IETF Logo Mail Archive

Re: Authentication in draft-kuhn-quic-bdpframe-extension

Lucas Pardue <lucaspardue.24.7@gmail.com> Fri, 03 November 2023 15:45 UTC

Return-Path: <lucaspardue.24.7@gmail.com>
X-Original-To: quic@ietfa.amsl.com
Delivered-To: quic@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 31861C187709 for <quic@ietfa.amsl.com>; Fri, 3 Nov 2023 08:45:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.854
X-Spam-Level:
X-Spam-Status: No, score=-1.854 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Wxce-8PKz3nv for <quic@ietfa.amsl.com>; Fri, 3 Nov 2023 08:45:10 -0700 (PDT)
Received: from mail-oa1-x2c.google.com (mail-oa1-x2c.google.com [IPv6:2001:4860:4864:20::2c]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2C6B5C137380 for <quic@ietf.org>; Fri, 3 Nov 2023 08:45:10 -0700 (PDT)
Received: by mail-oa1-x2c.google.com with SMTP id 586e51a60fabf-1ef36a04931so1218627fac.2 for <quic@ietf.org>; Fri, 03 Nov 2023 08:45:10 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1699026309; x=1699631109; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=4cZX6rK9NhcbgoKnwK2QfLMbgbW+4UUO5EyUK3KKDC0=; b=nexOFXztwPbyW/y3xYUNR1tcUb+kRIT1EsLw4qrpj2FL0IFoFlC6XABtxGLkAOr+FW DZT5jXuVoEie/ikthFUKRzDW30ZU5QvS2FhwRlj7RnA9CsEq4woD4Ku5aU7XkcXoBM9a di1nFMd2zcpZ9m//5OeyRX149JSTPC0IMjPPCv591jiP8L5k6EqTF31doXPmRsRLkmGV vqa/bfrUGsoAAzoa02LtdlAs3R3eti6GNW8LAbiO7WTXPHlSKPYA8idIABxeIAEhzxIV yiB3o2uFSBcIvizQt+KW3BAmBb0MtC4Kb3YOIjbJ3FihhCi1I83qZcp7WelIj/ESg/Uc 9Dyw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1699026309; x=1699631109; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=4cZX6rK9NhcbgoKnwK2QfLMbgbW+4UUO5EyUK3KKDC0=; b=v/sgLqFWlmPdY6Si041BK7gFJex+5ycW4ryZGcLzq0JwJUzQgYMyM73h1Bs/ui+F9Z tzZesmJJjskzGdm4kTy8Zi9Hy+Vg+ZO2IwHeCUl7FZuqCVUHPT1WSSZWIJQbYIW7h7DT mNE14TCLKMpS40Y44B9UH2GmQ7R30fT1q61jLnecMMGf5L0MglNPY79YXKMrxPX7EESE oZCA0wtY5QCQTcUiMXJuCyy+PUCvPtDTRpC5jRftk4Z+auN4QabdYfNCTdpUjDxJIwUm WR6haKZZl3qpEpr7YSCCgvJ+3c2BVNyVU0qaXGEa5hKFmcmjA5wpD+kv9WnIsenvP73Z o0wQ==
X-Gm-Message-State: AOJu0YwJnJINFUBIDz2YraC12pwhabEb04lZJrvqyFxxPCS5L2eivB81 NnvODL8T1V6Uqw8ugeAMOUGQbXPhb3jAQ/7HK5ush5TtbPE=
X-Google-Smtp-Source: AGHT+IGxkpahj1GgoHdJfB+Bn9+huV2bVP2nxnMjhe2H8HQm+1jo4VEp1yvEp/hgjkzAmYBd5bmfy6FApGQDz01hKzw=
X-Received: by 2002:a05:6870:815:b0:1e9:9c39:a580 with SMTP id fw21-20020a056870081500b001e99c39a580mr25934637oab.7.1699026309165; Fri, 03 Nov 2023 08:45:09 -0700 (PDT)
MIME-Version: 1.0
References: <CAMEWqGsGCEhC97Yt-r9YBwGCPxH6+OGj7GfTmomMDJBD6S_ZBQ@mail.gmail.com> <a7d79746-59b3-4dd5-ad74-2810ac685ec5@erg.abdn.ac.uk>
In-Reply-To: <a7d79746-59b3-4dd5-ad74-2810ac685ec5@erg.abdn.ac.uk>
From: Lucas Pardue <lucaspardue.24.7@gmail.com>
Date: Fri, 03 Nov 2023 15:44:57 +0000
Message-ID: <CALGR9oZRReig2_dEsbtx+ODKoaZTkKp6C5gcQZVPd_gnnWbX1Q@mail.gmail.com>
Subject: Re: Authentication in draft-kuhn-quic-bdpframe-extension
To: Gorry Fairhurst <gorry@erg.abdn.ac.uk>
Cc: Q Misell <q=40as207960.net@dmarc.ietf.org>, quic@ietf.org
Content-Type: multipart/alternative; boundary="0000000000009f36a6060941636f"
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic/1Fhl4sK8Bb3lSH-LSEs_v03KX8E>
X-BeenThere: quic@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Main mailing list of the IETF QUIC working group <quic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic>, <mailto:quic-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic/>
List-Post: <mailto:quic@ietf.org>
List-Help: <mailto:quic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic>, <mailto:quic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 03 Nov 2023 15:45:15 -0000

