Re: Submission of QUIC-AH draft-01, with support for version number greasing (Fwd: New Version Notification for draft-kazuho-quic-authenticated-handshake-01.txt)
Kazuho Oku <kazuhooku@gmail.com> Fri, 05 July 2019 08:43 UTC
Return-Path: <kazuhooku@gmail.com>
X-Original-To: quic@ietfa.amsl.com
Delivered-To: quic@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9FA8B12027A for <quic@ietfa.amsl.com>; Fri, 5 Jul 2019 01:43:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BNgq3iSDK_e0 for <quic@ietfa.amsl.com>; Fri, 5 Jul 2019 01:43:53 -0700 (PDT)
Received: from mail-lj1-x231.google.com (mail-lj1-x231.google.com [IPv6:2a00:1450:4864:20::231]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 84E6912028F for <quic@ietf.org>; Fri, 5 Jul 2019 01:43:52 -0700 (PDT)
Received: by mail-lj1-x231.google.com with SMTP id 16so8443252ljv.10 for <quic@ietf.org>; Fri, 05 Jul 2019 01:43:52 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=yXyMQSKkLboEyfi85OTouq0nefcZ0OIs1dmc/aGb8wc=; b=R99qp+e2ZjcClUFYb1UxX9zidYWpxPO3JcW7YA6tezD6uYR1fc19XyzuoDREtDSmAX 4UhjQNHHgfIf0ORTd/e0m02OinXZVgYrPg4Yi/Gvo3qnMjJuofxzJ6ZQHtHCCLQmqNtG XvVEGKsnOrspL3IDOjdS5CgfGNDI/2fZqEs+WDQGDZqDkozKiWQuGzXERrCtT+eC7yyq hiH+p/FhxGYR7nxG2NWsujRpBfTkU+DjW9iSCXTbZoN9UhxPeqf7LPr8QOspgcsIpXYQ IOo9RgQhDNiEoUOUnH+X85hvljb2QpEY195/fsV/PPOf79Y6d06n0jBOfnRgzdfU6kJL YoUQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=yXyMQSKkLboEyfi85OTouq0nefcZ0OIs1dmc/aGb8wc=; b=FPhGbms9XwBDRnGsUMYPMzeSv2bMjgmmgLktkK7FYHZ1Azh0YjhwIv3o+Gk4/qL5yB HoSy4UKv2oxIPGFgHrYXFfAALp6P38vbXTKl4BcziTB+4T3b/osRb84Twrj73hrQ85eb u9UQFoPNn99wZ+keXRqUFKrj7ZKJ8hNF/Dpejp3+hT/59LICoKhnpMyRzjrYEuIRROvg wtO0DaQQe0b0qv51KHAOqErFqI/kd7qLAbT0mw3Xu7AveXna+HwHteiFca421D4+WqMn h5Y2NFMpSj5uNdMRJ3ZzN0YyfyQkNaPnTeAkJKlPBlWzEXIYEEJihqHjO+XeOnh/t3Z4 kEug==
X-Gm-Message-State: APjAAAVIxjaVryNzV+fFZqT7/GJvqCROoTdRGDvpNs0JPti3xApLhaCN 3c7Rggqd3ngIXYPKjoA0Zk4kRcLyhQj1oRFthvP8DHpq
X-Google-Smtp-Source: APXvYqy5esM/6L1ohh4XMmCQV73AiX2j5NarQIwD+HjmiQLSslLYySDwy/Tvx2yLX9YjKoCpo/D/uHYiCax8o8lFL5M=
X-Received: by 2002:a2e:968f:: with SMTP id q15mr1535406lji.30.1562316230667; Fri, 05 Jul 2019 01:43:50 -0700 (PDT)
MIME-Version: 1.0
References: <156231582165.22018.291016500099755441.idtracker@ietfa.amsl.com> <CANatvzym7Da28HXdOtmv8GdGpPYaOyX943gv_Y=dXweFJHpwqg@mail.gmail.com>
In-Reply-To: <CANatvzym7Da28HXdOtmv8GdGpPYaOyX943gv_Y=dXweFJHpwqg@mail.gmail.com>
From: Kazuho Oku <kazuhooku@gmail.com>
Date: Fri, 05 Jul 2019 17:43:39 +0900
Message-ID: <CANatvzyQs47sU1NPUQ4LTcRRSs376WE==ry3ac+n3y0PG-_52g@mail.gmail.com>
Subject: Re: Submission of QUIC-AH draft-01, with support for version number greasing (Fwd: New Version Notification for draft-kazuho-quic-authenticated-handshake-01.txt)
To: IETF QUIC WG <quic@ietf.org>
Cc: Christian Huitema <huitema@huitema.net>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic/4UbcfsfCOD5OZ_I-4dvpYFMP-eU>
X-BeenThere: quic@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Main mailing list of the IETF QUIC working group <quic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic>, <mailto:quic-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic/>
List-Post: <mailto:quic@ietf.org>
List-Help: <mailto:quic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic>, <mailto:quic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 05 Jul 2019 08:44:09 -0000
PS. Apologies, I failed to put the link to the new I-D at the top of my mail. Maybe it's obvious, but it's https://www.ietf.org/id/draft-kazuho-quic-authenticated-handshake-01.txt. 2019年7月5日(金) 17:42 Kazuho Oku <kazuhooku@gmail.com>: > > Hi all, > > Christian and I have submitted -01 of > draft-ietf-quic-authenticated-handshake (QUIC-AH), that descriibes a > variant of QUIC v1 that uses ESNI [1] to protect Initial packets (and > therefore the entire lifetime of a QUIC connection) from MITM attacks. > > Since -00 [2], we have fixed a design flaw (pointed out by EKR), added > Considerations, and introduced the capability to advertise alternative > QUIC version numbers to be used on the wire, as we have discussed in > London [3]. > > Version number greasing, the new feature in -01, works as follows: > > 1. Alternative versions to be used