Re: Authentication in draft-kuhn-quic-bdpframe-extension
Gorry Fairhurst <gorry@erg.abdn.ac.uk> Sat, 04 November 2023 13:45 UTC
Return-Path: <gorry@erg.abdn.ac.uk>
X-Original-To: quic@ietfa.amsl.com
Delivered-To: quic@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 99B2CC18E18A for <quic@ietfa.amsl.com>; Sat, 4 Nov 2023 06:45:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.905
X-Spam-Level:
X-Spam-Status: No, score=-6.905 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DkgOOKh_HTLp for <quic@ietfa.amsl.com>; Sat, 4 Nov 2023 06:45:08 -0700 (PDT)
Received: from pegasus.erg.abdn.ac.uk (pegasus.erg.abdn.ac.uk [IPv6:2001:630:42:150::2]) by ietfa.amsl.com (Postfix) with ESMTP id D8E9CC17DC02 for <quic@ietf.org>; Sat, 4 Nov 2023 06:45:06 -0700 (PDT)
Received: from [31.133.136.219] (dhcp-88db.meeting.ietf.org [31.133.136.219]) by pegasus.erg.abdn.ac.uk (Postfix) with ESMTPSA id 160AA1B00120; Sat, 4 Nov 2023 13:45:02 +0000 (GMT)
Content-Type: multipart/alternative; boundary="------------OFe2OofyeKsrX3KSnGbQ0hWR"
Message-ID: <1ed18563-6de2-4d62-b6f7-b525ef6c1360@erg.abdn.ac.uk>
Date: Sat, 04 Nov 2023 13:45:01 +0000
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
Subject: Re: Authentication in draft-kuhn-quic-bdpframe-extension
Content-Language: en-GB
To: emile.stephan@orange.com, Nicolas Kuhn <nicolas.kuhn.ietf@gmail.com>, "quic@ietf.org" <quic@ietf.org>
References: <CAMEWqGsGCEhC97Yt-r9YBwGCPxH6+OGj7GfTmomMDJBD6S_ZBQ@mail.gmail.com> <a7d79746-59b3-4dd5-ad74-2810ac685ec5@erg.abdn.ac.uk> <CALGR9oZRReig2_dEsbtx+ODKoaZTkKp6C5gcQZVPd_gnnWbX1Q@mail.gmail.com> <edb12370-dcba-49d7-9b2a-72660e059513@gmail.com> <18cef84568cc444f95bd8c2bc13e81b1@orange.com>
From: Gorry Fairhurst <gorry@erg.abdn.ac.uk>
Organization: UNIVERSITY OF ABERDEEN
In-Reply-To: <18cef84568cc444f95bd8c2bc13e81b1@orange.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic/RA-XPIwDc7Wtl9BKzuvg_Ivkd0A>
X-BeenThere: quic@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Main mailing list of the IETF QUIC working group <quic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic>, <mailto:quic-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic/>
List-Post: <mailto:quic@ietf.org>
List-Help: <mailto:quic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic>, <mailto:quic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 04 Nov 2023 13:45:13 -0000
On 04/11/2023 13:28, emile.stephan@orange.com wrote: > > Hi > > IMO, we are speaking of QUIC resumption not TLS. > > Regards > > Emile > I think QUIC CC resumption could be a part of TLS resumption. Are there also cases where these could be different things? Gorry > > *De :* QUIC <quic-bounces@ietf.org> *De la part de* Nicolas Kuhn > *Envoyé :* samedi 4 novembre 2023 12:43 > *À :* quic@ietf.org > *Objet :* Re: Authentication in draft-kuhn-quic-bdpframe-extension > > Dear all, > > Thank you for your interest in this work ! > > I would tend to agree with Lucas and think we should consider > scenarios where BDP frames would be used with TLS resumption and I do > not see the need for proposing another trust mechanism; But there may > be scenarios I do not see ? > > More comments inline. > > Kind regards, > > Nico > > On 11/3/23 16:44, Lucas Pardue wrote: > > Hi folks, > > I'm still trying to come up to speed on this spec. But when I've > thought about it a little, its seemed very natural to associate > the BDP frame (contents) with the TLS session. We already have a > lot of text about TLS session resumption in QUIC. It feels like > there is already a template design with HTTP/3 - a server sends > SETTINGS to tell a client something unique about the active QUIC > connection. RFC 9114 section 7.2.4.2 [1]states > > > When a 0-RTT QUIC connection is being used, the initial value of > each server setting is the value used in the previous session. > Clients *SHOULD* store the settings the server provided in the > HTTP/3 connection where resumption information was provided, but > they *MAY* opt not to store settings in certain cases (e.g., if > the session ticket is received before the SETTINGS frame). A > client *MUST* comply with stored settings -- or default values if > no values are stored -- when attempting 0-RTT. Once a server has > provided new settings, clients *MUST* comply with those values.