Re: Asymmetric CIDs

Roberto Peon <> Fri, 16 February 2018 18:26 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 6FF88129C6E for <>; Fri, 16 Feb 2018 10:26:25 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.72
X-Spam-Status: No, score=-2.72 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key) header.b=fxpkJMl5; dkim=pass (1024-bit key) header.b=Wz6EoKDD
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id DkwBaeTVeKM1 for <>; Fri, 16 Feb 2018 10:26:22 -0800 (PST)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 6324A1200C1 for <>; Fri, 16 Feb 2018 10:26:22 -0800 (PST)
Received: from pps.filterd ( []) by ( with SMTP id w1GIE8K6000834; Fri, 16 Feb 2018 10:26:13 -0800
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; h=from : to : cc : subject : date : message-id : references : in-reply-to : content-type : mime-version; s=facebook; bh=fRh/x9tX9JURrcoHQwzNOJLRL5JY9RBQOceyhEZVLY4=; b=fxpkJMl5ho+KGrk6U3EuszUWncWBBH1Pv7t/axaoAS4ktZcKCqj6LmtT+Lp+nB0F3Yc9 F6CIbA0Qb3WXCqgyhUSb1UCj1oGDXRgd3CZTx/RNpeF+hd+3ILGGsyUnXOIxE9RvG6Kf 3ba2Hsi9Tt26WkWazEjXE6XCQ0ksq3ihQnU=
Received: from ([]) by with ESMTP id 2g604csus6-16 (version=TLSv1 cipher=ECDHE-RSA-AES256-SHA bits=256 verify=NOT); Fri, 16 Feb 2018 10:26:13 -0800
Received: from ( by ( with Microsoft SMTP Server (TLS) id 14.3.361.1; Fri, 16 Feb 2018 10:25:59 -0800
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=selector1-fb-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=fRh/x9tX9JURrcoHQwzNOJLRL5JY9RBQOceyhEZVLY4=; b=Wz6EoKDDGDMfOQfZRPNufo0JKho1txW9zPD3mKfWJ4YqZNyZ+UBdxmUlXuY21yagb98SrN6YRAHXRUUrlPYc0KBaggRtXdfiAlGwwNKVgG9h+i4pIwru/G3IwODUhusWsiA+MjD9vZu1SvFSTBXLJymuZz0HexpvSUO5uyUawNY=
Received: from ( by ( with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256) id 15.20.506.18; Fri, 16 Feb 2018 18:25:56 +0000
Received: from ([]) by ([]) with mapi id 15.20.0506.020; Fri, 16 Feb 2018 18:25:56 +0000
From: Roberto Peon <>
To: Christian Huitema <>, Martin Duke <>
CC: Ian Swett <>, IETF QUIC WG <>, "Eric Rescorla" <>
Subject: Re: Asymmetric CIDs
Thread-Topic: Asymmetric CIDs
Thread-Index: AQHTp0fsUiwRXYubE0qEd47QbEYhNqOnR9oAgAAHeYCAAAY3gP//fPSA
Date: Fri, 16 Feb 2018 18:25:56 +0000
Message-ID: <>
References: <> <> <> <>
In-Reply-To: <>
Accept-Language: en-US
Content-Language: en-US
x-originating-ip: [2620:10d:c090:200::7:3472]
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1; BY2PR15MB0231; 7:SQGokSvikeFz6X30KkdsoNA1D2SUQCOihG2oQJW8PB0YuDVD61mg0HBQ4fKIaAcpRutNGO5+GH+JVjq0G4vgnoiRateEyfwbjcH7XRRKVuSDoIkC+JZHCm8hKgVDgumUr3+SxZd3Oi035kCILwI31PwYOQALxoy0vIFR/DH0SGAIaoAuDRnjMnl9tWvFmSdK6BQrvQu5Fg7CElSRWhWUv7Q69qg4WaBtMUC0RRq2IpFSLMW48QF5Vd4P6g5LBxt3; 20:5E7EFi478xsi7MnGGKyCSwJp501zs/+NG6Nm8mmc/zyOlrDY5oSKeQNhwWfATgvM8wZrn6i9mWIMeJWn5SfV2uuDTpe91qndx1UStRlCUeiU4OAmihwt2wAXrOYHImO6y1uAkBV5MttAdnHi2HOwDBAtiA1e70/jg+vg8o3Pq04=
x-ms-exchange-antispam-srfa-diagnostics: SSOS;
x-ms-office365-filtering-correlation-id: e8b4306d-6902-4560-39be-08d5756ab885
x-microsoft-antispam: UriScan:; BCL:0; PCL:0; RULEID:(7020095)(4652020)(5600026)(4604075)(3008032)(4534165)(4627221)(201703031133081)(201702281549075)(2017052603307)(7153060)(7193020); SRVR:BY2PR15MB0231;
x-ms-traffictypediagnostic: BY2PR15MB0231:
x-microsoft-antispam-prvs: <>
x-exchange-antispam-report-test: UriScan:(28532068793085)(158342451672863)(85827821059158)(211936372134217)(100405760836317)(153496737603132)(21748063052155);
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(6040501)(2401047)(5005006)(8121501046)(3002001)(10201501046)(93006095)(93001095)(3231101)(11241501184)(944501161)(6041288)(20161123560045)(20161123564045)(201703131423095)(201702281528075)(20161123555045)(201703061421075)(201703061406153)(20161123558120)(20161123562045)(6072148)(201708071742011); SRVR:BY2PR15MB0231; BCL:0; PCL:0; RULEID:; SRVR:BY2PR15MB0231;
x-forefront-prvs: 0585417D7B
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(39380400002)(366004)(346002)(39860400002)(376002)(396003)(189003)(199004)(51914003)(76176011)(82746002)(6116002)(102836004)(53936002)(3660700001)(2900100001)(236005)(6306002)(6512007)(54896002)(106356001)(6246003)(54906003)(99286004)(221733001)(110136005)(186003)(316002)(77096007)(68736007)(2906002)(7116003)(6436002)(93886005)(3480700004)(5660300001)(86362001)(83716003)(8936002)(7736002)(478600001)(36756003)(6486002)(53546011)(229853002)(3280700002)(2950100002)(105586002)(25786009)(33656002)(59450400001)(81166006)(81156014)(561944003)(8676002)(14454004)(39060400002)(97736004)(6506007)(4326008)(21314002)(42262002); DIR:OUT; SFP:1102; SCL:1; SRVR:BY2PR15MB0231;; FPR:; SPF:None; PTR:InfoNoRecords; MX:1; A:1; LANG:en;
received-spf: None ( does not designate permitted sender hosts)
x-microsoft-antispam-message-info: 0VhfvY6VNHQul5Qw7ChAbVPfSfz8SoQFVBwagTeOQ2LRxGutipYQwvFtep25ZS9RUFl+h4tSmnZkmMF+XmoRTA==
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: multipart/alternative; boundary="_000_D7E469CDB9D841ED8F5C9933DCBA90E6fbcom_"
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-Network-Message-Id: e8b4306d-6902-4560-39be-08d5756ab885
X-MS-Exchange-CrossTenant-originalarrivaltime: 16 Feb 2018 18:25:56.4577 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 8ae927fe-1255-47a7-a2af-5f3a069daaa2
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BY2PR15MB0231
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:, , definitions=2018-02-16_07:, , signatures=0
X-Proofpoint-Spam-Reason: safe
X-FB-Internal: Safe
Archived-At: <>
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Main mailing list of the IETF QUIC working group <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 16 Feb 2018 18:26:25 -0000

