Benjamin Kaduk's Discuss on draft-ietf-quic-http-33: (with DISCUSS and COMMENT)
Benjamin Kaduk via Datatracker <noreply@ietf.org> Wed, 20 January 2021 18:30 UTC
Return-Path: <noreply@ietf.org>
X-Original-To: quic@ietf.org
Delivered-To: quic@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 65DAB3A11D0; Wed, 20 Jan 2021 10:30:15 -0800 (PST)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
From: Benjamin Kaduk via Datatracker <noreply@ietf.org>
To: The IESG <iesg@ietf.org>
Cc: draft-ietf-quic-http@ietf.org, quic-chairs@ietf.org, quic@ietf.org, quic-chairs@ietf.org, lucaspardue.24.7@gmail.com
Subject: Benjamin Kaduk's Discuss on draft-ietf-quic-http-33: (with DISCUSS and COMMENT)
X-Test-IDTracker: no
X-IETF-IDTracker: 7.24.0
Auto-Submitted: auto-generated
Precedence: bulk
Reply-To: Benjamin Kaduk <kaduk@mit.edu>
Message-ID: <161116741504.28838.3011643882056868272@ietfa.amsl.com>
Date: Wed, 20 Jan 2021 10:30:15 -0800
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic/6W-zohICZuhUW0zvf-dpYwQ9jew>
X-BeenThere: quic@ietf.org
X-Mailman-Version: 2.1.29
List-Id: Main mailing list of the IETF QUIC working group <quic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic>, <mailto:quic-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic/>
List-Post: <mailto:quic@ietf.org>
List-Help: <mailto:quic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic>, <mailto:quic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 20 Jan 2021 18:30:16 -0000
Benjamin Kaduk has entered the following ballot position for draft-ietf-quic-http-33: Discuss When responding, please keep the subject line intact and reply to all email addresses included in the To and CC lines. (Feel free to cut this introductory paragraph, however.) Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html for more information about IESG DISCUSS and COMMENT positions. The document, along with other ballot positions, can be found here: https://datatracker.ietf.org/doc/draft-ietf-quic-http/ ---------------------------------------------------------------------- DISCUSS: ---------------------------------------------------------------------- [note to Lucas/chairs: a few (three, I think) of these discusses/comments have preexisting github issues created by the editors over the past couple days due to some out of band discussions; if we can easily reuse them instead of creating new ones that would be preferred] (discuss point 1) Mike already filed https://github.com/quicwg/base-drafts/issues/4761 and I think we can keep the discussion there. But to reiterate, we reference [SEMANTICS] for certificate validation and use in determining authority for the "https" scheme, yet the additional prose discussion we offer (with CN-ID and DNS-ID as the certificate fields to validate against, though not by that name) does not match what's currently present in [SEMANTICS]. Discussion so far on the linked issue against [SEMANTICS] suggests that [SEMANTICS] will change, but we should not go forward with this document until we've resolved the disparity. (One might also wonder whether we need to duplicate the content ourselves or should just reference the other document(s).) There is a related topic in that our current formulation in this document treats CN-ID and DNS-ID as equivalently recommended, but current recommendations (including in RFC 6125) are to prefer SAN-based names over the (legacy) CN-ID. I believe there are even some efforts underway in the Web ecosystem to move to fully deprecating the use of CN-ID; at present I believe that some entities require that any name present in the CN-ID be replicated as a DNS-ID as well. If we are to proceed with giving equal preference to CN-ID and DNS-ID, I think that we need to justify or at least call out the divergence from current IETF guidance. [Martin filed https://github.com/quicwg/base-drafts/issues/4769 for the topic regarding whether CN-ID is mandatory or even recommended.] (discuss point 2) I also think that the procedure, as written, for coalescing HTTP requests against different URI authority components onto a single HTTP/3 connection is under-specified and seems inconsistent both with earlier WG conclusions and with previous IETF-mandated practices for certificate validation. [begin historical tracethrough] There appears to be quite a long history in this space (and I probably missed some of it, even). The idea of coalescing has been around back from the days when we only allowed Alt-Svc as discovery for using QUIC (no direct access), with https://github.com/quicwg/base-drafts/issues/940 being an early issue leading to https://github.com/quicwg/base-drafts/pull/1024/files, with text that requires both Alt-Svc and valid certificate in order to be authoritative. Then we had https://github.com/quicwg/base-drafts/issues/2223 that notes that this Alt-Svc requirement is more restrictive than RFC 7540, which allegedly only requires the certificate to match a given name. (One might argue that 7540's "additionally depends on having a certificate that is valid" implies the "depends on the host having resolved to the same IP address" still applies, though of course ORIGIN weakens that if it was ever present and this is not terribly relevant to the current question.) Comments on #2223 seem to confirm that the intent is to largely parallel what HTTP/2 does; I'll come back to that in a bit. The corresponding text changes here are https://github.com/quicwg/base-drafts/pull/3558/files that brings in the concept that "a server is considered authoritative