IETF Logo Mail Archive

Version Ossification: Intended Scope for QUICv1

David Schinazi <dschinazi.ietf@gmail.com> Thu, 31 October 2019 21:13 UTC

Return-Path: <dschinazi.ietf@gmail.com>
X-Original-To: quic@ietfa.amsl.com
Delivered-To: quic@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B8CA5120090 for <quic@ietfa.amsl.com>; Thu, 31 Oct 2019 14:13:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FEtFNzQpp3Qx for <quic@ietfa.amsl.com>; Thu, 31 Oct 2019 14:12:59 -0700 (PDT)
Received: from mail-lj1-x22d.google.com (mail-lj1-x22d.google.com [IPv6:2a00:1450:4864:20::22d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1BFDB12081B for <quic@ietf.org>; Thu, 31 Oct 2019 14:12:59 -0700 (PDT)
Received: by mail-lj1-x22d.google.com with SMTP id q64so8097417ljb.12 for <quic@ietf.org>; Thu, 31 Oct 2019 14:12:59 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:from:date:message-id:subject:to; bh=vDDJTVyrM43qYQyvU1BiMOJbJM3rxCznBN4y3dqzSWU=; b=I6nDlrh1iBI669ojSVm+BFvW/UYtRxt5ug67ju2bwEC6mGROtIA0SuBu5CCpJ75Dj4 VdzwAMWN2r2uY6lAZ5M641gNiQxl4gEFsUjYOmfE0rAGvw/nZHK/eGsfIsEJwIsJObfL E0sxH0vs0wtVa/ZnBR9XsXTA/BDCfGg22lZuuVw4tKtPariWTfvrUfDhgI5LUrZD4WvX WA04m++BbOrs662F/+HHhIPPwfKwGWkUcmPSNw6wp8DbYfDESG0dTqtSrLiEc21xUscH 7/8mTZVgN1APr2F1PiADnDuoIrI4iyeCURelEepknd5kmkdYP566kh3x1Ga9ssbzjeXt 5JZg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:from:date:message-id:subject:to; bh=vDDJTVyrM43qYQyvU1BiMOJbJM3rxCznBN4y3dqzSWU=; b=g5vOl9lqMR8Frq2uZ8xsPJI2m/9wvqROWLefMjCRN5wPbxAlh50B41SpwsmdxRBxzr 7vd4fuSf9Vvqya3/wr9O3qfD03/Fi2MBd1S4QhDNTXNSa9yK5Kh5/X05PTnM2Ej1T0Wz mvNwS9qDrnszGhPgp3fJsdWKiTN9auiQQ5zXihXR86toGANKgYgELrbEEjmY+FjTv4Mg 4MzuyhHRooNiQW+x+v68gHW02rzRUCtMFCwQJcSCd7gSf/Pp5UVRCQwV9C4dafrKTMrf haJUlS+L8iqN1d9xmNxhv1NwC0iTTp3vkFmAzoKHfj7x7QnySdhinzZmAJ7wPRInBsYh Emeg==
X-Gm-Message-State: APjAAAUp0n+q7dac+mpJDgUDugAc2Wr0v1sPqIWkoLE4oh1cHJiMA17s YNUVRDRr9e8/2H8Woib08/o3sd02fPAvjXbxxfZoxuvy
X-Google-Smtp-Source: APXvYqwrAE3WMEBrjerln7dGAWTTLcLW4IZduju855+mC5gA8643pgFhBJtCGl/dj4T0MmGlF8aFm5asUfxcXkjOo8g=
X-Received: by 2002:a2e:b0d9:: with SMTP id g25mr1666642ljl.176.1572556377111; Thu, 31 Oct 2019 14:12:57 -0700 (PDT)
MIME-Version: 1.0
From: David Schinazi <dschinazi.ietf@gmail.com>
Date: Thu, 31 Oct 2019 14:12:46 -0700
Message-ID: <CAPDSy+6E79OySoOLbJ8eWp0J-+3yeB5iGvj6sW19bEDn_V7-NA@mail.gmail.com>
Subject: Version Ossification: Intended Scope for QUICv1
To: QUIC <quic@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000003f3fa005963b502e"
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic/4g4JeLA-kUEohZphCoIyS9ZoebA>
X-BeenThere: quic@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Main mailing list of the IETF QUIC working group <quic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic>, <mailto:quic-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic/>
List-Post: <mailto:quic@ietf.org>
List-Help: <mailto:quic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic>, <mailto:quic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 31 Oct 2019 21:13:02 -0000

Hi folks,

The conversation around version ossification has been really interesting
since Cupertino. But at least for me it's reached a level of complexity
that warrants taking a step back and looking at what we're trying to solve.
Here's my understanding of where we are:

1) In Cupertino there was consensus in the room to do something to mitigate
ossification of QUICv1.

2) The solution that folks liked was to have a concept of alternative
versions and alternative salts that act like QUICv1 but are encoded
differently over the wire.

3) A concrete proposal for (2) was for servers to have their own set of
(alternative_version, alternative_salt) pairs, then transmit a random pair
from that set to each client (i.e. via transport parameters). The server
can then reconstruct the alternative_salt just by seeing
the alternative_version.

4) Kazuho proposed a solution (#3166
<https://github.com/quicwg/base-drafts/pull/3166>) that was both more
powerful and more complex: tie the (alternative_version, alternative_salt)
pair to NEW_TOKEN frames, to allow servers to generate a
unique alternative_salt per client and encode it in the token.

5) After some interesting back and forth on that PR, it became clear that
this is a hard problem to solve: this could cause failures if servers
forget their token keys, and mitigations for that problem can become
downgrade attack vectors

6) While there was clear WG appetite for (1), I'm not sure we have
consensus to build a more powerful solution like (4)

I fear that solving (5) could take some time, which would delay QUICv1.
Instead I'd like to propose the following plan:
a) we take the simpler solution (3) and add that to the spec
b) we take the more powerful/complex solution (5) a turn it into a QUIC
extension

That would allow us to ship QUICv1 with some level of ossification
mitigations without delay.

Thoughts?

David

v2.23.0 | Report a Bug | By Email