Description
Evolvability, Deployability, & Maintainability (EDM) Program Meeting, 2023-02-09
More info: https://datatracker.ietf.org/program/edm/about/
A
A
Oh, no, it's being recorded, all right. And since these program meetings now also show up in Datatracker, we have official notepads and everything, so I'll drop that, no.
B
C
A
That's pretty funny, very good point. All right, so welcome to EDM. I don't, we haven't met for a little bit, and I think we will be planning on meeting again at 116, but David and I thought be good to have a chat with people now. So I guess, first off, thanks, Martin and David, for taking protocol maintenance to the finish line here, and it's been a long road on that one. But yeah, appreciate all the back and forth and editing and working on incorporating community feedback.
C
D
A
A
So for the agenda for today, what I was proposing we talk about is one of the parts that, in, you know, deployability and maintainability, that we've talked about, that the use it or lose it draft talks about as greasing, and previous calls we've alluded to a couple different questions here, but I wanted to spend a bit more time digging in, and particularly, just, you know, to set some of the stage, into questions it'd be nice to answer, is like, we've
A
Often in the past said that, you know, we're greasing and it's, you know, something of an experiment where we are learning how effective it actually is, and we, you know, as far as I know, TLS was the first instance of explicitly doing this in a protocol and calling it GREASE, and that was done for very particular reasons, to, you know, avoid perpetuating brokenness, but we are starting to do it in new protocols.
A
A
So, you know, one question is: are we aware of other places where we are using greasing? And I know there's a discussion we had previously on the GitHub about, you know, when does it make sense to do greasing from the start of a protocol in the design, as opposed to, you know, adding it into an existing protocol. But the real thing I'd love to get to
A
Is, you know, at what point, if we say this is something where we're learning if it's actually effective and how it works, how are we learning that? How are we measuring if it actually works? And if, you know, I assume we can't say anything like, as an IAB document now, like, this is how greasing works, and this is the right thing to do. But when will we be able to say that, and what are we learning from it? So those are thoughts, have added people.
D
It strikes me that the instances where we could have used some greasing, we haven't had them, and we've seen some protocols sort of atrophy in interesting ways.
D
HTTP/2 is a great example of where we, I think we knew about greasing at the time we built it, and we didn't put it in, too new at the time, the concept, and since, we've discovered that it's just not extensible anymore in a couple of places, and that's kind of disappointing, given how new that protocol is, but that's how things work, apparently.
A
What are some of the concrete examples of the places where you've already seen H2?
D
D
So places where you might have decided your extension was simply, I'll just send a frame: you have to negotiate that with settings. And I believe that the settings work, and it's kind of another testament to use it or lose it, all right, because it was being used and people are putting other new stuff in there. So, let's
E
F
D
F
D
I think the problem there was that we didn't have a whole lot of active use or active need for new stuff to be used in the frames context. Whereas the settings were, you know, a few things popped up over time, pretty quickly, and so there was active use on the settings, and so we really didn't need to grease that.
D
But then, and that's potentially a lesson for people doing greasing, in that, you know, in QUIC, for instance, we probably didn't need to grease the transport parameters, because they're seeing, like, active use on an ongoing basis, with, like, people on this call throwing stuff in there, like, every other week.
C
Fun story: early days of interop for QUIC, Apple had a bug where they crashed if you sent them a transport parameter they didn't know. Guess how I found out? Because Google's like, oh, we have all this gQUIC stuff, let's just shove it into a transport parameter.
A
C
C
Caught this not because of greasing, because I was using it for something, and that's actually what triggered me to follow the issue and someone to add greasing, probably Martin, to, greasing code points to the transport parameters, was that blowing up. Which, still good to have greasing, but I agree, in some cases, just making sure there you really get use makes life easier.
E
So in one place, two places that it would have been really nice to have greasing decades ago is in IPv6 extension headers, and, like, we've essentially written ourselves into a corner, painted ourselves into a corner with that, and I wish we had described in 6man a decade ago, when we went through that, we had this document, we had described it as greasing to keep these ASIC guys honest. And the other side, which we still don't have a good thing, is TCP options.
