RE: Proposal: Run QUIC over DTLS

Lucas Pardue <> Mon, 05 March 2018 23:58 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 7341212EB95 for <>; Mon, 5 Mar 2018 15:58:12 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -4.209
X-Spam-Status: No, score=-4.209 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id VGLTiG8PyV5I for <>; Mon, 5 Mar 2018 15:58:09 -0800 (PST)
Received: from ( []) (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id A99F412EB33 for <>; Mon, 5 Mar 2018 15:58:06 -0800 (PST)
Received: from ([]) by (8.15.2/8.15.2) with ESMTP id w25Nw4H3027876; Mon, 5 Mar 2018 23:58:04 GMT
Received: from ([]) by ([]) with mapi id 14.03.0361.001; Mon, 5 Mar 2018 23:58:04 +0000
From: Lucas Pardue <>
To: Eric Rescorla <>, IETF QUIC WG <>
Subject: RE: Proposal: Run QUIC over DTLS
Thread-Topic: Proposal: Run QUIC over DTLS
Thread-Index: AQHTtNasRSJyGeXsQkuB73WZyQ8CZKPCTlaz
Date: Mon, 5 Mar 2018 23:58:03 +0000
Message-ID: <7CF7F94CB496BF4FAB1676F375F9666A3BAE6477@bgb01xud1012>
References: <>
In-Reply-To: <>
Accept-Language: en-GB, en-US
Content-Language: en-GB
x-originating-ip: []
x-exclaimer-md-config: 1cd3ac1c-62e5-43f2-8404-6b688271c769
x-tm-as-product-ver: SMEX-
x-tm-as-result: No--12.377800-0.000000-31
x-tm-as-user-approved-sender: Yes
x-tm-as-user-blocked-sender: No
Content-Type: multipart/alternative; boundary="_000_7CF7F94CB496BF4FAB1676F375F9666A3BAE6477bgb01xud1012_"
MIME-Version: 1.0
Archived-At: <>
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Main mailing list of the IETF QUIC working group <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 05 Mar 2018 23:58:16 -0000


This is a very interesting proposal, especially because I have little experience with DTLS. (I also have little experience with QUIC's use of TLS 1.3 so can't comment too strongly in that regard).

One aspect of the current QUIC design I like is the separation between key exchange and packet protection. Which allows some alternative use cases. So I read your draft and was not sure if DTLS maintains that possibility or not. Section 6.4 seems to touch on this topic but I wasn't sure if you are asserting the flexibility exists nor or could exist with some work. The link to draft-putman-tls13-preshared-dh "Authenticated Key Agreement using Pre-Shared Asymmetric Keypairs" is quite well aligned to to the use case I was thinking of. It would be nice to leverage such work rather than have to reinvent it for QUIC's current design.

From: QUIC [] on behalf of Eric Rescorla []
Sent: 05 March 2018 23:05
Subject: Proposal: Run QUIC over DTLS

Hi folks,

Sorry to be the one randomizing things again, but the asymmetric
conn-id thing went well, so here goes....

I'd like to discuss refactoring things to run QUIC over DTLS.

When we originally designed the interaction between TLS and QUIC,
there seemed like a lot of advantages to embedding the crypto
handshake on stream 0, in particular the ability to share a common
reliability and congestion mechanism. However, as we've gotten further
along in design and implementation, it's also become clear that it's
archictecturally kind of crufty and this creates a bunch of problems,

  * Stream 0 is unencrypted at the beginning of the connection, but
    encrypted after the handshake completes, and you still need
    to service it.

  * Retransmission of stream 0 frames from lost packets needs special
    handling to avoid accidentally encrypting them.

  * Stream 0 is not subject to flow control; it can exceed limits and
    goes into negative credit after the handshake completes.

  * There are complicated rules about which packets can ACK other
    packets, as both cleartext and ciphertext ACKs are possible.

  * Very tight coupling between the crypto stack and the transport
    stack, especially in terms of knowing where you are in the
    crypto state machine.

I've been looking at an alternative design in which we instead adopt a
more natural layering of putting QUIC on top of DTLS. The basic
intuition is that you do a DTLS handshake and just put QUIC frames
directly in DTLS records (rather than QUIC packets). This
significantly reduces the degree of entanglement between the two
components and removes the corner cases above, as well as just
generally being a more conventional architecture. Of course, no design
is perfect, but on balance, I think this is a cleaner structure.

I have a draft for this at:

And a partial implementation of it in Minq at:


I can't speak for anyone else's implementation, but at least in my
case, the result was considerable simplification.

It's natural at this point to say that this is coming late in the
process after we have a lot invested in the current design, as well as
to worry that it will delay the process. That's not my intention, and
as I say in the draft, many of the issues we have struggled over
(headers especially) can be directly ported into this architecture (or
perhaps just reused with QUIC-over-DTLS while letting ordinary DTLS do
its thing) and this change would allow us to sidestep issued we are
still fighting with, so on balance I believe we can keep the schedule
impact contained.

We are designing a protocol that will be used long into the future, so
having the right architecture is especially important. Our goal has
always been to guide this effort by implementation experience and we
are learning about the deficiencies of the Stream 0 design as we go
down our current path. If the primary concern to this proposal is
schedule we should have an explicit discussion about those relative
priorities in the context of the pros and cons of the proposal.

The hackathon would be a good opportunity to have a face to face chat
about this in addition to on-list discussion.

Thanks in advance for taking a look,

This e-mail (and any attachments) is confidential and may contain personal views which are not the views of the BBC unless specifically stated.
If you have received it in error, please delete it from your system.
Do not use, copy or disclose the information in any way nor act in reliance on it and notify the sender immediately.
Please note that the BBC monitors e-mails sent or received.
Further communication will signify your consent to this.