Re: Asymmetric CIDs

Ted Hardie <ted.ietf@gmail.com> Fri, 16 February 2018 17:49 UTC

Return-Path: <ted.ietf@gmail.com>
X-Original-To: quic@ietfa.amsl.com
Delivered-To: quic@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 61917124C27 for <quic@ietfa.amsl.com>; Fri, 16 Feb 2018 09:49:41 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rxSwh3jOyGS0 for <quic@ietfa.amsl.com>; Fri, 16 Feb 2018 09:49:35 -0800 (PST)
Received: from mail-ot0-x234.google.com (mail-ot0-x234.google.com [IPv6:2607:f8b0:4003:c0f::234]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E49271200C1 for <quic@ietf.org>; Fri, 16 Feb 2018 09:49:34 -0800 (PST)
Received: by mail-ot0-x234.google.com with SMTP id f18so3408449otf.6 for <quic@ietf.org>; Fri, 16 Feb 2018 09:49:34 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=Qfw8BoXrk48M4poXYGrzWKWMjc+OwDpH2nGdT737daw=; b=Jf3hrOAziYYRA988Pk17Q8pBB7dAGgGx3+NhdfKECsNTt/Rz1nox6ZIn1eZT/29fDB RrsQq2VMotiTN+i/DegqtlQityicEGJ82VM7Hp6h5WWkCsoHF7UyhwXR2HwtamCtC8n9 i3y474ELiLy8d0VSpwzbJ05aPsCB/4J/54mqqlFq+5RjYLtooes4uG1fHRHFLz+5gfaR E6FXxH3F54eDwNIi6UvC/g9/aUAtpvBk7g4GcrB/tiBZHBFWxAU9d3SwnKkGxFd3NXKf 2CYIkrTcjrS28AIs18bPBRcLhcIpncOjDpt64nZjCqec4VX7bl13//bk7BwJkPs401Bz A3xg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=Qfw8BoXrk48M4poXYGrzWKWMjc+OwDpH2nGdT737daw=; b=Z6d5tViJ4RP/qplcAs9nM39tSPUzlfRGY8L/TIlABlXabzDhQ4dLI3Zy7M9v1ND7f4 i8iBoj/gteiCiFJKcptm3pArvQVGqFL/mi1wEr6RzqEl5VlRT/ekZJf5LlNkayHgR0ew TRYJXFX4yZenY4N440RvWzLepHOai97xP3hWfOq8g96t4dOapuTzSlT38kQ41fG7eYcw Lx1zu8Yw3vtjJ8UQk6EJhpSB9IQBtht4IboVAkwezmUkDnZWYFRsV/V5BSEjybqI2/07 LxFHOqKywAf00LOW1IfHjLdRo7KZpFMWN5GgrbkrfxMMKPtq7Zch+8QSKubz7h5jwSlf 8QVA==
X-Gm-Message-State: APf1xPCvBKepLYX4RecxBR7PdIDrVpu9vmk/LjasKX3AtT2Sz5CrHHi0 ktQNg/XgHBw5b1K2dNBhA4u72OUkyEHjyRSba7M=
X-Google-Smtp-Source: AH8x224di82HWdIWkh2jJSyOb03TEoSpiX1A0aVLls77as0fNVJ3Gg4qWwWXtheTk7uNzHttyFpYI8hGNX5lJX6thX8=
X-Received: by 10.157.24.14 with SMTP id b14mr5457906ote.195.1518803373921; Fri, 16 Feb 2018 09:49:33 -0800 (PST)
MIME-Version: 1.0
Received: by 10.74.3.71 with HTTP; Fri, 16 Feb 2018 09:49:03 -0800 (PST)
In-Reply-To: <CABcZeBMVabN9LQ42BxpSwK71hzu_TbzwqhHTJV1uJBKr5g-N3A@mail.gmail.com>
References: <CABcZeBMVabN9LQ42BxpSwK71hzu_TbzwqhHTJV1uJBKr5g-N3A@mail.gmail.com>
From: Ted Hardie <ted.ietf@gmail.com>
Date: Fri, 16 Feb 2018 09:49:03 -0800
Message-ID: <CA+9kkMCobNwvx=_EAFw9er82hqzwP88kFtUyQV0XW6F0h2cHLg@mail.gmail.com>
Subject: Re: Asymmetric CIDs
To: Eric Rescorla <ekr@rtfm.com>
Cc: IETF QUIC WG <quic@ietf.org>
Content-Type: multipart/alternative; boundary="001a113dc276961a28056557f7c0"
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic/M4RBYaB6HC-W7IcYs7n27KBMjN0>
X-BeenThere: quic@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Main mailing list of the IETF QUIC working group <quic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic>, <mailto:quic-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic/>
List-Post: <mailto:quic@ietf.org>
List-Help: <mailto:quic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic>, <mailto:quic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 16 Feb 2018 17:49:41 -0000