¶ > <https://www.rfc-editor.org/rfc/rfc9114.html#section-7.2.4.2-6> > > So with a bit of massaging, if we can link BDP frame to session > resumption. we know that it is based on a previous trust relationship. > > Is there any scenario where BDP frame would want to be used > without TLS resumption? > > [NK] I agree. > > Cheers > > Lucas > > > [1] - https://www.rfc-editor.org/rfc/rfc9114.html#section-7.2.4.2-6 > > On Thu, Nov 2, 2023 at 6:17 PM Gorry Fairhurst > <gorry@erg.abdn.ac.uk> wrote: > > On 02/11/2023 16:43, Q Misell wrote: > > Hi all, > > I've been working with Gorry (and others) on actually > implementing the BDP frame extension, and further refining > the draft based on experience from implementation. > > Q, I think I can help a little, see below, but I think there > are good questions here. > > [NK] If the draft is not clear enough on these relevant questions, we > ought to make things clearer. > > One thing that came up that I'd like to ask the WG's > opinion on is that of authentication of the BDP frame, and > when it should be sent in the exchange. I've had a few > thoughts on this, it'd be great to hear what others think > of them, or what other suggestions people might have. > > First, my thoughts on authentication. Do the CC > parameters need to be authenticated at all? I would say > "yes" as a client sending some unauthenticated CC > parameters could cause a DoS of the server (or any other > node along the path) by trying to send far too much data > at once. > > The reason for the secure hash around the contents of the BDP > Frame is to allow a server to know the CC params had not been > modified. Of course you caould ask what sort of information > contributes to that hash, to make the server confident that it > can accept CC params from the client and believe that these > have not been modifed? That could be important? > > [NK] The client should not be able to transmit unauthenticated CC > parameters that are not checked / known by the server. In the current > spec, the client can only send data previously received by the server. > Malicious clients could try to cause a DoS on the server but that > would not be specific to BDP Frame but to 0-RTT in general. > > Should the CC parameters be encrypted? Probably not, as a > client which is aware of a major decrease in available > capacity could compare the new link capacity to its stored > CC parameters and decide not to send them. If they're > encrypted the client can't inspect what CC parameters the > server thinks the link will have. > > Perhaps the ID ought to be clearer. The QUIC Session is of > course encrypted and authenticated, so, in this respect, the > BDP Frame is protected in transit along the path using TLS. > > The current proposal is not to additionally encrypt the CC > params *within* the BDP, so that a client could read these and > utlise as it sees fit. This still needs to authenticate the > entire set of params, so that the server could trust them. > > The params include an endpoint token used by a server to > represent the remote endpoint - we could have used the client > IP source address for this if the client had an invariant > public IP source address. That's not so common with IPv6 or > the use of IPv4 NAPT - so the server has to find a way to > represent it's view of the client as the endpoint token. There > could be possibilities to do this quite differently. > > How should they be authenticated? There are a few options > I can see here, and I'm unsure which is best: > > (1) Authenticated with the TLS certificate > > (2) Authenticated with some other asymmetric key > > (3) Authenticated using some symmetric key known only to > the server > > (4) Same as 3 but with a key identifier > > Options 1 and 2 allow the client to verify the > authentication over the CC parameters, but this doesn't > seem to be of much use to me. Option 1 additionally sets a > time limit on use of stored CC parameters, as the TLS > certificate will eventually expire. This doesn't seem to > me to be much of an issue. A new connection far into the > future (say 1-2 months) would almost certainly have > different CC parameters anyway. > > Option 3 seems the best to me. It would allow one key to > be shared across an array of anycast servers, without > sharing other keying material that might be used to > protect more sensitive parts of the connection. Option 4 > additionally expands on this by allowing key rotation > without immediately invalidating all current stored CC > parameters. > > So, if this is about how to construct the secure hash, irt > seems like an interesting topic to find out more, I'd agree. > > [NK] We may not specify how to compute the secure hash but that could > be interesting discussions if you think the draft needs to be more > specific on this. IMHO the client does not need to know how the secure > hash is compute and thus not sure we need interoperability. > > When should the BDP frame be sent? There are two places I > can see BDP frames being useful to send: > > (1) After initial frames but before