IETF Logo Mail Archive

Re: [QUIC] Early implementation feedback on draft-hamilton-quic-transport-protocol-00

Jana Iyengar <jri@google.com> Fri, 21 October 2016 05:14 UTC

Return-Path: <jri@google.com>
X-Original-To: quic@ietfa.amsl.com
Delivered-To: quic@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C41571294CC for <quic@ietfa.amsl.com>; Thu, 20 Oct 2016 22:14:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.431
X-Spam-Level:
X-Spam-Status: No, score=-2.431 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RP_MATCHES_RCVD=-0.431, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ydImtnkEay5Q for <quic@ietfa.amsl.com>; Thu, 20 Oct 2016 22:14:01 -0700 (PDT)
Received: from mail-it0-x22a.google.com (mail-it0-x22a.google.com [IPv6:2607:f8b0:4001:c0b::22a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C3204129481 for <quic@ietf.org>; Thu, 20 Oct 2016 22:14:01 -0700 (PDT)
Received: by mail-it0-x22a.google.com with SMTP id k64so45245428itb.0 for <quic@ietf.org>; Thu, 20 Oct 2016 22:14:01 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=agpBjh9lqWWdzcz3usEfa8CYHe/akQLuQumhlUWXVUA=; b=GOFhSYNkEmZlH2e7EP/HRf3t+U4n2xS/rUg26dz+SU9qzy338/iCC5KvaZxjGhBC/M IBUdesmKklwmHPlfn5PkeN+0G3l2KlNR8GYG2Q4l0/tdYSNfz9rNKyBk4I6aLSpLt+DQ K6I4F9a3WlZ05VOhxf2P23ag8jh6GOP9KBd0e1r02hu+SNgsPm08F83/9DhyUOh9sV/o 1M64AhGpk6MbyqzJ1Mt/wqL/T1R2OeYqaVD3ZSp2eY27sGfz9w1WiWhsOU5/T5YKMoLM M8eJRl6+M44SBX0YkF2eHW07n/X4eWhJtxd6/qUxMCj8Vy09QxCyQJJn+8Rev+41JRQE lw0w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=agpBjh9lqWWdzcz3usEfa8CYHe/akQLuQumhlUWXVUA=; b=O0FGdzEck+NlB+mYV/D+tvZqkyrBgc3KoVgMA6DKTsw/dogm3mZSxE9Bxf7uGXzb2j r13M1uUFOV5l6s9ei6FsBnm4pi4IKS9EozoPB8/5uMeBl1LPcH+ys+KclyyI5Brpqabz fcwKOsjM57oo/K52QJ385Iqg5Y6suh17a0whQ5gzbrzuwKzrEKdz5yF+2/eviN/CLzn0 eMmBohEVTypdSK2LJDS2jO5T6ar5EP2DMwnq491GKZPvX87b4+uf+R1CdL4lYxe/bVlc Tnq5/tDEOPz2EhDH2tWSugmbCYSIrf18wq/aAqlVVtpGpeYwHo1T8xaNv+T3F9nFoTHf w00A==
X-Gm-Message-State: ABUngvfPvkY11BAm844OkGM9i9lAYCbjLGgnQ62ixI/ESpg1uHGdMbXVgba4zJOCKg4QvduO2LBuFOSQIWzrm48x
X-Received: by 10.107.128.28 with SMTP id b28mr5228747iod.134.1477026840784; Thu, 20 Oct 2016 22:14:00 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.79.36.216 with HTTP; Thu, 20 Oct 2016 22:14:00 -0700 (PDT)
In-Reply-To: <04C36CF1-387A-460D-8820-591BD2ED7C90@netapp.com>
References: <04C36CF1-387A-460D-8820-591BD2ED7C90@netapp.com>
From: Jana Iyengar <jri@google.com>
Date: Thu, 20 Oct 2016 22:14:00 -0700
Message-ID: <CAGD1bZZ33NFp6XA9Mb4WZzvA6o8fmGMy6YsO-KPSeP=YzyBzVA@mail.gmail.com>
To: "Eggert, Lars" <lars@netapp.com>
Content-Type: multipart/alternative; boundary="001a113f9a622ba5c5053f591ceb"
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic/J5Hy_gk02GUtcQaThtJ4R39Obe8>
Cc: "quic@ietf.org" <quic@ietf.org>
Subject: Re: [QUIC] Early implementation feedback on draft-hamilton-quic-transport-protocol-00
X-BeenThere: quic@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Mailing list to discuss QUIC standardization <quic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic>, <mailto:quic-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic/>
List-Post: <mailto:quic@ietf.org>
List-Help: <mailto:quic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic>, <mailto:quic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 21 Oct 2016 05:14:04 -0000

Hi Lars,

Thanks again for your implementation effort and detailed feedback, and
apologies for taking a while to respond. I'm happy to iterate, and I expect
that my turnaround will be much faster (unlike this time :-))

On Fri, Sep 23, 2016 at 2:47 AM, Eggert, Lars <lars@netapp.com> wrote:

> Hi,
>
> I've started to do a little QUIC implementation exercise, to see if
> the current set of documents is sufficient to allow independent
> implementation. As can be expected, they're not, but I wanted to post
> some feedback based on what I encountered at this very, very, VERY
> early phase, so the documents can be improved.
>

Thank you! This is what we're hoping for as well. Thank you for being a
willing early implementer.


> I'm purposefully avoiding to rely at documentation other than the IDs.
> I won't look at the Chromium code, and I'm only looking at the specs
> on Google Docs or wireshark outputs in order to more accurately
> describe what's currently missing in the IDs. However, I run my
> implementation against the Chromium quic_server and quic_client
> implementations, in order to see if they interoperate.
>

I anticipate some trouble in getting it to work with quic_client and
quic_server if you're just building from the spec, since these binaries use
the QUIC crypto handshake
<https://docs.google.com/document/d/1g5nIXAIkN_Y-7XJW5K45IblHd_L2f5LTaDUDwvZ5L6g/edit>,
and the spec currently does not specify one.


