Stream0 Proposal: CRYPTO_HS frame encoding (Re: Stream0 Design Team Proposal)
Kazuho Oku <kazuhooku@gmail.com> Thu, 24 May 2018 00:06 UTC
Return-Path: <kazuhooku@gmail.com>
X-Original-To: quic@ietfa.amsl.com
Delivered-To: quic@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 31197124217 for <quic@ietfa.amsl.com>; Wed, 23 May 2018 17:06:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MkvpdeMNyENL for <quic@ietfa.amsl.com>; Wed, 23 May 2018 17:06:00 -0700 (PDT)
Received: from mail-pg0-x229.google.com (mail-pg0-x229.google.com [IPv6:2607:f8b0:400e:c05::229]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4EBAD12D7F7 for <quic@ietf.org>; Wed, 23 May 2018 17:06:00 -0700 (PDT)
Received: by mail-pg0-x229.google.com with SMTP id n9-v6so10117071pgq.5 for <quic@ietf.org>; Wed, 23 May 2018 17:06:00 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:from:date:message-id:subject:to:cc; bh=rOlOMHNI7HB8/LQtP9iI34EJLLR5B4b7B7qTVEQ+s/M=; b=X+qD8olflNv8mxnY3HSsAMI9bXm0o63QNFddFoxNtHBhvIVfImaFQCK8rW/MeOTHda J7CgdC2EVqB0yBcFzVK+cVo/msalwKZ8DFN/41P5dAD38rmfNyBaUT2knO60qyrJHjlT 24rs24sujYKBM0KO+B4g8I/3/w0AScsxCIB8efKbg5eGZGxFQljT53SLw2GdFpHBcoR+ BYeBs4b9TZ7EeZb4AUHnGAtFIuj6rb2uVKTa/P+8VGpEypkQLFlYxSG/AdU6fAr7PnTy rIGg1luIPk+MEhtv94AwgQ0U5Oi+zgrZTZazt6aAJ0UGPBn+wyfbHu8R2ItOp1M6kA8v I/Lg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:from:date:message-id:subject:to:cc; bh=rOlOMHNI7HB8/LQtP9iI34EJLLR5B4b7B7qTVEQ+s/M=; b=nm3ZJmtSXHou6ekGKP66WQwNFgX2Z3n+aWOViAZWvL7oeH6T5NUVHiRS78L1JsfBnu SeoRNBinSfWOz6b1Rl5ZWyzKQFqZWjxVvQrcFtqHbYemjN7EnI/uzLRekr60mqg59QRl 66cU2FpOPmBt1Fr3dE6yAR23Gvi/F5+iJt/j2u64Ot7dBo/wBOB7IGRCWDepkxnDvYdX BRl9pZWCYdSr3WFzIq5LL1GukP5iJQ7Txm5TziDdQ0YlwPqSPAY9nnq0DwHIidNbvzBD s8yFJDTZQQNkl8GR7Z+TzEF+bNHFZH7+rdTwaEg6NRpvHg+jEc9pg2RL/tL+aD9MXHDf jOrw==
X-Gm-Message-State: ALKqPwczR++gxgUcw1eDC3mRVEyCfzGcGtKzvXlE4FmeqeeYl+lBn1cS +jh0KKCBukcuRsC5DnuyhfXVEctAla6o+2PrhCQ=
X-Google-Smtp-Source: AB8JxZqUvLPe5VHrPmkJNxGom3Cw7sOICZa4selQocJgUWrcFDl5/mI/V0lw548G/ye8y/ilNgekmRKfdyeZ2xQwZJo=
X-Received: by 2002:a63:ba1c:: with SMTP id k28-v6mr2137449pgf.179.1527120359531; Wed, 23 May 2018 17:05:59 -0700 (PDT)
MIME-Version: 1.0
Received: by 2002:a17:90a:1189:0:0:0:0 with HTTP; Wed, 23 May 2018 17:05:58 -0700 (PDT)
From: Kazuho Oku <kazuhooku@gmail.com>
Date: Thu, 24 May 2018 09:05:58 +0900
Message-ID: <CANatvzyWK3OxTYx6EFRQG_tJ0tYmyvAd9-2HH2=cDVRhuUd2bQ@mail.gmail.com>
Subject: Stream0 Proposal: CRYPTO_HS frame encoding (Re: Stream0 Design Team Proposal)
To: Martin Thomson <martin.thomson@gmail.com>
Cc: Jana Iyengar <jri.ietf@gmail.com>, Eric Rescorla <ekr@mozilla.com>, QUIC WG <quic@ietf.org>, Ian Swett <ianswett=40google.com@dmarc.ietf.org>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic/X1u1oEdGiVIZt6Py3-7IeRpf5Ic>
X-BeenThere: quic@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Main mailing list of the IETF QUIC working group <quic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic>, <mailto:quic-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic/>
List-Post: <mailto:quic@ietf.org>
List-Help: <mailto:quic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic>, <mailto:quic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 24 May 2018 00:06:07 -0000
