IETF Logo Mail Archive

Re: Historic TLS Discussion

Jana Iyengar <jri.ietf@gmail.com> Fri, 16 February 2024 23:32 UTC

Return-Path: <jri.ietf@gmail.com>
X-Original-To: quic@ietfa.amsl.com
Delivered-To: quic@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6E929C14F704 for <quic@ietfa.amsl.com>; Fri, 16 Feb 2024 15:32:21 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.104
X-Spam-Level:
X-Spam-Status: No, score=-7.104 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jt4pjGzFddLM for <quic@ietfa.amsl.com>; Fri, 16 Feb 2024 15:32:17 -0800 (PST)
Received: from mail-lf1-x130.google.com (mail-lf1-x130.google.com [IPv6:2a00:1450:4864:20::130]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 731A2C14F5E5 for <quic@ietf.org>; Fri, 16 Feb 2024 15:32:17 -0800 (PST)
Received: by mail-lf1-x130.google.com with SMTP id 2adb3069b0e04-51296ca7f78so1397379e87.0 for <quic@ietf.org>; Fri, 16 Feb 2024 15:32:17 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1708126335; x=1708731135; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=QhtI86TjAPhI5iV1CN404RXNf6MJKSXuEM2lG9q7vZ4=; b=YlfTaLMeFkklZShRCSRs66Qpsg1iwa66ncEj6Z7Q/xyFXBH46aQ+AFY4rfDv+rdhyf +jtxAjQAUWQRU0+tfrcaG4SdTkowVqhygkmkfAAKGU0Jx365BerfQ6yG/ociPoiwyM3F GhiaRZFOxUGnv7H3X2dghFJV7PVE8L+/zsUrVhT1RqARxizCeu1ehy2Cs0KIZjVt9NFT YQmMkVjyYE/uFcRp2GZ524RnUsNAzMoJ80872i+uFSQtAmRs67GN0c5ve/MLWTXjCOo6 CSRO1sUGuZtkQnbt3K4QzhyU0ekWi9uoZPcgX0d+OXiqhp/rmj4RafXJP7Vxp9Wvy/zc hORA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1708126335; x=1708731135; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=QhtI86TjAPhI5iV1CN404RXNf6MJKSXuEM2lG9q7vZ4=; b=Ho8F4W98GxVICHrCSqeyYhz2j3btuF282HMZIc+v6FPN5Y5bkCw73bfHmFxLtyl/+j 58NjjFmp72Nw7Zrp6ZcyLSOOqRJire9JOK2PnVDxX2B+Bu4atRKdQasUGqlAmdnJ+xVo Nvy/8rSu32M3JIFz7O4a9mHa5lUeV0sbG0nghACTSnn4kxeJLgtsDBgKYr+BRdt8JnI/ Ve2yM1NWqQGnSL+NOzpEG2JpyZe/Kqfv6NjAYqETkwp8lSg0UfGb7hkwqzGKBalVVI1j Q70bz2HcMst9XpdYCWRm03BlL91+sq3iatbVuc6D21t5scX2iCK0IHmGhiU4NcYl4bGY Axyg==
X-Forwarded-Encrypted: i=1; AJvYcCXjWQYCEvLswpvaC+JuSuyDNoOafEKMZKT+/e0sUY9ibJqPXGHhP4mQWu0QebteYuZ3lnKmYGUEGQicDvIX
X-Gm-Message-State: AOJu0Yw14OoilKDaD66aFWkGlwS3YfAbG7ECHFhaWOMhi2aekfTwW7P0 DO0vxRpduqVl8EmsLNZxxK2h5VZLmbZYmxZIsB8PyuKVtiAFBfXLVxyiYIZf8oorogP8e3O4JL9 MgGufQzKVVU4LkzFTKrWo2Xk3wd493CckJqw=
X-Google-Smtp-Source: AGHT+IFE8EaWgvFy3tihyE2tphRYucw8TT2t0FjeEMUAakLRXDsZnvxQ/JGSM1Is10rtz4lT+xu7AUCIiq3pnZBUILI=
X-Received: by 2002:ac2:446e:0:b0:512:9e54:da7a with SMTP id y14-20020ac2446e000000b005129e54da7amr832789lfl.9.1708126334767; Fri, 16 Feb 2024 15:32:14 -0800 (PST)
MIME-Version: 1.0
References: <SA1PR04MB8561BABF161D2CF980526E56BF752@SA1PR04MB8561.namprd04.prod.outlook.com> <CACcvr==ik5+A-b5E2VsQGU4k42U7oAsJKNdaKXMANWY11Ae-4g@mail.gmail.com> <CADdTf+igvDGLoQvfD5gKKCR24xD9-NE_1FyWgDMQH5Dj=QxikQ@mail.gmail.com> <SA1PR04MB8561574A21D536B2BBDF0C70BF752@SA1PR04MB8561.namprd04.prod.outlook.com> <CAOYVs2pvMCVbKAGJ3QAneSNazr363UyG5PJDP2fP21YyisAdAQ@mail.gmail.com> <2c83612c-dc09-4c8c-9948-d0aaf2b8c8dc@betaapp.fastmail.com> <Za92A7qALrEyjBGk@camelot.lhh.devever.net> <7d1be041-c70b-456b-8a89-b37fdc82af3a@betaapp.fastmail.com> <3BF1B2DE-F77B-4489-8F2D-9D0F27E4342E@gmail.com> <CA+9kkMCso3s5yMTCnfADOOSqpF6_vEDbu+oMHzgVWjmB4CHjEQ@mail.gmail.com> <CACcvr=kcrvSQcBFcZYs2LnXTzifeGPy8ch0x8cgZShWqQnUGMg@mail.gmail.com>
In-Reply-To: <CACcvr=kcrvSQcBFcZYs2LnXTzifeGPy8ch0x8cgZShWqQnUGMg@mail.gmail.com>
From: Jana Iyengar <jri.ietf@gmail.com>
Date: Fri, 16 Feb 2024 15:32:03 -0800
Message-ID: <CACpbDcdkc8cPtuaFPGWeRqV4vGt52RKL7NLoWz3HasL5_imqLg@mail.gmail.com>
Subject: Re: Historic TLS Discussion
To: Nick Harper <ietf@nharper.org>
Cc: Ted Hardie <ted.ietf@gmail.com>, Mikkel Fahnøe Jørgensen <mikkelfj@gmail.com>, Martin Thomson <mt@lowentropy.net>, Hugo Landau <hlandau@openssl.org>, Nicholas Warren <nwarren@barryelectric.com>, "quic@ietf.org" <quic@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000006a56b50611882758"
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic/6C6lpkakjR5ntpciuShcL8oX6ak>
X-BeenThere: quic@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Main mailing list of the IETF QUIC working group <quic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic>, <mailto:quic-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic/>
List-Post: <mailto:quic@ietf.org>
List-Help: <mailto:quic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic>, <mailto:quic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 16 Feb 2024 23:32:21 -0000

