Re: Stream0 Design Team Proposal

Martin Thomson <> Wed, 23 May 2018 23:51 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id E9F5912D7F1 for <>; Wed, 23 May 2018 16:51:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id uVxZeHxDvSOG for <>; Wed, 23 May 2018 16:51:29 -0700 (PDT)
Received: from ( [IPv6:2607:f8b0:4003:c0f::22c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 4D7D7127077 for <>; Wed, 23 May 2018 16:51:29 -0700 (PDT)
Received: by with SMTP id l13-v6so27294492otk.9 for <>; Wed, 23 May 2018 16:51:29 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=b3rG876BoZ3/h62mIR98Brr1zwR/yxNdd46I5Gu0d10=; b=ilVMZYgz4zmThhAsaSaepDGuElm2N+gF+evaFzDFTmfRRiH/WS6CwOoRT5NeJq0AHP Qp/e8bx41ZInoT3oF+PPmaPhOEa0ekZJPeFiTFlmDf2JiyCEdQBsInPpQAl1h+9Lz39N rwjUDtRJECKDZGMNYD6yEQjS6ZZLbOqMTxkIVQ692X1qoYqvo/XVRgvE3/+ZDxfGxgc+ MoBBWWcs4V4WUOlz1oUpWmSWccOHt2PbEFT2cgVtc98VIsdSwDNNTyepHt+YBAqofGnd 6w/42Hk+Vut83Uwn8zJ5QTIzD+i2Heyo+cQt5Kz0V8z6ej/W+/HrGOoEzHMK79cLc8QS kUAQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=b3rG876BoZ3/h62mIR98Brr1zwR/yxNdd46I5Gu0d10=; b=aVAZ73WAu/JgveVRwa04xKw8w89KVSJsAYVYIN/Ilf1MQfJG7fvZqz7J3EUybsDMYH Ap0qco6faxbNMRKGS3Y0HumY7eX5rfOmio6Lu2Wt0VJtBQEMbVNkOg6YkesFmPCZ4HN/ oJCJEqq6HgKnSrkp8rgnZdPs3EV3hO5/sBw6BnkBOUFPSYnysQSoJB+kGEAMPPT3/faI qjXxz/jxNV8eH75IO+QOhS9UdIcqtbr8boVm7SyFkkd09WCygHyeQnx8aFGiryOj4qYS +T9ni3lyGQFQKKyJmu0ee9QSL+exb/+d7nbZkq4Acjknv59U7lf2if3MnTWLe5bylYja bEIw==
X-Gm-Message-State: ALKqPweurHnPwSd8HCpFe8tJvRtBWY0J+dJIJrcul8vM8Mlnczrv/Xgz F0hcoQJCzVn9rn7hxMm87+SRj9U2i6JT8PGe4TU=
X-Google-Smtp-Source: AB8JxZr3zNg3buAx1QEIaTOv4afOdek4YXTB1DZqQJjOXgTgr0MaNyovFzpp5P+DFW9P0BxyMyxayo+9FqyxhM0wARI=
X-Received: by 2002:a9d:524d:: with SMTP id q13-v6mr3313848otg.241.1527119488429; Wed, 23 May 2018 16:51:28 -0700 (PDT)
MIME-Version: 1.0
References: <> <> <>
In-Reply-To: <>
From: Martin Thomson <>
Date: Thu, 24 May 2018 09:51:16 +1000
Message-ID: <>
Subject: Re: Stream0 Design Team Proposal
To: Jana Iyengar <>
Cc: Kazuho Oku <>,, QUIC WG <>, Ian Swett <>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <>
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Main mailing list of the IETF QUIC working group <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 23 May 2018 23:51:32 -0000

I'm not a fan of micro-optimizations like this, especially when it means
taking space we don't need.

We don't need ANY of the bits on the CRYPTO stream.  The savings for an
absent length and offset are marginal and not worth burning 8 frame types
on, and the stream never really ends.  So if we made it have a type of
0x18, then you would run it through the same code and get the same result.