> (I may open source this pure C implementation at some point; at the
> moment, it's too embarrassing to do so.)
>
> I began by reading draft-hamilton-quic-transport-protocol-00, in order
> to implement the initial handshake. The ID is reasonably long and
> complete-looking. Sections 1, 2 and 3 are reasonable in terms of
> content.
>
> Section 4 (Connection Establishment) is difficult to make sense of
> without first reading Section 9 (Packet Types and Formats), because
> Section 4 refers to header fields, flags and other concepts that are
> only defined in Section 9. The content seems arbitrarily split between
> those sections, e.g., Section 4.1 attempts to specify version
> negotiation, but Section 9.2.1 describes the version negotiation
> packet format. One needs to constantly flip back and forth, which is
> annoying. I'd recommend reordering the content here.
>

I wasn't sure how to organize this content, so it's currently mechanisms in
early sections and wire formats later. From your experience it seems like
it may be better organized if the the wire format of the various packets
and frames were alongside the mechanisms. Does that sound like a good rule
of thumb? Given the size of the draft, that may be better, so I'm happy to
do it.

One thing that threw me was that Section 9.1 states "all QUIC packets
> on the wire begin with a public header" and then has a diagram of what
> that header looks like, only to immediately follow it in Section 9.2
> with special packets that don't fully include that public header.
> That's really confusing. Is there a way to describe the public header
> that would include the format of the special packets? Is there a way
> to make those special packets use the public header? They're so rarely
> sent that deviating to save a few bytes doesn't seem to be a smart
> tradeoff.
>

I think there may be a way to separate the common parts out. Specifically,
the flags and the connection ID are really the "common header", but the
reason for having these three packet types is because they differ in the
parts that are not encrypted (The parts that are encrypted should be
specified, and I'll add that.) Perhaps one way to describe them would be to
say:
- Common Header = Flags + (optional) Connection ID
- Regular Packets = Common Header + (optional) Version + Packet Number +
Frames
- Version Negotiation Packet = Common Header (Version Negotiation bit set)
+ Version List
- Public Reset Packet = Common Header (Reset bit set) + Optional tag-values

I realized that we don't describe the format for the optional tag-values in
the spec, but they're potentially useful to help authenticate the Reset.
That's entirely optional at the moment, but really the Public Reset packet
is identified by the bit in the flags and the connection is identified by
the Connection ID.


> Also, the document makes no mention of what endianness the protocol
> fields are supposed to be encoded in.
>

Good point -- I've added a sentence to the Packet Types and Formats saying
"All values are little-endian unless otherwise noted." This sentence will
likely move as the doc gets restructured, but that is the first place a
packet format is currently being described.

The ID mentions QUIC version "Q025", so my code attempts to negotiate
> this version with the Chromium quic_server, but that offers "Q036" and
> indicates support for "Q035Q034Q033Q032" as well. The negotiation
> response from the server does not conform to what's in the ID, since
> it has the "diversification nonce" flag set (0x04), which is not
> specified in Section 9.2.1. It also seems to use only 12 bytes of the
> fixed 32 bytes that the nonce should occupy to indicate support for
> other versions, according to Section 9.1.
>
> Also, that "diversification nonce" is not referred to anywhere else in
> the ID other than Section 9.1. It remains fully unclear what it is.
>

Good catch. The diversification nonce was a need for QUIC crypto, and it
won't be required for TLS or for the general format. I'll remove mentions
of it from the document.


> I change my code to negotiate version "Q036", and am trying to
> figure out which frame types I am supposed to include in the initial
> packet. The various subsections of Section 4.2 list some (and say that
> some are required), but there is not enough information here for me to
> determine which to include and what the initial values should be.
>

So, this initial packet will be a CHLO, which is a crypto handshake packet.
Basically, this is a Regular QUIC Packet, with the crypto handshake bits
being sent as a STREAM frame on stream ID 1. It's clear to me now that
having a detailed description of a handshake packet at this point in the
text is probably helpful. If the reorganization that I suggested earlier
makes sense, this may be around where I'd introduce the Regular Packet and
the STREAM frame format.

So I'm cheating, and am looking at a wireshark dump of the initial
> packet that the Chromium quic_client sends to my server. I notice
> there is a "Message Authentication Hash" following the public header
> that is not mentioned at all in the ID. There is some brief text about
> "AEAD data" in Section 9.3, but nothing that would let me understand
> how that hash is computed. A quick glance at draft-thomson-quic-tls
> doesn't resolve this either. Googling around, I find that older
> versions of the spec on Google Docs have a short paragraph on "Initial
> Packet Null Encryption" that talks about using a FNV1a­128 hash, but
> even the current version on Google Docs doesn't have that paragraph
> anymore. There's clearly some content missing here.
>

Right -- this is the hash that is used by the AEAD algo used by QUIC's
current packet crypto. This may change with TLS, and may be a different
hash, but the location of the hash is right after the public header. This
isn't documtned in the spec as you note, so I'll add some text about this
along with the revision of the Packet Formats.

And that's where I'm currently at, after a few hours of coding. Hope
> this is useful.
>

Yes, extremely useful. Thanks again for your effort and feedback -- I'll
try to incorporate as much as I can before the next rev.

- jana


> Lars
> _______________________________________________
> QUIC mailing list
> QUIC@ietf.org
> https://www.ietf.org/mailman/listinfo/quic
>

v2.23.0 | Report a Bug | By Email