From nobody Tue May 11 10:43:46 2021 Return-Path: X-Original-To: quic@ietfa.amsl.com Delivered-To: quic@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 35E873A2018 for ; Tue, 11 May 2021 10:43:45 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.096 X-Spam-Level: X-Spam-Status: No, score=-2.096 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Lvpq5l2FI-mA for ; Tue, 11 May 2021 10:43:40 -0700 (PDT) Received: from mail-pf1-x432.google.com (mail-pf1-x432.google.com [IPv6:2607:f8b0:4864:20::432]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D433D3A201C for ; Tue, 11 May 2021 10:43:40 -0700 (PDT) Received: by mail-pf1-x432.google.com with SMTP id k19so16625291pfu.5 for ; Tue, 11 May 2021 10:43:40 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=CiRYS//on6e2ScrYgz0vwxNmyNIxIaN3sJ7JuPL+DrY=; b=tSQLlq92g6R+UigeHDjxB9dM+SqA4C4Q7ujt+PJCzPTkYqPnkzIE3mqMovdoKkG2Q4 itKFRd0AH/dPkKEv8pFdJkFCZx620X5gQnvSqU8aK3xLx306iJoox4Cyu1rpiA9RoCWE 7xt7/ADpA4Az5aF7VK2MWVbOCboHYlceNjM8+a0cpJo5Qr0RkVrqtzXcr4D2bJOOwBAV kcj8alj88x6tRorBsWwZ8iIllZ6+uoUVe9MkJ0syvPvuQEUFHBZ5WrnamZoNxHZBRpHN Zo3HwTzqXOdrzJ/UPworDn4cBn+l55H2QZB9ZJX7tImhqnXte5Q9ZG7IqGINbhkOY+yo 5ljg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=CiRYS//on6e2ScrYgz0vwxNmyNIxIaN3sJ7JuPL+DrY=; b=myO1CWc6ARYzmEvQnRwf6902fuiN9BrUn4pYj6TAT4chUMm53Muv6Nyq3oLSyeUsxP Kcj8hetMcUTfuxT52XMew8dUo7eERRlq47DA8bia7IgIqBXAEVnoP61b61NY8u8lvLP5 DgeIBj11KBFIjpoN/CB+1Qk2yMtVnt3/EG29NWQR3wZoD7aC6c+cFYN+hHQBJZeeWUP6 9ParypkZfa+MhuJ2uVedQnEInB6PRmz3Uolt4OqUJOHOw0EIYa4IvQYV+IWdKv1QCoem uNiDkV7eCtbRbzHmtnuTh1zvt9vCwzjjHkGVcdUG9H+JwCxAB3M4KPafjZASiWCvaFty 0WLA== X-Gm-Message-State: AOAM5330w+yRXUdBhIHtlEqz0dWf8Q8Qy6yXfGd0DuTOHvhCwYweiDlt N3wg3dMd/Ljz36kjONq/jWNzWcBqUGh1EAnXcnc= X-Google-Smtp-Source: ABdhPJwJGbf3M6V+Mrq8VpiQRnhaBbgXogZJUNyACrz/0ryelILwSCmQ7orIZlzMKfu4V6FEdlMYluV+pec27J/BNJM= X-Received: by 2002:a63:f40e:: with SMTP id g14mr32682111pgi.402.1620755019474; Tue, 11 May 2021 10:43:39 -0700 (PDT) MIME-Version: 1.0 References: In-Reply-To: From: David Schinazi Date: Tue, 11 May 2021 10:43:27 -0700 Message-ID: Subject: Re: Tacking stuff on to VN packets To: Martin Duke Cc: IETF QUIC WG Content-Type: multipart/alternative; boundary="0000000000003429e905c2116f8b" Archived-At: X-BeenThere: quic@ietf.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: Main mailing list of the IETF QUIC working group List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 11 May 2021 17:43:45 -0000 --0000000000003429e905c2116f8b Content-Type: text/plain; charset="UTF-8" Can you clarify why you want to remove that text from invariants? It seems correct to me: it states that the VN packet conveys Supported Versions without a way to authenticate this data. Other protocol elements can authenticate the data. For example, draft-ietf-quic-version-negotiation does allow endpoints to detect modification or corruption in the set of supported versions. David On Tue, May 11, 2021 at 10:28 AM Martin Duke wrote: > > What problem are you trying to solve with this trailer? > > For the purposes of this discussion, I'm wondering about this idle > speculation in the invariants draft. Having this field would simplify some > problems in an individual draft I'm working on, but there are other ways to > fix it. > > If no one is going to say "Yes we should have this capability" then we can > either excise the text from invariants or, at this late stage, at least > have an understanding that this text doesn't mean anything. > > Martin > > On Tue, May 11, 2021 at 10:18 AM David Schinazi > wrote: > >> Unfortunately that won't work. Supporting multiple versions of QUIC does >> not require supporting any document, apart from the QUIC invariants. And >> the invariants don't reserve space for a trailer after the Supported >> Versions field. What problem are you trying to solve with this trailer? I >> suspect there are easier ways of solving it. >> >> David >> >> On Tue, May 11, 2021 at 10:11 AM Martin Duke >> wrote: >> >>> Section 6 of invariants >>> >>> sayeth: >>> >>> "Version Negotiation packets do not use integrity or confidentiality >>> protection. Specific QUIC versions might include protocol elements that >>> allow endpoints to detect modification or corruption in the set of >>> supported versions." >>> >>> I also vaguely remember ekr batting around the idea of tacking some data >>> onto the packet to solve a problem we were discussing. >>> >>> *Maybe we just don't want to do this at all and we can safely ignore >>> this text in invariants.* >>> >>> If we *do* want to do it, the design is a little problematic. There is >>> no length field in VN packets to signal that the supported version list is >>> ending and other stuff is beginning. >>> >>> The only way I can think of to make this work is to use the VN draft to >>> reserve a magic version number to mean "this is the end of the supported >>> version list". That version is not a real version, MUST be the last one >>> listed, and perhaps can be followed by another magic number to indicate the >>> content that follows. >>> >>> Leaving aside legacy stuff negotiating pre-standard versions, which will >>> hopefully go away someday, someone supporting multiple versions would be >>> REQUIRED to support the VN draft and therefore incorporate this change. >>> >>> Thoughts? >>> Martin >>> >>> >>> --0000000000003429e905c2116f8b Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable
Can you clarify why you want to remove that text from inva= riants? It seems correct to me: it states that the VN packet conveys Suppor= ted Versions without a way to authenticate this data. Other protocol elemen= ts can authenticate the data. For example,=C2=A0 draft-ietf-quic-version-ne= gotiation does allow endpoints to detect modification or corruption in the = set of supported versions.