for all URIs with the 'https' scheme for which the hostname in the URI is present in the authenticated certificate provided by the server, either as [...]". This text got moved a bit and reworded slightly in response to the secdir review (https://github.com/quicwg/base-drafts/pull/4419/files) but the intent is largely still present as "If a server presents a valid certificate and proof that it controls the corresponding private key, then a client will accept a secured TLS session with that server as being authoritative for all origins with the "https" scheme and a host identified in the certificate." [end historical tracethrough] So now we have text that says: If a server presents a valid certificate and proof that it controls the corresponding private key, then a client will accept a secured TLS session with that server as being authoritative for all origins with the "https" scheme and a host identified in the certificate. This seems problematic to me, and divergent from HTTP/2, in that it focuses on the contents of a certificate *all* being valid/authoritative, as opposed to a certificate being valid for a given host/name. To quote §9.1.1 of RFC 7540: For "https" resources, connection reuse additionally depends on having a certificate that is valid for the host in the URI. The certificate presented by the server MUST satisfy any checks that the client would perform when forming a new TLS connection for the host in the URI. A representative discussion of these checks is included in RFC 6125, and the general procedure for (server) certificate validation takes as input a candidate name of a service or entity that the client is attempting to contact, a certificate (chain) and signature presented by the server, and the application context in which the decision is being made [0]. In short, the question is always "do I (as the client) trust the peer entity to act as this specific name?", and the answer may differ across names present in a single certificate! So I think we need to refresh this text once more, to bring back the sense that for each name that we might want to allow the server to act as an authority for, we have to do the normal validation checks. Saying that we validate a certificate once along with proof of possession of its private key and then the holder of the key is a valid authority for all names in the certificate invites violation of the client's security policy. For example, the client's trust database might not allow the CA(s) in the presented chain to certify some of the names contained in the certificate, among other reasons. (discuss point 2.1) There is probably some extra excitement surrounding revocation, in that the "normal certificate validation procedures" typically involve some form of attempt at a revocation check. What should happen if this check determines that the certificate has been revoked is not entirely clear. Presumably the attempt to use a new name from the certificate would fail, but does it also imply that the entire connection should be torn down, since it was built using the now-revoked certificate? (discuss point 2.2) In practice, the procedure of "check the name in question against the certificate chain" seems to mean that a client that is willing to coalesce connections needs to retain the certificate and chain presented by the peer, so that it is available as input to the certificate validation engine (typically accessed via the TLS stack, I suppose) at the time when an authentication decision needs to be made for a given name. This operational practice, as well as the actual mechanics of running a fresh certificate validation procedure, should probably be mentioned down in Section 3.3 where we discuss the actual connection reuse procedures. In particular, I think it would be very benficial to indicate what protocol interactions trigger an attempt by the client to validate a new name from the certificate for use as the authority for HTTP responses, as well as to note clearly that the certificate+chain have to be retained in order to run these checks. (discuss point 2.3) I think we should also look at the procedures for server push as they relate to coalescing; my understanding is that pushed responses are allowed to be for requests to a different authority, and thus that a client will need to discard or reject pushes that are from an authority that the client does not accept the peer as being authoritative for. I guess this is in some sense a check that the client always has to do for all pushed responses, but I'm not entirely sure whether or where that is currently described. [0] This context includes things like the set of trust anchors, as well as potentially information about restrictions on trust anchors, revocation checks, pinning or other restrictive information that reduces the set of CAs that might be allowed to certify a given name, etc. ---------------------------------------------------------------------- COMMENT: ---------------------------------------------------------------------- Thanks for another clear and well-written document. I especially appreciated Appendix A. Thanks to Hilarie Orman for the secdir review and to the team for responding to it! It looks like one of the secdir review comments didn't get its own github issue, so perhaps we can discuss it now: > I would like to see the Security Considerations spell out exactly > what security features HTTP expects from QUIC. Perhaps we could add a line to Section 1.2 where we discuss how QUIC provides comparable