Include handshake anti-deadlock logic in pseudocode #2281
Conversation
There was a problem hiding this comment.
I think that this requirement only applies when Initial packets are in flight. The text allows for Handshake, but I think that we don't need these special rules for Handshake packets. Though we might want to send more aggressively for Handshake, the standard rules are sufficient there. I wonder if we need to change the text.
I interpreted "MUST NOT send more than three times as many bytes as the number of bytes they have received" as referring to real bytes transmitted, rather than congestion control bytes in flight. Given that, repeated complete loss of the server's handshake flights can cause a server to overrun its budget before the client's address is validated by handshake completion, requiring a padding packet to be transmitted even if the client received acknowledgement for its Initial. |
|
The x3 rule does refer to simple bytes as opposed to bytes in flight as calculated for the purposes of congestion control. So PADDING is completely sufficient for the client. My point was that this extra "code" exists only for the purposes of driving that x3 rule, and is only necessary when the client is sending Initial packets. If it is sending Handshake packets, there is no need because any Handshake packet of any size is sufficient to validate the client address and disable the x3 rule. (BTW, this wasn't directly a comment on this PR, but on the cited text as well as the code.) |
Right, but I think the currently-required behavior is justified. Consider this case:
Because the client's crypto packets have all been ACKed, and it has received no further ack-eliciting packets, it has nothing to send. If the client's second Initial was also lost, meaning the budget is only about 3600 bytes, this can happen almost immediately; a single Quinn server Handshake flight is larger than that. |
|
The client can get Handshake keys in this case, but it won't be sending Handshake packets until it has all of the server Handshake packets, so I think we're still in the original state. This is still the case that there are outstanding Initial packets. If the client were to be sending Handshake packets, this rule - as written - would still apply, but my point is that it isn't necessary. |
Is that accurate? Transport §17.6 has:
It seems that client might reasonably send Handshake-level ACKs (for example) prior to receiving the server's full flight even under ideal network conditions.
Ah, it wasn't clear to me that the client's second, ack-only, Initial packet qualified as "in flight"/"outstanding" here. Even then, the client discards the Initial space after first sending a Handshake packet, which might not be ack-eliciting, and might become lost, so a padding-only packet might still be necessary. |
|
Right, I had forgotten. Handshake ACKs are sent earlier. Either way, once that starts, the risk of deadlocking is gone.
Good point. The current text says "When crypto packets are sent, the sender MUST set a timer for the crypto timeout period." And crypto packets don't include ACK-only Initial packets. That suggests a bigger problem with that text. I would suggest then that the condition is "Initial packets outstanding and no packet from a higher encryption level ever sent". |
The risk of deadlocking remains so long as the client has not sent any ack-eliciting, i.e. retransmittable, Handshake packets and has not received any Handshake ACKs, because it is possible that all of the client's Handshake packets might be lost, at which point the server may reach the 3x threshold and cease transmitting while the client has nothing to send. |
|
On review, the client certainly doesn't need to pad Handshake level anti-deadlock packets to 1200 bytes, though it must send them so long as it hasn't seen an ACK or sent anything that it would otherwise be required to retransmit. |
draft-ietf-quic-recovery.md
Outdated
| return | ||
|
|
||
| if (crypto packets are in flight): | ||
| if (crypto packets are in flight || handshaking client): |
There was a problem hiding this comment.
I agree the pseudocode doesn't match the text, but I think the term "handshaking client" is not specific enough a definition to use in the pseudocode.
There was a problem hiding this comment.
Yeah, I wasn't sure what to go with. Should I introduce a new defined variable?
Ralith
force-pushed
the
anti-deadlock-pseudocode
branch
2 times, most recently
from
3a7dcd9
to
8088a86
Compare
|
Updated to use an explicit variable, and to use unpadded packets at Handshake level. |
draft-ietf-quic-recovery.md
Outdated
| @@ -699,6 +703,9 @@ Pseudocode for OnAckReceived and UpdateRtt follow: | |||
| largest_acked_packet = max(largest_acked_packet, | |||
| ack.largest_acked) | |||
|
|
|||
| if (from Handshake packet): | |||
There was a problem hiding this comment.
| if (from Handshake packet): | |
| if (ack from Handshake packet): |
There was a problem hiding this comment.
