Re: Potential conflict between draft-ietf-quic-transport and RFC 7983
Jana Iyengar <jri@google.com> Thu, 18 May 2017 01:02 UTC
Return-Path: <jri@google.com>
X-Original-To: quic@ietfa.amsl.com
Delivered-To: quic@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 32B4D127F0E for <quic@ietfa.amsl.com>; Wed, 17 May 2017 18:02:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WLlZF6DYkX4v for <quic@ietfa.amsl.com>; Wed, 17 May 2017 18:02:44 -0700 (PDT)
Received: from mail-pf0-x235.google.com (mail-pf0-x235.google.com [IPv6:2607:f8b0:400e:c00::235]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AD9D9124BE8 for <quic@ietf.org>; Wed, 17 May 2017 18:02:44 -0700 (PDT)
Received: by mail-pf0-x235.google.com with SMTP id n23so15336987pfb.2 for <quic@ietf.org>; Wed, 17 May 2017 18:02:44 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=ACNe+S57ILBct5VnuZsXHfSuj3RVHcGuhmCc82Xpdu8=; b=vFJKbio6WotxrDtJW2TGaS58NvNzxdK8SV4j+T1cathQC/Xk4Mt2ES4jnzacssvyB9 Om5l2qcUwnIvEEF1jejtlU8QYw+1M6oRBs759cyKuhlz3hmetXBwuPSrPE9pPa7vVKL/ cjoIbLOwa6eknTjumCMNQhfOi0TMII/VYb7yapRRgE5qlCPYI85OqCc1e7GxOylAIWAl KF7zOycwjmsgiOpp4bz9be6xXklQmNDNJKwAIwNRK/YQOTQ7wEBs7CdgUkmfdAikHm43 JUDrY0ibL49IQoFOBlg2aapUjcpnZsm0N70BAyWc+/NifrtyGQSy+X5TjHXay0T9uJ/o iZiA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=ACNe+S57ILBct5VnuZsXHfSuj3RVHcGuhmCc82Xpdu8=; b=ZxISNrbRHCrtWAPb+syEm0s1oqKPWM7LQpMbmKLCFOOBgbJ+JriWfCmgRQ5GhXdH6j G8g2MNK2sdqvoAyTDJO2J1MEiULX+7Czcn9QBNz+q0CsgfFRXqtB0EyasFmgcPJsRTO1 ce5vtBn+PU+eMvnYRiXAy0OXHrqeWNoVCh0GmzZeSnyKrAQkWAE2gdRsd3qyKA9t2PHi O4Cp3HZBLSF3UigN/KqPB7UpL9Xrz934YBB/eXGZC8T1JppPUWewdhtuvkz7OBN6j3mR D2vJdYmLPoVTlOrWN6qKAzY8L320EaWqRLD2v6xl0MEK8pmhU2/NJ4c+4cggKe1xMsdd cYbg==
X-Gm-Message-State: AODbwcBSQoeBPK76UJy58WuWwQczSrzr4PYdWkzaFZRLixJpaTwdUQd2 nuox4t61xya11H7z5fb2AlFL8FblSvN/
X-Received: by 10.98.76.155 with SMTP id e27mr1452661pfj.77.1495069364041; Wed, 17 May 2017 18:02:44 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.100.181.165 with HTTP; Wed, 17 May 2017 18:02:43 -0700 (PDT)
In-Reply-To: <CAOW+2dv-UR5DonWQG4Zm_U9u2A8L+s6a8Eh32fhU9Mhg2qB_gQ@mail.gmail.com>
References: <CAOW+2dtLDB+hq2u9BA4JYBOt+nRv0G3P+00c7wfPyz5+ftEiRA@mail.gmail.com> <BN6PR03MB27088B21ED2D58F609EBA50287E70@BN6PR03MB2708.namprd03.prod.outlook.com> <CAOW+2dv-UR5DonWQG4Zm_U9u2A8L+s6a8Eh32fhU9Mhg2qB_gQ@mail.gmail.com>
From: Jana Iyengar <jri@google.com>
Date: Wed, 17 May 2017 18:02:43 -0700
Message-ID: <CAGD1bZZUAAV4fUFK+752Rh+77iKQfJysVqHN3sRLG=ibfy5y6w@mail.gmail.com>
Subject: Re: Potential conflict between draft-ietf-quic-transport and RFC 7983
To: Bernard Aboba <bernard.aboba@gmail.com>
Cc: Mike Bishop <Michael.Bishop@microsoft.com>, "marc@petit-huguenin.org" <marc@petit-huguenin.org>, "quic@ietf.org" <quic@ietf.org>, "pthatcher@google.com" <pthatcher@google.com>
Content-Type: multipart/alternative; boundary="001a1135da9a5c1f3e054fc1f695"
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic/U3LpRAkcd7fq6tczbREqhF6fj8o>
X-BeenThere: quic@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Main mailing list of the IETF QUIC working group <quic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic>, <mailto:quic-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic/>
List-Post: <mailto:quic@ietf.org>
List-Help: <mailto:quic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic>, <mailto:quic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 18 May 2017 01:02:47 -0000
This *may* be one of those things where keeping WebRTC in the back of our minds might help QUIC not get stuck badly in the future. So, as a thought exercise (not assuming that we need to solve this problem here) I'd like to walk through what we *could* do if we actually supported both WebRTC protocols and QUIC on the same port. I think the simplest thing to do would be to pass everything through a QUIC "dispatcher" that determines if this packet belongs to QUIC --- basically confirms whether this packet should be consumed by QUIC or not --- and if it isn't consumed by QUIC (including packets that QUIC decides MUST be dropped because they are QUIC packets but violate some property) then it can be consumed by non-QUIC applications on the same port. The question of course is how bad is the likelihood of false positives/negatives. With the encrypted packet types in QUIC, the QUIC dispatcher will safely reject non-QUIC packets. With the plaintext types, which are used during handshake, QUIC packets are covered by a non-crypto FNV-1a hash. The cost that QUIC bears of a mis-classification among plaintext packets as a QUIC packet is limited to cases where the contents of the packet are not part of the final key derivation. These packet types are limited to a few long-form packet types, all of which have a number of version-independent fields upfront, including version, which could be checked for sanity (since connection