Hi folks,

I'm still trying to come up to speed on this spec. But when I've thought
about it a little, its seemed very natural to associate the BDP frame
(contents) with the TLS session. We already have a lot of text about TLS
session resumption in QUIC. It feels like there is already a template
design with HTTP/3 - a server sends SETTINGS to tell a client something
unique about the active QUIC connection. RFC 9114 section 7.2.4.2 [1]states

> When a 0-RTT QUIC connection is being used, the initial value of each
server setting is the value used in the previous session. Clients SHOULD store
the settings the server provided in the HTTP/3 connection where resumption
information was provided, but they MAY opt not to store settings in certain
cases (e.g., if the session ticket is received before the SETTINGS frame).
A client MUST comply with stored settings -- or default values if no values
are stored -- when attempting 0-RTT. Once a server has provided new
settings, clients MUST comply with those values.¶
<https://www.rfc-editor.org/rfc/rfc9114.html#section-7.2.4.2-6>

So with a bit of massaging, if we can link BDP frame to session resumption.
we know that it is based on a previous trust relationship.

Is there any scenario where BDP frame would want to be used without TLS
resumption?

Cheers
Lucas

[1] - https://www.rfc-editor.org/rfc/rfc9114.html#section-7.2.4.2-6

On Thu, Nov 2, 2023 at 6:17 PM Gorry Fairhurst <gorry@erg.abdn.ac.uk> wrote:

> On 02/11/2023 16:43, Q Misell wrote:
>
> Hi all,
>
> I've been working with Gorry (and others) on actually implementing the BDP
> frame extension, and further refining the draft based on experience from
> implementation.
>
> Q, I think I can help a little, see below, but I think there are good
> questions here.
>
>
> One thing that came up that I'd like to ask the WG's opinion on is that of
> authentication of the BDP frame, and when it should be sent in the
> exchange. I've had a few thoughts on this, it'd be great to hear what
> others think of them, or what other suggestions people might have.
>
> First, my thoughts on authentication. Do the CC parameters need to be
> authenticated at all? I would say "yes" as a client sending some
> unauthenticated CC parameters could cause a DoS of the server (or any other
> node along the path) by trying to send far too much data at once.
>
> The reason for the secure hash around the contents of the BDP Frame is to
> allow a server to know the CC params had not been modified. Of course you
> caould ask what sort of information contributes to that hash, to make the
> server confident that it can accept CC params from the client and believe
> that these have not been modifed? That could be important?
>
> Should the CC parameters be encrypted? Probably not, as a client which is
> aware of a major decrease in available capacity could compare the new link
> capacity to its stored CC parameters and decide not to send them. If
> they're encrypted the client can't inspect what CC parameters the server
> thinks the link will have.
>
> Perhaps the ID ought to be clearer. The QUIC Session is of course
> encrypted and authenticated, so, in this respect, the BDP Frame is
> protected in transit along the path using TLS.
>
> The current proposal is not to additionally encrypt the CC params *within*
> the BDP, so that a client could read these and utlise as it sees fit. This
> still needs to authenticate the entire set of params, so that the server
> could trust them.
>
> The params include an endpoint token used by a server  to represent the
> remote endpoint - we could have used the client IP source address for this
> if the client had an invariant public IP  source address. That's not so
> common with IPv6 or the use of IPv4 NAPT - so the server has to find a way
> to represent it's view of the client as the endpoint token. There could be
> possibilities to do this quite differently.
>
>
> How should they be authenticated? There are a few options I can see here,
> and I'm unsure which is best:
> (1) Authenticated with the TLS certificate
> (2) Authenticated with some other asymmetric key
> (3) Authenticated using some symmetric key known only to the server
> (4) Same as 3 but with a key identifier
>
> Options 1 and 2 allow the client to verify the authentication over the CC
> parameters, but this doesn't seem to be of much use to me. Option 1
> additionally sets a time limit on use of stored CC parameters, as the TLS
> certificate will eventually expire. This doesn't seem to me to be much of
> an issue. A new connection far into the future (say 1-2 months) would
> almost certainly have different CC parameters anyway.
>
> Option 3 seems the best to me. It would allow one key to be shared across
> an array of anycast servers, without sharing other keying material that
> might be used to protect more sensitive parts of the connection. Option 4
> additionally expands on this by allowing key rotation without immediately
> invalidating all current stored CC parameters.
>
> So, if this is about how to construct the secure hash, irt seems like an
> interesting topic to find out more, I'd agree.
>
>
> When should the BDP frame be sent? There are two places I can see BDP
> frames being useful to send:
> (1) After initial frames but before crypto frames
> (2) After crypto frames and before application data
>
> Option 1 allows for the previously calculated CC parameters to be used for
> the sometimes quite large TLS handshake, but also precludes options 1 and 2
> for authentication. Option 2 allows for greater flexibility in
> authentication, and also makes the BDP frame encrypted in transit. I'm
> unsure what the privacy implications of an unencrypted BDP frame are, so if
> anyone can come up with a reason CC data shouldn't be observable to an
> intermediary that would be greatly appreciated.
>
> :-)
>
>
> Looking forward to hearing your thoughts.
> Cheers,
> Q Misell
>
> Gorry
>
> ------------------------------
>
> Any statements contained in this email are personal to the author and are
> not necessarily the statements of the company unless specifically stated.
> AS207960 Cyfyngedig, having a registered office at 13 Pen-y-lan Terrace,
> Caerdydd, Cymru, CF23 9EU, trading as Glauca Digital, is a company
> registered in Wales under № 12417574
> <https://find-and-update.company-information.service.gov.uk/company/12417574>,
> LEI 875500FXNCJPAPF3PD10. ICO register №: ZA782876
> <https://ico.org.uk/ESDWebPages/Entry/ZA782876>. UK VAT №: GB378323867.
> EU VAT №: EU372013983. Turkish VAT №: 0861333524. South Korean VAT №:
> 522-80-03080. AS207960 Ewrop OÜ, having a registered office at Lääne-Viru
> maakond, Tapa vald, Porkuni küla, Lossi tn 1, 46001, trading as Glauca
> Digital, is a company registered in Estonia under № 16755226. Estonian VAT
> №: EE102625532. Glauca Digital and the Glauca logo are registered
> trademarks in the UK, under № UK00003718474 and № UK00003718468,
> respectively.
>
>
>

v2.23.0 | Report a Bug | By Email