E
We still have banks that will drop them, just totally thing, and they dropped them because of default configurations for firewalls, which are now wrong, but are somehow been painted into stone, and there's no reason for it. Like, just say no. If you don't like that option, just say no, it's okay, right? But they don't, they're just being too silly about it.
E
Okay, and I think it's a fake security process that they go through, where they think, oh, we should know everything about everything, and therefore anything that's new must be bad, rather than thinking, no, I should be suspicious, but that doesn't mean I should drop the connection. And I think that's a really big difference, and it would be nice to talk more about greasing, I'm gonna say, outside of the HTTP world.
F
But I don't think greasing would have in the TCP case, because the reason they drop it is because they can, right? They can drop it and it doesn't have any consequences. So it's easy.
E
F
E
A
E
Do, if they don't want to negotiate TCP big window option, okay, and they decide to remove that at their firewall, that's fine, or their middlebox, okay. And if their endpoint doesn't know how to negotiate TCP big window, whatever it was called, option, okay, and they say, oh, we're just not going to process it, that's fine. I don't care which way they, which point, but what they did was that, oh, this is a bad packet.
E
I'm dropping it, right, so you get nothing, and that's the problem. And they don't, like, oh, but it works with Internet Explorer and Windows 95 when we tested it 20 years ago, so it must be okay, right? And then you're like, well. But, you know, and at one point we know we had an ECN, we tried to have an ECN Wall of Shame, right, and it didn't work that well, okay, but, and it sure prevented us from deploying ECN by at least 10 years.
E
I would say, because we couldn't properly get people to, you know, tolerate it, let alone participate, right? So anyway, I just think that we kind of need a "greasing is good" roadshow, and it needs to get outside the IETF, and we need to explain to the security, quote, professionals, unquote, why it is that they're actually harming themselves doing this. Yes, exactly, thank you for the air quotes. I could turn on my video, but yeah.
E
D
A
Going back to one of the questions I had, I have, to start, because we've mentioned some of the protocols that could have greased and didn't, or existed before we talked about greasing and probably would have benefited. Are there, so, you know, TLS, QUIC, we're doing the whole thing, Privacy Pass. Are there others that are actively greasing, or protocols that are baking it in at this point?
C
Great, I just said capsules and Lucas showed up. It worked, wow.
D
I was gonna say, I was gonna ask Michael if there's anything in the space, IoT protocols like CoAP and whatnot, that have adopted.
E
It would be a really good place. We could easily do greasing, and the option fields are very, very, I want to say rich, but easy to do. And what's also interesting is, you may know, CoAP options are like, they're not one, two, three, they're four plus the last one, six plus the last one, and so you could easily have some interesting greasing options that, you know, would split up things so that it's no longer quite the same thing, but you always put the options in order of incrementing value.
E
Okay, this is encoding, this is an encoding efficiency, and that's something, yeah, I actually think we should put a, we should have something in there. IKEv2, would be nice to finally put something in that to do that kind of stuff.
A
E
And also just, here's a really big fat option that causes the packet to fragment, yeah, yeah, right, and then, you know, now and then you put that in. That would be interesting. But do
D
E
That's the point here, is to identify it in testing, when people are doing things, to cause them to go, oh, you know what I mean? That's the whole point: it doesn't work. Our new upgrade doesn't work with 97 of the Apple devices out there. Oops, what do we do wrong, right?
A
E
I know, I know, I know, it's a thing, but the point here is that, again, this is the point: this is caused by people doing stupid things on the network that are intolerant of things, and assuming that, because it worked last week, it's going to work next week, right?
D
Yeah, so the problem here, I think, is that these are applications that are often quite sensitive to performance problems. So you wouldn't want to do this very often, but that leads to the next problem, which is that most of the time you're not doing this, so people aren't encountering the sort of unusual behavior, and then, when it happens, it's like, oh, there's a transient failure, we'll just ignore that.