ID and packet number can be arbitrary.) This still doesn't seem great, since 0x0001 is a fine version number to have in QUIC and may be a completely reasonable string in RTP. So alternatively, we could renumber the long-form packet types to start at 255 and count down, since 192 - 255 is left open by RFC 7983, and since we just need 6 cleartext packet types at the moment to be distinct from the RTP packet types (it's smaller than that, since Stateless Reject and Version Negotiation packets need to echo stuff from the client's packets.) TL;DR of this is that *if* we wanted to allow for a future coexistence of WebRTC protocols with QUIC on the same port -- and this is a big "if", since I wonder if they need to be on the same port --- we could renumber just the long-form packets to start at 255 and grow downwards. We only need <= 6 plaintext packet types to be out of the collision region with RFC 7983. On Wed, May 17, 2017 at 3:31 PM, Bernard Aboba <bernard.aboba@gmail.com> wrote: > Mike asked: > > "Is it a goal for QUIC and DTLS-SRTP to coexist on the same port"? > > [BA] RFC 7983 enables DTLS, SRTP/SRTCP, ZRTP, STUN and TURN to co-exist on > the same port. Within the scheme, DTLS is used for transport of WebRTC's > DTLS/SCTP/UDP data channel and DTLS-SRTP is used for key management of > SRTP/SRTCP. > > While within WebRTC, DTLS currently provides both data channel transport > as well as SRTP key management, it is not clear that initial QUIC > implementations within WebRTC will attempt to provide alternatives for both > of these functions. > > For example, experimental implementations of a QUIC data channel may wish > to focus solely on that objective without having to provide an alternative > to DTLS-SRTP. In such an implementation, QUIC and DTLS-SRTP would need to > co-exist on the same port. > > > > On Wed, May 17, 2017 at 2:52 PM, Mike Bishop <Michael.Bishop@microsoft.com > > wrote: > >> 7983 is a bugfix to 5764 section 5.1.2, per a quick perusal. I didn’t >> read either of those RFCs as purporting to constrain the first byte of all >> future UDP-based protocols. 5764 says: >> >> >> >> When DTLS-SRTP is used to protect an RTP session, the RTP receiver >> >> needs to demultiplex packets that are arriving on the RTP port. >> >> ... >> >> If other packet types are to be multiplexed as well, implementors >> >> and/or designers SHOULD ensure that they can be demultiplexed from >> >> these three *[or five, given 7983]* packet types. >> >> >> >> Is it a goal for QUIC and DTLS-SRTP to coexist on the same port? >> >> >> >> *From:* QUIC [mailto:quic-bounces@ietf.org] *On Behalf Of *Bernard Aboba >> *Sent:* Wednesday, May 17, 2017 2:37 PM >> *To:* quic@ietf.org >> *Cc:* marc@petit-huguenin.org; pthatcher@google.com >> *Subject:* Potential conflict between draft-ietf-quic-transport and RFC >> 7983 >> >> >> >> There appears to be a potential conflict between >> draft-ietf-quic-transport and RFC 7983. Looking at >> draft-ietf-quic-transport, both the short and the long headers appear to >> conflict with the de-multiplexing scheme defined in RFC 7983, which is >> based on the value of the first byte of multi-plexed protocols: >> >> >> >> The process for demultiplexing a packet is as follows. The receiver >> >> looks at the first byte of the packet. If the value of this byte is >> >> in between 0 and 3 (inclusive), then the packet is STUN. If the >> >> value is between 16 and 19 (inclusive), then the packet is ZRTP. If >> >> the value is between 20 and 63 (inclusive), then the packet is DTLS. >> >> If the value is between 64 and 79 (inclusive), then the packet is >> >> TURN Channel. If the value is in between 128 and 191 (inclusive), >> >> then the packet is RTP (or RTCP, if both RTCP and RTP are being >> >> multiplexed over the same destination port). If the value does not >> >> match any known range, then the packet MUST be dropped and an alert >> >> MAY be logged. This process is summarized in Figure 3. >> >> >> >> +----------------+ >> >> | [0..3] -+--> forward to STUN >> >> | | >> >> | [16..19] -+--> forward to ZRTP >> >> | | >> >> packet --> | [20..63] -+--> forward to DTLS >> >> | | >> >> | [64..79] -+--> forward to TURN Channel >> >> | | >> >> | [128..191] -+--> forward to RTP/RTCP >> >> +----------------+ >> >> >> >> Figure 3: The DTLS-SRTP receiver's packet demultiplexing algorithm. >> >> >> >> >> >> >
- Potential conflict between draft-ietf-quic-transp… Bernard Aboba
- RE: Potential conflict between draft-ietf-quic-tr… Mike Bishop
- Re: Potential conflict between draft-ietf-quic-tr… Bernard Aboba
- Re: Potential conflict between draft-ietf-quic-tr… Jana Iyengar
- Re: Potential conflict between draft-ietf-quic-tr… Eggert, Lars
- Re: Potential conflict between draft-ietf-quic-tr… Colin Perkins
- Re: Potential conflict between draft-ietf-quic-tr… Colin Perkins