IETF Logo Mail Archive

Re: Stream0 Design Team Proposal

Jana Iyengar <jri.ietf@gmail.com> Thu, 24 May 2018 00:07 UTC

Return-Path: <jri.ietf@gmail.com>
X-Original-To: quic@ietfa.amsl.com
Delivered-To: quic@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 36720127077 for <quic@ietfa.amsl.com>; Wed, 23 May 2018 17:07:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XMeJ7IHbW5XM for <quic@ietfa.amsl.com>; Wed, 23 May 2018 17:07:36 -0700 (PDT)
Received: from mail-it0-x22b.google.com (mail-it0-x22b.google.com [IPv6:2607:f8b0:4001:c0b::22b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 25F47124217 for <quic@ietf.org>; Wed, 23 May 2018 17:07:36 -0700 (PDT)
Received: by mail-it0-x22b.google.com with SMTP id d10-v6so186131itj.1 for <quic@ietf.org>; Wed, 23 May 2018 17:07:36 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=uuZsKdMZGL37wohzWFEKHhTDUnaivh+p6DXqfDXeGR4=; b=DV5yQOBpOcZebDOl3d/WEaaMex4L9d/afcqAOEttzH04UZdFGgNd2tGeJKUQdKMsxf eFy2lO51GjvApCbm9AswIsT/cqzCkPMA/K0UlZjyINF9rXLDkRytszSCVO4HUNdePaBQ LiNi0iUyj3u05GWdgKbnH3nKEgQQ9uc59FPnRDygv8Ri8yrPfwmj7DezVYbvBq01fiUL kpWqaKD2GaVaGSYKZ59KIP5YBHwOBeOIkIBU7ap0LVExiL9vUK7kWzcr4MkdLy0ksLg8 wZPWHwspbHUvEtw0bJO2l9ljXFGd8PHfuu3XQ2tw0VXrSbt5HD3r9TQKpEZY5AcmnBRQ bshQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=uuZsKdMZGL37wohzWFEKHhTDUnaivh+p6DXqfDXeGR4=; b=ZXqTXdeC1WTpmFcA/FmwWr7C9z0ZKhWOzvZjrKIjqXEjpP+dNvmXNJDjcVL083Akiz 8CE4CuDa4bsz3Fi6vT/4YjwzcfDZ8r1uxoLVUQT5ogs8VOwkHVssDkODW2Ib8yetI8Z+ 3JGneMhSqVYxubhfRWBm/fHXL8OIrrd8jg0rYQdp7cdlGtiK3f/ax3x/f9qgBbWWZJVL h06u2AQTm3dNdCQJCMmC5mLpUqY1YNzulzR7imgJm0EXCQQ6IFhxiJsq9JxHK9mLX5zP tD96FEc8i0pmf0MpyoZ6/mDDNzoyV8Eg1Dvn7kJ7R9pWfiyusrJlNj0XjXPpaPsXmBxf V6Dg==
X-Gm-Message-State: ALKqPwfa++J6TGjpW31fZVKjUsTg5c+6v9hc+9FmA6KRWIaaewr+6xUg +WsKj0ejxg6EYbjkL5mLASmf9Hj4jq23ysyAgyk=
X-Google-Smtp-Source: AB8JxZr7HABtRpcflg4rstc/umvWAWnYjYnes3xkYy8DhwWRoZaA3KrLxR3YQdRZaqRYUJM9NvaqhKjPWWzsuJad0Gc=
X-Received: by 2002:a24:9c1:: with SMTP id 184-v6mr7813106itm.9.1527120455249; Wed, 23 May 2018 17:07:35 -0700 (PDT)
MIME-Version: 1.0
Received: by 2002:a4f:27d4:0:0:0:0:0 with HTTP; Wed, 23 May 2018 17:07:34 -0700 (PDT)
In-Reply-To: <CABcZeBNYVmqnv_42mX=cQsdas-ZS8DS1v0dcLjdnBB0iZkoKfQ@mail.gmail.com>
References: <CAKcm_gM39_x+==WwYfb5qeiqB_qxdAt0ow69V+s_Jny3Ek_hDw@mail.gmail.com> <CANatvzzS+T4HcddCemKF7bb1BmACFp=R4n+YMWkq7tnZaUXw4w@mail.gmail.com> <CACpbDcddWz_i5GoNWYfDAdWKcX0_gOMiKk=ORVABGPE8+7c8Vw@mail.gmail.com> <CABkgnnUfEtkXBYrzZFm9mJ5o_nG_vLVgbgxDG5TxUhLYoe55Xg@mail.gmail.com> <CABcZeBNYVmqnv_42mX=cQsdas-ZS8DS1v0dcLjdnBB0iZkoKfQ@mail.gmail.com>
From: Jana Iyengar <jri.ietf@gmail.com>
Date: Wed, 23 May 2018 17:07:34 -0700
Message-ID: <CACpbDce9nib7hOqBAS3ksoEcZ1d7c3yOFGcL1n+9HNreHRZ-iw@mail.gmail.com>
Subject: Re: Stream0 Design Team Proposal
To: Eric Rescorla <ekr@rtfm.com>
Cc: Martin Thomson <martin.thomson@gmail.com>, Eric Rescorla <ekr@mozilla.com>, QUIC WG <quic@ietf.org>, Ian Swett <ianswett=40google.com@dmarc.ietf.org>, Kazuho Oku <kazuhooku@gmail.com>
Content-Type: multipart/alternative; boundary="00000000000043b50b056ce8704d"
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic/GVCOLHo3vo6-_GBUyAb-4QUz2II>
X-BeenThere: quic@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Main mailing list of the IETF QUIC working group <quic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic>, <mailto:quic-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic/>
List-Post: <mailto:quic@ietf.org>
List-Help: <mailto:quic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic>, <mailto:quic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 24 May 2018 00:07:39 -0000