David

On Tue, May 11, 20= 21 at 10:28 AM Martin Duke <m= artin.h.duke@gmail.com> wrote:
>=20 What problem are you trying to solve with this trailer?

=
For the purposes of this discussion, I'm wondering about thi= s idle speculation in the invariants draft. Having this field would simplif= y some problems in an individual draft I'm working on, but there are ot= her ways to fix it.

If no one is going to say &quo= t;Yes we should have this capability" then we can either excise the te= xt from invariants or, at this late stage, at least have an understanding t= hat this text doesn't mean anything.

Marti= n

On Tue, May 11, 2021 at 10:18 AM David Schinazi <dschinazi.ietf@gmail.com<= /a>> wrote:
<= div dir=3D"ltr">Unfortunately that won't work. Supporting multiple vers= ions of QUIC does not require supporting any document, apart from the QUIC = invariants. And the invariants don't reserve space for a trailer after = the Supported Versions field. What problem are you trying to solve with thi= s trailer? I suspect there are easier ways of solving it.

David

On Tue, May 11, 2021 at 10:11 AM Martin Duke <martin.h.duke@gmail.com= > wrote:

"Version Negotiation packets do not use in= tegrity or confidentiality protection. Specific QUIC versions might include= protocol elements that allow endpoints to detect modification or corruptio= n in the set of supported versions."

I also v= aguely remember ekr batting around the idea of tacking some data onto the p= acket=C2=A0 to solve a problem we were discussing.

Maybe we just don't want to do this at all and we can safely ignore= this text in invariants.

If we *do* want to d= o it, the design is a little problematic. There is no length field in VN pa= ckets to signal that the supported version list is ending and other stuff i= s beginning.

The only way I can think of to make t= his work is to use the VN draft to reserve a magic version number to mean &= quot;this is the end of the supported version list". That version is n= ot a real version, MUST be the last one listed, and perhaps can be followed= by another magic number to indicate the content that follows.
Leaving aside legacy stuff negotiating pre-standard versions, = which will hopefully go away someday, someone supporting multiple versions = would be REQUIRED to support the VN draft and therefore incorporate this ch= ange.

Thoughts?
Martin

--0000000000003429e905c2116f8b--