Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Move connection ID change to only Server Cleartext #589

Merged
merged 3 commits into from
Jun 6, 2017
Merged

Move connection ID change to only Server Cleartext #589

merged 3 commits into from
Jun 6, 2017

Conversation

martinthomson
Copy link
Member

Closes #588

@martinthomson martinthomson added design An issue that affects the design of the protocol; resolution requires consensus. -transport labels Jun 6, 2017
MikeBishop
MikeBishop reviewed Jun 6, 2017
View reviewed changes
draft-ietf-quic-transport.md Outdated

The packet number field echoes the packet number of the triggering client
packet. This allows a client to verify that the server received its packet.
The packet number and connection ID fields echo the packet number of the
Copy link
Contributor

@MikeBishop MikeBishop Jun 6, 2017
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This says the connection ID field contains the original packet's packet number. Don't think that's correct.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I believe that it is correct.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No, the packet number field should contain the client's packet number, and the connection ID field should contain the client's connection ID. Otherwise, this is just... weird.

@igorlord
Copy link
Contributor

igorlord commented Jun 6, 2017
edited
Loading

So if I have 50% of the backend servers upgraded to a newer QUIC version, how do I make sure that client comes back to the same server after Version Negotiation? I.e. I think what you are doing here is removing Server Connection ID from Version negotiation packets.

@chocis
Copy link

chocis commented Jun 6, 2017

Why such design changes? I want to selectively decide which server will load balance asymmetric cryptography (heavy processing) of TLS handshake. With this design its not possible.

@martinthomson
Copy link
Member Author

@chocis, That was discussed here at the interim as being a primary advantage of the current design. No one spoke in favour of retaining that.

janaiyengar
janaiyengar reviewed Jun 6, 2017
View reviewed changes
draft-ietf-quic-transport.md Outdated
only sent after the server has committed to maintaining connection state.
packets ({{packet-client-initial}}) and 0-RTT packets ({{packet-protected}}).
If the client has received any packet from the server, it uses the connection ID
it received from the server.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This sentence is slightly misleading, since 0-RTT packets will continue using the client Connection ID. I would remove this sentence since paras below cover everything else.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

"... for all packets other than 0-RTT packets." ?

@MikeBishop
Copy link
Contributor

@huitema also spoke against that, since it becomes easy for an attacker to forge.

@janaiyengar janaiyengar merged commit 22bd53f into master Jun 6, 2017
@martinthomson martinthomson deleted the scid branch June 6, 2017 15:04
@chocis
Copy link

chocis commented Jun 6, 2017

Well then I would like to propose to reconsider that. Is there any reason why Server Stateless Retry couldn't change CID?

  1. Firstly, in my opininon server without using Server Stateless Retry (without verifying src address/port) is simply asking to be DOS attacked. I could fill server's RAM with Raspberry Pi by simply spoofing src address. Thats why I am talking about situation where that check is enabled.

  2. Secondly, imageine that you want to use CID for load balancing your clients. In current solution you would have to support accepting TLS handshake on all backends and when initial request is validated the partial TLS and QUIC state must be serialized and somehow transported to decided loadbalanced server (with the new CID) - and thats not easy AT ALL. I think, that this can be solved by simply returning new CID in Server Stateless Retry without doing any work or state transportation on backend.

@igorlord
Copy link
Contributor

igorlord commented Jun 6, 2017

The way I would implement the load balancer:

  1. If the packet has CCID, consistent hash it into the pool of backend servers for this dest IP or hostname based on the 6-tuple (5+tuple + CCID) and forward the packet.
    1a. The backend server replies with a Version Negotiation packet (too bad cannot use SCID here). or
    1b. The backend server replies with a SCID to continue the handshake.

  2. If the packet has SCID, validate that SCID seems ok and forward the packet to the identified server.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@MikeBishop MikeBishop MikeBishop left review comments

@larseggert larseggert larseggert approved these changes

@janaiyengar janaiyengar janaiyengar approved these changes

Assignees

@janaiyengar janaiyengar

Labels
-transport design An issue that affects the design of the protocol; resolution requires consensus.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
6 participants
@martinthomson @igorlord @chocis @MikeBishop @larseggert @janaiyengar