Re: Cookie crumbling in QPACK?
Alan Frindell <afrind@fb.com> Fri, 07 June 2019 16:13 UTC
Return-Path: <prvs=1061f3bc2c=afrind@fb.com>
X-Original-To: quic@ietfa.amsl.com
Delivered-To: quic@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 997231200E6 for <quic@ietfa.amsl.com>; Fri, 7 Jun 2019 09:13:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.698
X-Spam-Level:
X-Spam-Status: No, score=-2.698 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=fb.com header.b=Yg7jBYUX; dkim=pass (1024-bit key) header.d=fb.onmicrosoft.com header.b=NMIVqt5J
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HKL5Q9pF2KlX for <quic@ietfa.amsl.com>; Fri, 7 Jun 2019 09:12:59 -0700 (PDT)
Received: from mx0a-00082601.pphosted.com (mx0a-00082601.pphosted.com [67.231.145.42]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 223DE1200DE for <quic@ietf.org>; Fri, 7 Jun 2019 09:12:59 -0700 (PDT)
Received: from pps.filterd (m0109333.ppops.net [127.0.0.1]) by mx0a-00082601.pphosted.com (8.16.0.27/8.16.0.27) with SMTP id x57G8hO4021508; Fri, 7 Jun 2019 09:12:53 -0700
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=fb.com; h=from : to : subject : date : message-id : references : in-reply-to : content-type : mime-version; s=facebook; bh=hs60ET34zGFJH4Cxbud1qlD6q4yOZ5dDSH3sCwpXdnY=; b=Yg7jBYUXlHHOb7F3SewX2S4P5RgwPHmLP+lJ26f4R5aEf+ML48Sm9efROeBAahsHY6NQ ROQPymjTWCwYCSUYwt4IM818AsiZ3ccgFZZQepMbD5uoTmlr8Zo0zzIlpKDNMaBJ1bWL TzH+wll3qzAeksK5+m+6zL9r7n4CsUzaWhc=
Received: from maileast.thefacebook.com ([163.114.130.16]) by mx0a-00082601.pphosted.com with ESMTP id 2syepu24x9-3 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NOT); Fri, 07 Jun 2019 09:12:53 -0700
Received: from ash-exhub203.TheFacebook.com (2620:10d:c0a8:83::5) by ash-exhub204.TheFacebook.com (2620:10d:c0a8:83::4) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.1713.5; Fri, 7 Jun 2019 09:12:51 -0700
Received: from NAM03-DM3-obe.outbound.protection.outlook.com (100.104.31.183) by o365-in.thefacebook.com (100.104.36.102) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256) id 15.1.1713.5 via Frontend Transport; Fri, 7 Jun 2019 09:12:51 -0700
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=fb.onmicrosoft.com; s=selector1-fb-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=hs60ET34zGFJH4Cxbud1qlD6q4yOZ5dDSH3sCwpXdnY=; b=NMIVqt5JcXO2K542cbBIgKnTvsskM/PEZ1zJkZOimi7qLWsfy9bY3R1xgUovEHonxwi7Gn8rLighsERY5ZLs0gHeCaFcgQG4isKhWMDOLd2S4OUiezfUt3rdM8wuLaj/UYaNNn0On3/oqWFrLj1t7tgkTfF/AWV44sBslJckC+0=
Received: from DM5PR15MB1179.namprd15.prod.outlook.com (10.173.215.151) by DM5PR15MB1388.namprd15.prod.outlook.com (10.173.224.151) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1965.12; Fri, 7 Jun 2019 16:12:50 +0000
Received: from DM5PR15MB1179.namprd15.prod.outlook.com ([fe80::b075:97af:6ae3:29a5]) by DM5PR15MB1179.namprd15.prod.outlook.com ([fe80::b075:97af:6ae3:29a5%2]) with mapi id 15.20.1965.011; Fri, 7 Jun 2019 16:12:50 +0000
From: Alan Frindell <afrind@fb.com>
To: Bence Béky <bnc=40google.com@dmarc.ietf.org>, "quic@ietf.org" <quic@ietf.org>
Subject: Re: Cookie crumbling in QPACK?
