Re: Proposal: Run QUIC over DTLS

Mirja Kühlewind <> Tue, 13 March 2018 18:30 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 93247124BAC for <>; Tue, 13 Mar 2018 11:30:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.909
X-Spam-Status: No, score=-1.909 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, T_RP_MATCHES_RCVD=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id eLE96pujDHta for <>; Tue, 13 Mar 2018 11:30:24 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 71919124BE8 for <>; Tue, 13 Mar 2018 11:30:23 -0700 (PDT)
Received: from localhost (localhost []) by (Postfix) with ESMTP id 4013Lk2xRyz15MTh; Tue, 13 Mar 2018 19:30:22 +0100 (CET)
X-Virus-Scanned: Debian amavisd-new at
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id e9qvMsV32lZr; Tue, 13 Mar 2018 19:30:21 +0100 (CET)
X-MtScore: NO score=0
Received: from [] ( []) by (Postfix) with ESMTPSA; Tue, 13 Mar 2018 19:30:20 +0100 (CET)
Subject: Re: Proposal: Run QUIC over DTLS
To: Mark Nottingham <>, Eric Rescorla <>
Cc: Lars Eggert <>, IETF QUIC WG <>
References: <> <>
From: =?UTF-8?Q?Mirja_K=c3=bchlewind?= <>
Message-ID: <>
Date: Tue, 13 Mar 2018 19:30:20 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.6.0
MIME-Version: 1.0
In-Reply-To: <>
Content-Type: multipart/mixed; boundary="------------98248066F37A72660021E910"
Content-Language: en-US
Archived-At: <>
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Main mailing list of the IETF QUIC working group <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 13 Mar 2018 18:30:28 -0000

Hi Mark,

coming back to this initial mail, I believe that it is clear that people 
are interested in the problem(s) that this proposal is addressing but 
not the actually solution as there is a strong feeling that it is too 
late for such a fundamental change in the process.

I just looked at the draft agenda and it (still) say "QUIC over DTLS 
Proposal". Is there a plan to change this and level this up to a more 
higher level discussion on the problems or do people still want to use 
the time to discuss this concrete proposal?


On 06.03.2018 02:46, Mark Nottingham wrote:
> Thanks for the proposal, EKR. We'll track this as <>.
> Since we're trying to nail down the invariants in London (or soon afterwards), I'd like to figure out the WG's feelings on this pretty quickly.
> I know folks need a chance to read and digest, but it would be extremely helpful if we could have some initial discussion on-list now. Please focus on the technical merit of the proposal, clarifying questions, and statements of support/lack thereof.
> Assuming it's still a topic of interest in two weeks, we'll schedule some time to discuss it in London. EKR, could you please submit a presentation (say, max 20 minutes, plus discussion time afterwards) ASAP?
> Cheers,
>> On 6 Mar 2018, at 10:05 am, Eric Rescorla <> wrote:
>> Hi folks,
>> Sorry to be the one randomizing things again, but the asymmetric
>> conn-id thing went well, so here goes....
>> TL;DR.
>> I'd like to discuss refactoring things to run QUIC over DTLS.
>> When we originally designed the interaction between TLS and QUIC,
>> there seemed like a lot of advantages to embedding the crypto
>> handshake on stream 0, in particular the ability to share a common
>> reliability and congestion mechanism. However, as we've gotten further
>> along in design and implementation, it's also become clear that it's
>> archictecturally kind of crufty and this creates a bunch of problems,
>> including:
>>    * Stream 0 is unencrypted at the beginning of the connection, but
>>      encrypted after the handshake completes, and you still need
>>      to service it.
>>    * Retransmission of stream 0 frames from lost packets needs special
>>      handling to avoid accidentally encrypting them.
>>    * Stream 0 is not subject to flow control; it can exceed limits and
>>      goes into negative credit after the handshake completes.
>>    * There are complicated rules about which packets can ACK other
>>      packets, as both cleartext and ciphertext ACKs are possible.
>>    * Very tight coupling between the crypto stack and the transport
>>      stack, especially in terms of knowing where you are in the
>>      crypto state machine.
>> I've been looking at an alternative design in which we instead adopt a
>> more natural layering of putting QUIC on top of DTLS. The basic
>> intuition is that you do a DTLS handshake and just put QUIC frames
>> directly in DTLS records (rather than QUIC packets). This
>> significantly reduces the degree of entanglement between the two
>> components and removes the corner cases above, as well as just
>> generally being a more conventional architecture. Of course, no design
>> is perfect, but on balance, I think this is a cleaner structure.
>> I have a draft for this at:
>> And a partial implementation of it in Minq at:
>> Mint:
>> Minq:
>> I can't speak for anyone else's implementation, but at least in my
>> case, the result was considerable simplification.
>> It's natural at this point to say that this is coming late in the
>> process after we have a lot invested in the current design, as well as
>> to worry that it will delay the process. That's not my intention, and
>> as I say in the draft, many of the issues we have struggled over
>> (headers especially) can be directly ported into this architecture (or
>> perhaps just reused with QUIC-over-DTLS while letting ordinary DTLS do
>> its thing) and this change would allow us to sidestep issued we are
>> still fighting with, so on balance I believe we can keep the schedule
>> impact contained.
>> We are designing a protocol that will be used long into the future, so
>> having the right architecture is especially important. Our goal has
>> always been to guide this effort by implementation experience and we
>> are learning about the deficiencies of the Stream 0 design as we go
>> down our current path. If the primary concern to this proposal is
>> schedule we should have an explicit discussion about those relative
>> priorities in the context of the pros and cons of the proposal.
>> The hackathon would be a good opportunity to have a face to face chat
>> about this in addition to on-list discussion.
>> Thanks in advance for taking a look,
>> -Ekr
> --
> Mark Nottingham