Re: Asymmetric CIDs

Christian Huitema <huitema@huitema.net> Fri, 16 February 2018 18:15 UTC

Return-Path: <huitema@huitema.net>
X-Original-To: quic@ietfa.amsl.com
Delivered-To: quic@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 581FA1200C1 for <quic@ietfa.amsl.com>; Fri, 16 Feb 2018 10:15:35 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, MIME_QP_LONG_LINE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id C7dbbQIj4Gf4 for <quic@ietfa.amsl.com>; Fri, 16 Feb 2018 10:15:32 -0800 (PST)
Received: from mx43-out1.antispamcloud.com (mx43-out1.antispamcloud.com [138.201.61.189]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A0383129515 for <quic@ietf.org>; Fri, 16 Feb 2018 10:15:31 -0800 (PST)
Received: from xsmtp24.mail2web.com ([168.144.250.190] helo=xsmtp04.mail2web.com) by mx26.antispamcloud.com with esmtps (TLSv1:AES256-SHA:256) (Exim 4.89) (envelope-from <huitema@huitema.net>) id 1emkXd-0003bG-Q1 for quic@ietf.org; Fri, 16 Feb 2018 19:15:29 +0100
Received: from [10.5.2.14] (helo=xmail04.myhosting.com) by xsmtp04.mail2web.com with esmtps (TLS-1.0:DHE_RSA_AES_256_CBC_SHA1:32) (Exim 4.63) (envelope-from <huitema@huitema.net>) id 1emkXS-0006sa-Oi for quic@ietf.org; Fri, 16 Feb 2018 13:15:20 -0500
Received: (qmail 17637 invoked from network); 16 Feb 2018 18:15:06 -0000
Received: from unknown (HELO [192.168.1.102]) (Authenticated-user:_huitema@huitema.net@[172.56.42.15]) (envelope-sender <huitema@huitema.net>) by xmail04.myhosting.com (qmail-ldap-1.03) with ESMTPA for <ianswett@google.com>; 16 Feb 2018 18:14:59 -0000
Content-Type: multipart/alternative; boundary=Apple-Mail-5360B801-F24E-4074-BD1C-633DD2DBA600
Mime-Version: 1.0 (1.0)
From: Christian Huitema <huitema@huitema.net>
X-Mailer: iPhone Mail (15D60)
In-Reply-To: <CAM4esxQW1-dVfJSi4zoURNV-7u0EP6h-Xdyx5Wbo0QMdrkLk=w@mail.gmail.com>
Date: Fri, 16 Feb 2018 08:14:57 -1000
Cc: Ian Swett <ianswett@google.com>, Eric Rescorla <ekr@rtfm.com>, IETF QUIC WG <quic@ietf.org>
Content-Transfer-Encoding: 7bit
Message-Id: <AA0705E2-7A79-47DD-846A-C0B74A8A4B24@huitema.net>
References: <CABcZeBMVabN9LQ42BxpSwK71hzu_TbzwqhHTJV1uJBKr5g-N3A@mail.gmail.com> <CAKcm_gOvf0N7sq2so38sQaD+2jHGnDpsSQHEwU8HPgSpMJRfzA@mail.gmail.com> <CAM4esxQW1-dVfJSi4zoURNV-7u0EP6h-Xdyx5Wbo0QMdrkLk=w@mail.gmail.com>
To: Martin Duke <martin.h.duke@gmail.com>
Subject: Re: Asymmetric CIDs
X-Originating-IP: 168.144.250.190
X-AntiSpamCloud-Domain: xsmtpout.mail2web.com
X-AntiSpamCloud-Username: 168.144.250.0/24
Authentication-Results: antispamcloud.com; auth=pass smtp.auth=168.144.250.0/24@xsmtpout.mail2web.com
X-AntiSpamCloud-Outgoing-Class: unsure
X-AntiSpamCloud-Outgoing-Evidence: Combined (0.42)
X-Recommended-Action: accept
X-Filter-ID: EX5BVjFpneJeBchSMxfU5g1VrvYOmBIHi52D440i0wp602E9L7XzfQH6nu9C/Fh9KJzpNe6xgvOx q3u0UDjvO37pNwwF1lRXh5rzvPzo9Jts1ujulqUFmMITHM77eiVivJRpx5P6MruxD1GllRPlX87i TvJ2/ZGzVWB9scFAaCdIFaUvXN+CI+RGy3Me16pBy0LkIcQZ+RRGzUcmNZyDXh/TBCf6oYXAWGet lavcAjD9ytQxIHf9lN5jjLJaPK8lRJSPf/SXbEnDSsal/zZzc4n9VZdr7RAFD5mRwooUYhwMPaBP aKeQW+/QlaOdv8isl/qMm08Zpim2AHUKEWvQ6G/bWfgucjnNmABpGhD9TTttrFCuZ0NkwnSz2Luu o1u9uevuNfM1HjkNEFwape+IgNezYqxGMqsKjARq8PBC4qjSYb8Ll5Ew7esaVIVXxqL4mdySlZou 9qHIGOZDEEo7Oyc1nq0gsY582CWqKjiRB3upW940lL8kAcN44/h+EKQYg8fO0sqTNbFIxwq5nK+B tNm4YXH+1fMTrNbJKTtzvwOdxCO5CCKrpBmx6d8NosRZXrsVnlgJAwCslL3Wle4MwAfG/OGabeQO D+JyvmSUpW+ZQTl/k5oRlt1ErWfaEWxe22o4BNBy+bVfxj88zI41K1O7B0jvACHkMSS0WCQUO4Da Q6mrvkz1ms5n2i5GFAoJSGG/BQd7r2NVEaNhWos5pnlmhjstJS63RQEec9TqGd8ccBIk1Sag4dKi qCrF8eZZeNMTAWyxeqt3BjCO03tBtkqah8tX/yBccUywZq2FP6SBi6owqeb+h1kbxIVWYdC7N1zg 8T9ahw4hquQDupK1jleqv/VOJZnHunWcIBzbsDrLaeA4pl20N4bgeYf9w8whIRFsicyJMEhQFtD8 PLoinpgjWjpMfsxmWdg884icSQEZwRvSfvkJh2VafuDhMcA1uHlEIbR8fMtAowK0FL525g==
X-Report-Abuse-To: spam@quarantine5.antispamcloud.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic/GDqdFzq1RI2KEFAZcPE6m6T4hX0>
X-BeenThere: quic@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Main mailing list of the IETF QUIC working group <quic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic>, <mailto:quic-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic/>
List-Post: <mailto:quic@ietf.org>
List-Help: <mailto:quic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic>, <mailto:quic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 16 Feb 2018 18:15:35 -0000

