-
moparisthebest
anyone know what servers in the wild do when a remote server sends stanzas back over an outgoing-only s2s connection ?
-
moparisthebest
that could be a fun vulnerability if they aren't rejected, I'll try to test this soon
-
MattJ
goffi: since you're working on ActivityPub stuff, wanted to make sure you're aware of https://socialhub.activitypub.rocks/pub/ec-ngi0-liaison-webinars-and-workshop-april-2021
-
goffi
MattJ: thanks, I think I've seen it passing, but unfortunaly it's during my paid job working time, so I can't attend.
-
dwd
moparisthebest, There used to be all sorts of cases of servers doing that, and indeed servers not bothering to reject and just processing (sort of XEP-0288 by default).
-
moparisthebest
dwd, yea I could see it being an easy mistake
-
moparisthebest
so QUIC has bi-directional streams like TCP, but also uni-directional, I'm thinking those should be the only thing normal s2s should be allowed over
-
moparisthebest
then you prevent that problem right out of the gate
-
moparisthebest
it has the handy side-effect of making multi-plexing s2s and c2s on the same quic port trivial, all new bidirectional streams are c2s, all new unidirectional streams are s2s
-
dwd
I don't think there's any security issue with accepting stanzas over an outgoing S2S channel though. It's just an interop problem because some implementations migt ignore them.
-
dwd
And there's lots to be said for making S2S bidirectional.
-
Zash
I'm thinking it would be good to at least support errors in the "wrong" direction... like what Google did, except, you know, discussing it first and not just breaking spec.
-
moparisthebest
an alternative could be to make BIDI required for XMPP-over-QUIC
-
moparisthebest
it might or might not be worth doing though, QUIC connections are considerably cheaper than TCP+TLS connections
-
dwd
moparisthebest, In terms of connection speed, yes. But the major memory cost of XMPP is in TLS sessions, as I recall.
-
Kev
And buffering.
-
moparisthebest
from an OS level you are just sending/receiving a bunch of UDP packets on a single port anyway
-
moparisthebest
but yes, re: TLS sessions there could be some wins too, since each QUIC connections supports multiple streams over it
-
moparisthebest
so if a server has the same cert for a.org and b.org and I have a QUIC connection for a.org already, I can just open another stream over it for b.org
-
moparisthebest
so far I have the "server" side done and am working on the "client" side now, I put them in quotes because they both support c2s and s2s so it's annoying terminology wise :)
-
moparisthebest
in the end though, should be able to slap it in front of any xmpp server or client and make them speak xmpp-over-quic, and then, the xep
-
Kev
This is all very interesting stuff.
-
dwd
XMPP/QUIC is definitely in I-D territory, mind.
-
dwd
And yes, XMPP/QUIC has a lot of utility in the spaces in which Kev and I seem to end up.
-
moparisthebest
I expect so, but no reason implementation and XEP can't come first
-
moparisthebest
I don't think QUIC itself is fully finalized yet even
-
Kev
Just a word of warning about acting as a proxy to quic - most servers have different expectations on what clients will do than what quic will necesarily support. I *think* it should be ok if a client treats the quic connection like tcp with possibly better failure cases, but if they were to start expecting be able to do things quic can do (like going silent and coming back) it might get messy.
-
dwd
QUIC also does things that TCP has no analogue for, like handover and stuff. It'd be really interesting to fully explore this.
-
moparisthebest
the most visible benefit I can think of is mobile clients roaming between wifi and lte etc, no reconnections
-
Kev
(Whereas a server doing quic natively knows it’s quic and can cope with it. Hopefully)
-
Ge0rG
shouldn't handover be transparent for a socket user like an xmpp server?
-
Kev
moparisthebest: Yes, there are definite benefits to be had here. There are also some possible drawbacks to a proxy approach, which I’m flagging just so they’re thought about, rather than to suggest you should stop what you’re doing.