2018-05-24 8:51 GMT+09:00 Martin Thomson <martin.thomson@gmail.com>: > I'm not a fan of micro-optimizations like this, especially when it means > taking space we don't need. > > We don't need ANY of the bits on the CRYPTO stream. The savings for an > absent length and offset are marginal and not worth burning 8 frame types > on, and the stream never really ends. So if we made it have a type of > 0x18, then you would run it through the same code and get the same result. Clarification question: are you and EKR suggesting something like below? 0x10 - 0x17: STREAM frame 0x18: CRYPTO_HS frame if (0x10 <= type && type <= 0x18) { // STREAM or CRYPTO_HS frame if (type != 0x18) streamID = varint_consume(frame); if ((type & 0x04) || type == 0x18) offset = varint_consume(frame); if ((type & 0x02) || type == 0x18) length = varint_consume(frame); if (type & 0x01) fin = 1; read body if present } I think that is workable, although it makes me sad because we will have more conditional branches. > On Wed, May 23, 2018 at 4:40 PM Jana Iyengar <jri.ietf@gmail.com> wrote: > >> Thank you for your implementation and your report -- this is terrific and > helpful! > >> On your note about CRYPTO_HS frames, I think your idea is clever. Just to > ensure that I am understanding it correctly, I believe you're proposing > defining: >> 0x10 - 0x17: STREAM frame >> 0x18 - 0x1F: CRYPTO_HS frame > >> We can the same frame format for CRYPTO_HS as STREAM except that > CRYPTO_HS will not have the stream ID field. This means an implementation > handling these frames can reuse the stream machinery with a small change to > parse the header bits as follows: > >> if (type & 0x10) { // STREAM or CRYPTO_HS frame >> if (type & 0x08) streamID = varint_consume(frame); >> if (type & 0x04) offset = varint_consume(frame); >> if (type & 0x02) length = varint_consume(frame); >> if (type & 0x01) fin = 1; >> read body if present >> } > >> On Tue, May 22, 2018 at 9:57 PM, Kazuho Oku <kazuhooku@gmail.com> wrote: > >>> FWIW, I am happy to tell you that I have a working PoC code for the >>> proposed approach. > >>> On the QUIC side, I saw 2% (124 lines) increase in code size (more on >>> that below). On the TLS side, I also saw 2% (175 lines) increase. >>> However please look at the code size change especially on the QUIC >>> side with grain of salt, as it is just a PoC. > >>> As expected, the key and encryption-level management on the QUIC side >>> became very clean. Following are some of the design decisions I made >>> as well as the outcomes: > >>> * All the interaction between picotls and quicly are accompanied by >>> "epoch". Handshake messages are attributed with their epochs so that >>> they do not get protected by the wrong key, or so that octets received >>> under an incorrect encryption context cannot be misused. > >>> * All the traffic keys are governed by quicly (managing some traffic >>> keys in TLS while managing PNE key in QUIC seems messy). > >>> * The Initial key is setup by quicly, wheeras other traffic keys are >>> installed by picotls by calling a callback named >>> update_traffic_key_cb. The callback accepts and installs 6 keys in >>> total: for three levels (i.e. 0-RTT, handshake, 1-RTT) in two >>> directions (send-side and receive-side). > >>> * Three PN spaces have their own AEAD encryption key. Initial PN and >>> Handshake PN spaces have one aead decryption key