crypto frames > > (2) After crypto frames and before application data > > Option 1 allows for the previously calculated CC > parameters to be used for the sometimes quite large TLS > handshake, but also precludes options 1 and 2 for > authentication. Option 2 allows for greater flexibility in > authentication, and also makes the BDP frame encrypted in > transit. I'm unsure what the privacy implications of an > unencrypted BDP frame are, so if anyone can come up with a > reason CC data shouldn't be observable to an intermediary > that would be greatly appreciated. > > :-) > > [NK] Do we need to specify this in the draft or should this be let to > implementers to define the most relevant approach (w.r.t. frame > scheduling to format QUIC packets). > > Looking forward to hearing your thoughts. > > [NK] Thank you for your comments ! > > Cheers, > > Q Misell > > Gorry > > ------------------------------------------------------------------------ > > Any statements contained in this email are personal to the > author and are not necessarily the statements of the > company unless specifically stated. AS207960 Cyfyngedig, > having a registered office at 13 Pen-y-lan Terrace, > Caerdydd, Cymru, CF23 9EU, trading as Glauca Digital, is a > company registered in Wales under № 12417574 > <https://find-and-update.company-information.service.gov.uk/company/12417574>, > LEI 875500FXNCJPAPF3PD10. ICO register №: ZA782876 > <https://ico.org.uk/ESDWebPages/Entry/ZA782876>. UK VAT №: > GB378323867. EU VAT №: EU372013983. Turkish VAT №: > 0861333524. South Korean VAT №: 522-80-03080. AS207960 > Ewrop OÜ, having a registered office at Lääne-Viru > maakond, Tapa vald, Porkuni küla, Lossi tn 1, 46001, > trading as Glauca Digital, is a company registered in > Estonia under № 16755226. Estonian VAT №: EE102625532. > Glauca Digital and the Glauca logo are registered > trademarks in the UK, under № UK00003718474 and № > UK00003718468, respectively. > > ____________________________________________________________________________________________________________ > Ce message et ses pieces jointes peuvent contenir des informations confidentielles ou privilegiees et ne doivent donc > pas etre diffuses, exploites ou copies sans autorisation. Si vous avez recu ce message par erreur, veuillez le signaler > a l'expediteur et le detruire ainsi que les pieces jointes. Les messages electroniques etant susceptibles d'alteration, > Orange decline toute responsabilite si ce message a ete altere, deforme ou falsifie. Merci. > > This message and its attachments may contain confidential or privileged information that may be protected by law; > they should not be distributed, used or copied without authorisation. > If you have received this email in error, please notify the sender and delete this message and its attachments. > As emails may be altered, Orange is not liable for messages that have been modified, changed or falsified. > Thank you.
- Authentication in draft-kuhn-quic-bdpframe-extens… Q Misell
- Re: Authentication in draft-kuhn-quic-bdpframe-ex… Gorry Fairhurst
- Re: Authentication in draft-kuhn-quic-bdpframe-ex… Lucas Pardue
- Re: Authentication in draft-kuhn-quic-bdpframe-ex… Nicolas Kuhn
- RE: Authentication in draft-kuhn-quic-bdpframe-ex… emile.stephan
- Re: Authentication in draft-kuhn-quic-bdpframe-ex… Gorry Fairhurst
- RE: Authentication in draft-kuhn-quic-bdpframe-ex… emile.stephan
- Re: Authentication in draft-kuhn-quic-bdpframe-ex… Kazuho Oku
- Re: Authentication in draft-kuhn-quic-bdpframe-ex… Marten Seemann
- Re: Authentication in draft-kuhn-quic-bdpframe-ex… Nicolas Kuhn
- Re: Authentication in draft-kuhn-quic-bdpframe-ex… Gorry Fairhurst
- Re: Authentication in draft-kuhn-quic-bdpframe-ex… Marten Seemann
- Re: Authentication in draft-kuhn-quic-bdpframe-ex… Kazuho Oku
- Re: Authentication in draft-kuhn-quic-bdpframe-ex… Christian Huitema
- Re: Authentication in draft-kuhn-quic-bdpframe-ex… Watson Ladd
- Re: Authentication in draft-kuhn-quic-bdpframe-ex… Christian Huitema
- Re: Authentication in draft-kuhn-quic-bdpframe-ex… Gorry Fairhurst
- Re: Authentication in draft-kuhn-quic-bdpframe-ex… Martin Thomson
- Re: Authentication in draft-kuhn-quic-bdpframe-ex… Kazuho Oku
- Re: Authentication in draft-kuhn-quic-bdpframe-ex… Gorry Fairhurst
- Re: Authentication in draft-kuhn-quic-bdpframe-ex… Lucas Pardue
- Re: Authentication in draft-kuhn-quic-bdpframe-ex… Kazuho Oku
- Re: Authentication in draft-kuhn-quic-bdpframe-ex… Q Misell
- Re: Authentication in draft-kuhn-quic-bdpframe-ex… Gorry Fairhurst
- Re: Authentication in draft-kuhn-quic-bdpframe-ex… Q Misell
- Re: Authentication in draft-kuhn-quic-bdpframe-ex… Gorry Fairhurst