Re: Higher layer comments on stream 0 proposal, WG schedule, and gQUIC

[Patrick McManus <pmcmanus@mozilla.com>]

Schedule needs to be part of this conversation - it certainly was within
the design team. But its not the initial (or solely determinative)
question, in my mind.

At the end of the DT process the group had consensus that it was more
important to get it right with reasonable cost instead of constraining
ourselves to near zero cost. The output reflects that.

In particular the proposal does a nice job of sorting out the issues of
encryption level (which is a terrible problem with stream 0 and the
associated acks) while still maintaining a unified reliability layer.
That's a pretty neat trick and a tough circle to square.

There was a bit of a personal journey on this as well for me (it may have
helped to have internalized an entire potential shift to DTLS first before
settling on this much more modest approach). I would encourage you to get
comfortable with the details, and lets all have a discussion of the merits
instead of jumping ahead to the cost benefit discussion (I'm not suggesting
eliding that discussion entirely - shipping is a feature, and we should
balance all the features as we've done in the past.). As the details start
to come together it actually feels less ambitious - just a reasonable
ordering of things really that solves a number of very practical issues
we've shown during our running code exercises. It just looks at the
boundaries between security/application/transport in a novel way.. which is
just a synonym for the QUIC WG :)

That's my experience anyhow.

Personally, I've been reassured that the owners of a number of TLS stacks
embraced this approach so eagerly, as a significant amount of the burden
falls on them. There will, as always, be laggards and trailblazers on that
front.. as long as there are existence proofs that it can be done
reasonably I wouldn't let the competitive details of which libraries are at
what stage tell us too much about what is right for the protocol we're
building.

-P



On Wed, May 23, 2018 at 4:16 PM, Ted Hardie <ted.ietf@gmail.com> wrote:

> The charter for the working group currently says:
>
> This work will describe how the protocol uses TLS 1.3 for key negotiation
> and will also describe how those keys are used to provide confidentiality
> and integrity protection of both application data and QUIC headers.
>
> It's easy to read that as saying the work should be constrained to use TLS
> 1..3 as provided.  If we read it that way, the design team proposal is
> strictly speaking out of charter, because it requires the creation of not
> just new APIs for TLS 1.3 but essentially a new formal analysis that the
> security guarantees work when there is no record layer and where the
> replacement has somewhat different facilities.
>
> But the charter also says
>
> Note that consensus is required both for changes to the current
> protocol mechanisms and retention of current mechanisms. In particular,
> because something is in the initial document set does not imply that
> there is consensus around the feature or around how it is specified.
>
> That argues that the community was willing to see serious change in
> adopting this work and that this work falls within the kind of change that
> was contemplated, even if happens to be across working groups.  Personally,
> I think that means the design should be considered.
>
> But I have grave concerns about the implications.  My back of the envelope
> calculation is that this means at least one more cycle of specification and
> interop will be required before we get back to where we are with draft -11,
> and that estimate is because I'm in a hopeful mood that Sean and Eric can
> move the required work in TLS along.  A more practical Ted would see this
> as adding at minimum 6 months to the schedule.  The changes in TLS are also
> large enough that I expect that the deployment time to see significant
> penetration of the new libraries to be longer than it would be for the
> previous design.   Call it 9 months, with 3 months of error bar.
>
> During that time, the penetration of gQUIC outside Google does not seem
> likely to slow.  If you want what QUIC has to offer now, you will take the
> already available code and go.  For Web usages, there are some down sides
> to that, and it may slow the eventual deployment of IETF QUIC.
>
> But there are also down sides to all of the other protocols that would
> like to use QUIC but have been told to wait for the completion of this
> effort.  We're likely to see DNS over HTTPS over QUIC instead of DNS over
> QUIC, simply because the DOH transport docs will be done.  There are some
> advantages there, but also disadvantages in enmeshing the HTTP and DNS
> caching semantics.    There are also a number of groups who want to use
> QUIC as a replacement for the WebRTC data channel (and some as the
> substrate for media).  This additional delay will certainly cause some code
> to be written that will either need extensive change or will bit rot (or
> fork).  None of that is without costs, especially opportunity costs.
>
> If the working group does decide to adopt this design, I believe part of
> the milestone adjustment must be a serious consideration of delaying the
> qpack and HTTP-specific work while the core transport is finished.  The
> good news, I think this design could end up making the document separation
> that requires much cleaner, as well as making how to use QUIC with other
> application protocols much more obvious.
>
> My thanks again for doing the work of bringing the design forward,
>
> Ted
>
>
>