each. Application PN >>> space has up to two decryption keys: either for 0-RTT and 1-RTT or for >>> two 1-RTT keys during key update. > >>> It was a pain to have a dedicated frame encoding for CRYPTO_HS, even >>> though we can reuse (and I reused) the retransmission and reassembly >>> logic of QUIC streams for the handshake flows. About a half of the >>> code size increase comes from that (the other half comes from the >>> added abstraction for having two contexts for the handshake). I would >>> prefer reusing the STREAM frame encoding for the handshake data. We >>> could possibly use a different base offset (i.e. for CRYPTO_HS frames >>> we could use 0b00011XXX, whereas the STREAM frames use 0b00010XXX), as >>> well as omitting the Stream ID field. > >>> Overall, now that I have a PoC, I am more confident that the proposed >>> approach is the correct path forward. It *simplifies* the QUIC stack >>> at the same time giving us better security properties as well as >>> fixing various issues in the current design (as discussed in the >>> design doc). > > >>> 2018-05-23 10:30 GMT+09:00 Ian Swett <ianswett= > 40google.com@dmarc.ietf.org>: >>> > Dear QUIC WG, >>> > >>> > >>> > On behalf of the Stream 0 Design Team, I am pleased to report that we > have >>> > consensus on a proposed approach to share with the WG. The DT's > proposal >>> > will make QUIC and TLS work closer together and incorporates ideas from >>> > DTLS, but it does not use the DTLS protocol itself. >>> > >>> > >>> > The DT believes this solves the important open Stream 0 issues. The > proposal >>> > will be a bit more invasive in TLS, but we believe it is the right > long-term >>> > direction and several TLS stacks (BoringSSL, PicoTLS, NSS, and Mint) > are >>> > willing and able to do the work necessary.. A number of stacks are > currently >>> > working on implementations of this new approach, which we hope to have > in >>> > time for the Interim meeting. >>> > >>> > >>> > A design document describing the overall approach can be found at: >>> > >>> > > https://docs.google.com/document/d/1fRsJqPinJl8N3b-bflDRV6auojfJLkxddT93j6SwHY8/edit >>> > >>> > >>> > A PR making the changes to the QUIC documents can be found at: >>> > >>> > https://github.com/quicwg/base-drafts/pull/1377 >>> > >>> > >>> > A few design details did not have clear consensus, but it was felt it > would >>> > be better to discuss those in the wider WG than delay the design team. > A >>> > consistent choice was made in the PR and these issues are mentioned in >>> > Appendix B of the design doc. >>> > >>> > >>> > As always, comments and questions welcome. That said, this is a big PR > and >>> > we recognize that some editorial work is going to be needed before > merging. >>> > In the interest of letting people follow along, and to keep github from >>> > falling over, we ask people to keep discussion on the mailing list and >>> > refrain from making PR comments. >>> > >>> > >>> > See you in Kista! >>> > >>> > >>> > Ian and Eric > > > >>> -- >>> Kazuho Oku -- Kazuho Oku
- Stream0 Proposal: CRYPTO_HS frame encoding (Re: S… Kazuho Oku
- Re: Stream0 Proposal: CRYPTO_HS frame encoding (R… Martin Thomson
- Re: Stream0 Proposal: CRYPTO_HS frame encoding (R… Christian Huitema
- Re: Stream0 Proposal: CRYPTO_HS frame encoding (R… Kazuho Oku