Re: Going STEK-less with QUIC?
Martin Duke <martin.h.duke@gmail.com> Thu, 29 July 2021 21:34 UTC
Return-Path: <martin.h.duke@gmail.com>
X-Original-To: quic@ietfa.amsl.com
Delivered-To: quic@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D2A2F3A08FF for <quic@ietfa.amsl.com>; Thu, 29 Jul 2021 14:34:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1wVG6nfso0UW for <quic@ietfa.amsl.com>; Thu, 29 Jul 2021 14:34:12 -0700 (PDT)
Received: from mail-io1-xd2b.google.com (mail-io1-xd2b.google.com [IPv6:2607:f8b0:4864:20::d2b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3618C3A08FE for <quic@ietf.org>; Thu, 29 Jul 2021 14:34:12 -0700 (PDT)
Received: by mail-io1-xd2b.google.com with SMTP id z7so8085796iog.13 for <quic@ietf.org>; Thu, 29 Jul 2021 14:34:12 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=7wph5oZsLxzN04MLhqorSpdsxwcDqg/x2JrxUd2Qqn4=; b=V+fRBcmE4583PbJw+PKX0JDZiO7I4VbUpEN13rvhKP7pnyuGNf3cOz7kMMpdbsZvYW 0m2KLzMKF+Z2zx3qygmVCMsO22ueGYeDhnQcppj3Uub8fbijKGuL7tDGH2yFGKLPmN0c xIPT+g+pe26RmMUN+EVR/f2/WJvU2hdY3KFFEfcUkT5i9A7ePVzvPAdzyhkeOd7+tPG6 d0nlrcnOV6LpQOKxzEKSKUdZ1pCjHGFZshC9Qt12twsUUHe3WgqiiMeiDJ3N0Sm3LQbY LWUlQLpdxcEVY04X8ZCM11HANbCQiZqVs6woFQ6YAl3hj+BJGLZZRqZsGABr7ODznH+3 nFpw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=7wph5oZsLxzN04MLhqorSpdsxwcDqg/x2JrxUd2Qqn4=; b=RvJze7lpekhK9yZC2hDWOMBws4yg29RRGEUp+5CvDFpkV7lkJ5fSb1P1JBd3/oyx5C hJpgk3hFJHtnPDVb65TiIxnXzHvDJR0B3nVlSdtHx55DXxyaOihiuTFwbrCmi2RICb4R dZZ3utoqb9WJ67jlJNbHCtkXx/UkfdE0T0CEumSFEUkU/g88Cqmcr3psnfjD5gALCHRT aEAx3jeuFDzCCyNZnx2vxISsZWJriZy8+x3DIEoDOvNlHT1iHKk128rq6TNSv092OtLB nJHCUwlkXVIILluvTGGkJ25LAS7ZrI65swqyEsUQoRfyQ0/PVM7aOnKueloqMGIzU61W sf8g==
X-Gm-Message-State: AOAM5316xe2Kz7KIB/39CZ5OTB3bhBlHpSmLk0czFjwAn8876N3IMJ7Z rk6cl8BM+/TV1BonNUK4dTUtc2XR0gRhAwc4r8dC8UtG
X-Google-Smtp-Source: ABdhPJx31DOWHpPu09JxpbbEKqXnXQYdrOhOBWngtSHUI2p+NFQb/kRZfhQWwKei0RhulEbmRnB1uW/GHePb1tTMdyM=
X-Received: by 2002:a05:6602:2245:: with SMTP id o5mr5826479ioo.20.1627594450604; Thu, 29 Jul 2021 14:34:10 -0700 (PDT)
MIME-Version: 1.0
References: <7265bac0-f54b-0e5b-d5b6-572550809f0f@huitema.net> <CANatvzxBKNf+YdNLPwG=QpZv33o0Mp7uRU+N4JQUpYfbDypQkQ@mail.gmail.com> <b89f83f8-951d-4407-a12c-9d9e85e46fe0@www.fastmail.com> <9beffffb-e7a6-1c57-be8d-a56f3ef2f1e9@huitema.net> <4a7aea30-9013-4550-b5da-27d7e6ad370d@www.fastmail.com> <1cf23147-d89e-65ce-409c-7a4d5bfe504f@huitema.net>
In-Reply-To: <1cf23147-d89e-65ce-409c-7a4d5bfe504f@huitema.net>
From: Martin Duke <martin.h.duke@gmail.com>
Date: Thu, 29 Jul 2021 14:33:59 -0700
Message-ID: <CAM4esxQK5aBLjSPX_k4mrDCVX+OtKRPuTamLeKLucsNMVB5G5g@mail.gmail.com>
Subject: Re: Going STEK-less with QUIC?
