On 6/25/2024 10:13 AM, Lucas Pardue wrote:
On Tue, Jun 25, 2024, at 17:39, Paul Vixie wrote:
On Jun 25, 2024 09:00, Lucas Pardue<[email protected]> wrote:
<<As others have noted, some folks are risk averse and are happy enough with the
status quo. If there are performance wins to be had, they'll likely be wanting to see case
studies before the CTO signs off on turning something on that might even have the slightest
hint of being able to cause some regression in performance or stability.>>
I know that the designated topic is performance, but please give a thought to
the CISO's sign off. In a secure private network, a protocol designed to
prohibit monitoring is a nonstarter. We could get further faster with QUIC
deployment to these networks if there was support for secure proxy discovery
with connection annealing after the proxy had applied its policies to a flow.
Secure proxy discovery and configuration would be useful for a number of use
cases beyond just QUIC. I totally support the idea of people working on that in
the appropriate IETF venue.
Many QUIC (and TLS) implementations support the "key log file" facility
designed for debugging QUIC using wireshark (see
https://datatracker.ietf.org/doc/draft-ietf-tls-keylogfile/). I have
heard reports of on-device "host firewalls" using that API to get the
encryption keys of QUIC connections and inspect their traffic. I have
mixed feelings about that, but it is clearly an "emerging behavior".
-- Christian Huitema
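As an added illustration of the key log facility mentioned above (this is example code, not anything from the thread or the draft), the following parser reads an SSLKEYLOGFILE-format file and reports which connections its logged secrets would let a third party such as Wireshark or a host firewall decrypt. It assumes the label names defined in draft-ietf-tls-keylogfile (the NSS key log format) and uses a constructed sample rather than a real capture.

```python
import re
from collections import defaultdict

# Labels defined in draft-ietf-tls-keylogfile (the NSS key log format).
TLS13_LABELS = {
    "CLIENT_EARLY_TRAFFIC_SECRET", "EARLY_EXPORTER_MASTER_SECRET",
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET", "SERVER_HANDSHAKE_TRAFFIC_SECRET",
    "CLIENT_TRAFFIC_SECRET_0", "SERVER_TRAFFIC_SECRET_0", "EXPORTER_SECRET",
}
TLS12_LABELS = {"CLIENT_RANDOM"}  # legacy TLS 1.2 line: master secret per client random
HEX = re.compile(r"^[0-9a-fA-F]+$")

def parse_keylog(text):
    """Parse key log lines into {client_random: {label: secret_bytes}} plus rejected lines."""
    conns = defaultdict(dict)
    rejected = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):  # blank lines and comments are permitted
            continue
        parts = line.split(" ")
        if len(parts) != 3:
            rejected.append((lineno, "expected 3 space-separated fields")); continue
        label, client_random, secret = parts
        if label not in TLS13_LABELS | TLS12_LABELS:
            rejected.append((lineno, f"unknown label {label}")); continue
        if len(client_random) != 64 or not HEX.match(client_random):
            rejected.append((lineno, "client_random must be 32 bytes of hex")); continue
        if not HEX.match(secret) or len(secret) % 2:
            rejected.append((lineno, "secret must be whole bytes of hex")); continue
        conns[client_random.lower()][label] = bytes.fromhex(secret)
    return dict(conns), rejected

def decryptable_connections(conns):
    """Client randoms whose logged secrets suffice to decrypt application data."""
    app = {"CLIENT_TRAFFIC_SECRET_0", "SERVER_TRAFFIC_SECRET_0"}
    return sorted(cr for cr, labels in conns.items()
                  if "CLIENT_RANDOM" in labels or app.issubset(labels))

# Constructed sample (placeholder hex, not real keys): one complete TLS 1.3 connection,
# one with only the client application secret, one TLS 1.2 line, one malformed line.
SAMPLE = (
    "# constructed sample, not a real capture\n"
    f"CLIENT_HANDSHAKE_TRAFFIC_SECRET {'aa' * 32} {'11' * 32}\n"
    f"SERVER_HANDSHAKE_TRAFFIC_SECRET {'aa' * 32} {'22' * 32}\n"
    f"CLIENT_TRAFFIC_SECRET_0 {'aa' * 32} {'33' * 32}\n"
    f"SERVER_TRAFFIC_SECRET_0 {'aa' * 32} {'44' * 32}\n"
    f"CLIENT_TRAFFIC_SECRET_0 {'bb' * 32} {'55' * 32}\n"
    f"CLIENT_RANDOM {'cc' * 32} {'66' * 48}\n"
    "BOGUS_LABEL deadbeef 00\n"
)
```

Run against a real key log, the output tells an auditor which sessions a process holding that file could have inspected.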