++ what Christian says.
The fact that it now takes two implementations to prevent linkability (either side messes it up, and that half-path is exposed, likely rendering it all exposed) is a bit sad.

From: QUIC <> on behalf of Christian Huitema <>
Date: Friday, February 16, 2018 at 10:16 AM
To: Martin Duke <>
Cc: Ian Swett <>om>, IETF QUIC WG <>rg>, Eric Rescorla <>
Subject: Re: Asymmetric CIDs

I like the concept, but I would like to understand how we avoid linkability on migration.
-- Christian Huitema

On Feb 16, 2018, at 7:52 AM, Martin Duke <<>> wrote:
Thanks for writing this up, ekr. This incorporates many of the suggestions I made in objection to this project (perhaps coincidentally) and I like it a lot.

Advantages of this:
- In the common case where most of the data is server->client, clients can get away with shorter Conn IDs to reduce overhead.
- Omit-conn-id just becomes a case where length = 0. Does this sidestep some of Google's transition issues?
- If a client sends NEW_CONNECTION_ID, that indicates an intention to migrate, and is a good cue for the server to send the same. We should add a SHOULD to specify this behavior.

I must be missing something, however, regarding implicit CIDs.

If there's a NAT rebinding, how is the server supposed to extract the CID? Furthermore, this obviates the entire concept of using Connection ID for routing; it's not obviously a savings to store CID length in a table vs. just storing the destination server.

Lastly, if we encode the length somewhere that seems to solve the Stateless Reset issue.

On Fri, Feb 16, 2018 at 9:25 AM, Ian Swett <<>> wrote:
Thanks for the excellent summary EKR.  I like this design and think the breakage of stateless reset in certain cases is acceptable, since it only applies if both sides must have their preferred connection ID present in order to route correctly, which is a use case that's impossible in the status quo.  I have not come up with any other downsides.

