RE: Clarification of transport and HTTP version compatibility

[Mike Bishop <mbishop@evequefou.be>]

Ah, I see SEC_E_APPLICATION_PROTOCOL_MISMATCH for that.  Good to know.

In that case, we should be able to assume that the requirement to use ALPN is sufficient; if no ALPN token can be agreed on, the TLS handshake will fail and the connection will close.

-----Original Message-----
From: Andrei Popov [mailto:Andrei.Popov@microsoft.com] 
Sent: Thursday, May 10, 2018 11:41 AM
To: Mike Bishop <mbishop@evequefou.be>; Lucas Pardue <Lucas.Pardue@bbc.co.uk>; Sam Hurst-RD <samuelh@rd.bbc.co.uk>; IETF QUIC WG <quic@ietf.org>
Subject: RE: Clarification of transport and HTTP version compatibility

Mike, you have not only seen, but shipped such an implementation in several Windows releases.
😊

The logic behind the RFC is that there is no need to waste cycles and complete the handshake if the client and server disagree on the application protocol.

-----Original Message-----
From: QUIC <quic-bounces@ietf.org> On Behalf Of Mike Bishop
Sent: Thursday, May 10, 2018 11:28 AM
To: Lucas Pardue <Lucas.Pardue@bbc.co.uk>; Sam Hurst-RD <samuelh@rd.bbc.co.uk>; IETF QUIC WG <quic@ietf.org>
Subject: RE: Clarification of transport and HTTP version compatibility

Interesting.  I don't believe I've ever seen an implementation actually do that.  If none of the client's proffered protocols are supported, they pretend not to support ALPN and don't include the extension in the ServerHello.  (Though obviously I haven't attempted to test this much.)

-----Original Message-----
From: Lucas Pardue [mailto:Lucas.Pardue@bbc.co.uk] 
Sent: Wednesday, May 9, 2018 4:24 PM
To: Mike Bishop <mbishop@evequefou.be>; Sam Hurst-RD <samuelh@rd.bbc.co.uk>; IETF QUIC WG <quic@ietf.org>
Subject: RE: Clarification of transport and HTTP version compatibility

Thanks for that explanation Mike, it makes more sense now. 

> It should be implied, but might be worth explicitly stating, that failure to agree on an ALPN is incompatible with all QUIC versions, always fatal.

I don't know if it needs explicit statement. RFC 7301 section 3.2 states that "In the event that the server supports no  protocols that the client advertises, then the server SHALL respond with a fatal "no_application_protocol" alert."

Cheers
Lucas

-----Original Message-----
From: Lucas Pardue [mailto:Lucas.Pardue@bbc.co.uk]
Sent: Wednesday, May 9, 2018 2:43 PM
To: Mike Bishop <mbishop@evequefou.be>; Sam Hurst-RD <samuelh@rd.bbc.co.uk>; IETF QUIC WG <quic@ietf.org>
Subject: RE: Clarification of transport and HTTP version compatibility

I've not terribly familiar with the transport negotiation aspects, so I'm probably missing something sorry.

I guess what is not clear to me is the question, who is responsible for ensuring a sane answer is negotiated? (I suspect no one). It gets more annoying if the client is acting on information provided to it via Alt-Svc, which is quite liberal to from the sender perspective (there are some rules for the client defined in HTTP/QUIC 2.1.1.).

How I read things in the simple case was:

1) Transport version negotiation takes place and client chooses a version. Cryptographic handshake is next.
2) Client intitiates TLS 1.3 handshake with version info for revalidation, plus ALPN list of what it believes are application protocols that are compatible with the chosen version of QUIC.
   a) POSSIBILITY 1 in a pathological case it always sends the same list regardless of version.
3) Server selects an application protocol it believes is compatible with the chosen version of QUIC.
  b) POSSIBILITY 2 naive implementations just assume "hq" works for everything.
4) Client sends something the server is unhappy with and the connection bombs with a protocol error.

Cheers
Lucas
________________________________________
From: Mike Bishop [mbishop@evequefou.be]
Sent: 09 May 2018 22:01
To: Lucas Pardue; Sam Hurst-RD; IETF QUIC WG
Subject: RE: Clarification of transport and HTTP version compatibility

They *shouldn't* be unanticipated protocol errors, because both are negotiated.  I would expect (or at least hope) that these will manifest as negotiation failures at worst.

-----Original Message-----
From: Lucas Pardue [mailto:Lucas.Pardue@bbc.co.uk]
Sent: Wednesday, May 9, 2018 11:04 AM
To: Mike Bishop <mbishop@evequefou.be>; Sam Hurst-RD <samuelh@rd.bbc.co.uk>; IETF QUIC WG <quic@ietf.org>
Subject: RE: Clarification of transport and HTTP version compatibility

I think this all works fine in the current stage of specification.

Longer term, what is the failure case for interoperability where different implementations have  different rules for how to combine QUIC version and HTTP/QUIC version. Protocol error due to reception of unanticipated packets and or HTTP/QUIC frames?

Lucas
________________________________________
From: QUIC [quic-bounces@ietf.org] on behalf of Mike Bishop [mbishop@evequefou.be]
Sent: 09 May 2018 18:18
To: Sam Hurst-RD; IETF QUIC WG
Subject: RE: Clarification of transport and HTTP version compatibility

There's no firm restriction, no.  While I find it likely that draft deployments will choose to keep matching versions, the only restriction that the HTTP draft currently imposes is that it be a version of QUIC which uses TLS as the handshake protocol.

-----Original Message-----
From: QUIC <quic-bounces@ietf.org> On Behalf Of Samuel Hurst
Sent: Wednesday, May 9, 2018 9:05 AM
To: IETF QUIC WG <quic@ietf.org>
Subject: Clarification of transport and HTTP version compatibility

Hi all,

Does the quic-transport version and the HTTP mapping version have to match? For example, could you negotiate QUIC draft-11, but the HTTP side is still using an older version (such as draft-09 to avoid the requirement of QPACK)?

As far as I understand it, the QUIC transport version is negotiated as part of the TransportParams in the appropriate TLS extension, and the HTTP mapping version is negotiated by ALPN. So in the example above, would it be acceptable to negotiate 0xff00000a as the transport protocol version, and then have an ALPN string of "hq-09"?

I'm then assuming that a valid Alt-Svc header for my example could be as
follows:

Alt-Svc: hq-09=":4443";quic="ff00000a"

The quic-tls draft mentions in Section 9.1 "The application-layer protocol MAY restrict the QUIC version that it can operate over", but none of the quic-http drafts that I've read list any such restriction.
Therefore, I'm then further assuming that it's safe to run whatever version of the HTTP mapping I like, unless there's a compatibility matrix between the various specs that I'm missing?

Best Regards,
Sam



-----------------------------
https://na01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.bbc.co.uk&data=02%7C01%7CAndrei.Popov%40microsoft.com%7C4ae9736e39614601660308d5b6a3d4e7%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C636615737135415287&sdata=%2Fcrt5YmXDN4bvV9yfGkjvnWvYr0LbttsFP3NmhFMtuI%3D&reserved=0
This e-mail (and any attachments) is confidential and may contain personal views which are not the views of the BBC unless specifically stated.
If you have received it in
error, please delete it from your system.
Do not use, copy or disclose the
information in any way nor act in reliance on it and notify the sender immediately.
Please note that the BBC monitors e-mails sent or received.
Further communication will signify your consent to this.
-----------------------------