-
moparisthebest
in my current implementation, both the client and the server thinks their doing TCP, and will do TCP things, it's just actually doing QUIC over the network✎ -
moparisthebest
in my current implementation, both the client and the server thinks they're doing TCP, and will do TCP things, it's just actually doing QUIC over the network ✏
-
moparisthebest
so the specific case of going silent and coming back should work fine I think, the quic proxy will just keep the same TCP connection open to the server
-
Kev
I’m thinking, for example, that both ends keep their TCP open while the QUIC goes away. Then the server terminates their TCP for unresponsiveness. Then the QUIC comes back. The client-side proxy then gets told over quic that the connection has gone. Then the client gets told their TCP has gone. Then they reestablish (through the proxy, but costing as many roundtrips as the normal setup would be, plus the time for the original connection to be told to kill over QUIC.
-
Kev
Sorry if that was horribly incoherent.
-
moparisthebest
ah yes, no I got it
-
moparisthebest
on one hand (temporary connectivity loss) timeouts could just be extended, but also they could have hopped to a quic-blocking network, in which case disconnecting and reconnecting (might end up reconnecting over TCP) is the right thing to do
-
Kev
I only have half-baked thoughts, rather than anything useful, on this at the moment :)
-
dwd
Kev, FWIW, I think a proxy is a useful way to start exploring how a binding might look. Ultimately, though, we'll need servers and clients to natively support the binding, otherwise as you say various weird mismatches will make things go awry.
-
dwd
Kev, And indeed, a proxy is almost by definition only half baked...
-
moparisthebest
I certainly expect the code+spec to change quite a bit before finalization, but might as well get something going
-
Kev
Yes, a proxy (pair) is entirely a sensible (probably most sensible) way to start investigating this. I couldn’t be happier that moparisthebest is looking at it. Please don’t take my comments as suggesting it’s not valuable.
-
moparisthebest
the nice thing that enables playing around is if quic-connections fail for any reason, good clients and servers will fall back to TCP
-
moparisthebest
at the moment if everyone implemented quic, there are even base protocol differences between the libraries, because quic itself isn't finalized
-
dwd
moparisthebest, _xmpp-client._quic....?
-
dwd
I am rather beginning to wish we'd gone the _xmpp-client._tls... route now for symmetry.
-
moparisthebest
I'm hoping not... srv2/whatever-its-called-now would cover quic + all previous connection methods
-
dwd
Oh, I keep forgetting that exists.
-
moparisthebest
it should let us advertise+prioritize websocket, starttls, tls, quic, $new-thing-here in 1 DNS query/response
-
moparisthebest
I haven't gotten this far yet, other than vague thoughts
-
moparisthebest
but if we have to stick (or start) with regular SRV I guess for consistency-sake it'd be xmpp-clientq._tcp >:D
-
Zash
`_tcp` ... makes no sense
-
jonas’
ITYM _xmpp-clientq._udp
-
moparisthebest
could do yea
-
jonas’
s/could/must/ I guess
-
moparisthebest
the problem (and this is a REALLY STUPID PROBLEM) with anything other than _tcp and _udp is crap DNS web interfaces that only support those 2
-
jonas’
what else would you put there?
-
Zash
What
-
jonas’
quic runs on top of UDP
-
jonas’
not next to
-
jonas’
so _udp is the right thing here anyway
-
Zash
Stupid DNS web interfaces gonna be stupid.
-
moparisthebest
yep it'd make more sense than _tcp
-
moparisthebest
and dumb web interfaces should be able to handle it
-
jonas’
stupid DNS web interfaces are the IP middleboxes of DNS
-
moparisthebest
on a related topic... nothing currently does s2s-over-websocket does it ?
-
Zash
Maybe Google et all can be convinced to put HTTP/4 directly on top of IP, then maybe we'll finally be able to flush out all those middleboxes
-
moparisthebest
I think they gave up on that when they chose UDP for QUIC Zash
-
moparisthebest
I *think* the answer to s2s-over-websocket is: 1. nothing does it 2. because there is no way to discover support sound right?
-
Zash
Nice things. Can't have them.
-
jonas’
moparisthebest, I think the answer is why would you even consider doing such a thing ;)
-
Kev
There’s limited value in S2S over websocket, I think.
-
moparisthebest
I guess I'm asking... other than lack of discovery support, is there a reason *not* to do s2s over websocket?
-
jonas’
moparisthebest, why bring an HTTP stack into something where TCP (or plain QUIC) is sufficient?