On Fri, Feb 16, 2018 at 12:01 PM, Eric Rescorla <<>> wrote:
Hi folks,

After a bunch of discussion, the CID task force came down to rough
consensus that asymmetric conn IDs were probably the right
direction (CID task force members, please feel free to voice dissent
here). Here's a complete writeup of what I think would be needed
for asymmetric connection IDs. It's not a PR, because I think
something self-contained is cleaner.

Note that if we adopt this direction, we would be sacrificing
public reset under some conditions (see previous emails to the
list) and we would need to decide if it was worth keeping at all.

The basic idea is that each side gets to dictate the connection IDs
that are used to send to it. During the handshake, you establish those
CIDs and then each side can issue new CIDs during the connection.  The
main advantage of this is that it allows for symmetric topologies in which
the client is also behind some kind of stateless LB/router rather than
just the server. See Issue #1091 for more info on this.

The overall handshake looks something like this:

Client                                      Server

Initial [CID=XXX] {recv-CID=YYY} ---------------->
<-------------- Cleartext [CID=YYY] {recv-CID=ZZZ}
Cleartext [CID=ZZZ], {recv-CID=YYY} ------------->
<-------------------------- Short header [CID=YYY]
Short header [CID=ZZZ] -------------------------->

The client's initial CID (XXX) is special, and either consists of

    (a) a randomly chosen dummy CID. Proposal: require this to be
        8 bytes or at least a minimum. This should be the same
        for all Initial packets in a connection (unless a stateless
        reject is received, as below).
    (b) a CID which it received from the server in a stateless reject

All the server's packets are sent with the client's receive CID (YYY)
and all subsequent client packets are sent with the server's receive
CID (ZZZ). The general rule is that you should send with the
connection ID that you most recently received (where recently
is defined as highest PN).

Note: I believe it's safe to just use the sending CID as the mixin
for the KDF, but I haven't thought this entirely through yet.

Finally, you can send NEW_CONNECTION_ID in either direction to provide
a new connection ID for the other side to use. The general assumption
is that you can do this at any time, just as with current QUIC, and
that any time you send to a new remote 3-tuple you should change CIDs
if you can. Note that this means that endpoints should try to make
sure that the other side has spare CIDs in case they need to migrate.

As we discussed in the meeting the short header should just have
an implicit length CID. This gives us the following short header:

   |0|C|K| Type (5)|
   |                                                               |
   +                     [Connection ID (*)]                       +  <- change from 64
   |                                                               |
   |                      Packet Number (8/16/32)                ...
   |                     Protected Payload (*)                   ...

Note that we may also be able to dispense with the C bit, if each
side just gets to say "send me this CID exactly", why do we want
to say "here is my CID but you can omit it".

We have several options about the long header. The first question
is where recv-CIDs go. In previous versions I suggested putting
them in transport parameters, or elsewhere in the TLS handshake,
and that might still be viable, though it has some drawbacks [0],
so the other alternative is to put both CIDs in in the long header.
This would look something like:

   |1|   Type (7)  |
   |  DCID-Length  |                                               |
   +-+-+-+-+-+-+-+-+   Dst Connection ID (*)                       +
   |                                                               |
   |  SCID-Length  |                                               |
   +-+-+-+-+-+-+-+-+   Src Connection ID (*)                       +
   |                                                               |
   |                         Version (32)                          |
   |                       Packet Number (32)                      |
   |                          Payload (*)                        ...

The semantics here are that the first value is the CID you want to
send to and the second one is the value you want used to send to you
(I've inverted these to keep the order the same as short header).

Two notes about this encoding:

1. I think we agreed that we didn't want arbitrary length CIDs up to
255 bytes, and yet we have room in this length byte. I propose we
limit it to 31 bytes and then grease the remaining 3 bits [1].

2. Because the client sends its CID first, there's no way to get the
current QUIC semantics of the server just dictates the CID.  I propose
we fix that by defining a special sentinel CID (all 1s, all 0s,
whatever) of whatever our maximum length is that means "just use your
own CID".

We can endlessly bikeshed on this structure.

Finally, we will need to update NEW_CONNECTION_ID to allow a variable
length CID. This would look like this:

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   |                          Sequence (i)                       ...
   |  CID-Length   |                                               |
   +-+-+-+-+-+-+-+-+       Connection ID (*)                       +
   |                                                               |
   |                                                               |
   +                                                               +
   |                                                               |
   +                   Stateless Reset Token (128)                 +
   |                                                               |
   +                                                               +
   |                                                               |

[0] However, in the transport parameters design, if the server's
handshake gets reordered, the client might need to send some ACKs with
the initial CID. However, we've agreed that the client's IP address
has to be stable, so this isn't a problem. Alternately, you could
change C->S CIDs in the short header if that was easier.

[1] An alternative would be to have a sparse range (e.g., you can
express 0-7 and then 8-22 by 2s, assuming I have counted correctly)
and then we could pack both lengths into a single byte. As I said,
lots of opportunities for bikeshedding here.