I like the concept, but I would like to understand how we avoid linkability on migration.

-- Christian Huitema 

> On Feb 16, 2018, at 7:52 AM, Martin Duke <martin.h.duke@gmail.com> wrote:
> 
> Thanks for writing this up, ekr. This incorporates many of the suggestions I made in objection to this project (perhaps coincidentally) and I like it a lot.
> 
> Advantages of this:
> - In the common case where most of the data is server->client, clients can get away with shorter Conn IDs to reduce overhead.
> - Omit-conn-id just becomes a case where length = 0. Does this sidestep some of Google's transition issues?
> - If a client sends NEW_CONNECTION_ID, that indicates an intention to migrate, and is a good cue for the server to send the same. We should add a SHOULD to specify this behavior.
> 
> I must be missing something, however, regarding implicit CIDs.
> 
> If there's a NAT rebinding, how is the server supposed to extract the CID? Furthermore, this obviates the entire concept of using Connection ID for routing; it's not obviously a savings to store CID length in a table vs. just storing the destination server.
> 
> Lastly, if we encode the length somewhere that seems to solve the Stateless Reset issue.
> 
> 
>> On Fri, Feb 16, 2018 at 9:25 AM, Ian Swett <ianswett@google.com> wrote:
>> Thanks for the excellent summary EKR.  I like this design and think the breakage of stateless reset in certain cases is acceptable, since it only applies if both sides must have their preferred connection ID present in order to route correctly, which is a use case that's impossible in the status quo.  I have not come up with any other downsides.
>> 
>>> On Fri, Feb 16, 2018 at 12:01 PM, Eric Rescorla <ekr@rtfm.com> wrote:
>>> Hi folks,
>>> 
>>> After a bunch of discussion, the CID task force came down to rough
>>> consensus that asymmetric conn IDs were probably the right
>>> direction (CID task force members, please feel free to voice dissent
>>> here). Here's a complete writeup of what I think would be needed
>>> for asymmetric connection IDs. It's not a PR, because I think
>>> something self-contained is cleaner.
>>> 
>>> Note that if we adopt this direction, we would be sacrificing
>>> public reset under some conditions (see previous emails to the
>>> list) and we would need to decide if it was worth keeping at all.
>>> 
>>> 
>>> OVERVIEW
>>> The basic idea is that each side gets to dictate the connection IDs
>>> that are used to send to it. During the handshake, you establish those
>>> CIDs and then each side can issue new CIDs during the connection.  The
>>> main advantage of this is that it allows for symmetric topologies in which
>>> the client is also behind some kind of stateless LB/router rather than
>>> just the server. See Issue #1091 for more info on this.
>>> 
>>> 
>>> The overall handshake looks something like this:
>>> 
>>> Client                                      Server
>>> 
>>> Initial [CID=XXX] {recv-CID=YYY} ---------------->
>>> <-------------- Cleartext [CID=YYY] {recv-CID=ZZZ}
>>> Cleartext [CID=ZZZ], {recv-CID=YYY} ------------->
>>> <-------------------------- Short header [CID=YYY]
>>> Short header [CID=ZZZ] -------------------------->
>>> 
>>> 
>>> The client's initial CID (XXX) is special, and either consists of
>>> 
>>>     (a) a randomly chosen dummy CID. Proposal: require this to be
>>>         8 bytes or at least a minimum. This should be the same
>>>         for all Initial packets in a connection (unless a stateless
>>>         reject is received, as below).
>>>     (b) a CID which it received from the server in a stateless reject
>>> 
>>> All the server's packets are sent with the client's receive CID (YYY)
>>> and all subsequent client packets are sent with the server's receive
>>> CID (ZZZ). The general rule is that you should send with the
>>> connection ID that you most recently received (where recently
>>> is defined as highest PN).
>>> 
>>> Note: I believe it's safe to just use the sending CID as the mixin
>>> for the KDF, but I haven't thought this entirely through yet.
>>> 
>>> Finally, you can send NEW_CONNECTION_ID in either direction to provide
>>> a new connection ID for the other side to use. The general assumption
>>> is that you can do this at any time, just as with current QUIC, and
>>> that any time you send to a new remote 3-tuple you should change CIDs
>>> if you can. Note that this means that endpoints should try to make
>>> sure that the other side has spare CIDs in case they need to migrate.
>>> 
>>> 
>>> WIRE ENCODING
>>> As we discussed in the meeting the short header should just have
>>> an implicit length CID. This gives us the following short header:
>>> 
>>>    +-+-+-+-+-+-+-+-+
>>>    |0|C|K| Type (5)|
>>>    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
>>>    |                                                               |