Fair enough. I think 0x18 is fine.

On Wed, May 23, 2018 at 4:55 PM, Eric Rescorla <ekr@rtfm.com> wrote:

> I'm with MT on this one. Bits in the handshake are comparatively cheap. I
> do think it's of *some* benefit to be able to use the STREAM frame parser,
> but that 0x18 hack seems to get us that.
>
> -Ekr
>
>
> On Wed, May 23, 2018 at 4:51 PM, Martin Thomson <martin.thomson@gmail.com>
> wrote:
>
>> I'm not a fan of micro-optimizations like this, especially when it means
>> taking space we don't need.
>>
>> We don't need ANY of the bits on the CRYPTO stream.  The savings for an
>> absent length and offset are marginal and not worth burning 8 frame types
>> on, and the stream never really ends.  So if we made it have a type of
>> 0x18, then you would run it through the same code and get the same result.
>>
>> On Wed, May 23, 2018 at 4:40 PM Jana Iyengar <jri.ietf@gmail.com> wrote:
>>
>> > Thank you for your implementation and your report -- this is terrific
>> and
>> helpful!
>>
>> > On your note about CRYPTO_HS frames, I think your idea is clever. Just
>> to
>> ensure that I am understanding it correctly, I believe you're proposing
>> defining:
>> > 0x10 - 0x17: STREAM frame
>> > 0x18 - 0x1F: CRYPTO_HS frame
>>
>> > We can the same frame format for CRYPTO_HS as STREAM except that
>> CRYPTO_HS will not have the stream ID field. This means an implementation
>> handling these frames can reuse the stream machinery with a small change
>> to
>> parse the header bits as follows:
>>
>> > if (type & 0x10)  {  // STREAM or CRYPTO_HS frame
>> >      if (type & 0x08) streamID = varint_consume(frame);
>> >      if (type & 0x04) offset = varint_consume(frame);
>> >      if (type & 0x02) length = varint_consume(frame);
>> >      if (type & 0x01) fin = 1;
>> >      read body if present
>> > }
>>
>> > On Tue, May 22, 2018 at 9:57 PM, Kazuho Oku <kazuhooku@gmail.com>
>> wrote:
>>
>> >> FWIW, I am happy to tell you that I have a working PoC code for the
>> >> proposed approach.
>>
>> >> On the QUIC side, I saw 2% (124 lines) increase in code size (more on
>> >> that below). On the TLS side, I also saw 2% (175 lines) increase.
>> >> However please look at the code size change especially on the QUIC
>> >> side with grain of salt, as it is just a PoC.
>>
>> >> As expected, the key and encryption-level management on the QUIC side
>> >> became very clean. Following are some of the design decisions I made
>> >> as well as the outcomes:
>>
>> >> * All the interaction between picotls and quicly are accompanied by
>> >> "epoch". Handshake messages are attributed with their epochs so that
>> >> they do not get protected by the wrong key, or so that octets received
>> >> under an incorrect encryption context cannot be misused.
>>
>> >> * All the traffic keys are governed by quicly (managing some traffic
>> >> keys in TLS while managing PNE key in QUIC seems messy).
>>
>> >> * The Initial key is setup by quicly, wheeras other traffic keys are
>> >> installed by picotls by calling a callback named
>> >> update_traffic_key_cb. The callback accepts and installs 6 keys in
>> >> total: for three levels (i.e. 0-RTT, handshake, 1-RTT) in two
>> >> directions (send-side and receive-side).
>>
>> >> * Three PN spaces have their own AEAD encryption key. Initial PN and
