Re: Do we need compatible version negotiation at all? (Re: Version negotiation: the bare minimum?)

David Schinazi <dschinazi.ietf@gmail.com> Wed, 21 April 2021 15:11 UTC

Return-Path: <dschinazi.ietf@gmail.com>
X-Original-To: quic@ietfa.amsl.com
Delivered-To: quic@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 36CBF3A2B78 for <quic@ietfa.amsl.com>; Wed, 21 Apr 2021 08:11:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id osaR7T2FNK3G for <quic@ietfa.amsl.com>; Wed, 21 Apr 2021 08:11:43 -0700 (PDT)
Received: from mail-pf1-x42d.google.com (mail-pf1-x42d.google.com [IPv6:2607:f8b0:4864:20::42d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6C7E63A2B16 for <quic@ietf.org>; Wed, 21 Apr 2021 08:11:43 -0700 (PDT)
Received: by mail-pf1-x42d.google.com with SMTP id i190so29113877pfc.12 for <quic@ietf.org>; Wed, 21 Apr 2021 08:11:43 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=dtctZam7Qx1YZRkzZ67OYh5rvRrS1lpR5OeKUB5eQfI=; b=DvVyD6BdJpnJLqkTYglIqNILST7xWg4XFFxrfZRJKQlm/pGnKP/X4xVOfz2dvYE9pm k7KsHj/r30zPQSvDyvPkn6N/wAhq+dh1Hmn4GxoLckMHFJXXNjoN8jDgBETIN16rcaEH ZFzR7Lw797U93RGo330VLslo0KQi2m48TFMcboMUX9sBZND+mrWtDNGqcrqo8J+Rh3ZV puFstvFg3hyk8kgPitAHrArmXgb0ciGeAcrNfay1huWU+WFyFJYzcy9IdrOWNpvNVXXl +LsLACS+SN6vqKhGzRvhmWtgmM0J8+k9WxYLAavfpXKR4ab89qMujDggVbefMs8OmoES x1Lg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=dtctZam7Qx1YZRkzZ67OYh5rvRrS1lpR5OeKUB5eQfI=; b=UFNu2tLfKHhTwcrTDikH51xAwkQgNG/o476CO02xOqwzwvax2lW/jWhZuyCykiaDbG JPlzTbJV9iy4zbuMTfac+jebF1c0UXDF3CBxuEwh8YxQouviaStzFUNO+yXKJZZT0pyw V4eFnqaoIre0TNbzMYStww8+q9ee+vZsCahgpqM1jYavyWq2YJuTGWgyFKlXnbL3mJp4 ActWkA5+z1Kc4mybQ0B8eJURZz1qrmPfC2U9SU3fnNVcsPVPMRPIv/fjbhqIftlfXs8l OBSK1tDXQ3oCtuWOzfg5mytSWqoioeJO6bMjCdSsnnBMiIR3eWiIufNPVKT88YaVnifJ rUaw==
X-Gm-Message-State: AOAM530Fizkt+PKy0TALkN69yvN+voEsdMK9zLA0b/v9wT5Y1G+7JSJq MLJ13ogiG8J6vd0FkCM7jOVSVd2WHIfWDexxnKQ=
X-Google-Smtp-Source: ABdhPJw9X1bu9ptgtgm1cG2NIVzh3Qsrxhgy0uY4AJNFM8DLOhZROKLis6uXgvLik6Yp5l++OIejtU6KpABx22Yzh7o=
X-Received: by 2002:a65:61a1:: with SMTP id i1mr22191037pgv.411.1619017902004; Wed, 21 Apr 2021 08:11:42 -0700 (PDT)
MIME-Version: 1.0
References: <CACsn0cm-vWCZEeA+kh-BUF0M0ZhM_ev6R-9DYZgWQCA-byHofQ@mail.gmail.com> <CAPDSy+4QLJnE8njgsP33GQLnwtNH1v6ACbWTfOXhe00jXdwCbw@mail.gmail.com> <6322e767-433c-7181-08ae-897c6625f3f2@huitema.net> <CANatvzzgKtN+jW_yqhfzQwZBeiFLDY-+2DQ3BuWACX7LkeSxqA@mail.gmail.com> <CAPDSy+7DNyKJTs1BjKMszJU0PgBT5v8PO9g49a59oW3Vh0eusA@mail.gmail.com> <4b8f8975-48b4-b7ed-2d7b-40878aee37ff@huitema.net>
In-Reply-To: <4b8f8975-48b4-b7ed-2d7b-40878aee37ff@huitema.net>
From: David Schinazi <dschinazi.ietf@gmail.com>
Date: Wed, 21 Apr 2021 08:11:30 -0700
Message-ID: <CAPDSy+5bpUEudPf9AoFtCNDQ-W5o00-ac4xhQ5YJC-c7aNeP5w@mail.gmail.com>
Subject: Re: Do we need compatible version negotiation at all? (Re: Version negotiation: the bare minimum?)
To: Christian Huitema <huitema@huitema.net>
Cc: Kazuho Oku <kazuhooku@gmail.com>, Watson Ladd <watsonbladd@gmail.com>, IETF QUIC WG <quic@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000ef1db105c07cfa9d"
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic/HI5jjwsi5j2unuLG2tQDI-WhsKY>
X-BeenThere: quic@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Main mailing list of the IETF QUIC working group <quic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic>, <mailto:quic-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic/>
List-Post: <mailto:quic@ietf.org>
List-Help: <mailto:quic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic>, <mailto:quic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 21 Apr 2021 15:11:48 -0000

