IETF Logo Mail Archive

Version negotiation: the bare minimum?

Watson Ladd <watsonbladd@gmail.com> Wed, 10 March 2021 21:55 UTC

Return-Path: <watsonbladd@gmail.com>
X-Original-To: quic@ietfa.amsl.com
Delivered-To: quic@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C9B933A1936 for <quic@ietfa.amsl.com>; Wed, 10 Mar 2021 13:55:16 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mu4PyOInxvhY for <quic@ietfa.amsl.com>; Wed, 10 Mar 2021 13:55:15 -0800 (PST)
Received: from mail-ed1-x532.google.com (mail-ed1-x532.google.com [IPv6:2a00:1450:4864:20::532]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8754E3A1935 for <quic@ietf.org>; Wed, 10 Mar 2021 13:55:15 -0800 (PST)
Received: by mail-ed1-x532.google.com with SMTP id p1so76877edy.2 for <quic@ietf.org>; Wed, 10 Mar 2021 13:55:15 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:from:date:message-id:subject:to; bh=WCZnltzqMvQcX9c7Sl7hcfhNAh3lQlOteBILM+41n8g=; b=p6xsV4nw8Klxh231TJ7hcr8MJYp6ciaULu7bgrTMZ+uZ4F7TOL4VeCldRQA73qAQYa GjL29at3/W6BHPw+UTXbLhkzJu+6S88YOi+DjEMtc4SAJ2zL806brkDVeGmEBYQbsIKf zVA9Rg1MBodQ41hYmuSoaX5jijNsBRlUPvqFIxLBZ8F9VpwdxWaHnTbm3xElXiv8UNDf yZ2k03lPsOnH/U5QZOPjAhuZb/GIb9LxT5MNDZ1DBaKQRhEdmP1t5GsXRuiIgJlMCpSD RlaVodT2o/Bfc4fgJb5+jvOOE12FVR4Sts/f3jGWB0DfFlVNflRQohY32ixLKzmPcAoh T1oA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:from:date:message-id:subject:to; bh=WCZnltzqMvQcX9c7Sl7hcfhNAh3lQlOteBILM+41n8g=; b=Lwa8ruAQ3B0fg1k7mo1q6RMmss4lb8UTzWUQdPPOZzB1jfbzlGLbI/kU9FjpGQDPyR T2MPr9yQFKyM0b+RXLH2wmv02zDwL9H1Wj8ULy09q1db2xXDvu7NP4DehrJj0KArmRQd ZxqGoeRSqjNGdjW+fq2hBBOp7D8+ttRfkaX060cmXqedIJ1+VxDLH7CmaTejdeU9nmtz NMlblMBzbbvgSE8gRhKZx6EaR1C7e03ZuIUxDlu9H9L4lFelc1Psg05NGgkBK0xah96R 0yhDIK0pDdeGbUHDeMxBeqqrNCnv4nFbWLAfERUCbArqJ2GsOQD96d2KMaAZIr7hxXhh Fy0Q==
X-Gm-Message-State: AOAM532mDplYDydqJ+DINUYgdMGVyegBIO6SQM6YJIAZpdEbKNs9X4g4 iKusgznlI+CtCbMmcddtClRB7qslk4EhnAQJEHQ0HdqDUjM=
X-Google-Smtp-Source: ABdhPJy6++K1yVsjeHF7EMU4gkzQhBY1UGYctud8h5N7kG0HRvDt/bKGcBzEf398TsJAG/NTJl+MApDhLS+bMjMRuYI=
X-Received: by 2002:a05:6402:1115:: with SMTP id u21mr5453838edv.383.1615413308377; Wed, 10 Mar 2021 13:55:08 -0800 (PST)
MIME-Version: 1.0
From: Watson Ladd <watsonbladd@gmail.com>
Date: Wed, 10 Mar 2021 13:54:57 -0800
Message-ID: <CACsn0cm-vWCZEeA+kh-BUF0M0ZhM_ev6R-9DYZgWQCA-byHofQ@mail.gmail.com>
Subject: Version negotiation: the bare minimum?
To: IETF QUIC WG <quic@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic/3xuaYLxF9ponLMntPJSt4j3LXfY>
X-BeenThere: quic@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Main mailing list of the IETF QUIC working group <quic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic>, <mailto:quic-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic/>
List-Post: <mailto:quic@ietf.org>
List-Help: <mailto:quic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic>, <mailto:quic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 10 Mar 2021 21:55:17 -0000

Dear WG,

I'd like to proffer the world's simplest version negotiation scheme,
based on comments heard during the meeting today from a number of
people.

The following weak assumptions are made: the client has a set of
versions. The server has a partial ordering on versions: this means
that versions are not necessarily preferred over each other (consider
experiments where we will do what the client offers first), but the
relation is transitive. Then the server selection is a function of the
client offered version and supported set.

The client transmits its supported versions and a proffered hello
version in the first packet. The server selects. If that selection is
incompatible they try again with the new selected version transmitted
in VN. If it is compatible, the server selects and proceeds.

The constraint on the handshake is that the supported versions and
offered version and server selection are incorporated on the handshake
in such a way that a mismatch triggers failure, and no two different
versions can derive the same keys. If we assume that e.g. SHA256 is
unbroken this is easy to get.

This only permits a downgrade to a version the server was willing to prefer.

Sincerely,
Watson Ladd

v2.23.0 | Report a Bug | By Email