To: Christian Huitema <huitema@huitema.net>
Cc: Martin Thomson <mt@lowentropy.net>, IETF QUIC WG <quic@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000011174305c849ddfe"
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic/R0wvaKuwuhwPkIH6a05o_jCuEUQ>
X-BeenThere: quic@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Main mailing list of the IETF QUIC working group <quic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic>, <mailto:quic-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic/>
List-Post: <mailto:quic@ietf.org>
List-Help: <mailto:quic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic>, <mailto:quic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 29 Jul 2021 21:34:17 -0000
I can't speak to the security concerns MT raised, but if we do use NEW_CONNECTION_ID to populate the initial DCID in later connections, I *do* think we need to write down this expectation somewhere, and QUIC-LB may be as good a place as any. 1. How does the client know that the resumption state is local, and therefore that it should use a previously provided connection ID? 2. A Retry would hopefully not divert this to a different server (but maybe under Retry conditions killing resumptions is acceptable) On Wed, Jul 28, 2021 at 10:08 AM Christian Huitema <huitema@huitema.net> wrote: > > On 7/27/2021 11:42 PM, Martin Thomson wrote: > > On Wed, Jul 28, 2021, at 11:55, Christian Huitema wrote: > >> [...] reuse one of the NEW TOKENS as Initial CID, [...] > > Are you talking about NEW_CONNECTION_ID here? > > Yes. Sorry for the confusion. (Skipping comments on the progressive > effect of aging on Christian's brain cells.) My initial idea was for > creating an extension frame, with the server providing a new connection > ID for the specific purpose of use in resumption of this connection. In > a private message, Martin Duke suggested that clients could just as well > use one of the NEW CONNECTION ID provided by the server. Clients can do > that today, no change in spec required. > > > If you are talking about the client taking a connection ID from an old > connection and using that when establishing a new connection, that's an > interesting choice. I don't think it works because it undermines the > return routeability check for the subsequent connection. The server now > knows what the connection ID might be. I can't think of an exploit for > that given that the server has already demonstrated that it is on path, but > we do pretty much say that the connection ID can't be predictable like > that, and there are no firm requirements that the subsequent connection > attempt follow the same network path in any way. > > I was not suggesting that placing a specific value in the ICID replaces > the need for tokens and checking return routeability. Now, it is true > that the servers and the load balancers could also coordinate their > handling of token, and achieve the desired effect of sending connection > resumption attempts to the same server as the original connection. That > may very well be a better design than relying on the client to put > specific values in the ICID. > > > I had assumed that the load balancer would be able to identify an > initial and then route based on the Token field in that packet, rather than > the connection ID. Maybe that's too complicated, but it is something that > could be used without protocol modifications. > > Yes. Looks like the way to go if we want to experiment with STEK-less. > > I think placing the NEW CONNECTION ID in an ICID has a different usage > -- testing the robustness of load balancing... > > -- Christian Huitema > > >
- Going STEK-less with QUIC? Christian Huitema
- RE: [EXTERNAL] Going STEK-less with QUIC? Andrei Popov
- Re: [EXTERNAL] Going STEK-less with QUIC? Christian Huitema
- RE: [EXTERNAL] Going STEK-less with QUIC? Andrei Popov
- Re: Going STEK-less with QUIC? Kazuho Oku
- Re: Going STEK-less with QUIC? Martin Thomson
- Re: Going STEK-less with QUIC? Christian Huitema
- Re: Going STEK-less with QUIC? Martin Thomson
- Re: Going STEK-less with QUIC? Christian Huitema
- Re: Going STEK-less with QUIC? Martin Duke