I'll note that there are many ways for an attacker to close
a QUIC connection during the handshake:
- send ICMP port unreachable
- send a version negotiation packet with no real versions
- send an initial with a ServerHello of the attacker's choosing
- send a retry with a token of the attacker's choosing

We do not plan on preventing these attacks in Chrome,
because for example ICMP allows us to determine that QUIC
is blocked and fall back to TCP without having the user wait
for a timeout.

As far as I know, preventing denial of service before the
handshake is complete is not a feature provided by QUICv1.

David

On Wed, Apr 21, 2021 at 8:04 AM Christian Huitema <huitema@huitema.net>
wrote:

> Maybe the first question is, do we need to support what you call
> "incompatible" version negotiation, i.e., the original design from 4
> years ago. It was taken off the spec for a number of reasons, of which I
> remember two:
>
> 1) VN packets are easy to spoof by ill-intended third parties. We can
> protect that with end-to-end verification, but that merely downgrades
> the third party action to a denial of service, which is not great.
>
> 2) Version negotiation does not feel good when rolling partial upgrades
> of server farms, because the server of the second connection is not
> necessarily the same as the server sending the VN, andmight support a
> different set of versions.
>
> One reason for removing support is, if nobody expect VN to work, clients
> can just ignore incoming VN packets and get rid of the DOS surface.
>
> The proposed "compatible" version negotiation makes third party
> interference significantly harder -- it requires MITM-ing the
> connection, instead of merely shooting a VN packet. It also solves the
> server farm issue, since it maintains a single connection.
>
> -- Christian Huitema
>
> On 4/21/2021 7:48 AM, David Schinazi wrote:
> > Hi Kazuho,
> >
> > First, to confirm: your characterization of compatible VN matches my
> > understanding.
> >
> > Then, on the topic of what we need, let's start with basics. Your point
> > that QUICv1 has extension points is true,
> > but we've designed QUIC as a versioned protocol to allow innovation
> outside
> > of the confines of QUICv1. We
> > could in theory say that the QUIC version field is ossified and no other
> > versions are allowed for perpetuity,
> > but I think that this would be a loss for our ecosystem. If we assume
> that
> > there is value in having other versions
> > of QUIC, then there is a need for version negotiation. This doesn't apply
> > to HTTP/3 or other application protocols
> > that negotiate their QUIC version out of band (e.g. via Alt-Svc), but we
> > built QUIC in such a way to specifically
> > enable non-HTTP application protocols. Now, given that we want version
> > negotiation, we'll need at least incompatible
> > version negotiation, as that is the one that supports all potential
> > versions. If we decide to build incompatible version
> > negotiation, we need to prevent downgrade attacks - attackers should not
> be
> > able to modify the version field on
> > long headers, and should not be able to inject or modify version
> > negotiation packets. To solve this, we need to
> > authenticate these versions in the TLS transcript, which means adding a
> new
> > transport parameter. At a minimum,
> > this transport parameter needs to include the versions being sent in long
> > headers, and needs some form of what
> > was sent in a version negotiation packet.
> >
> > To summarize that wall of text, if we don't want to ossify on QUICv1, we
> > need a new transport parameter with
> > some version information.
> >
> > Now, to answer your question about compatible version negotiation: it
> does
> > mean adding one more field in the
> > client-to-server transport parameter so the client can list its
> compatible
> > version. In terms of wire encoding, that's
> > the only change. The only complexity in compatible version negotiation is
> > in defining the concepts.
> >
> > My personal opinion is that we should tackle this minor complexity in
> order
> > to make QUIC more robust. Having a
> > version negotiation mechanism that doesn't cost a round trip will help
> > encourage innovators to use new versions
> > of QUIC as opposed to shoehorning everything into extensions to QUICv1.
> My
> > intuition is that this feature will
> > impact the long term success of QUIC, and is therefore worth the minor
> > complexity.
> >
> > David
> >
> > On Tue, Apr 20, 2021 at 11:40 PM Kazuho Oku <kazuhooku@gmail.com> wrote:
> >