Thanks for the write-up, some questions in-line.

On Fri, Feb 16, 2018 at 9:01 AM, Eric Rescorla <ekr@rtfm.com> wrote:

> Hi folks,
>
> After a bunch of discussion, the CID task force came down to rough
> consensus that asymmetric conn IDs were probably the right
> direction (CID task force members, please feel free to voice dissent
> here). Here's a complete writeup of what I think would be needed
> for asymmetric connection IDs. It's not a PR, because I think
> something self-contained is cleaner.
>
> Note that if we adopt this direction, we would be sacrificing
> public reset under some conditions (see previous emails to the
> list) and we would need to decide if it was worth keeping at all.
>
>
> OVERVIEW
> The basic idea is that each side gets to dictate the connection IDs
> that are used to send to it. During the handshake, you establish those
> CIDs and then each side can issue new CIDs during the connection.  The
> main advantage of this is that it allows for symmetric topologies in which
> the client is also behind some kind of stateless LB/router rather than
> just the server. See Issue #1091 for more info on this.
>
>
> The overall handshake looks something like this:
>
> Client                                      Server
>
> Initial [CID=XXX] {recv-CID=YYY} ---------------->
> <-------------- Cleartext [CID=YYY] {recv-CID=ZZZ}
> Cleartext [CID=ZZZ], {recv-CID=YYY} ------------->
> <-------------------------- Short header [CID=YYY]
> Short header [CID=ZZZ] -------------------------->
>
>
> The client's initial CID (XXX) is special, and either consists of
>
>     (a) a randomly chosen dummy CID. Proposal: require this to be
>         8 bytes or at least a minimum. This should be the same
>         for all Initial packets in a connection (unless a stateless
>         reject is received, as below).
>     (b) a CID which it received from the server in a stateless reject
>
> All the server's packets are sent with the client's receive CID (YYY)
> and all subsequent client packets are sent with the server's receive
> CID (ZZZ). The general rule is that you should send with the
> connection ID that you most recently received (where recently
> is defined as highest PN).
>
> Note: I believe it's safe to just use the sending CID as the mixin
> for the KDF, but I haven't thought this entirely through yet.
>

For the client, is this the dummy randomly generated Initial CID?

If not randomly generated appropriately, is there a risk here that the KDF
isn't as strong (see my concern in a previous email)?


>
> Finally, you can send NEW_CONNECTION_ID in either direction to provide
> a new connection ID for the other side to use. The general assumption
> is that you can do this at any time, just as with current QUIC, and
> that any time you send to a new remote 3-tuple you should change CIDs
> if you can. Note that this means that endpoints should try to make
> sure that the other side has spare CIDs in case they need to migrate.
>

Is there any sense in which you can "go back" to a previously used CID, or
are they burned once a new one is used?  The situation I'm thinking of is a
variant of the parking lot problem--if someone goes in and out of range of
a WiFi service for which they have a current DHCP lease, they can alternate
between Cellular and WiFi without actually changing origin IP.  Can they go
back to a previously used CID in that case?  My intuition is that this
should be no, but the implication is that the stack of spare CIDs may need
to be larger as a result; if we did allow it, then the  minimum number of
spare CIDs is a simple function of the number of available network
interfaces.  We could either estimate that and pick a number or ask each
side to state how many spare CIDs they'd prefer (knowing they may get
fewer).



