IETF Logo Mail Archive

Re: [MSEC] QUIC multicast

"Holland, Jake" <jholland@akamai.com> Tue, 28 June 2022 17:37 UTC

Return-Path: <jholland@akamai.com>
X-Original-To: msec@ietfa.amsl.com
Delivered-To: msec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1D6FDC157B39 for <msec@ietfa.amsl.com>; Tue, 28 Jun 2022 10:37:29 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.748
X-Spam-Level:
X-Spam-Status: No, score=-2.748 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.745, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=0.1, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=akamai.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8qPq5ts0aPKK for <msec@ietfa.amsl.com>; Tue, 28 Jun 2022 10:37:24 -0700 (PDT)
Received: from mx0b-00190b01.pphosted.com (mx0b-00190b01.pphosted.com [IPv6:2620:100:9005:57f::1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 74C99C157B34 for <msec@ietf.org>; Tue, 28 Jun 2022 10:37:24 -0700 (PDT)
Received: from pps.filterd (m0050096.ppops.net [127.0.0.1]) by m0050096.ppops.net-00190b01. (8.17.1.5/8.17.1.5) with ESMTP id 25SHVX2P010173; Tue, 28 Jun 2022 18:37:21 +0100
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=akamai.com; h=from : to : cc : subject : date : message-id : references : in-reply-to : content-type : mime-version; s=jan2016.eng; bh=6Rp/l+IBknsSv6scHhZYxMqRzxdVWAd9fdbhgsz/HUU=; b=H+zg3Rr6xFxeqYKn7uaolKXX1ldpp4f/1sbZJYhU60GLX6r0m8KSdj1d4Hg+q+XwaGKD 49y/roGk1Vpj/Ym7PmGVZ1rXb6KPwrx4pnvAEkhv0QW4ssX4PT1oiremIRx15u/lKTQU 29biTrndNrkbGfKzJQ/Q/CpCaL+5us1j1u7VRrxgOrWp0WOS8S3oz3bnXe2IVlnYrSOu MViEeZCo6N+8Wp0KiNIgZqK9rMxVfhF08CtgOrFgU8rSWHBNW8WXFyvDhl3lK8AFvQXT XDu8ivDpaAWwFqytCFN9VeSjuOJ0D5VXmugQdH0rMVJXuOC/WxZXkrP8eb92Vz52MtsO WQ==
Received: from prod-mail-ppoint5 (prod-mail-ppoint5.akamai.com [184.51.33.60] (may be forged)) by m0050096.ppops.net-00190b01. (PPS) with ESMTPS id 3gynj99d5g-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Tue, 28 Jun 2022 18:37:21 +0100
Received: from pps.filterd (prod-mail-ppoint5.akamai.com [127.0.0.1]) by prod-mail-ppoint5.akamai.com (8.17.1.5/8.17.1.5) with ESMTP id 25SDZFpX011921; Tue, 28 Jun 2022 10:37:20 -0700
Received: from email.msg.corp.akamai.com ([172.27.123.30]) by prod-mail-ppoint5.akamai.com (PPS) with ESMTPS id 3gx0b9t7gk-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA384 bits=256 verify=NOT); Tue, 28 Jun 2022 10:37:18 -0700
Received: from usma1ex-dag3mb2.msg.corp.akamai.com (172.27.123.59) by usma1ex-dag4mb3.msg.corp.akamai.com (172.27.91.22) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384) id 15.2.986.26; Tue, 28 Jun 2022 13:35:56 -0400
Received: from usma1ex-dag3mb5.msg.corp.akamai.com (172.27.123.55) by usma1ex-dag3mb2.msg.corp.akamai.com (172.27.123.59) with Microsoft SMTP Server (TLS) id 15.0.1497.36; Tue, 28 Jun 2022 13:35:56 -0400
Received: from usma1ex-dag3mb5.msg.corp.akamai.com ([172.27.123.55]) by usma1ex-dag3mb5.msg.corp.akamai.com ([172.27.123.55]) with mapi id 15.00.1497.036; Tue, 28 Jun 2022 13:35:56 -0400
From: "Holland, Jake" <jholland@akamai.com>
To: "sarikaya@ieee.org" <sarikaya@ieee.org>
CC: "msec@ietf.org" <msec@ietf.org>
Thread-Topic: [MSEC] QUIC multicast
Thread-Index: AQHYij1gcuY29HGYmk+y8BxGzr0uNK1lPOgA//+nWoA=
Date: Tue, 28 Jun 2022 17:35:55 +0000
Message-ID: <4F4CB186-40E9-4CC6-9DA5-F63F157BD9F8@akamai.com>
References: <367D7BA3-4883-49C3-9C9A-B0ACF82AB144@akamai.com> <CAC8QAccDoV=29qoxJUQLbp2qD3XNBboURmwR4eju-FFyYQYJxw@mail.gmail.com>
In-Reply-To: <CAC8QAccDoV=29qoxJUQLbp2qD3XNBboURmwR4eju-FFyYQYJxw@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/16.61.22050700
x-ms-exchange-messagesentrepresentingtype: 1
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [172.27.164.43]
Content-Type: multipart/alternative; boundary="_000_4F4CB18640E94CC69DA5F63F157BD9F8akamaicom_"
MIME-Version: 1.0
X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.205,Aquarius:18.0.883,Hydra:6.0.517,FMLib:17.11.122.1 definitions=2022-06-28_11,2022-06-28_01,2022-06-22_01
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 mlxscore=0 spamscore=0 suspectscore=0 adultscore=0 mlxlogscore=999 bulkscore=0 phishscore=0 malwarescore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2204290000 definitions=main-2206280069
X-Proofpoint-ORIG-GUID: 7YQ2Z1VG0-Uyts_UKzsLFXF6C1l9oSGd
X-Proofpoint-GUID: 7YQ2Z1VG0-Uyts_UKzsLFXF6C1l9oSGd
X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.205,Aquarius:18.0.883,Hydra:6.0.517,FMLib:17.11.122.1 definitions=2022-06-28_10,2022-06-28_01,2022-06-22_01
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 mlxlogscore=999 spamscore=0 phishscore=0 mlxscore=0 lowpriorityscore=0 clxscore=1011 bulkscore=0 suspectscore=0 malwarescore=0 impostorscore=0 priorityscore=1501 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2204290000 definitions=main-2206280069
Archived-At: <https://mailarchive.ietf.org/arch/msg/msec/6ef5jtWkDTVEq6MPpkqQVHEdOBg>
Subject: Re: [MSEC] QUIC multicast
X-BeenThere: msec@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Multicast Security List <msec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/msec>, <mailto:msec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/msec/>
List-Post: <mailto:msec@ietf.org>
List-Help: <mailto:msec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/msec>, <mailto:msec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 28 Jun 2022 17:37:29 -0000

