udippant
commented
2 years ago Q1: server_id in the map points to only the L7 host ip (gets updated here)
Q2: Katran itself doesn't encrypt or modify the server_id. But applications can apply different schemes to encrypt / rotate the server_ids before inserting the mapping into Katran.
Q3: Linkability concern is mentioned in the QUIC's RFC (https://datatracker.ietf.org/doc/html/rfc9000#section-9.5) along with suggestion to use different connection-ids on both endpoints following the migration. Regarding the potential concern with server-id : depending on the use case, a potential workaround could be adding many-to-1 entries for server_id => L7 hosts and rotate the server_ids frequently. If you want more cryptographically secure implementation, this draft has more details : https://tools.ietf.org/id/draft-duke-quic-load-balancers-03.html (which Katran does not yet implement).
Lingtaonju
Dear Sir, Fortunately, I have read the slides proposed by Udip Pant and Martin Lau and the stateless routing is a clever design. About this idea, I have some questions, will you give me some guides?
Q1. The "server id" maps to the "layer 7 lb ip and port" or only "layer 7 lb ip" ? Q2. Is the "server id " encrypted or in plaintext ? Q3. Will the "server id" be used by the observer to link the connection when quic doing migration, as described in "rfc9000, #9.5" ?
I will look forward for the reply, thanks a lot.
Best regards! lingtao.