confidentiality and integrity to TLS+TCP, along the lines of "HTTP/3 relies on QUIC to provide that confidentiality and integrity protection of data, as well as to provide peer authentication and reliable, in-order, per-stream delivery." With all HTTP/3 frames being sent on QUIC streams, including connection-wide control frames on the control stream, we are in the situation where QUIC flow control can prevent the conveyance of HTTP control messages. This is in some sense covered in Appendix A.2.3, since "all HTTP/3 frame types defined in this document are sent on streams", but the corresponding PR discussion seems to have mostly focused on how this applies to request/response headers, and while the discussion in #204 does confirm that it is intentional for flow control to apply, that doesn't really cover whether it is worth noting as a potentially surprising difference from HTTP/2. While the HTTP frames currently defined for the control stream might not be too catastrophic to be blocked from sending (assuming that SETTINGS will typically get through in the initial window), I do still wonder if giving specific guidance on flow control for the HTTP control stream could be useful. (E.g., calling out that an endpoint might terminate the connection if blocked by flow control on the control stream for an extended duration, or even requiring preferential treatment for window updates.) Section 4.1.1 Such intermediaries SHOULD also remove other connection-specific fields, such as Keep- Alive, Proxy-Connection, Transfer-Encoding, and Upgrade, even if they are not nominated by the Connection field. I don't understand why Transfer-Encoding is intrinsically connection-scoped. [HTTP11] seems to discuss it acting on a "message" and being tied to a specific request or response. Section 9 Is there anything useful to say about whether an HTTP extension might want to make use of QUIC frames other than STREAM? In the spirit of greasing, I worry that if we don't say something, "all HTTP/3 frames go in QUIC STREAM frames" might become an implicit invariant. (Yes, I know about draft-ietf-quic-datagram.) Section 10.5.2 There is some good discussion in [HTTP-SEMANTICS] about the risk of CONNECT being used as an arbitrary tunnel, that is probably worth referencing from here. The CONNECT method can be used to create disproportionate load on a proxy, since stream creation is relatively inexpensive when compared to the creation and maintenance of a TCP connection. A proxy might also maintain some resources for a TCP connection beyond the closing of the stream that carries the CONNECT request, since the outgoing TCP connection remains in the TIME_WAIT state. Therefore, a proxy cannot rely on QUIC stream limits alone to control the resources consumed by CONNECT requests. I'm not sure how well this last sentence translates from HTTP/2 to HTTP/3 -- in HTTP/2 the limit is on the number of concurrent streams, but QUIC gives a hard cap on the absolute stream number, so IIUC an endpoint could refuse to allow new streams until TCP state had quiesced. (Of course, this would also prevent any new HTTP requests from being sent...) Section 10.9 I think it might be worth another sentence to reiterate that when [HTTP-REPLAY] talks about "the TLS layer", this applies to the TLS handshake layer as used as part of QUIC v1, and when it talks about "early data" that means QUIC 0-RTT. FWIW, I made a quick pass through RFC 8470 to look for references to TLS, and didn't find any references to TLS that would not also apply to QUIC v1's usage of TLS. (It does have things like "early data received on that TLS connection" that do not strictly speaking apply to HTTP/3, but I don't see that one as particularly problematic.) Section 11.2.1, 11.2.2 We give the HTTP/3 experts (and registrants) some guidance that coordinating with the HTTP/2 registries is useful. Do we want to add a note to or otherwise update the guidance for the HTTP/2 registries to give analogous advice to the HTTP/2 experts? [Mike already opened https://github.com/quicwg/base-drafts/issues/4760 based on some out-of-band discussion, which I incorporate here by reference. Summary: We probably want the DEs to be able to reject requests to stomp on a value already used in the other protocol, in addition to the first unassigned value and excessive/bulk requests.] Section 11.2.2 I note that RFC 7540 marked setting code 0x0 reserved for h2; should we mirror that? Section 12.1 [ALTSVC] doesn't exactly seem to be referenced in a normative manner anymore. Back when it was the only way to do HTTP/3 it made sense, but the current description seems mostly to be saying that "other services could use Alt-Svc to initiate HTTP/3" which is arguably not really something you have to know in order to implement and use this spec. Section 12.2 Can we review the places that reference [HTTP11]? It seems like we may be deferring to it for the semantics of, e.g., CONNECT, and OPTIONS with asterisk-form authority, which would seem to make it a normative reference, which I understand to be something we're trying to avoid. Appendix A.3 (nit) I note that A.2.5 gave the codepoints for the HTTP/2 frame types being discussed; should do the analogous thing for HTTP/2 settings types?
- Benjamin Kaduk's Discuss on draft-ietf-quic-http-… Benjamin Kaduk via Datatracker
- Re: Benjamin Kaduk's Discuss on draft-ietf-quic-h… Lucas Pardue
- Re: Benjamin Kaduk's Discuss on draft-ietf-quic-h… Mark Nottingham
- Re: Benjamin Kaduk's Discuss on draft-ietf-quic-h… Benjamin Kaduk