Hello Nicholas,

On reasoning for why we have TLS, I'll add a few points to the discussion:

Encryption is not an option anymore if you want to see anything deployed
and continue to evolve on the Internet. It hasn't been for decades now, and
there's tons of evidence for this that I won't go into here. The QUIC wg
accepted this premise very early on, and it was in the charter early as I
recall.

We tried to keep the crypto part of it "pluggable". Early versions of the
QUIC transport draft had "Crypto Requirements" as sort of an API, that
would be met by the QUIC-TLS mapping document. Our initial thinking was to
keep TLS as much out of the QUIC transport as possible... but at some point
it became too unwieldy. It became clear that without another clear mapping
to another handshake, it was going to also possibly be the wrong
abstraction. Additionally, we had the HTTP use case as the primary one that
drove the work of the wg, so it was clear that TLS was going to be it for
now. We'd figure out other mappings as they became useful/necessary. As
Lucas noted, there is at least one other mapping, so there is existence
proof, but none has been standardized yet.

QUIC used QUIC-Crypto while at Google, but some of us spent a considerable
amount of time figuring out how to map from what was already there to a
nebulous TLS1.3 back in 2015-2016, before the BoF. Martin's talk at the BoF
covers this, and Adam Langley did a talk at SAAG in 2015 alluding to this
expected transition from QUIC-Crypto to TLS (link
<https://www.ietf.org/proceedings/92/slides/slides-92-saag-5.pdf>).

To the question of what happens if TLS moves to 1.4 (or god forbid, 4), I
expect the path would be that we'd consider the implications of the
changes, and issue a new QUIC-TLS document making QUIC work with TLS-1.4,
as anyone would for any new crypto protocol that needs to be used with QUIC.

- jana

On Thu, Jan 25, 2024 at 2:05 PM Nick Harper <ietf@nharper.org> wrote:

>
>
> On Thu, Jan 25, 2024 at 3:29 AM Ted Hardie <ted.ietf@gmail.com> wrote:
>
>> On Thu, Jan 25, 2024 at 7:58 AM Mikkel Fahnøe Jørgensen <
>> mikkelfj@gmail.com> wrote:
>>
>>> As to why TLS 1.3 specifically, I recall early on asking for schemes
>>> that were more IoT friendly.
>>>
>>>
>> You may recall that Google QUIC did not use TLS.  If memory serves me
>> correctly that was partly because Google wanted 0-RTT resumption and a few
>> other capabilities that TLS did not provide at the time.  When those
>> facilities were added to TLS in TLS 1.3, it made sense to re-use TLS rather
>> than maintain a separate crypto stack.
>>
>
> This is my recollection as well. The Google QUIC crypto handshake protocol
> was designed knowing that it would be replaced. The doc (
> https://docs.google.com/document/d/1g5nIXAIkN_Y-7XJW5K45IblHd_L2f5LTaDUDwvZ5L6g/edit?tab=t.0)
> calls out that the protocol was destined to die. It was created because
> there wasn't something that did 0-RTT at that point, but it would be a
> feature of TLS 1.3.
>
>>
>> I no longer work for Google, so I don't have access to my notes on this;
>> you may want to confirm with Ian Swett or one of the folks who was both
>> there at the time and is still a Googler.
>>
>> regards,
>>
>> Ted
>>
>>
>>
>>> The consensus at the time was that encryption is important for
>>> ossification prevention and non-encryption was a deal breaker, as has been
>>> explained in this thread. However, there was nothing preventing other
>>> encryption schemes than TLS and this could be added in other later QUIC
>>> versions separately, but for QUIC 1.0, IoT would not be a priority in part
>>> to get something out of the door to finalize 1.0, and in part because TLS
>>> 1.3 allows for negotiation in case some encryption turns out weak.
>>>
>>> As to network transparency for troubleshooting, various tooling has been
>>> mentioned but there are header bits explicitly exposed to measure pacing
>>> and roundtrip of encrypted packets modulating a signal that can be
>>> observed, which was deemed sufficient after some testing, although there
>>> was a push for more insight operator side of things.
>>>
>>> QUIC load balancing protocol was also discussed, partly in order to
>>> avoid early TLS termination. LBs requires access to some confidential
>>> information in order to route packets correctly. I have not studied this
>>> closely, but I guess one could introduce a load balancer to gain more
>>> insights?
>>>
>>> Mikkel
>>>
>>>

v2.23.0 | Report a Bug | By Email