[QUIC] Review of draft-hamilton-quic-transport-protocol-01
Kyle Rose <krose@krose.org> Mon, 14 November 2016 14:03 UTC
Return-Path: <krose@krose.org>
X-Original-To: quic@ietfa.amsl.com
Delivered-To: quic@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E155A1296F5 for <quic@ietfa.amsl.com>; Mon, 14 Nov 2016 06:03:35 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.699
X-Spam-Level:
X-Spam-Status: No, score=-2.699 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, NORMAL_HTTP_TO_IP=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=krose.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GR2JrZ0aANWn for <quic@ietfa.amsl.com>; Mon, 14 Nov 2016 06:03:32 -0800 (PST)
Received: from mail-qt0-x22a.google.com (mail-qt0-x22a.google.com [IPv6:2607:f8b0:400d:c0d::22a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 11BF8129418 for <quic@ietf.org>; Mon, 14 Nov 2016 06:03:32 -0800 (PST)
Received: by mail-qt0-x22a.google.com with SMTP id c47so47436480qtc.2 for <quic@ietf.org>; Mon, 14 Nov 2016 06:03:32 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=krose.org; s=google; h=mime-version:from:date:message-id:subject:to; bh=bg4O39bPVoaYGff7IVE8CSC37zmiBc67enYTV3vNNsk=; b=B0O27tDUz4IqqN5YK1w6eezTSzq4ZWSOvF+k8F9OGMa314OQgHJ2LrsjlkOwHAQ4nv yMT2CDOlgGKjRKTetj0W1pB4T0QBh2NuEU6j3frD4mU4UnYo2sZYHmXWl1S8+Lkb3sEL FY90Hb6r2GHh7fJS5bW6JlJ6v7l8v585/56eM=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:from:date:message-id:subject:to; bh=bg4O39bPVoaYGff7IVE8CSC37zmiBc67enYTV3vNNsk=; b=A9FFBW6wWyyh+85AePCDAn8tzsz6eVHjh5WX9YAqDfH67Sz9qdj5QpyJVAoFJWH07i bjE7gJdjP+8+baorV3cxWLnUqqtLh2QUot+8X48bo8/gMXSU2mlkkIqmBwJDenxbakP2 yrqG4ysmXXGFeNFqpJifB6XzcAldy0HUxEi4w71AJVbN5n7ektzY7XaXJKQ1zSH9UmyQ JZV8S/uqHaiM0UCbPbzGxkIjiMEa/GCV8i6WWbe6FkwRWth2yHNtJbvKyLBleixJ/HcP shDV45HGPB9xyqFY9S7NlrqGGYhJZws+OHSMi6JdFu3QrlsjOTYaVqjUgVGXggWSM7VY PvEg==
X-Gm-Message-State: ABUngvceFvPs+0Mp/YHrZCUeYYSupbzjLzgcpv7Oap3t19WcJKjk4ePisMdBP1jS3Kwr10CYggMo0s/Npb9MQQ==
X-Received: by 10.237.37.60 with SMTP id v57mr11875676qtc.135.1479132210779; Mon, 14 Nov 2016 06:03:30 -0800 (PST)
MIME-Version: 1.0
Received: by 10.55.180.2 with HTTP; Mon, 14 Nov 2016 06:03:30 -0800 (PST)
X-Originating-IP: [2001:67c:370:144:8806:9eca:6f2f:8f7b]
From: Kyle Rose <krose@krose.org>
Date: Mon, 14 Nov 2016 23:03:30 +0900
Message-ID: <CAJU8_nXjDWQaWTaYPTmsKPJwBBBcastWSV05uYdQvFon62s6Tw@mail.gmail.com>
To: quic@ietf.org
Content-Type: multipart/alternative; boundary="001a114125e0ffedee0541434dd8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic/7WHXECICxClEa0JTJsIkOlVbiUQ>
Subject: [QUIC] Review of draft-hamilton-quic-transport-protocol-01
X-BeenThere: quic@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Main mailing list of the IETF QUIC working group <quic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic>, <mailto:quic-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic/>
List-Post: <mailto:quic@ietf.org>
List-Help: <mailto:quic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic>, <mailto:quic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 14 Nov 2016 14:03:36 -0000
In general, the spec is pretty clear and easy to follow. The most confusing bit is that it's not entirely clear from this spec which things are encrypted/authenticated and when. Maybe an additional state diagram detailing encryption/authentication keys at various stages of connection establishment would help. 3.7. I know there will be much discussion of the connection ID as a tracking cookie. I'm willing to bet there's some reduction from public key cryptography to any scheme for sending omega(1) cryptographically-independent identifying tokens (e.g., table indices) based on O(1) shared data, so until PKC is cheap enough, we're probably stuck with either issuing enough connection IDs that we can be assured of a unique ID per packet, or living with some degree of trackability across client address changes. 4.2. Packet number is authenticated but not encrypted? Is there a good reason not to encrypt it to the degree possible? (I.e., with a traffic key derived from the best shared secret we know at any particular point in connection establishment.) The same goes for ACKs. See also: section 11.1. 4.2.1. See the discussion in the "Packet number recovery" thread. Slight addendum: about 10 seconds after hitting "send" on my message, I realized that one of the doom scenarios I posited (K*2^n) couldn't happen given some of the earlier assumptions I made about how the sender must choose packet numbers, i.e. that such large packet numbers couldn't be used without largest acked advancing. 5.1. Is it possible for the mandatory version negotiation response behavior to be an amplification vector for spoofed packets? 