on the wire is published using DNS, > through an extension of the ESNI Resource Record. ESNI requires the > Resource Record be known to the server. > 2. Client that supports QUIC-AH picks one of the wire-versions found > in the ESNI RR. The obfuscation key of the Initial packet is derived > the same way as QUICv1 (i.e. from DCID). > 3. The server, with the knowledge of the mapping between the versions > on the wire and the actual versions, decodes and processes the Initial > packet. > > I think that this design is simple, and that it would be trivial to > implement on top of QUIC-AH (or on top of QUIC v1/TLS+ESNI, if the WG > prefers just using the version number greasing but not the > “authenticated handshake” part of the I-D). > > That said, I think the broader question is how we should protect not > only the version number field but also other non-encrypted fields of > QUIC packets (e.g., payload format of Initial packet = ClientHello) > from getting ossified. I think there are three options: > > a) Merely obfuscate the version number field. That's what is currently > being achieved by the draft. > > b) In addition to the version numbers, advertise alternative salt > values to be used on the wire using the ESNI Resource Record. Doing so > does not prevent a middlebox from observing the content of ClientHello > (even though it cannot see the plaintext SNI), however it would > require the middlebox more work, as it needs to fetch the ESNI > Resource Record to obtain the salt. IIRC, this is analogous to what > was proposed in #2573 [4]. > > c) Encrypt the Initial payload [5]. ESNI provides a semi-static public > key known to the server. In case of ESNI, that key is used to encrypt > only the server name, but in case of QUIC, because the format of the > Initial packet is not yet encrypted, we have the freedom to change the > design as we would like. That would be the ultimate method to prevent > the payload of v1 CRYPTO frame from getting ossified. Though in turn, > the way the client encodes it's public key in the AH Initial packet > (most likely a particular encoding of HPKE [6]) could become an > ossification vector. > > What do you think? I would appreciate it if you could give us > feedback, either on QUIC-AH in general, or on the version number > greasing design. > > > [1] https://tools.ietf.org/html/draft-ietf-tls-esni-03 > [2] https://mailarchive.ietf.org/arch/msg/quic/DdT-gIgzxUDnSajyoMwDm1A_URQ > [3] https://github.com/quicwg/base-drafts/issues/2496 > [4] https://github.com/quicwg/base-drafts/pull/2573 > [5] https://github.com/kazuho/draft-kazuho-quic-authenticated-handshake/issues/9 > [6] https://tools.ietf.org/html/draft-barnes-cfrg-hpke-01 > > > > ---------- Forwarded message --------- > From: <internet-drafts@ietf.org> > Date: 2019年7月5日(金) 17:37 > Subject: New Version Notification for > draft-kazuho-quic-authenticated-handshake-01.txt > To: Kazuho Oku <kazuhooku@gmail.com>, Christian Huitema <huitema@huitema.net> > > > > A new version of I-D, draft-kazuho-quic-authenticated-handshake-01.txt > has been successfully submitted by Kazuho Oku and posted to the > IETF repository. > > Name: draft-kazuho-quic-authenticated-handshake > Revision: 01 > Title: Authenticated Handshake for QUIC > Document date: 2019-07-05 > Group: Individual Submission > Pages: 11 > URL: > https://www.ietf.org/internet-drafts/draft-kazuho-quic-authenticated-handshake-01.txt > Status: > https://datatracker.ietf.org/doc/draft-kazuho-quic-authenticated-handshake/ > Htmlized: > https://tools.ietf.org/html/draft-kazuho-quic-authenticated-handshake-01 > Htmlized: > https://datatracker.ietf.org/doc/html/draft-kazuho-quic-authenticated-handshake > Diff: > https://www.ietf.org/rfcdiff?url2=draft-kazuho-quic-authenticated-handshake-01 > > Abstract: > This document explains a variant of QUIC protocol version 1 that uses > the ESNI Keys to authenticate the Initial packets thereby making the > entire handshake tamper-proof. > > > > > Please note that it may take a couple of minutes from the time of submission > until the htmlized version and diff are available at tools.ietf.org. > > The IETF Secretariat > > > > -- > Kazuho Oku -- Kazuho Oku