Re: Exercising Version Negotiation
Eric Rescorla <ekr@rtfm.com> Fri, 23 March 2018 08:48 UTC
Return-Path: <ekr@rtfm.com>
X-Original-To: quic@ietfa.amsl.com
Delivered-To: quic@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 82CE412D77E for <quic@ietfa.amsl.com>; Fri, 23 Mar 2018 01:48:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.598
X-Spam-Level:
X-Spam-Status: No, score=-2.598 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7l0dF1y9qehp for <quic@ietfa.amsl.com>; Fri, 23 Mar 2018 01:48:45 -0700 (PDT)
Received: from mail-oi0-x235.google.com (mail-oi0-x235.google.com [IPv6:2607:f8b0:4003:c06::235]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DD6EA12D0C3 for <quic@ietf.org>; Fri, 23 Mar 2018 01:48:44 -0700 (PDT)
Received: by mail-oi0-x235.google.com with SMTP id u84-v6so460721oie.10 for <quic@ietf.org>; Fri, 23 Mar 2018 01:48:44 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=PMS6xsbt7oq5SYyj9MkO0Da2nG1hhutdHFRK2pgshT8=; b=0SNXkBY8zp9ZavDiwzPOksXJ8Sn66woIDkaWfLz3d3Na12DDkTTDwDyWEn3sEaXREC x8DBSUgHzpDvth4M4f4YG7M8tgqny7hSp+cwD3rFI4l6K0lIB6Kv5Hix37po1IbYUH6h oygpcdx5WeR3JXbkl8s9eakMujVp9uyhem6QkdjWDfspWTJbQUBzt2Abi+Aj/vxnISpG brf/MI4Fz32Dk17CjNejP3Ol6kbWX9cMKF0/3iKIyJ2oX3gAbKog7n3M/huf+TrVH3Mc gzhf73HKPSISUoZhnHnoxbldazGZzpmLbEv5eAIki+32uPPyzXh8ORVrzor/N9sSKxBM Vu6A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=PMS6xsbt7oq5SYyj9MkO0Da2nG1hhutdHFRK2pgshT8=; b=oGjwWeik/qukUnPFD4jT0MVx0e8OB1oO1YH8uGQazKme9etNSqPIr/kHYY8gvOv4xD cU4ueBz9YGV5oKayBgKum+zHcNMJr5eB9niEfNrEGAkhJzlVnnvmgvpzxaBn/jfKtmkD uuvEbTgSeCxZGOGAmwwWeMhF7WOtdA/UEQeF/xFHWWtiqMVcgEB2ikIoyej+BHXqfLFN vT13GUixUqa4uGd2Fa8mRxVDGwC2O5uvo/TfFWAkQ/6QQDKJNOvt6+twyEPOBHTNm/Hl jkH31KLxrRd0zNByYFxV9HDLCWpwficlZsgrXYQBWYwmTOah6u7qT8v0AnsRWINdeUKh mFxQ==
X-Gm-Message-State: AElRT7GCRW2fUKSiWbUqO4IChgihD0LrGfbRZsTvf3QpPjJrnXmDp7Rg +TeIGPbb3ZWeqLI3aL4edjAMjb+clkDrZJWUEsoNcg==
X-Google-Smtp-Source: AG47ELuHQ/CnTLIhg1bYYWDts/E9UlkZJwumEQA2qHtsJ/9qZsn9l/Eg74AeKJGdk32lzX5LuIoDKwS1qOPrwoufoAc=
X-Received: by 10.202.204.83 with SMTP id c80mr3192677oig.174.1521794924100; Fri, 23 Mar 2018 01:48:44 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.201.23.21 with HTTP; Fri, 23 Mar 2018 01:48:03 -0700 (PDT)
In-Reply-To: <CAJ_4DfQxcxNGNP9CW3poPqnFgUsrNy269dO2Lf0dvWBFKKsSHg@mail.gmail.com>
References: <CABcZeBMv5BqZOtgVA2wfqaaGCd94gcNPB9bTXkrvNXXRveU8wA@mail.gmail.com> <CAJ_4DfQ6zqVeUUF7XcoT110kVcP1BJFEtqVR-+FN5XD2UuRMMA@mail.gmail.com> <CABcZeBMVNy151rFntLutSPtctPsd2Ei3Qy-ChuEXVMVpz4pgdQ@mail.gmail.com> <SN1PR08MB1854DD71FDCB9FBA48DD26E9DAA90@SN1PR08MB1854.namprd08.prod.outlook.com> <CAJ_4DfQxcxNGNP9CW3poPqnFgUsrNy269dO2Lf0dvWBFKKsSHg@mail.gmail.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Fri, 23 Mar 2018 08:48:03 +0000
Message-ID: <CABcZeBNfw6MjjgeqQct11g6Kf=4xy+zVZiBRMwwzhtKB2rWHZg@mail.gmail.com>
Subject: Re: Exercising Version Negotiation
To: Ryan Hamilton <rch@google.com>
Cc: Mike Bishop <mbishop@evequefou.be>, IETF QUIC WG <quic@ietf.org>
Content-Type: multipart/alternative; boundary="001a113532acdf4fb40568107dbe"
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic/1S57LXjQOgcD3s4j2rtTEKvBffI>
X-BeenThere: quic@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Main mailing list of the IETF QUIC working group <quic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic>, <mailto:quic-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic/>
List-Post: <mailto:quic@ietf.org>
List-Help: <mailto:quic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic>, <mailto:quic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 23 Mar 2018 08:48:49 -0000
On Thu, Mar 22, 2018 at 8:53 PM, Ryan Hamilton <rch@google.com> wrote: > Agreed. As specified, I don't see how the server would be induced to send > a version negotiation packet in this case. Ekr, perhaps you can provide > some sample flows. If the server supports versions A and B, and the client > supports versions A and B, then it doesn't matter which version the client > prefers. In either case, the server supports the version the client is > attempting to speak and will not send a version negotiation packet. > I'm not suggesting that you flip the preferences, but rather that the each side configure itself with one version for a given connection. This is obviously trivial for a client. For the server, you can just hash the client's IP address to get a stable choice. -Ekr Further, it's complicated for the server to (some fraction of the time) > send a