>>>    +                     [Connection ID (*)]                       +  <- change from 64
>>>    |                                                               |
>>>    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
>>>    |                      Packet Number (8/16/32)                ...
>>>    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
>>>    |                     Protected Payload (*)                   ...
>>>    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
>>> 
>>> Note that we may also be able to dispense with the C bit, if each
>>> side just gets to say "send me this CID exactly", why do we want
>>> to say "here is my CID but you can omit it".
>>> 
>>> 
>>> We have several options about the long header. The first question
>>> is where recv-CIDs go. In previous versions I suggested putting
>>> them in transport parameters, or elsewhere in the TLS handshake,
>>> and that might still be viable, though it has some drawbacks [0],
>>> so the other alternative is to put both CIDs in in the long header.
>>> This would look something like:
>>> 
>>>    +-+-+-+-+-+-+-+-+
>>>    |1|   Type (7)  |
>>>    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
>>>    |  DCID-Length  |                                               |
>>>    +-+-+-+-+-+-+-+-+   Dst Connection ID (*)                       +
>>>    |                                                               |
>>>    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
>>>    |  SCID-Length  |                                               |
>>>    +-+-+-+-+-+-+-+-+   Src Connection ID (*)                       +
>>>    |                                                               |
>>>    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
>>>    |                         Version (32)                          |
>>>    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
>>>    |                       Packet Number (32)                      |
>>>    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
>>>    |                          Payload (*)                        ...
>>>    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
>>> 
>>> The semantics here are that the first value is the CID you want to
>>> send to and the second one is the value you want used to send to you
>>> (I've inverted these to keep the order the same as short header).
>>> 
>>> Two notes about this encoding:
>>> 
>>> 1. I think we agreed that we didn't want arbitrary length CIDs up to
>>> 255 bytes, and yet we have room in this length byte. I propose we
>>> limit it to 31 bytes and then grease the remaining 3 bits [1].
>>> 
>>> 2. Because the client sends its CID first, there's no way to get the
>>> current QUIC semantics of the server just dictates the CID.  I propose
>>> we fix that by defining a special sentinel CID (all 1s, all 0s,
>>> whatever) of whatever our maximum length is that means "just use your
>>> own CID".
>>> 
>>> We can endlessly bikeshed on this structure.
>>> 
>>> 
>>> Finally, we will need to update NEW_CONNECTION_ID to allow a variable
>>> length CID. This would look like this:
>>> 
>>>     0                   1                   2                   3
>>>     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
>>>    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
>>>    |                          Sequence (i)                       ...
>>>    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
>>>    |  CID-Length   |                                               |
>>>    +-+-+-+-+-+-+-+-+       Connection ID (*)                       +
>>>    |                                                               |
>>>    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
>>>    |                                                               |
>>>    +                                                               +
>>>    |                                                               |
>>>    +                   Stateless Reset Token (128)                 +
>>>    |                                                               |
>>>    +                                                               +
>>>    |                                                               |
>>>    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
>>> 
>>> 
>>> 
>>> [0] However, in the transport parameters design, if the server's
>>> handshake gets reordered, the client might need to send some ACKs with
>>> the initial CID. However, we've agreed that the client's IP address
>>> has to be stable, so this isn't a problem. Alternately, you could
>>> change C->S CIDs in the short header if that was easier.
>>> 
>>> [1] An alternative would be to have a sparse range (e.g., you can
>>> express 0-7 and then 8-22 by 2s, assuming I have counted correctly)
>>> and then we could pack both lengths into a single byte. As I said,
>>> lots of opportunities for bikeshedding here.
>>> 
>> 
>