Thread-Topic: Cookie crumbling in QPACK?
Thread-Index: AQHVHMOLjh2xwZnwW02jnHSWTiMOL6aP6NOA
Date: Fri, 07 Jun 2019 16:12:50 +0000
Message-ID: <39BCBB46-D35D-44F7-9069-A49BD8CA0C98@fb.com>
References: <CACMu3tr58b1GPOiq3aAt9PC+VTrm5+G1+KVfKup8VmEDOONKDw@mail.gmail.com> <CACMu3toTXbejBYrbno8yyaQKrPa27a4Gg4XOn+eFbOZH+AqDjQ@mail.gmail.com>
In-Reply-To: <CACMu3toTXbejBYrbno8yyaQKrPa27a4Gg4XOn+eFbOZH+AqDjQ@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/10.19.0.190512
x-originating-ip: [2620:10d:c090:200::1:609a]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: b683e4f1-5428-4d4f-962d-08d6eb62fd25
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(8989299)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(5600148)(711020)(4605104)(1401327)(2017052603328)(7193020); SRVR:DM5PR15MB1388;
x-ms-traffictypediagnostic: DM5PR15MB1388:
x-ms-exchange-purlcount: 5
x-microsoft-antispam-prvs: <DM5PR15MB138803BF7CA0F5D7B2A8D1AAA7100@DM5PR15MB1388.namprd15.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:9508;
x-forefront-prvs: 0061C35778
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(396003)(136003)(366004)(39860400002)(376002)(346002)(189003)(199004)(25786009)(606006)(6486002)(478600001)(6116002)(4744005)(5660300002)(33656002)(446003)(6436002)(68736007)(8936002)(46003)(186003)(316002)(86362001)(229853002)(14454004)(476003)(486006)(11346002)(2906002)(2616005)(8676002)(82746002)(110136005)(81166006)(81156014)(58126008)(36756003)(6506007)(71200400001)(71190400001)(76176011)(83716004)(53546011)(102836004)(99286004)(6246003)(66446008)(64756008)(66556008)(66476007)(73956011)(66946007)(76116006)(6306002)(54896002)(6512007)(53936002)(2501003)(236005)(256004)(3480700005)(91956017)(7736002); DIR:OUT; SFP:1102; SCL:1; SRVR:DM5PR15MB1388; H:DM5PR15MB1179.namprd15.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; MX:1; A:1;
received-spf: None (protection.outlook.com: fb.com does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam-message-info: 8zAGDeolYw6YTd5OHlzxQQrm72RpehLNvT4tmsSAUZJcdoZZsfXRB/6OjrH2PoqnNhvb2dWGT+fvMOo/yj75rsIVx985PZsgO2zdFRRACOajlDUsHFLyxps4DkvGqUvxn1VAGX8uwdkQX2olOOPH1LmRMOnybA3D1G0AH+tLrDagZcbgLDwSjtxIgAUk4ZhtzAOS6L02R0mBz16ykb7KT5p0l9of47hbkJNRTcj8FxwVMgrQ1TJZ1GeR8T4J+Jnw6q5xENMynuLh4Ra2B3HKxFsWrwlL5NxzTMqhXbT0z+w6JhJy25YNrIT0vX2aagjEh/s4KY6SL4XCst30T4aOkZFSt904xHj6unGpFL+c24eTQNaxb3POuO5PvcrBm5Wsm3Jfxf5UaJWDDvCBDBubxnz5cVFQNFuwciC9GjJUyKY=
Content-Type: multipart/alternative; boundary="_000_39BCBB46D35D44F79069A49BD8CA0C98fbcom_"
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-Network-Message-Id: b683e4f1-5428-4d4f-962d-08d6eb62fd25
X-MS-Exchange-CrossTenant-originalarrivaltime: 07 Jun 2019 16:12:50.3773 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 8ae927fe-1255-47a7-a2af-5f3a069daaa2
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: afrind@fb.com