Can you add a short comment like "Once the client receives an ACK in a Handshake packet, it knows the server considers its address verified."?
There was a problem hiding this comment.
I don't think that we should be using acknowledgments to drive state at this level. I realize that this is less optimal, but I don't think that we need this variable.
The client can know that it is unverified if it is sending Initial packets and not Handshake (or greater). That should be enough. As for the test in SetLossDetectionTimer() or LossDetectionTimeout(), how is it possible for a crypto packet to be in flight, where this condition would be true?
There was a problem hiding this comment.
The client can know that it is unverified if it is sending Initial packets and not Handshake (or greater).
That's not true, though: the client doesn't know it's been validated until it's seen an ACK using Handshake keys (or greater). The server needs to see a Handshake packet to validate the client, and until the client's seen such an ACK it can't be sure that any Handshake packets it might have sent so far weren't lost.
e: "Sending initial packets" is sufficient but not necessary information to determine that the client is unverified, but we need to determine this accurately to avoid handshake deadlock when client Handshake packets are lost.
As for the test in SetLossDetectionTimer() or LossDetectionTimeout(), how is it possible for a crypto packet to be in flight, where this condition would be true?
I'm not sure I understand the question. The tests in those functions are to ensure that a client sends packets to either earn anti-amplification credit or validate its address even when it has no information to send.
There was a problem hiding this comment.
Sorry, I should proof-read these. I should have said that the client can assume that it is unverified for longer than it actually is. The cost, for a client that is sending Handshake packets is small and for Initial packets, the time is well bounded.
There was a problem hiding this comment.
Are you suggesting that we ditch unverified_client in favor of checking whether the endpoint is a client that doesn't yet have 1-RTT? I think that works as a simplification, if I'm understanding correctly.
There was a problem hiding this comment.
I think that works. For the most part "do I have crypto packets in flight" covers the rest of it. Though "in flight" might be wrong, and it might be better as "are any crypto packets that I have sent, but are unacknowledged".
The cost is that the client might keep this timer well past the point it is needed when acknowledgments are lost, but the simplification is pretty big.
Ralith
force-pushed
the
anti-deadlock-pseudocode
branch
from
8088a86
to
0eb67d4
Compare
|
Added @ianswett's tweaks and relaxed the validation check slightly, since a client could conceivably receive a 1-RTT ACK before a Handshake ACK due to even a single packet's worth of reordering. |
There was a problem hiding this comment.
Should this be happening in an issue? I think we're close here, but I would recommend moving this discussion to an issue if it continues.
FWIW, I'm in agreement with @martinthomson that it's better to drive logic here using the client's state instead of the received packets.
Ralith
force-pushed
the
anti-deadlock-pseudocode
branch
from
0eb67d4
to
66b99f6
Compare
|
Rebased and switched to the simplified logic as suggested. |
draft-ietf-quic-recovery.md
Outdated
| // Crypto retransmission timeout. | ||
| RetransmitUnackedCryptoData() | ||
| crypto_count++ | ||
| else if (endpoint is client without 1-RTT keys): | ||
| if (handshake keys available) |
There was a problem hiding this comment.
| if (handshake keys available) | |
| if (handshake keys available): |
Unfortunately, this is still incorrect. As we discussed on #2519 (comment) there is a requirement to pad any time the client needs to send an Initial packet (it's a little more complicated in practice, but this is what the resolution boils down to).
There was a problem hiding this comment.
If the availability of Handshake keys isn't a strong enough condition for that, what should be used instead? I'd be inclined to just fall back on SendOnePacket and let the nontrivial padding logic be implied by the text elsewhere, but that's where we started for this fragment.
There was a problem hiding this comment.
If you need to send an Initial packet, pad.
| // Retransmit crypto data if no packets were lost | ||
| // and there are still crypto packets in flight. | ||
| else if (crypto packets are in flight): | ||
| if (crypto packets are in flight): | ||
| // Crypto retransmission timeout. | ||
| RetransmitUnackedCryptoData() |
There was a problem hiding this comment.
