behavior, but we should make sure that we update below if we change this.)

[nibanks]

Looks pretty good. Just a few comments/questions.

[nibanks]

Why should the connection be terminated if the response wasn't received? What if the new path was just being interrogated for viability and it just wasn't viable (too much loss, blocked in one direction or got disconnected)? Should that really cause the good path to be killed as well?

[erickinnear]

This is specific to address validation, I think.
So, if you're just probing new paths for viability then you're not doing this and it's totally fine to consider those packets lost and move on.
If you're doing address validation and the remote side cannot prove that it actually owns that address, we need to not send it anything more.

In practice, this is determined by what role you're playing (are you the one changing addresses or are you the one seeing the remote endpoint change).

[nibanks]

Let's imagine a client is on path A and probes path B with a challenge. The server receives this challenge and then responds with the response and a challenge of its own. Then, for some reason, that packet never makes it (too much loss, blocked in that direction, or client got disconnected). The both sides won't receive their challenge's response. The current spec text indicates both sides would kill the connection on path A now. I am just questioning if that is the best course of action.

[erickinnear]

This should probably be clarified in the text: I read this as only the server would be performing address validation for this example (since the client isn't seeing the server's address change) and therefore would be the only one required to kill the connection if the client cannot demonstrate that it owns the new address.

In the scenario you mentioned, the client should be sending additional PATH_CHALLENGES when it doesn't get the response (and I think it's possible and probably a good idea for a server implementation to send a new one as well instead of waiting for the client to retransmit, if it wishes).

I agree with your general point, however -- I think we should clarify that the server must not send additional data to the new client's address rather than closing the connection as a whole. Otherwise I can trivially get the server to close your connection just by failing address validation on your behalf.

[MikeBishop]

I think the language should be around not considering that path viable. If that was your only path, that means you'll have to kill the connection, yes. If you think you still have the old path but you're wrong, you'll discover that via timeout soon enough.

[janaiyengar]

The strategy that I'd like to suggest is to go back to the last best path. That said, this text is the same as it was previously with PING+Data and I'd like to not change migration behavior. I'd like to change this behavior but in a different PR that fixes migration. This PR simply replaces PING+Data / PONG with new frames.

[martinthomson]

Yes, let's just keep this constrained to replacement as much as possible.

[nibanks]

+1 for fixed size.

[nibanks]

Do we really need to error out if a response is received for a challenge we don't have saved at the moment? What if the sender of the challenge ended up timing out the packet too aggressively and threw away its state for it? If we really need to reliability validate this, how long would the sender of the challenge need to keep this state around then?

[MikeBishop]

Defining the error code doesn't create a mandate to enforce and send it. Implementations that know they have accounting for every PATH_CHALLENGE they've ever sent (e.g. because they've never sent any) can enforce this, while implementations which have discarded state can let an unknown PATH_RESPONSE pass without comment.

[mikkelfj]

I must be missing something fundamental but ...

What is the real gain of a path challenge compared to just sending a packet on the desired path with an empty ping on a new path and see if an ACK gets through? Is to to enforce the ACK (aka path response) to follow the same path, and if so, I don't see any requirement that the path response is sent on a particular path?

Why must must the challenge be hard to guess if it happens on an encrypted channel? It would seem that the packet number with an auth tag would be sufficient, unless challenges can happen early on stream 0, which I don't think is the intention.

Is there a risk that the recipient is not cooperating, and hence the need for something unguessable? This then leans up against optimitistic ACK attacks.

Could this challenge thing be integrated with PMTU probing, considering that you need that knowledge to use the path, of course starting with the minimum size probe?

[nibanks]

@mikkelfj As I understand it, the challenge response doesn't have to be on a particular path. The reason it needs to be hard to guess is because you are doing source address validation. You are trying to make sure the client isn't trying to dump traffic on some unsuspecting IP. If the client can guess the challenge and reply with the appropriate response on its own path, it could make the server think it does own that other IP, and start sending traffic to it.

[mikkelfj]

OK, so the fundamental thing I was missing (which dawned after hitting return of course), is that it is not necessarily the client proping for a new path, but the server not trusting the peer to be on the path that it claims to be. So the sending a challenge is already following a return path.

@nibanks explained this while I was writing the above.

[MikeBishop]

Generally fine.

[MikeBishop]

I think the language should be around not considering that path viable. If that was your only path, that means you'll have to kill the connection, yes. If you think you still have the old path but you're wrong, you'll discover that via timeout soon enough.

[MikeBishop]

I'd question this piece, too. Rather than "does not want," the implementation should be assuming that the other side cannot receive any more packets on the path being probed. If you have another path, sending a CONNECTION_CLOSE or even maintaining the connection seems quite reasonable.

[janaiyengar]

Agreed, again not changing text here for what the draft currently states, since I'd like to simply get rid of PING+Data for now. This will change with fixing the rest of migration.

[ianswett]

I would change this to "cannot" from "does not want to" as Mike suggested.

[janaiyengar]

Done.

[MikeBishop]

How about a recommendation to probe both old and new addresses to guard against this?

[ianswett]

I think Jana's planning to improve this in a follow up, so I'm ok with it as is.

[janaiyengar]

Yup. Happy to take this comment in the follow-up.

[MikeBishop]

We've already done one reorder of the document to match the table -- we'll probably need to do another as part of the grand editorial pass being discussed in a few months.