-
moparisthebest
the value is just... another way to connect I guess
-
moparisthebest
yet again, crap networks with crap restrictions
-
jonas’
I think those are much less relevant for s2s
-
Zash
Don't host your server there then
-
moparisthebest
oh I agree, but some people have to live in say china
-
jonas’
websockets won’t save you against the GFW
-
jonas’
not for long anyway
-
moparisthebest
I guess it'd also allow folks that want phone-battery-eating-p2p messengers to *just use XMPP* :D
-
Zash
Just run it over Tor tehn✎ -
Zash
Just run it over Tor then ✏
-
Zash
That'll take care of the p2p as well as the battery eating
-
moparisthebest
and not be able to communicate with 90% of the xmpp network
-
Zash
Do they want to?
-
Zash
THEY!!!
-
moparisthebest
idk, why not ?
-
moparisthebest
the infamous "user"
-
moparisthebest
what do they want? no one knows!
-
moparisthebest
long story short though, if a new way to discover $connection-types is introduced to cover quic, tcp, direct tls, I guess no reason to avoid throwing websocket in there? maybe even bosh? s2s-over-bosh should be fun right?
-
jonas’
second system syndrome?
-
Zash
There are too many connection methods now.
-
Kev
I think if s2s over websockt adds no value, it’s better to not speak of it than to distract people.
-
dwd
How do you discover which DNS transport to use, though?
-
Zash
Easy, just use {Google,Cloudflare}
-
jonas’
dwd, that hurt.
-
moparisthebest
dwd: dns-over-xmpp is the only choice there
-
Zash
But how do you find where to connect to *that*?
-
moparisthebest
That's hardcoded
-
moparisthebest
Seriously though, I'm not immediately convinced s2s over websocket adds no value
-
Zash
Try saying it with even more double negative
-
moparisthebest
Ha, I think it could be valuable
-
dwd
I wouldn't say that I'm not immediately convinced that S2S over websockets adds no value, myself.
-
Zash
🤯️
-
dwd
Actually, more seriously, it might make deployment simpler. Getting an XMPP server up and running currently is roughly similar to a mailserver, except that people are usually a bit more familiar with mail routing.
-
jonas’
oh no.
-
jonas’
but so could doing QUIC + ALPN + multiplexing, which I would prefer over websockets for s2s
-
Holger
dwd: `apt install ejabberd`, fix the XMPP domain name? :-P
-
dwd
Holger, And figure out SRV, firewalling rules, load balancers, and so on.
-
moparisthebest
there are also terrible terrible hosting services now that only expose http load balancing for access
-
Holger
dwd: None of those are required if you didn't create an unnecessarily complex environment before installing the daemon ;-)
-
dwd
Holger, I mean, for you and me, sure. For average sysadmin experieced with The Ways Of Net but new to XMPP? Hard.
-
Holger
In the email universe you have an entirely separate daemon for MAM.
-
moparisthebest
my thoughts for xmpp-proxy were, on the inbound side, support all-the-methods, and talk to the backend xmpp server over plain tcp
-
moparisthebest
on the outbound side, do the same thing, support plain tcp only for the xmpp server/client, then support all-the-methods outgoing
-
moparisthebest
this lets you build an xmpp server and/or client that only does plain tcp, no tls/starttls/quic/websocket/bosh
-
moparisthebest
clearly a monoculture where every xmpp thing goes through the same proxy would be terrible, but it would allow retrofitting new connection methods while servers catch up✎ -
moparisthebest
clearly a monoculture where every xmpp thing goes through the same proxy would be terrible, but it would allow retrofitting new connection methods while servers and clients catch up ✏
-
Sam
Reminder that tomorrow is the XMPP Office Hours! This week I'm giving an intro to XMPP for new XMPP developers. However, if you're an experienced dev I'd love feedback! https://wiki.xmpp.org/web/XMPP_Office_Hours
-
emus
Yes, and with that reminder I would like to ask for a volunteer with access to Twitter to put this into a tweet as well? Would be a great support! https://fosstodon.org/web/statuses/106093870952431363
-
Sam
Thanks emus!
-
emus
Sure! You do a great setup there!