Hi Behcet,

I’d encourage you to read sections 1 and 4 of the draft, which try to cover this in some detail.

The summary answer is that there’s always a unicast connection as an anchor, but the server can ask the client to additionally join multicast channels that carry QUIC packets that can be decoded by the client using information that was passed to the client over the unicast connection.

Those packets have a channel id instead of a connection id, as well as secrets that are generated and distributed differently than the unicast secrets (with the in-depth examination of the security consequences of this covered in our earlier draft-krose-multicast-security doc), but the handling is otherwise very similar to handling for QUIC multipath packets.

HTH.

-Jake

From: Behcet Sarikaya <sarikaya2012@gmail.com>
Reply-To: "sarikaya@ieee.org" <sarikaya@ieee.org>
Date: Tue,2022-06-28 at 8:53 AM
To: "Holland, Jake" <jholland@akamai.com>
Cc: "msec@ietf.org" <msec@ietf.org>
Subject: Re: [MSEC] QUIC multicast



On Mon, Jun 27, 2022 at 10:48 AM Holland, Jake <jholland=40akamai.com@dmarc.ietf.org<mailto:40akamai.com@dmarc.ietf.org>> wrote:
Hi msec,

One of the actionable pieces of feedback[1] from the secdispatch
presentation of draft-krose-multicast-security at IETF 112 was
that we needed a concrete protocol proposal in order to evaluate
the security considerations, so we went ahead and made a
concrete proposal for multicast QUIC:
https://datatracker.ietf.org/doc/draft-jholland-quic-multicast/<https://urldefense.com/v3/__https:/datatracker.ietf.org/doc/draft-jholland-quic-multicast/__;!!GjvTz_vk!WLI8K0REmBUeJXD8Ej_71_7ACc80QBBiN3l8uU2VEeWp44usc-fp8cEfrfiEemXLTEOJg5PyoY7i4lv2dGuCBA$>
https://github.com/GrumpyOldTroll/draft-jholland-quic-multicast<https://urldefense.com/v3/__https:/github.com/GrumpyOldTroll/draft-jholland-quic-multicast__;!!GjvTz_vk!WLI8K0REmBUeJXD8Ej_71_7ACc80QBBiN3l8uU2VEeWp44usc-fp8cEfrfiEemXLTEOJg5PyoY7i4lsEw-3FOg$>

We think this proposal meets the security goals given in
draft-krose-multicast-security (plus the one that Ekr raised that
we haven't added text for about web content needing to be associated
with a url), but if you can see any sense in which this draft falls
short or is unclear on how those security properties are achieved,
we'd love to get that feedback (and suggestions on fixing it if you
have any).

I haven't sent this to quic yet, but will do so before long
unless anyone in msec can point out a critical flaw.  I'm planning
to ask for a short slot in quic to present at 114.  My main question
will be about what wg members would want to see addressed before
we ask for adoption (not planning to ask for adoption this time yet),
plus soliciting general feedback.

Before sending to quic, will you please let me know how multicast will work with a connection oriented  transport protocol which Quic largely is?

Behcet
-Jake

PS: several members of the W3C Multicast Community Group have
been working on an implementation and we'll have a table at the
hackathon, so if you'd like to be involved with that, please let
me know.

[1] notes from the secdispatch feedback:
https://mailarchive.ietf.org/arch/msg/msec/FYx5GsAtAyI3pypPIlJ_s3vtiwc/<https://urldefense.com/v3/__https:/mailarchive.ietf.org/arch/msg/msec/FYx5GsAtAyI3pypPIlJ_s3vtiwc/__;!!GjvTz_vk!WLI8K0REmBUeJXD8Ej_71_7ACc80QBBiN3l8uU2VEeWp44usc-fp8cEfrfiEemXLTEOJg5PyoY7i4lsbbSpK7w$>


_______________________________________________
MSEC mailing list
MSEC@ietf.org<mailto:MSEC@ietf.org>
https://www.ietf.org/mailman/listinfo/msec<https://urldefense.com/v3/__https:/www.ietf.org/mailman/listinfo/msec__;!!GjvTz_vk!WLI8K0REmBUeJXD8Ej_71_7ACc80QBBiN3l8uU2VEeWp44usc-fp8cEfrfiEemXLTEOJg5PyoY7i4luYDboKgw$>

v2.23.0 | Report a Bug | By Email