5.2.1.3: How is the client to know that it doesn't need a connection ID? What if there's an SNAT close to the server? A synthetic example would be a lab environment that needs to use all public IP space, and so NATs connections from external IPs to a specific gateway IP. 5.2.3: Is it intended for the STK to be folded into the TLS session ticket? I haven't gotten to Martin's draft yet. 5.2.3: "The crypto handshake MUST ensure that the final negotiated key is distinct for every connection between two endpoints.": trivially unachievable if both ends cooperate. Maybe want to say something like "The crypto handshake MUST ensure that the final negotiated key is distinct for every connection between two endpoints if at least one endpoint desires this property." 5.2.3: TLS hasn't had to deal with amplification attacks of this sort because of the TCP 3WHS. I'm not sure compression is enough here, but I also don't know if there's a good universal mitigation to the spoofing problem. 6.2: I would move the "It is recommended for the sender to send the most recent largest acked packet [number]...." out of the normative protocol description. I would also explain why this is the recommended strategy, because it isn't obvious to me why you'd want to do this or why this wouldn't result in spurious retransmits from slightly out-of-order delivery. 6.2: I would mostly eliminate opportunistic ACK attacks by authenticating all ACKs to the degree possible (as suggested above). See also: section 11.1. 6.2: "The two 'LL/MM' bits encode..." A normative mapping from two bits to {1,2,4,6} is required IMO. 6.2: Num Blocks: So, the value is actually number of additional ACK blocks minus 1? 6.2: "...between the largest acked and the first packet whose timestamp is being reported." By "first" you mean "latest"? It seems they must go in reverse order, so I think "first" might be confusing terminology here. 6.2: Is there ever a situation in which it might be valuable not to include packets in the explicit ACK list if they are also included in the timestamp section? If the packets in the timestamp section are sparse, then introducing gaps would make the ACK frame strictly larger, but if every packet appears in both places it could reduce the size of the ACK frame somewhat. I'm willing to concede that this may be an optimization that is more complicated than it is worth. 6.5: Is there a situation in which a BLOCKED frame could inform the recipient that the sender missed a WINDOW_UPDATE frame? This would presumably fix itself eventually via retransmission, anyway. 7: "A sender SHOULD minimize per-packet bandwidth and computational costs by bundling as many frames as possible within a QUIC packet." This directly conflicts with the earlier recommendation "An implementation is therefore advised to bundle as few streams as necessary in outgoing packets without losing transmission efficiency to underfilled packets." Heuristics around frame packing would be helpful here: surely, for streams A and B you never want to send packets A_1||B_1 and A_2||B_2 when you could send A_1||A_2 and B_1||B_2 with the same latency, but whether you want to send A and B in separate packets or as A||B depends on some function of overhead and loss. 7: "...a receiver MUST NOT generate an ACK in response to every packet containing only ACK frames *or padding*". 7: Is the goal of sending an ACK-of-ACKs just to update largest ACKed? 8: One potential problem with QUIC streams as a message abstraction is that the stream ID space is pretty limited at 2^32. 8.1: I think "recv FIN" on the transition from "half closed (remote)" to "closed" and "send FIN" on the transition from "half closed (local)" to "closed" are reversed. Should there also be a transition from "idle" to "closed" for "recv RST"? 8.1.6: Given the requirement to send a RST immediately after receiving an unsolicited RST, should there also be a "remote reset" state whenever "recv RST" occurs first, followed immediately by "send RST" and a transition to "closed"? Or does this just complicate the diagram for no good reason? 8.4: Is triggered delivery prohibited? I.e., is it out-of-spec for a sender to send a series of packets containing the bytes 1-65535 of a message and then trigger instantaneous application delivery of this blob by sending byte 0 in the last packet? Surely this can happen by accident, but doing it intentionally is somewhat different. 9.1.1: Should a RST with a lower offset than highest data offset already seen for a stream result in a connection error? Otherwise, the sender and receiver could have inconsistent views of the flow control state. 9.1.4: "...it is generally considered best to not let the sender go into quiescence if avoidable." Should this be "an active sender"? 11.1: I again feel like there's no reason to allow unauthenticated ACKs when authentication is possible. Nits: (Maybe will be PRs if this ends up in Github) 5.2. "crypto stream": forward reference? 6.1: I would move things like the "Implementation note" out of the normative protocol description into some other section describing recommendations/best practices for optimization. 6.9. "QuicErrorCode": forward reference? Kyle