E
I wanted to actually have a button that was "do interop", right, which would actually propose a known set of traffic selectors with a known set of algorithms, and even get this, a known pre-shared key, across the network. And the whole point of, and the result would be a useless connection. However, it would validate the fact that the packets got there and got back, right, and that would allow you to keep doing the network test until you figured out
E
Oh, I figured out what firewall is breaking the connection, right? And Paul Hoffman thought it was a terrible idea, oh my goodness, because someone's gonna code it as if it's a real thing and it's going to use it for the real thing. Is it? Well, yeah, if they're that stupid, then yeah, of course that could happen.
E
But on the other hand, the rest of us are left with, I have no way to debug the other version at all, because I can't get at the logs, I can't turn on debugging, and I can't do anything, and so, let's install OpenVPN, right? And that's how we have 20 years. We have, we have no good, no "test this thing" option. I mean, even, I was helping a, is it some related thing.
E
I was helping a friend who runs a pub to get her wireless to work, so she could actually get, you know, her credit card terminal to work at the far end of her patio, right? So what we're doing, we're setting up, you know, Wi-Fi extenders and this and that. They aren't working right, and the only way she had to test it was to put a card, her card, into it and debit a dollar. There was no button on the stupid little terminal
E
That said "please just check if my connection is alive", right? It was just, there was, like, no one had thought about this. I'm like, come on, really? I mean, just give me a button that does an HTTP ping or an HTTPS ping to the credit card clearinghouse and let me know if it's alive. Instead, she had to, you know, debit a dollar, refund it, debit a dollar, refund it. It was
E
You know, we did that 27 times or something before we got it working, but I mean, it's just like, really, no testing, right? And that's the same kind of thing that we need, and this is where the greasing comes in. It's like, test it with greasing. All right, here's the connection. Okay, minimal, works. Okay, give me the Christmas tree packet. Oh, it fails. And if I could do that with every product in the IKE space, we would solve problems so much faster, right? Anyway, although
A
I guess, to what Mario was saying earlier about doing this very often: I could do that when I'm building the product and find the interop there, when I know I'm testing this, but later on, people change their configuration, deployment, I don't know about it, and then things break. And if I'm doing greasing on one tenth of one percent of connections, you know, TLS failures happen. Network, really, you know, just like network connectivity failures happen all the time. VPN failures are pretty common, we'll just retry automatically in the background, no one's ever gonna notice.
C
They're, David Ben had a really neat idea, which, unfortunately, he never got around to implementing. We were thinking in Chrome that, like, the seed for greasing would be: every Chrome instance has a random number that's fixed, and then you hash that number with, like, the origin, and that gives you your seed for greasing. And so you can refresh as many times as you want, you always get the same numbers, but, like, the next person next to you actually doesn't. That's
H
E
You get support saying, works for me, you're an idiot, okay, and that's the problem, right? I mean, I went through this with one with my DNS guys, the registrar. Wouldn't work, wouldn't work, PayPal not working, PayPal not working. They finally said, could you try with Firefox? And I agreed to do that, and all sorts, like, back and forth. They, you know, all debug logs from Chrome and whatever, and all that, the
C
E
No, something else, but anyway, pardon me, par Hao, yeah, maybe that's it. Anyway, it's supposed to, anyway, record. You can record the thing. Firefox and Chrome will record all the stuff back and forth, and anyway, all that stuff, they can reproduce it. They can't figure out what, I'm busy pointing to, what about this load that doesn't really work here, and I don't think it's relevant, and anyway, I don't think they fixed it yet.
E
But, as I said, we, it works for us on the same platform with the same version on the same thing, and I'm like, you know, what am I supposed to do now, right? As you say, yeah.
A
Lucas, since you're here, to call on you, you know, I've done a lot of QUIC testing against you, in your servers, I mean, the Cloudflare
E
A
Always sends some greased code points, right, during the handshake, because they're small enough. Hi.