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DM5PR15MB1388
X-OriginatorOrg: fb.com
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:, , definitions=2019-06-07_08:, , signatures=0
X-Proofpoint-Spam-Details: rule=fb_default_notspam policy=fb_default score=0 priorityscore=1501 malwarescore=0 suspectscore=0 phishscore=0 bulkscore=0 spamscore=0 clxscore=1011 lowpriorityscore=0 mlxscore=0 impostorscore=0 mlxlogscore=995 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1810050000 definitions=main-1906070109
X-FB-Internal: deliver
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic/0Zn1N1si-O9dNNz8pJJh1nmBnSA>
X-BeenThere: quic@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Main mailing list of the IETF QUIC working group <quic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic>, <mailto:quic-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic/>
List-Post: <mailto:quic@ietf.org>
List-Help: <mailto:quic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic>, <mailto:quic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 07 Jun 2019 16:13:02 -0000
It should be as safe for QPACK as it is for HPACK. Since HTTP/2 went out of the way to mention it in the draft, I suppose HTTP/3 should also? -Alan From: QUIC <quic-bounces@ietf.org> on behalf of Bence Béky <bnc=40google.com@dmarc.ietf.org> Date: Thursday, June 6, 2019 at 4:57 PM To: "quic@ietf.org" <quic@ietf.org> Subject: Cookie crumbling in QPACK? Hi, RFC7540<https://urldefense.proofpoint.com/v2/url?u=https-3A__httpwg.org_specs_rfc7540.html-23CompressCookie&d=DwMFaQ&c=5VD0RTtNlTh3ycd41b3MUw&r=1ITKsZAeDaw65eyQcdVGcw&m=urPLloJAs-KXlLX8dfjH8UwbzK-aPMcWZC2SWGscpbY&s=l54Q2U8p8mQyKAfrOs5tmZK6-70aqMkAQmJgrxMrJKM&e=> allows crumbling cookies for compression efficiency with HPACK. However, neither quic-http<https://urldefense.proofpoint.com/v2/url?u=https-3A__quicwg.org_base-2Ddrafts_draft-2Dietf-2Dquic-2Dhttp.html&d=DwMFaQ&c=5VD0RTtNlTh3ycd41b3MUw&r=1ITKsZAeDaw65eyQcdVGcw&m=urPLloJAs-KXlLX8dfjH8UwbzK-aPMcWZC2SWGscpbY&s=_ZUe_ehassD_ZSCA3Z3mkNH6UHQt7PuDXY5i4zDPj7Q&e=> nor quic-qpack<https://urldefense.proofpoint.com/v2/url?u=https-3A__quicwg.org_base-2Ddrafts_draft-2Dietf-2Dquic-2Dqpack.html&d=DwMFaQ&c=5VD0RTtNlTh3ycd41b3MUw&r=1ITKsZAeDaw65eyQcdVGcw&m=urPLloJAs-KXlLX8dfjH8UwbzK-aPMcWZC2SWGscpbY&s=GBguobzHDuTB5rp_Zs4BOZ7ZjKmvS81rA1hL_5teOfA&e=> drafts mention cookies or crumbling. Is it considered safe for a QPACK implementation to crumble cookies before compression and concatenate them after decompression? If so, should the draft include clarification on this? Thanks, Bence
- Cookie crumbling in QPACK? Bence Béky
- Re: Cookie crumbling in QPACK? Alan Frindell
- Re: Cookie crumbling in QPACK? Ryan Hamilton
- Re: Cookie crumbling in QPACK? Roberto Peon
- RE: Cookie crumbling in QPACK? Mike Bishop