[MikeBishop]

The point about PMTU is that you can send multiple PATH_CHALLENGEs on the new path in packets of different sizes and see which ones get through. However, I'd recommend putting that in a section on probing for PMTU than making an offhand reference here.

[MikeBishop]

The previous text says that the PATH_RESPONSE can be sent on any path, so currently we don't.

[MikeBishop]

I think we should always acknowledge all packets. I wouldn't be upset about including PATH_CHALLENGE/PATH_RESPONSE along with ACK in the context of "packets containing only ACKs don't trigger the sending of a ACK immediately, but are included the next time an ACK is generated."

[MikeBishop]

Not minor -- you can create chaos doing this. Ask me how I know. 😉

[MikeBishop]

Defining the error code doesn't create a mandate to enforce and send it. Implementations that know they have accounting for every PATH_CHALLENGE they've ever sent (e.g. because they've never sent any) can enforce this, while implementations which have discarded state can let an unknown PATH_RESPONSE pass without comment.

[janaiyengar]

High-level point: The goal of this PR is to replace PING+Data with new frames, to avoid overloaded semantics. I'd like to not fix migration bugs here, since I'd like to fix them in a separate PR (upcoming).

[janaiyengar]

I don't have an opinion on size at all. I'll make it 8 bytes to avoid confusion... also because I don't think stateless operation is much of a benefit here.

[janaiyengar]

Done.

[janaiyengar]

This text is the same as previous, with PING+Data. I intend to change this in the PR that addresses other migration concerns, but not here.

[janaiyengar]

The strategy that I'd like to suggest is to go back to the last best path. That said, this text is the same as it was previously with PING+Data and I'd like to not change migration behavior. I'd like to change this behavior but in a different PR that fixes migration. This PR simply replaces PING+Data / PONG with new frames.

[janaiyengar]

Agreed, again not changing text here for what the draft currently states, since I'd like to simply get rid of PING+Data for now. This will change with fixing the rest of migration.

[janaiyengar]

Done

[janaiyengar]

Removed.

[janaiyengar]

We should require PATH_RESPONSE to be sent to the same address as the PATH_CHALLENGE, though I'm open to arguments as to why not. That said, I'm not fixing migration bugs in this PR, just changing the PING+Data frame.

[janaiyengar]

yup, this would not be happy. fixed.

[janaiyengar]

Yes, good point. Filed #1091.

[martinthomson]

Yes, let's just keep this constrained to replacement as much as possible.

[martinthomson]

I think that it would be better to keep the special handling to a minimum. It is easier to generate a PATH_RESPONSE and send on any path than require use of the same path. That limits the special logic to the entity that is probing. I'm happy to keep this simple - you ACK these frames as normal and you generate the response where ever and whenever it is easiest to do so.

[martinthomson]

I think that we're making this too hard. Can we just say hard to guess? How they are generated can be left to the challenger. (If TCP is our benchmark, then 32 bits of entropy is probably enough.)

[janaiyengar]

SGTM. I kept futzing around with saying the right thing, and it's probably adequate to say "hard to guess". Done.

[ianswett]

Some suggested text on validation and acking.

[ianswett]

This gets a bit weird if the PATH_RESPONSE doesn't come back via the new path.

[janaiyengar]

Yup, and validation gets weird when PATH_RESPONSE is sent via any path too. Again, I don't want to fix the connection migration mechanism here, so leaving it as is. But removed text about measuring time taken.

[ianswett]

I would change this to "cannot" from "does not want to" as Mike suggested.

[ianswett]

I think Jana's planning to improve this in a follow up, so I'm ok with it as is.

[ianswett]

There's no length, so I don't believe you can have an empty PATH_CHALLENGE frame

[janaiyengar]

Good point. Removed the text, since it seems redundant now.

[ianswett]

Same comment: It can no longer be empty

[janaiyengar]

Done.

[ianswett]

How about "received and processed by" instead of "delivered to", since processing is as important as receipt

[janaiyengar]

Done.

[ianswett]

I would prefer to leave this text out because it's more confusing than helpful. It's ok to consider it delivered to the peer when it's acknowledged, the key is that one must receive a PATH_RESPONSE before the path has been verified, which you say above.

[janaiyengar]

It depends on what the semantics of delivery are. What I say above is that an ACK implies that the frame has been received and processed by the peer. I don't think that's a safe assumption with PATH_CHALLENGE, since the entire point of it is to get something besides an ACK.

[ianswett]

How about "The new address is not validated until a PATH_RESPONSE frame containing the same payload is received, even if the packet containing the PATH_RESPONSE frame is acknowledged." (and then remove the text below I think is a bit confusing)

[janaiyengar]

Added. Which text is weird? The text about measuring time taken? It's caused me enough trouble so I'll remove it.

[ianswett]

I can't find my comment, but I thought it was weird to take an RTT sample of one path in one direction and a different path in another, which is what happens if PATH_RESPONSE comes back on a different path from the one PATH_CHALLENGE is sent on.

[ianswett]

I still think this new text is more confusing than helpful. You're going to have to write some new text that's more complete than this for connection migration, so I would keep this section as is for now.

[ianswett]

as is = as it was

[janaiyengar]

Removed offending text. Many things need fixing in migration.

[janaiyengar]

I'm going to merge this PR, please feel free to comment on the issue if you want to see any further changes.