B
It's okay, okay, yeah. So this is like, I think, I thought it was late as well, so I've missed stuff. I apologize if I'm repeating things that have already been discussed. I think, you know, the H2 ship has kind of sailed without the greasing, and that's sad. And the, I was, even this week, I was reminding us some of the good work that the folks over at Google and Chrome did.
B
We spoke with Vince back in these zones of experiments there, and he thought there was some problem we had. I think maybe we did, and we fixed something pretty quick, but then it was, it was something else, whatever. So very early in the H3 implementation, like, we kind of chose to just send GREASE
B
All the time. Like, it was easy: when we're doing interop, you know, sat around a hackathon, and someone's like, what the heck, what's going on here? And it was mainly around a basic implementation bug, because of whatever. But, and there was always something I've considered, like, yeah, maybe I could just turn it off now, but actually, just leaving it in is, I think, fine. Do it for everything. The careless one I'm not so sure, I don't know if that's maybe a BoringSSL kind of opinionated matter.
B
I need someone else more familiar with the TLS stuff to say whether or not, but yeah, like, just do stuff. I think what, maybe, like, it's easy to send, it's hard to detect from a server operational perspective, like, the finding out when you've caused those kind of handshake problems, like, is kind of tricky. There's Network Error Logging, some of those things can sort of help, but especially with QUIC, even the apparently clarity of them isn't brilliant, and, like you said, Tommy, like, there's so many other reasons that things can fail.
B
You know, we just talk about, but, like, I'm deep in months' worth of discussions with the customer support people, like, Cloudflare, because they ask people to collect HARs because they think it includes everything, but it generally doesn't include any of the information that I would find useful to debug stuff, because most of the bugs have been fixed, which is great, but a lot of the ones that are under my remit, like H2 flow control, H3 whatevers, like, really, really hard to find. I don't expect people to be able to know
B
What's going on. The manifestation of the problems is weird. You know, even this week, I was working with a colleague to look at Hills behavior when, like, somebody did a POST upload where a response came back at a certain point in time. It wasn't a race condition, but it's a timing kind of thing, and they were doing this to fix something else, and they did just a test with curl, because, you know, everyone uses curl and it's fine, and it wasn't meeting our expectations. I was like,
B
Maybe this is a bug in curl. They wouldn't believe me because it's curl, but, you know, because we know people, you speak to some of the maintainers, like Daniel and Stefan, and it turned out Stefan had stumbled on this last week. It's some behavior that's been in curl for forever, and the fix is easy enough.
B
They knew exactly what to do, but finding these things is really hard. So.
E
I actually had an HTTP/2 bug with curl, with the Internet-Draft submission thing, that I reported to Robert Sparks, that's going through, obviously, Cloudflare, and, of course, it worked with 1.1. So I was just thinking, like, maybe I actually experienced that bug. So, you know, whatever.
B
E
You, that, I, yeah, I don't really know what happened, except that I got an error, but I wondered: does the Geoff Huston method of, you know, zero-pixel loading and scanning and stuff like that, have you ever tried that kind of stuff to see if this works, or maybe we should contract Geoff to do that?
E
Geoff Huston has done a whole bunch of surveys of things where he, DNSSEC resolution, whether you accept broken name servers, penetration of HTTP/2, all sorts of stuff, by displaying zero-pixel ads to people, right, and he measures whether or not they load. And I think he has JavaScript on, I can't remember which side he does the job, some things, but he measures things. Yeah.
B
I mean, it doesn't hurt, but I think, I mean, the point I generally get pulled in is that it's like a really hard to find bug, and maybe even certainly the protocol was unclear about on what to do. And stuff like basic connectivity, yeah, sometimes, but then we get into the issues of, like, well, as a big cloud infrastructure provider, we're not really responsible for the content in any way. So then, where do those reports go? What are they revealing about the people who use those services, end users?
