IETF Logo Mail Archive

Re: Authentication in draft-kuhn-quic-bdpframe-extension

Watson Ladd <watsonbladd@gmail.com> Mon, 06 November 2023 00:43 UTC

Return-Path: <watsonbladd@gmail.com>
X-Original-To: quic@ietfa.amsl.com
Delivered-To: quic@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C6FC1C1D2D77 for <quic@ietfa.amsl.com>; Sun, 5 Nov 2023 16:43:13 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.108
X-Spam-Level:
X-Spam-Status: No, score=-2.108 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pOVoVoEpEDtu for <quic@ietfa.amsl.com>; Sun, 5 Nov 2023 16:43:13 -0800 (PST)
Received: from mail-oi1-x232.google.com (mail-oi1-x232.google.com [IPv6:2607:f8b0:4864:20::232]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 56482C187724 for <quic@ietf.org>; Sun, 5 Nov 2023 16:43:13 -0800 (PST)
Received: by mail-oi1-x232.google.com with SMTP id 5614622812f47-3b40d5ea323so2421446b6e.0 for <quic@ietf.org>; Sun, 05 Nov 2023 16:43:13 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1699231392; x=1699836192; darn=ietf.org; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=lMvUurGik+Wq2xRv3SWeu7DTptMoUXFhLEnV+Nyvfkg=; b=PnSfJWM7xzxB3p4QgEj+Sqb812gsJnr2Oq9ghzmpuHQ3MbTuXdAeogn9vmJu0s774U krMM4LNahruliC1yIioWOQynnF7QSPn/GCNJusbBYN4ggxvfDMGr9em5cpHs08yepRu5 ZNu4iDQ54NRSFFR+R9D01QSJKMzlAX785bTfR5EY0p4X0YMfz7FRrsOZ9WwjKmOuHaud 3sJYDe7CL2ihuck4s8T/VFs5BDy+qzKztHHdD3fPJdr2j61SDFCKNMslslLwma41yJuI iOesxV4v29hgQobjl6jGIIQ7n4Kj4lnqj4V001cUOEEkiVM0RAux+VfVxqscpE2gUK3y 61Hw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1699231392; x=1699836192; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=lMvUurGik+Wq2xRv3SWeu7DTptMoUXFhLEnV+Nyvfkg=; b=kUIOIn/SqXY+Htw/yxOxC+SWgC7v8J6VOJorGo1/AolyAAfQ6ByNijmza5VMNHaGX5 P7tJj7cPC5EjsFwJ4mRQglLB7H+dscsQeojMz3FvYgRAogx6rOoXHCrfEom4ems9qi5h Kd/Or9+j51mcW7ZcYFmMfgfZd+WotFmG0oAwLJcCEN6qo0aReyX1Ngi1sCnxv3yB7g7I cRtwEQASnG3IZ9T8YFjPVW7xlvMyAG3V0Yx1ox8NJB+P0I7qwn42rai4uTkVAHhLc7Hl PZwMpwBdJtvVhBm6s7vHMj4i8iL/AdrrVMuaOPcaqcWQx2BnNqcIRkfdVOZd7qmOFKuH tWUw==
X-Gm-Message-State: AOJu0YwPCSC/8rI/Ceq9h2Bhf2/IrMYK7h2dvo9CdNNH7kVU6aCwUiiO egY26YxyxCYZgUkvLRCiEL92idoqbH4g6mWPZ42NNn7qRz8=
X-Google-Smtp-Source: AGHT+IHaUFaLLAy52oBdNazf+OaBTyN6W1U2Sn6S98whvz3c65ZVixVqb48xT0/fSNlpTGlZdPyjJlzE3m07sTKopm8=
X-Received: by 2002:a05:6808:3c90:b0:3b5:9583:dc80 with SMTP id gs16-20020a0568083c9000b003b59583dc80mr10215442oib.30.1699231392556; Sun, 05 Nov 2023 16:43:12 -0800 (PST)
MIME-Version: 1.0
References: <CAMEWqGsGCEhC97Yt-r9YBwGCPxH6+OGj7GfTmomMDJBD6S_ZBQ@mail.gmail.com> <a7d79746-59b3-4dd5-ad74-2810ac685ec5@erg.abdn.ac.uk> <CALGR9oZRReig2_dEsbtx+ODKoaZTkKp6C5gcQZVPd_gnnWbX1Q@mail.gmail.com>
In-Reply-To: <CALGR9oZRReig2_dEsbtx+ODKoaZTkKp6C5gcQZVPd_gnnWbX1Q@mail.gmail.com>
From: Watson Ladd <watsonbladd@gmail.com>
Date: Sun, 05 Nov 2023 16:43:01 -0800
Message-ID: <CACsn0cmPa2tpChSY8qKUQzCGWfW71WWzZ-L-a4H8DpDEK9BwFQ@mail.gmail.com>
Subject: Re: Authentication in draft-kuhn-quic-bdpframe-extension
To: Lucas Pardue <lucaspardue.24.7@gmail.com>
Cc: Gorry Fairhurst <gorry@erg.abdn.ac.uk>, Q Misell <q=40as207960.net@dmarc.ietf.org>, quic@ietf.org
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic/7liZVqYYMgYKbG7pn7MK6J1MZD0>
X-BeenThere: quic@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Main mailing list of the IETF QUIC working group <quic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic>, <mailto:quic-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic/>
List-Post: <mailto:quic@ietf.org>
List-Help: <mailto:quic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic>, <mailto:quic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 06 Nov 2023 00:43:13 -0000

On Fri, Nov 3, 2023 at 8:45 AM Lucas Pardue <lucaspardue.24.7@gmail.com> wrote:
>
> Hi folks,
>
> I'm still trying to come up to speed on this spec. But when I've thought about it a little, its seemed very natural to associate the BDP frame (contents) with the TLS session. We already have a lot of text about TLS session resumption in QUIC. It feels like there is already a template design with HTTP/3 - a server sends SETTINGS to tell a client something unique about the active QUIC connection. RFC 9114 section 7.2.4.2 [1]states
>
> > When a 0-RTT QUIC connection is being used, the initial value of each server setting is the value used in the previous session. Clients SHOULD store the settings the server provided in the HTTP/3 connection where resumption information was provided, but they MAY opt not to store settings in certain cases (e.g., if the session ticket is received before the SETTINGS frame). A client MUST comply with stored settings -- or default values if no values are stored -- when attempting 0-RTT. Once a server has provided new settings, clients MUST comply with those values.¶
>
> So with a bit of massaging, if we can link BDP frame to session resumption. we know that it is based on a previous trust relationship.

I'd prefer not to incorporate user application related data (which
QUIC info would be) in TLS resumption tickets. There is not a great
way to do this, and particularly as BDP can vary over time so the TLS
layer would have to send more tickets. Not fatal, but more coupling
than I think is ideal.

>
> Is there any scenario where BDP frame would want to be used without TLS resumption?
>
> Cheers
> Lucas



-- 
Astra mortemque praestare gradatim

v2.23.0 | Report a Bug | By Email