> >> Please correct me if I'm wrong, but it seems to me that people are using
> >> "compatible version" as a term to describe packets carrying first-flight
> >> initial data (e.g., ClientHello) using QUIC version X to which servers
> >> might respond with something other than Version Negotiation packets
> _nor_
> >> QUIC version X packets.
> >>
> >> IIUC, the intention is to allow endpoints start the handshake using QUIC
> >> v1 but end up with using something other than QUIC v1, without incurring
> >> the cost of one extra round-trip due to Version Negotiation packet being
> >> sent by the server.
> >>
> >> Based on this understanding, I have one question. Do we need such a
> >> feature?
> >>
> >> QUIC v1 already has Transport Parameters that can be used for
> negotiating
> >> how 0-RTT and short header packets would be used. By using Transport
> >> Parameters, we can define extensions that add, modify, or remove any
> >> feature wrt how application data would be exchanged.
> >>
> >> The idea of having a mechanism for selecting a QUIC version between
> >> "compatible versions" sounds to me like just creating another way of
> >> negotiating features using TLS messages as the conveyor. Hence the
> question.
> >>
> >> 2021年3月16日(火) 13:12 Christian Huitema <huitema@huitema.net>et>:
> >>
> >>> I have been considering pretty much the same design as Watson. In the
> >>> slide deck that you presented, this would be the "compatible" option.
> >>> The client would select  version X in the QUIC header of the Initial
> >>> packet, and format one or several TP stating:
> >>>
> >>> 1) Version in the QUIC header: X
> >>>
> >>> 2) Supported compatible versions: Y, Z, T, and maybe Grease. These must
> >>> be "compatible" versions.
> >>>
> >>> The server will:
> >>>
> >>> 1) verify that the version in the QUIC header is indeed X. If it is
> not,
> >>> close the connection with an error.
> >>>
> >>> 2) pick one of X, Y, Z or T as the selected version, say Y.
> >>> (Questionable whether the version in the QUIC header should be set to
> X
> >>> or Y.)
> >>>
> >>> 3) Set the TP stating something like "you proposed X and I selected Y"
> >>>
> >>> 4) Very optionally, mention in a TP that "this server also supports
> >>> versions V, W." These might be "incompatible" versions.
> >>>
> >>> If none of X, Y, Z, T are supported, the server replies with a VN.
> >>>
> >>> On receiving the server TP, the client verifies that the server saw the
> >>> intended version X, and chose one of the supported version. The client
> >>> might remember additional version V and W for next time, but that's
> >>> extra complexity.
> >>>
> >>> -- Christian Huitema
> >>>
> >>> On 3/15/2021 5:18 PM, David Schinazi wrote:
> >>>> Hi Watson,
> >>>>
> >>>> Could you elaborate on your proposal? In particular:
> >>>> How does the client transmit its supported versions?
> >>>> What does "compatible" mean?
> >>>> What does "the server selects" mean?
> >>>> What does "the server proceeds" mean?
> >>>>
> >>>> Thanks,
> >>>> David
> >>>>
> >>>> On Wed, Mar 10, 2021 at 1:55 PM Watson Ladd <watsonbladd@gmail.com>
> >>> wrote:
> >>>>> Dear WG,
> >>>>>
> >>>>> I'd like to proffer the world's simplest version negotiation scheme,
> >>>>> based on comments heard during the meeting today from a number of
> >>>>> people.
> >>>>>
> >>>>> The following weak assumptions are made: the client has a set of
> >>>>> versions. The server has a partial ordering on versions: this means
> >>>>> that versions are not necessarily preferred over each other (consider
> >>>>> experiments where we will do what the client offers first), but the
> >>>>> relation is transitive. Then the server selection is a function of
> the
> >>>>> client offered version and supported set.
> >>>>>
> >>>>> The client transmits its supported versions and a proffered hello
> >>>>> version in the first packet. The server selects. If that selection is
> >>>>> incompatible they try again with the new selected version transmitted
> >>>>> in VN. If it is compatible, the server selects and proceeds.
> >>>>>
> >>>>> The constraint on the handshake is that the supported versions and
> >>>>> offered version and server selection are incorporated on the
> handshake
> >>>>> in such a way that a mismatch triggers failure, and no two different
> >>>>> versions can derive the same keys. If we assume that e.g. SHA256 is
> >>>>> unbroken this is easy to get.
> >>>>>
> >>>>> This only permits a downgrade to a version the server was willing to
> >>>>> prefer.
> >>>>>
> >>>>> Sincerely,
> >>>>> Watson Ladd
> >>>>>
> >>>>>
> >>>
> >> --
> >> Kazuho Oku
> >>
>
>