B
Should we even know any of that? So, like, some of this stuff is difficult. The things in privacy-preserving metrics and things like that is super interesting for this, and I know other people are working on those things, like, for, Chris Wood, for instance, kind of looking at maybe how Network Error Logging could be made slightly more anonymous or whatever. So yeah, I don't know, it just, it gets to the point where, you know,
B
Even me, I thought I found a bug in Chrome like six months ago, but I wasn't sure, and the only way really was to get a very specific reproduction with all of the error logging and analysis and graphing, and to say to somebody, I think it's here, and then they had the expertise of Chrome internals to say, oh yeah, that is a bug, thanks.
B
Without that, you know, this is impossible to reproduce anything. I think this is it. You might even agree that there's a problem somewhere, but if you can't reproduce something, okay, are you gonna fix it and know that you haven't regressed? Like, you need to develop a test even to kind of exhibit that weirdness of behavior, where we get into the point of, like, should something like curl behave 100 to the protocol compliance? Maybe by default?
B
B
These paths are less trodden. In that respect, you might even do it, implement that, like, as you want, but because you don't exercise that code ever in practice, then it breaks, and whoops. I give an example as well: like, recently we're informed of some behavior within our QUIC and H3 layer, and it was kind of around greasing and extension frames.
B
Like I said, I knew about this stuff when I was doing the implementation, but some unique sequence of events meant if you sent an extension frame at a certain point in time during an entire HTTP request-response exchange, something failed and it kind of timed out, and that's annoying. Without automated testing, I don't think we could have caught that until we got a user who was able to be bothered to even spend the time to look into it a bit more and then report the thing.
A
I was also seeing on the chat, David, you were bringing up, MLS is another protocol, asking questions about, I think it's interesting question of, like, should we get stuff in there? You wanna bring
C
That to me, you know, I was just thinking, like, what are the protocols that are happening these days that I know about, and MLS is top of mind because I've been talking with ADs about it quite a lot lately. But one of the things it does, I just pulled it up and pulled the IANA considerations section up, and I was like, oh, they have eight new registries and no greasing.
D
F
It actually, like Lucas wrench, is like, kind of indicates to me that maybe we should put more effort into testing in the first place, rather than, like, I think greasing is just covering kind of the tip of the iceberg, where you can, like, catch some of the obvious cases, but you don't catch all the other problems.
C
E
Why greasing is important is that not everyone implements the same day, and not everyone gets to go to the hackathons and the bake-offs and whatever, and sometimes implementation is five years later, and you can't even find the people you want to interoperate with. You know, XYZ product, the people that built that, wrote it, aren't even at XYZ anymore.
E
E
We actually need that to kind of be available out there on a regular basis, to surprise people who are writing new code, and to go, oh. And I actually think that I like this, this business, that, you know, the IANA considerations actually should have a subsection called greasing, and that if it's not there, you should say why.
E
And one answer is, oh, you know, it's a four-bit code point and we couldn't possibly afford one for greasing. Okay, and that's, you know, not, an unfortunate situation, but not crazy. And then, you know, if there's some private use space, then to me that is actually kind of almost begging for, you know, allocating a couple of them for greasing. One of the problems in, for instance, IKEv1, for instance:
E
We had all this private use space, but we didn't know whose private use space it was, and we went to some conniptions, right? So we had all these people throwing extensions in there, and we had to qualify that with a vendor, and that was something we did very early on, right, and I think that was a good thing. But not everyone understood what was going on, and there were implementations where, you know, you would say, I'm vendor foo, here's my private number, and it would go, oh yeah, you're using that private number.
E
Oh, that, I'm using it, from, to mean this, but it's not formatted right, oops, fail. And so that was an example of greasing, with unintentional greasing, but they got it wrong, right? I mean, they just didn't check the qualifications of the private use number. And so that's why I think it has to be there regularly, and I would really love to have every document have some kind of statement about
F
C
F
C
A
A
Reserve cipher suite code points, I mean, you certainly could grease it, and you could certainly have ossification with implementations that are, like, barfing if they ever see a cipher suite that they don't recognize as one of the things that's being offered.