On Wed, May 23, 2018 at 4:40 PM Jana Iyengar <> wrote:

> Thank you for your implementation and your report -- this is terrific and

> On your note about CRYPTO_HS frames, I think your idea is clever. Just to
ensure that I am understanding it correctly, I believe you're proposing
> 0x10 - 0x17: STREAM frame
> 0x18 - 0x1F: CRYPTO_HS frame

> We can the same frame format for CRYPTO_HS as STREAM except that
CRYPTO_HS will not have the stream ID field. This means an implementation
handling these frames can reuse the stream machinery with a small change to
parse the header bits as follows:

> if (type & 0x10)  {  // STREAM or CRYPTO_HS frame
>      if (type & 0x08) streamID = varint_consume(frame);
>      if (type & 0x04) offset = varint_consume(frame);
>      if (type & 0x02) length = varint_consume(frame);
>      if (type & 0x01) fin = 1;
>      read body if present
> }

> On Tue, May 22, 2018 at 9:57 PM, Kazuho Oku <> wrote:

>> FWIW, I am happy to tell you that I have a working PoC code for the
>> proposed approach.

>> On the QUIC side, I saw 2% (124 lines) increase in code size (more on
>> that below). On the TLS side, I also saw 2% (175 lines) increase.
>> However please look at the code size change especially on the QUIC
>> side with grain of salt, as it is just a PoC.

>> As expected, the key and encryption-level management on the QUIC side
>> became very clean. Following are some of the design decisions I made
>> as well as the outcomes:

>> * All the interaction between picotls and quicly are accompanied by
>> "epoch". Handshake messages are attributed with their epochs so that
>> they do not get protected by the wrong key, or so that octets received
>> under an incorrect encryption context cannot be misused.

>> * All the traffic keys are governed by quicly (managing some traffic
>> keys in TLS while managing PNE key in QUIC seems messy).

>> * The Initial key is setup by quicly, wheeras other traffic keys are
>> installed by picotls by calling a callback named
>> update_traffic_key_cb. The callback accepts and installs 6 keys in
>> total: for three levels (i.e. 0-RTT, handshake, 1-RTT) in two
>> directions (send-side and receive-side).

>> * Three PN spaces have their own AEAD encryption key. Initial PN and
>> Handshake PN spaces have one aead decryption key each. Application PN
>> space has up to two decryption keys: either for 0-RTT and 1-RTT or for
>> two 1-RTT keys during key update.

>> It was a pain to have a dedicated frame encoding for CRYPTO_HS, even
>> though we can reuse (and I reused) the retransmission and reassembly
>> logic of QUIC streams for the handshake flows. About a half of the
>> code size increase comes from that (the other half comes from the
>> added abstraction for having two contexts for the handshake). I would
>> prefer reusing the STREAM frame encoding for the handshake data. We
>> could possibly use a different base offset (i.e. for CRYPTO_HS frames
>> we could use 0b00011XXX, whereas the STREAM frames use 0b00010XXX), as
>> well as omitting the Stream ID field.

>> Overall, now that I have a PoC, I am more confident that the proposed
>> approach is the correct path forward. It *simplifies* the QUIC stack
>> at the same time giving us better security properties as well as
>> fixing various issues in the current design (as discussed in the
>> design doc).

>> 2018-05-23 10:30 GMT+09:00 Ian Swett <ianswett=>:
>> > Dear QUIC WG,
>> >
>> >
>> > On behalf of the Stream 0 Design Team, I am pleased to report that we
>> > consensus on a proposed approach to share with the WG. The DT's
>> > will make QUIC and TLS work closer together and incorporates ideas from
>> > DTLS, but it does not use the DTLS protocol itself.
>> >
>> >
>> > The DT believes this solves the important open Stream 0 issues. The
>> > will be a bit more invasive in TLS, but we believe it is the right
>> > direction and several TLS stacks (BoringSSL, PicoTLS, NSS, and Mint)
>> > willing and able to do the work necessary.. A number of stacks are
>> > working on implementations of this new approach, which we hope to have
>> > time for the Interim meeting.
>> >
>> >
>> > A design document describing the overall approach can be found at:
>> >
>> >
>> >
>> >
>> > A PR making the changes to the QUIC documents can be found at:
>> >
>> >
>> >
>> >
>> > A few design details did not have clear consensus, but it was felt it
>> > be better to discuss those in the wider WG than delay the design team.
>> > consistent choice was made in the PR and these issues are mentioned in
>> > Appendix B of the design doc.
>> >
>> >
>> > As always, comments and questions welcome. That said, this is a big PR
>> > we recognize that some editorial work is going to be needed before
>> > In the interest of letting people follow along, and to keep github from
>> > falling over, we ask people to keep discussion on the mailing list and
>> > refrain from making PR comments.
>> >
>> >
>> > See you in Kista!
>> >
>> >
>> > Ian and Eric

>> --
>> Kazuho Oku