Comments (8)
Of course, I was thinking of something else.
For the stateless algorithm, can we assume that servers are configured with a "current epoch" in a way that's properly synchronized with the LB, and that the epoch is encoded in the first byte of the "compliant" CID? Then the LB can do the following:
- For Initial packets, assume non-compliance. Treat CIDs as if they were part of the current epoch. Derive the mapping from CID to server ID according to the current epoch's key.
- For all other packets, assume compliance. If the epoch is "too old", drop the packet (the server should have sent a new CID to the client). Otherwise, derive the mapping from CID to server ID according to the specified epoch's key. (Or if the CID is in the cache, use the cache.)
Thanks Christian!
I am not sure I fully understand your proposal, but I will make some points:
- quic-lb tries to distinguish only short-header and long-header packets to remain version invariant. There is no notion of Initials.
- The second Initial carries a server-generated CID, and 0-RTT does not, so it is not so simple as sniffing the Initial codepoint.
- IIUC the CR codepoint is much like your "epoch." I think the problem is when you are switching epochs; the LB must understand both and can't be sure which epoch any given server is on. Indeed, this is the heart of the issue.
Or perhaps I've wildly misunderstood your proposal.
So it boils down to a synchronization problem. The LB knows that a server is in epoch N+1 if it sees a CID from that server with the new epoch. So the transition will work like this:
- Before the transition, the server uses epoch N. The LB sees CIDs from that server with epoch N.
- At some point, the LB transitions to N+1.
- If the server notices the LB's transition, it also moves to epoch N+1.
- Some time after that, the LB sees clients sending packets to that server with a DCID marked for epoch N+1, at which point it knows the server and LB are synchronized.
The main problem is that there is no synchronization signal from LB to server. The server cannot look at the ID and infer that the LB has moved to a new epoch.
It might be possible to use the retry frames to solve that. When it receives a new initial that would map to server X before confirmation that server X is on epoch N+1, the LB might send a retry to the client, suggesting a conforming DCID marked with epoch N+1. The server will receive the retried Initial, and learn that the new epoch has started. The idea probably needs some exploring, but that seems plausible.
Assuming handshakes are going on, yes, LBs can see what configs are operating. This is my option 2 but using egress SCID instead of ingress DCID, definitely an improvement.
Several drafts ago we moved away from explicit in-band signaling. Now we're headed back.
@ianswett and I had a long discussion about this problem. We reached a consensus that solution #6 was the least bad one. To summarize:
- If a client-generated CID comes in that does not match a known config, do not add an SID entry at the LB or server.
- If it does match a config codepoint, extract the SID accordingly and add it to the table.
- There will be cases where the LB has a config codepoint, but the server does not. If so, the LB has "wasted" an entry but this is not a big problem. The reverse would be a problem, but it is already a requirement for the LB to have the superset of server configs.
- When it first loads a config, the server will not have any SIDs. This should correct itself after a handful of connections, but until it does the CIDs it generates use the 4-tuple routing codepoint. When it does get an SID, it can retire the old ones across all connections. Thus, there are transitory states where a server can't support rebinding and migration.
This is still open for discussion, but I am working on a large PR to reorganize the whole routing section around dynamic SID allocation.
One note: I believe it can support NAT rebinding, just not migration or changing CIDs. If a client unknowingly changes its address due to a NAT rebind, it does not change its CID.
No, because if it's the 4-tuple routing codepoint the LB ignores the rest of the CID. So it will route based on the (changed) 4-tuple.
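The dynamic SID allocation rules summarized above (no table entry for a CID with an unknown config codepoint, an entry when the codepoint matches, a "wasted" LB entry when the server lacks the config, and 4-tuple-coded CIDs while a server has no SID) and the NAT rebind exchange just below it can be checked against a small model. The following is an added example written for this page; it is not code from the quic-lb draft or its authors, and it does not model the draft's real CID layout or encryption. Everything in it is constructed: the top two bits of the first CID byte are taken as the config codepoint, 0b11 is taken to mean "route by 4-tuple", the server ID sits in plaintext after the first byte, and the LB's 4-tuple routing is a toy deterministic hash standing in for a consistent hash.

```python
"""Toy LB/server model of dynamic SID allocation and 4-tuple fallback.

Added example, not the quic-lb draft's own code or algorithm. Constructed
assumptions: config codepoint = top 2 bits of byte 0; 0b11 = route by 4-tuple;
the SID follows byte 0 in plaintext; 4-tuple routing is a toy hash.
"""
import secrets
from dataclasses import dataclass, field

FOUR_TUPLE_CP = 0b11   # assumed codepoint meaning "no SID here, route by 4-tuple"
CID_LEN = 8            # constructed fixed CID length


def codepoint(cid: bytes) -> int:
    return cid[0] >> 6


def make_cid(cp: int, sid: bytes = b"") -> bytes:
    """Build a CID: codepoint in the top 2 bits, then the SID, then random filler."""
    first = (cp << 6) | secrets.randbits(6)
    return bytes([first]) + sid + secrets.token_bytes(CID_LEN - 1 - len(sid))


@dataclass
class Server:
    name: str
    configs: dict                              # codepoint -> sid_len this server knows
    sids: dict = field(default_factory=dict)   # codepoint -> SID allocated so far

    def learn_sid(self, cid: bytes) -> bool:
        """Record the SID carried by a CID the LB routed here; False if config unknown."""
        cp = codepoint(cid)
        if cp not in self.configs:             # LB knew the config, server did not
            return False
        self.sids.setdefault(cp, cid[1:1 + self.configs[cp]])
        return True

    def new_cid(self, cp: int) -> bytes:
        """Mint a routable CID, or a 4-tuple-coded one while no SID is allocated."""
        if cp in self.sids:
            return make_cid(cp, self.sids[cp])
        return make_cid(FOUR_TUPLE_CP)


@dataclass
class LoadBalancer:
    servers: list
    configs: dict                                  # codepoint -> sid_len (superset of servers')
    sid_table: dict = field(default_factory=dict)  # (codepoint, sid) -> Server

    def by_tuple(self, four_tuple) -> Server:
        # Toy stand-in for a consistent hash over (src_ip, src_port, dst_ip, dst_port).
        return self.servers[sum(str(four_tuple).encode()) % len(self.servers)]

    def route(self, cid: bytes, four_tuple) -> Server:
        cp = codepoint(cid)
        if cp == FOUR_TUPLE_CP or cp not in self.configs:
            return self.by_tuple(four_tuple)       # no SID entry is added
        key = (cp, cid[1:1 + self.configs[cp]])
        if key not in self.sid_table:              # dynamic SID allocation
            server = self.by_tuple(four_tuple)
            self.sid_table[key] = server
            server.learn_sid(cid)                  # may be a "wasted" LB entry
        return self.sid_table[key]


def scenario() -> dict:
    """Walk through the thread's cases; returns one boolean per claim."""
    s0, s1 = Server("s0", {1: 2}), Server("s1", {1: 2})
    lb = LoadBalancer([s0, s1], {1: 2, 2: 2})      # LB also has config 2; servers do not
    t = ("192.0.2.10", 40000, "203.0.113.5", 443)  # constructed 4-tuple
    first = lb.by_tuple(t)
    cid_tuple = first.new_cid(1)                   # fresh server: no SID yet
    client_cid = make_cid(1, b"\x12\x34")          # client CID that matches config 1
    owner = lb.route(client_cid, t)                # allocates SID 0x1234 to `owner`
    cid_sid = owner.new_cid(1)                     # now routable by SID
    lb.route(make_cid(0, b"\x00\x01"), t)          # codepoint 0: unknown to the LB
    lb.route(make_cid(2, b"\xab\xcd"), t)          # codepoint 2: LB knows, server doesn't
    t_rebound = (t[0], t[1] + 1, t[2], t[3])       # NAT rebind: new source port, same CIDs
    return {
        "fresh_server_uses_4tuple": codepoint(cid_tuple) == FOUR_TUPLE_CP,
        "sid_routed_survives_rebind": lb.route(cid_sid, t_rebound) is owner,
        "tuple_routed_survives_rebind": lb.route(cid_tuple, t_rebound) is first,
        "unknown_codepoint_adds_entry": any(k[0] == 0 for k in lb.sid_table),
        "wasted_lb_entry": (2, b"\xab\xcd") in lb.sid_table
                           and 2 not in lb.sid_table[(2, b"\xab\xcd")].sids,
    }


if __name__ == "__main__":
    for claim, holds in scenario().items():
        print(f"{claim}: {holds}")
```

The toy hash flips parity when the source port changes by one, so the rebind case shows the point made in the reply above: a CID carrying an SID still lands on its owner after the 4-tuple changes, while a 4-tuple-coded CID follows the new 4-tuple to whichever server the hash now selects.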