Alternate Version + Salt in Alt-Svc

Ryan Hamilton <rch@google.com> Mon, 04 November 2019 20:34 UTC

From: Ryan Hamilton <rch@google.com>
Date: Mon, 4 Nov 2019 12:34:06 -0800
Message-ID: <CAJ_4DfTN-25ZpDmGBFXxmz9RZCT=8JbpFoDX71eyhE1rEtPkMg@mail.gmail.com>
Subject: Alternate Version + Salt in Alt-Svc
To: IETF QUIC WG <quic@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic/YJWsqLK2HAQEtpHGY8VbmR4lmHc>

Howdy Folks,

We've discussed the idea of attempting to reduce ossification by allowing
the server to deliver an alternative version and initial salt to the client
which can be used to speak "QUIC v1". One such mechanism for delivering
this version to the client is Alt-Svc. In the context of HTTP/3 this has
the wonderful property that even the first connection from a client to the
server can use this alternative version.

However, it seems that there might be a privacy/linkability issue with this
approach that I'm curious to get the group's take on. If this information
were delivered via Alt-Svc, I would imagine that the naïve implementation
would be to cache the Alt-Svc info until it expires (via the ma=
attribute) and use the alternative version/salt in each subsequent QUIC
connection. Since the version field is 32 bits, that potentially allows
each user to use a distinct version. This is great for anti-ossification,
but seems problematic for linkability/privacy.

I can think of solutions/mitigations for this issue (like restricting the
number of bits which can be flipped by the server, or expiring the
alternative version in the client on first use, etc.) but I'd be curious if
this seems like an issue to other folks first.

Cheers,

Ryan
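
An added illustration of the linkability concern and two of the mitigations named in the message above; it is not part of the original message or of any QUIC implementation. The cache class, its method names, and the default version constant are hypothetical, and the model assumes the server hands each client a random version restricted to the allowed bits.

```python
import random
from collections import Counter

DEFAULT_VERSION = 0x00000001  # assumption: well-known version used when nothing is cached

def assign_versions(n_clients, flippable_bits, rng):
    """Model: server gives each client a random version limited to `flippable_bits` bits."""
    return [rng.getrandbits(flippable_bits) for _ in range(n_clients)]

def uniquely_linkable(versions):
    """Count clients whose version is shared with nobody else (anonymity set of 1)."""
    counts = Counter(versions)
    return sum(1 for v in versions if counts[v] == 1)

class AltSvcVersionCache:
    """Hypothetical client cache of an advertised (version, salt) per origin."""
    def __init__(self, single_use):
        self.single_use = single_use
        self.entries = {}  # origin -> (version, salt, expiry time)

    def store(self, origin, version, salt, ma, now):
        self.entries[origin] = (version, salt, now + ma)

    def version_for(self, origin, now):
        entry = self.entries.get(origin)
        if entry is None:
            return DEFAULT_VERSION
        version, _salt, expires_at = entry
        if now >= expires_at or self.single_use:
            del self.entries[origin]  # expired, or consumed on first use
        return DEFAULT_VERSION if now >= expires_at else version

def versions_on_wire(cache, origin, connect_times):
    """Versions an on-path observer sees across successive connections."""
    return [cache.version_for(origin, t) for t in connect_times]

if __name__ == "__main__":
    rng = random.Random(2019)  # constructed, seeded population
    for bits in (32, 8, 4):
        n = uniquely_linkable(assign_versions(1000, bits, rng))
        print(f"{bits:2d} flippable bits: {n} of 1000 clients uniquely identifiable")
    for single_use in (False, True):
        cache = AltSvcVersionCache(single_use)
        cache.store("example.com", 0x5A3C91E7, b"constructed-salt", ma=3600, now=0)
        print(single_use, [hex(v) for v in versions_on_wire(cache, "example.com", [10, 20, 4000])])
```

With the naive cache the same per-client version appears on every connection until ma= runs out; with expiry on first use it appears once and later connections fall back to the default.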