D
C
D
I think there's more than just throwing in random extra code points into your implementations. As we've discovered with TLS, ordering matters, if you can have variable ordering. Values of different parameters can matter as well. It can be the case that you have a protocol that most people exercise only a small part of the value space of a particular parameter, and you set that value to something large and people choke.
A
And, you know, we certainly can do things in the initial definitions of protocols, like allocate things in the registry, saying you should switch the order, but we can also say things separately and afterwards. So, you know, like,
A
Maybe doing the code point reservation is something that's nice to have, just so that those things exist, but, you know, the strategies for greasing TLS could be a separate document, strategies for greasing MLS could be its own thing. Like, I mean, they don't need to necessarily be in the core protocol. Also, there are ways you use it.
D
Yeah, I think this, this sort of a very important question regarding how you sort of work through these problems, I think.
D
We're greasing a bunch of other things in QUIC. We probably don't need to grease those things. It's the other things that we need to grease, and this, I think, comes back to the protocol maintenance question: when things break, how quickly can you detect that they're broken is part of the reason why you do greasing, I think, but also what happens next. And it seems like HTTP/2 is a great example of, well, what happens next.
D
D
Find the problem, and you discover that you can't use this extension mechanism anymore. What do you do at that point? And it might just be that there's, like, one implementation, that you can send them an email or what have you, or, you know, it's endemic, and you have to find a new way to extend the protocol. No, I think the reaction to what we've done in HTTP/2 is to use the sort of settings, which are reasonably available, and you sort of negotiate the use of the extension. Thanks.
C
C
A
But you can, you can forward something to, find a, you know, we've had ADs on here before, we've had Eric and others, so we can just say, yo.
A
A
F
E
C
C
D
D
F
D
F
D
C
C
To agree, I think, like, some folks have been calling it Langley's law, which is, you know, have one joint and oil it well. And if you have one extension joint and you're forced to use it, like, you know, let's say transport parameters, you're forced to send transport parameters and to parse them to be able to establish a connection, you're guaranteed that that joint won't rust shut, to some extent, which is kind of nice. Yeah.
F
There is a document which is, basically the main advice is, like, if you design a protocol, it should be extensible.
A
G
C
C
Yeah, to define the extension and not do the TLS thing of, hey, we've magically made it work, and here's why that wasn't great, yeah.
C
Yep, SNR, anyone.
D
C
B
The other thing that I was thinking about this week, even before this meeting, which is way coincidence, I saw this in the calendar somewhere, but the whole thing with, like, extension, well, frames in HTTP/2 as an example, is where you have some intermediary between the client, like a browser that you're trying to speak to, and the server that you're trying to send a frame from, and that frames are hop by hop.
B
So even if the intermediary does things like throw the unknown extension on the floor, it doesn't pass it on, even if the intermediary wouldn't need to do anything with that, and that some of the attempts are trying to do with greasing maybe don't run the full chain because of that, if that makes sense. Like, the setting greasing would maybe, I mean, the intermediary can always drop things if they want, but the way that the specification is written is that, you know, you ignore an unknown frame.
B
You don't pass it through in order to kind of grease the whole chain. I don't know if we have to do anything there, but it did seem a funny situation.
G
C
A
So, being cognizant of time, we have seven minutes left. I did want to come back to one of the questions I'd mentioned early on, just to see if we have any opinions here, of, you know, as we are doing greasing and things like QUIC, and, you know, Martin, you were mentioning, I think rightly, that, like, there are places where we're greasing that, yeah, we probably didn't need to, but in other cases where we are greasing and it's not as obvious that it is being used,
A
A
At what point is this not just a futile effort, where we're defining, oh, you have all these code points, but maybe no one's using it, or maybe they're using it but it's not actually effective enough? And we brought up the ideas that, you know, maybe you're not greasing often enough to make it noticeable to users.