>> >> Handshake PN spaces have one aead decryption key each. Application PN
>> >> space has up to two decryption keys: either for 0-RTT and 1-RTT or for
>> >> two 1-RTT keys during key update.
>>
>> >> It was a pain to have a dedicated frame encoding for CRYPTO_HS, even
>> >> though we can reuse (and I reused) the retransmission and reassembly
>> >> logic of QUIC streams for the handshake flows. About a half of the
>> >> code size increase comes from that (the other half comes from the
>> >> added abstraction for having two contexts for the handshake). I would
>> >> prefer reusing the STREAM frame encoding for the handshake data. We
>> >> could possibly use a different base offset (i.e. for CRYPTO_HS frames
>> >> we could use 0b00011XXX, whereas the STREAM frames use 0b00010XXX), as
>> >> well as omitting the Stream ID field.
>>
>> >> Overall, now that I have a PoC, I am more confident that the proposed
>> >> approach is the correct path forward. It *simplifies* the QUIC stack
>> >> at the same time giving us better security properties as well as
>> >> fixing various issues in the current design (as discussed in the
>> >> design doc).
>>
>>
>> >> 2018-05-23 10:30 GMT+09:00 Ian Swett <ianswett=
>> 40google.com@dmarc.ietf.org>:
>> >> > Dear QUIC WG,
>> >> >
>> >> >
>> >> > On behalf of the Stream 0 Design Team, I am pleased to report that we
>> have
>> >> > consensus on a proposed approach to share with the WG. The DT's
>> proposal
>> >> > will make QUIC and TLS work closer together and incorporates ideas
>> from
>> >> > DTLS, but it does not use the DTLS protocol itself.
>> >> >
>> >> >
>> >> > The DT believes this solves the important open Stream 0 issues. The
>> proposal
>> >> > will be a bit more invasive in TLS, but we believe it is the right
>> long-term
>> >> > direction and several TLS stacks (BoringSSL, PicoTLS, NSS, and Mint)
>> are
>> >> > willing and able to do the work necessary.. A number of stacks are
>> currently
>> >> > working on implementations of this new approach, which we hope to
>> have
>> in
>> >> > time for the Interim meeting.
>> >> >
>> >> >
>> >> > A design document describing the overall approach can be found at:
>> >> >
>> >> >
>> https://docs.google.com/document/d/1fRsJqPinJl8N3b-bflDRV6au
>> ojfJLkxddT93j6SwHY8/edit
>> >> >
>> >> >
>> >> > A PR making the changes to the QUIC documents can be found at:
>> >> >
>> >> > https://github.com/quicwg/base-drafts/pull/1377
>> >> >
>> >> >
>> >> > A few design details did not have clear consensus, but it was felt it
>> would
>> >> > be better to discuss those in the wider WG than delay the design
>> team.
>>   A
>> >> > consistent choice was made in the PR and these issues are mentioned
>> in
>> >> > Appendix B of the design doc.
>> >> >
>> >> >
>> >> > As always, comments and questions welcome. That said, this is a big
>> PR
>> and
>> >> > we recognize that some editorial work is going to be needed before
>> merging.
>> >> > In the interest of letting people follow along, and to keep github
>> from
>> >> > falling over, we ask people to keep discussion on the mailing list
>> and
>> >> > refrain from making PR comments.
>> >> >
>> >> >
>> >> > See you in Kista!
>> >> >
>> >> >
>> >> > Ian and Eric
>>
>>
>>
>> >> --
>> >> Kazuho Oku
>>
>>
>

v2.14.0 | Report a Bug | By Email