VN packet in response to a connection attempt that uses a version > the server actually does support. It will, obviously, need to exclude this > version from the VN packet it sends to the client. That's easy. But it also > needs to ensure that the list of QUIC versions it provides in the > subsequent TLS handshake matches this version list. This, I suspect, is > more complicated as version negotiation is typically stateless. > > On Thu, Mar 22, 2018 at 8:46 AM, Mike Bishop <mbishop@evequefou.be> wrote: > >> Technically, no, it wouldn’t. Servers accept if they’re capable/willing >> to speak the version the client selected, so a server that supports both >> would always accept no matter what the client chooses. You’d need the >> server to be contrarian a small percentage of the time instead. >> >> >> >> *From:* QUIC <quic-bounces@ietf.org> *On Behalf Of * Eric Rescorla >> *Sent:* Thursday, March 22, 2018 2:26 PM >> *To:* Ryan Hamilton <rch@google.com> >> *Cc:* IETF QUIC WG <quic@ietf.org> >> *Subject:* Re: Exercising Version Negotiation >> >> >> >> It would exercise the former. >> >> >> >> -Ekr >> >> >> >> >> >> On Thu, Mar 22, 2018 at 2:10 PM, Ryan Hamilton <rch@google.com> wrote: >> >> When you say Version Negotiation, do you mean the process of sending an >> receiving a version negotiation packet, or simply the act of speaking two >> different versions? Your proposal seems to be the latter but I don't think >> I follow how it would exercise the former, though maybe that's intentional? >> >> >> >> On Thu, Mar 22, 2018 at 5:03 AM, Eric Rescorla <ekr@rtfm.com> wrote: >> >> Following up on the discussion at the mic, I do think it is useful to >> exercise the VN function, but I don't think it's useful to have those >> versions be different, because that creates perverse incentives. >> >> >> >> Here's what I suggest instead: create two versions (we can call them QUIC >> v1+i and QUIC v1-i), each with its own code point [0]. They should be >> essentially identical except for two trivial differences, intended to >> ensure that if you screw up version negotiation, you get failed interop. >> >> >> >> - The constant in the handshake salt (5.2.2) >> >> - The HKDF expansion constants >> >> >> >> I suggest we handle each of these by just inverting the bits. >> >> >> >> We would then suggest to people that they somewhat randomize their >> preferences (e.g., 99% of the time prefer v1+i, 1% of the time prefer >> v1-i). This will almost always result in matching versions, but will >> occasionally result in a mismatch, thus forcing us to test VN. >> >> >> >> -Ekr >> >> >> >> [0] Obviously we can do this for draft versions. We just say that the two >> versions are >> >> ff0000XX and ffffffXX. >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> > >
- Exercising Version Negotiation Eric Rescorla
- Re: Exercising Version Negotiation Ryan Hamilton
- Re: Exercising Version Negotiation Eric Rescorla
- RE: Exercising Version Negotiation Mike Bishop
- Re: Exercising Version Negotiation Spencer Dawkins at IETF
- Re: Exercising Version Negotiation Roberto Peon
- Re: Exercising Version Negotiation Eric Rescorla
- Re: Exercising Version Negotiation Subodh Iyengar
- Re: Exercising Version Negotiation Subodh Iyengar
- Re: Exercising Version Negotiation Subodh Iyengar
- Re: Exercising Version Negotiation Ian Swett
- Re: Exercising Version Negotiation Subodh Iyengar
- RE: Exercising Version Negotiation Lubashev, Igor
- Re: Exercising Version Negotiation Ryan Hamilton
- Re: Exercising Version Negotiation Ryan Hamilton
- RE: Exercising Version Negotiation Lubashev, Igor
- Re: Exercising Version Negotiation Eric Rescorla
- Re: Exercising Version Negotiation Ryan Hamilton
- Re: Exercising Version Negotiation Roberto Peon
- Re: Exercising Version Negotiation Ryan Hamilton
- Re: Exercising Version Negotiation Roberto Peon
- Re: Exercising Version Negotiation Christian Huitema
- RE: Exercising Version Negotiation Mike Bishop
- Re: Exercising Version Negotiation Ryan Hamilton
- Re: Exercising Version Negotiation Roberto Peon
- Re: Exercising Version Negotiation Roberto Peon
- Re: Exercising Version Negotiation Ryan Hamilton
- Re: Exercising Version Negotiation Ted Hardie
- Re: Exercising Version Negotiation Roberto Peon
- Re: Exercising Version Negotiation Ryan Hamilton
- Re: Exercising Version Negotiation Roberto Peon
- Re: Exercising Version Negotiation Philipp S. Tiesel
- Re: Exercising Version Negotiation Christian Huitema