E
E
E
Of course, I can't know that, right, of course, but at least I should be able to test the same scenario. So if that means that the greasing is happening based upon some pseudorandom cookie, then that cookie needs to be visible, so that I can plug it into a new browser and reproduce the problem, right? I mean, that is a UI problem, but we can put requirements on that UI, even if people think we're not allowed to design them.
E
So that's one thing. The second thing is that we might actually need to have some kind of a logging or reporting mechanism that allows greasing to become visible in logs or something like this, so that, you know, entities like Cloudflare could actually go and collect greasing results from a wide variety of different products, right? Sounds like a lot, but I mean, if we're serious about it, I think it's important.
E
H
F
Related, but probably several problems, also about how do we get actually better logging in cases of failure, right? How do we, can we get better measurements?
C
Ask the question as a French person who likes cooking with butter: is there such a thing as too much grease? As in, is there ever a case where you're like, maybe, should I grease, should I not, and then you don't, you do, and you're like, you know, I shouldn't have? Like, I see MT's point that, like, there are cases where maybe wasn't necessary, but it definitely didn't hurt.
D
Yeah, I'm not suggesting that it's not something that we shouldn't do in those cases where we think it would help. In that way, there are cases where it's not going to be very helpful. In the IoT case, where you cause fragmentation by blowing the packet up multiple times, you're probably introducing an unacceptable performance hit, and if you only do it under the special mode that Michael suggests, then we're in a situation where no one's going to use it, and it's not gonna find the bugs when you need it to. Yeah, but on the other hand, I think we need to be sort of cognizant of the fact that this has limitations, and those limitations are: we're testing a very specific set of bugs in a very specific way, and protocol implementations get lots and lots of other problems, and just by closing off this particular type of problem, we're not necessarily sort of addressing the sort of whole suite of ways in which protocol implementations can start to break down.
D
You know, the state machine problems, the value range problems, all of the sorts of intermediary things like Lucas is referring to, all of those sorts of things tend to require different approaches to find them, and I think we can sort of overly fixate on one particular type of bug. It's a very, very well known bug and a very common one. I think I was shocked at how fast people managed to replicate this bug in the new protocol, and we continue to be shocked.
D
A
But I mean, I guess, Martin, to your point, that there are different types of problems, like ordering or values, like, there are things where you can do, where I can use an extension point a lot, but if I do it always in the same way, and everyone always puts things in the same order, even if they're not required to have in the same order, then someone comes along, puts them in a different order.
A
Then they could break in weird ways. Like, we could also have a false sense of security, and we probably need to level up our discussion of greasing to more than just allocated code points and talk about all of these behavioral greasing
D
Things that are interesting. Even though I said don't inflate the packet size, we're going to need to inflate the packet size in QUIC, because we're going to find that this post-quantum apocalypse comes along and we need some new algorithms, and they tend to be grossly inefficient ones, so we'll find out.
D
At that point it would be nice if we could find out a little bit ahead of time, but it's very hard to anticipate the sorts of problems that you might encounter in the future based on requirements that you haven't anticipated today.
B
Yeah, sure, how much, all right, like, just one quick comment: like, how much is the spectrum between greasing and, like, doing more greasing versus, like, just fuzzing, like, to the point where you're just tweaking every variable under the sun, whether it's an extension or not? But just, this is very big slope, I think.
D
E
E
My experience with fuzzing is that mostly they just put random garbage and keep permuting the random garbage until they see something break. It's not very efficient that way. It would be, you know, much more informed to, you know, format things, in, once you've tested that the length parameter in the TLV is not susceptible,
E
Then you're wasting your time making things that don't have valid type-length things, right? And it's very hard to get that in a generic fashion, and often the fuzzers don't even know what they broke when they break something.
D
Yeah, so ltls fuzzo was set up with very specific permutations on valid handshakes, so that we could avoid the sort of filtering that happens by throwing up random garbage, and I don't know if we didn't reordering one, but potentially.
E
A
Yeah, all right, we are over time and I'm going to need to drop now. So thank you all. I'll stop this recording, and I think, if people are okay, we can kind of continue the discussion. The next idea.