QUIC as a solution to protocol ossification
QUIC as a solution to protocol ossification
Posted Feb 1, 2018 1:45 UTC (Thu) by ebiederm (subscriber, #35028)In reply to: QUIC as a solution to protocol ossification by sorokin
Parent article: QUIC as a solution to protocol ossification
Partly this is PNAT firewalls that everyone calls wireless routers in their homes. The fact they are sharing a single IPv4 address among multiple computers means for protocols to work at all they have to look past the IP layer into the TCP/UDP layer and give some ports to some machines and other ports to other machines.
There has been a lot of good work in recent years on what should be expected from home routers. With specifications so you can show your hardware is out of spec (to return it/reject supporting it if you are the ISP) and the multiple addresses of IPv6 we may see some deossification.
But even then there are only 1 byte's worth of protocols that sit above IP. Which unfortunately means that protocol numbers must be assigned with care. Which means that if you don't have something that is a fantastic improvement over what has gone before getting a protocol number will be work, and getting everyone to support it will be a huge uphill struggle.
Anyone who wants to understand the complexity of setting up an end-to-end connection between two arbitrary computers on the internet I suggest you look at RFC5245 Interactive Connectivity Establishment (aka ICE). This is being deployed in WebRTC so that video chat will work in browsers, and is much of magic the skype used back in the day to not require server resources.
When you honestly need PNAT in every home, and you consider implementation bugs. It becomes increasingly clear new protocols need to be encrypted just so that in some small fraction of cases they are not mistake for something else, and broken by someones well meaning but buggy code.
Then you get the challenge that most protocols get deigned on nice networks that don't run NAT of any kind. There are no obstructions. So the protocol designers don't make their protocols deal with the reality of the internet. SCTP is a good examples of that. Linux to this day does not have a good PNAT solution for multi-homed SCTP because the design of SCTP makes it essentially impossible unless you can see all traffic on of the paths (and machines are not multi-homed behind you if you can see all of the traffic they emit). Which means that even if someone wanted to add support for SCTP to the next generation of a NAT box it isn't easy.
If you are willing to live with not supporting the small fraction of problem cases, and have enough pull to get people to fix their broken networks you can see that things are not completely ossified. The increasing percentage of internet clients with IPv6 support is proof of that. The larger address space really is worth dealing with the mess.
So the ossification picture is not quite a bleak as some people make out. Progress is possible when it is important enough. But it is hard to design a new protocol, and it even more so with the prevalence of PNAT on the internet. The best hope for reduced ossification is the deployment of IPv6 which will mean middle boxes should be both more standardized, and have much less reason to mangle the traffic going through them. As the prevalence of addresses in IPv6 removes the need for PNAT.
Posted Feb 1, 2018 4:13 UTC (Thu)
by mtaht (subscriber, #11087)
[Link] (1 responses)
I shure hope "5g" deployments get this right.
Posted Feb 1, 2018 6:37 UTC (Thu)
by Cyberax (✭ supporter ✭, #52523)
[Link]
Posted Feb 1, 2018 6:34 UTC (Thu)
by Cyberax (✭ supporter ✭, #52523)
[Link] (1 responses)
All to make sure it can work through middleboxes that horribly break everything but HTTPS.
Good luck trying to write the same code if you're a small company. But meanwhile, nim-nims can enjoy "control" that they exert by breaking Google.
Posted Feb 9, 2018 1:46 UTC (Fri)
by ras (subscriber, #33059)
[Link]
I was at the talk, and yet he did hammer on and on about middle boxes. It sounded over the top until he said something along the lines of:
"The only fix is to encrypt everything. We had one byte, just one byte that wasn't encrypted. Then we when changed it, and we started getting reports of broken connections. It has only been out for a few months, and it wasn't published anywhere so no one could have known what that byte was. Yet ossification has set in."
At that point started to feel sorry for him.
Posted Feb 2, 2018 23:57 UTC (Fri)
by lsl (subscriber, #86508)
[Link]
Having such specs available is very nice. Is there anything like it for non-home enterprise firewalls and the like?
It would be even more awesome to have some kind of test suite that admins could run when evaluating such devices. Or that you could use to help admins bring their network to a more sane state. Often times, such issues are just the result of a botched configuration with network operators unaware of the implications but happy to fix when pointed out to them.
I might even write such test suite myself if it doesn't exist yet. But what do you test for? Obvious candidates would be things like the very helpful RFC4890 ICMPv6 firewalling recommendations. Then probably test the effects of various TCP options, IP multi-cast, the proper functioning of PMTU discovery or interaction with very recent TLS and exotic features of older plaintext protocols including HTTP.
What are the other areas middlebox vendors have proven themselves incapable of implementing in a sane way? Where to expect problems?
If anyone has pointers to relevant resources, I'd be very happy to read them.
QUIC as a solution to protocol ossification
QUIC as a solution to protocol ossification
QUIC as a solution to protocol ossification
Around 2007 I was involved in a project that used multiple HTTP connections to transmit VoIP packets, with forward error correction and elaborate TCP retry avoidance logic. All-in-all, it took about several man-years to get right.
QUIC as a solution to protocol ossification
QUIC as a solution to protocol ossification