Version negotiation: the bare minimum?
Watson Ladd <watsonbladd@gmail.com> Wed, 10 March 2021 21:55 UTC
Return-Path: <watsonbladd@gmail.com>
X-Original-To: quic@ietfa.amsl.com
Delivered-To: quic@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C9B933A1936 for <quic@ietfa.amsl.com>; Wed, 10 Mar 2021 13:55:16 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mu4PyOInxvhY for <quic@ietfa.amsl.com>; Wed, 10 Mar 2021 13:55:15 -0800 (PST)
Received: from mail-ed1-x532.google.com (mail-ed1-x532.google.com [IPv6:2a00:1450:4864:20::532]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8754E3A1935 for <quic@ietf.org>; Wed, 10 Mar 2021 13:55:15 -0800 (PST)
Received: by mail-ed1-x532.google.com with SMTP id p1so76877edy.2 for <quic@ietf.org>; Wed, 10 Mar 2021 13:55:15 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:from:date:message-id:subject:to; bh=WCZnltzqMvQcX9c7Sl7hcfhNAh3lQlOteBILM+41n8g=; b=p6xsV4nw8Klxh231TJ7hcr8MJYp6ciaULu7bgrTMZ+uZ4F7TOL4VeCldRQA73qAQYa GjL29at3/W6BHPw+UTXbLhkzJu+6S88YOi+DjEMtc4SAJ2zL806brkDVeGmEBYQbsIKf zVA9Rg1MBodQ41hYmuSoaX5jijNsBRlUPvqFIxLBZ8F9VpwdxWaHnTbm3xElXiv8UNDf yZ2k03lPsOnH/U5QZOPjAhuZb/GIb9LxT5MNDZ1DBaKQRhEdmP1t5GsXRuiIgJlMCpSD RlaVodT2o/Bfc4fgJb5+jvOOE12FVR4Sts/f3jGWB0DfFlVNflRQohY32ixLKzmPcAoh T1oA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:from:date:message-id:subject:to; bh=WCZnltzqMvQcX9c7Sl7hcfhNAh3lQlOteBILM+41n8g=; b=Lwa8ruAQ3B0fg1k7mo1q6RMmss4lb8UTzWUQdPPOZzB1jfbzlGLbI/kU9FjpGQDPyR T2MPr9yQFKyM0b+RXLH2wmv02zDwL9H1Wj8ULy09q1db2xXDvu7NP4DehrJj0KArmRQd ZxqGoeRSqjNGdjW+fq2hBBOp7D8+ttRfkaX060cmXqedIJ1+VxDLH7CmaTejdeU9nmtz NMlblMBzbbvgSE8gRhKZx6EaR1C7e03ZuIUxDlu9H9L4lFelc1Psg05NGgkBK0xah96R 0yhDIK0pDdeGbUHDeMxBeqqrNCnv4nFbWLAfERUCbArqJ2GsOQD96d2KMaAZIr7hxXhh Fy0Q==
X-Gm-Message-State: AOAM532mDplYDydqJ+DINUYgdMGVyegBIO6SQM6YJIAZpdEbKNs9X4g4 iKusgznlI+CtCbMmcddtClRB7qslk4EhnAQJEHQ0HdqDUjM=
X-Google-Smtp-Source: ABdhPJy6++K1yVsjeHF7EMU4gkzQhBY1UGYctud8h5N7kG0HRvDt/bKGcBzEf398TsJAG/NTJl+MApDhLS+bMjMRuYI=
X-Received: by 2002:a05:6402:1115:: with SMTP id u21mr5453838edv.383.1615413308377; Wed, 10 Mar 2021 13:55:08 -0800 (PST)
MIME-Version: 1.0
From: Watson Ladd <watsonbladd@gmail.com>
Date: Wed, 10 Mar 2021 13:54:57 -0800
Message-ID: <CACsn0cm-vWCZEeA+kh-BUF0M0ZhM_ev6R-9DYZgWQCA-byHofQ@mail.gmail.com>
Subject: Version negotiation: the bare minimum?
To: IETF QUIC WG <quic@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic/3xuaYLxF9ponLMntPJSt4j3LXfY>
X-BeenThere: quic@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Main mailing list of the IETF QUIC working group <quic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic>, <mailto:quic-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic/>
List-Post: <mailto:quic@ietf.org>
List-Help: <mailto:quic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic>, <mailto:quic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 10 Mar 2021 21:55:17 -0000
Dear WG, I'd like to proffer the world's simplest version negotiation scheme, based on comments heard during the meeting today from a number of people. The following weak assumptions are made: the client has a set of versions. The server has a partial ordering on versions: this means that versions are not necessarily preferred over each other (consider experiments where we will do what the client offers first), but the relation is transitive. Then the server selection is a function of the client offered version and supported set. The client transmits its supported versions and a proffered hello version in the first packet. The server selects. If that selection is incompatible they try again with the new selected version transmitted in VN. If it is compatible, the server selects and proceeds. The constraint on the handshake is that the supported versions and offered version and server selection are incorporated on the handshake in such a way that a mismatch triggers failure, and no two different versions can derive the same keys. If we assume that e.g. SHA256 is unbroken this is easy to get. This only permits a downgrade to a version the server was willing to prefer. Sincerely, Watson Ladd
- Version negotiation: the bare minimum? Watson Ladd
- Re: Version negotiation: the bare minimum? David Schinazi
- Re: Version negotiation: the bare minimum? Christian Huitema
- Re: Version negotiation: the bare minimum? David Schinazi
- Re: Version negotiation: the bare minimum? Lucas Pardue
- Re: Version negotiation: the bare minimum? Watson Ladd
- Re: Version negotiation: the bare minimum? Christian Huitema
- Re: Version negotiation: the bare minimum? David Schinazi
- Do we need compatible version negotiation at all?… Kazuho Oku
- Re: Do we need compatible version negotiation at … David Schinazi
- Re: Do we need compatible version negotiation at … Christian Huitema
- Re: Do we need compatible version negotiation at … David Schinazi
- Re: Do we need compatible version negotiation at … Kazuho Oku