I assume that RetransmitUnackedCryptoData() is going to catch any need for padding...
Ralith
force-pushed
the
anti-deadlock-pseudocode
branch
2 times, most recently
from
faf279c
to
75478a7
Compare
draft-ietf-quic-recovery.md
Outdated
| // Crypto retransmission timeout. | ||
| RetransmitUnackedCryptoData() | ||
| crypto_count++ | ||
| else if (endpoint is client without 1-RTT keys): | ||
| if (will send Initial packet): |
There was a problem hiding this comment.
I'd say
"if (has Handshake keys):
SendOneHandshakePacket()
else
SendOnePaddedInitialPacket()"
There was a problem hiding this comment.
@martinthomson, is this consistent with your earlier suggestions?
There was a problem hiding this comment.
No. The important factor is not whether you have handshake keys, but whether your peer believes your address to be validated.
There was a problem hiding this comment.
To be clear, my suggestion started at line 1133. The intent was to change "Will send Initial packet" to "has Handshake keys", which I believe is clearer.
There was a problem hiding this comment.
"Will send Initial packet" is correct.
There was a problem hiding this comment.
That sounds like the approach that I originally had here, which was argued against.
There was a problem hiding this comment.
Martin didn't want to allow for ACK of handshake stopping the anti-amplification retransmissions, which I think is fine, though a bit overly strict. So all of this is within the "if (endpoint is client without 1-RTT keys)" conditional, which is our proxy for: Should we keep trying to prevent a deadlock?
To be clear on what I'm suggesting:
else if (endpoint is client without 1-RTT keys):
// The client must continue sending packets until it's
// sure the server has validated the path.
if (has Handshake keys):
SendOneHandshakePacket()
else
SendOnePaddedInitialPacket()
There was a problem hiding this comment.
I see. Your proposal seems good to me. @martinthomson: can you clarify what you think is missing?
There was a problem hiding this comment.
Striking out the bit that we've agreed to remove, the text from the transport draft is:
Clients MUST ensure that UDP datagrams containing Initial packets are sized to at least 1200 bytes, adding padding to packets in the datagram as necessary.
Once a client has received an acknowledgment for a Handshake packet it MAY send smaller datagrams.Sending padded datagrams ensures that the server is not overly constrained by the amplification restriction.
This contradicts that text. It's true that a server that received a Handshake packet is no longer subject to the anti-DoS limit on bytes transmitted, but it's a bit weird that we have an algorithm that directly contradicts a MUST-level requirement in the other document.
There was a problem hiding this comment.
@martinthomson: AIUI, you'd remember this better since it was your PR, but wasn't the bit we agreed to remove was about special-casing padding of Initial packets? My reading of @ianswett 's proposed text doesn't contradict that.
Ralith
force-pushed
the
anti-deadlock-pseudocode
branch
from
75478a7
to
2a35f8b
Compare
The draft requires that clients transmit packets to prevent anti-amplification deadlock when there is no crypto data to send.
Ralith
force-pushed
the
anti-deadlock-pseudocode
branch
from
2a35f8b
to
7e0a5c0
Compare
* Don't arm the handshake timer if there's no data Fixes the portion of #1964 not fixed in #2281 * MUST send * Martin and Marten's comments * Update draft-ietf-quic-recovery.md * Update draft-ietf-quic-recovery.md * Martin and Ian's comments * Update draft-ietf-quic-recovery.md * Update draft-ietf-quic-recovery.md * Update draft-ietf-quic-recovery.md Don't set the crypto retransmission timer if the time threshold timer is set * Jana's comments * Update draft-ietf-quic-recovery.md * Update draft-ietf-quic-recovery.md * Update draft-ietf-quic-recovery.md Co-Authored-By: ianswett <ianswett@users.noreply.github.com> * Update draft-ietf-quic-recovery.md Co-Authored-By: ianswett <ianswett@users.noreply.github.com> * Update draft-ietf-quic-recovery.md * Update draft-ietf-quic-recovery.md * Update draft-ietf-quic-recovery.md * Update draft-ietf-quic-recovery.md
Recovery §6.2.1 instructs:
but this was not reflected in the pseudocode. I think these changes reflect the intended behavior.