>
> WIRE ENCODING
> As we discussed in the meeting the short header should just have
> an implicit length CID. This gives us the following short header:
>
>    +-+-+-+-+-+-+-+-+
>    |0|C|K| Type (5)|
>    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
>    |                                                               |
>    +                     [Connection ID (*)]                       +  <-
> change from 64
>    |                                                               |
>    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
>    |                      Packet Number (8/16/32)                ...
>    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
>    |                     Protected Payload (*)                   ...
>    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
>
> Note that we may also be able to dispense with the C bit, if each
> side just gets to say "send me this CID exactly", why do we want
> to say "here is my CID but you can omit it".
>
>
> We have several options about the long header. The first question
> is where recv-CIDs go. In previous versions I suggested putting
> them in transport parameters, or elsewhere in the TLS handshake,
> and that might still be viable, though it has some drawbacks [0],
> so the other alternative is to put both CIDs in in the long header.
> This would look something like:
>
>    +-+-+-+-+-+-+-+-+
>    |1|   Type (7)  |
>    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
>    |  DCID-Length  |                                               |
>    +-+-+-+-+-+-+-+-+   Dst Connection ID (*)                       +
>    |                                                               |
>    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
>    |  SCID-Length  |                                               |
>    +-+-+-+-+-+-+-+-+   Src Connection ID (*)                       +
>    |                                                               |
>    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
>    |                         Version (32)                          |
>    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
>    |                       Packet Number (32)                      |
>    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
>    |                          Payload (*)                        ...
>    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
>
> The semantics here are that the first value is the CID you want to
> send to and the second one is the value you want used to send to you
> (I've inverted these to keep the order the same as short header).
>
> Two notes about this encoding:
>
> 1. I think we agreed that we didn't want arbitrary length CIDs up to
> 255 bytes, and yet we have room in this length byte. I propose we
> limit it to 31 bytes and then grease the remaining 3 bits [1].
>
> 2. Because the client sends its CID first, there's no way to get the
> current QUIC semantics of the server just dictates the CID.  I propose
> we fix that by defining a special sentinel CID (all 1s, all 0s,
> whatever) of whatever our maximum length is that means "just use your
> own CID".
>
> We can endlessly bikeshed on this structure.
>
> Well, it's only worth painting if there are bikes coming in. I'm not sure
at this point what having the server dictate both sides of this gives you
in a structure that presumes they are asymmetric.


> Finally, we will need to update NEW_CONNECTION_ID to allow a variable
> length CID. This would look like this:
>
>     0                   1                   2                   3
>     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
>    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
>    |                          Sequence (i)                       ...
>    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
>    |  CID-Length   |                                               |
>    +-+-+-+-+-+-+-+-+       Connection ID (*)                       +
>    |                                                               |
>    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
>    |                                                               |
>    +                                                               +
>    |                                                               |
>    +                   Stateless Reset Token (128)                 +
>    |                                                               |
>    +                                                               +
>    |                                                               |
>    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
>
>
Ted


>
>
> [0] However, in the transport parameters design, if the server's
> handshake gets reordered, the client might need to send some ACKs with
> the initial CID. However, we've agreed that the client's IP address
> has to be stable, so this isn't a problem. Alternately, you could
> change C->S CIDs in the short header if that was easier.
>
> [1] An alternative would be to have a sparse range (e.g., you can
> express 0-7 and then 8-22 by 2s, assuming I have counted correctly)
> and then we could pack both lengths into a single byte. As I said,
> lots of opportunities for bikeshedding here.
>
>