Re: Padding in Initial Packets

Lars Eggert <lars@eggert.org> Wed, 01 July 2020 02:17 UTC

Return-Path: <lars@eggert.org>
X-Original-To: quic@ietfa.amsl.com
Delivered-To: quic@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 478C03A090D for <quic@ietfa.amsl.com>; Tue, 30 Jun 2020 19:17:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=eggert.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jpD7oIBX_pQg for <quic@ietfa.amsl.com>; Tue, 30 Jun 2020 19:17:00 -0700 (PDT)
Received: from mail.eggert.org (mail.eggert.org [IPv6:2a00:ac00:0:35:211:32ff:fe22:186f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 76C713A08F8 for <quic@ietf.org>; Tue, 30 Jun 2020 19:17:00 -0700 (PDT)
Received: from [IPv6:2a00:ac00:0:35:881:7bbf:55a7:1186] (unknown [IPv6:2a00:ac00:0:35:881:7bbf:55a7:1186]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.eggert.org (Postfix) with ESMTPSA id 86B06611683; Wed, 1 Jul 2020 05:16:53 +0300 (EEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=eggert.org; s=dkim; t=1593569813; bh=TS5HsPWpkrRXtO14h5eyMAmWpyPIlTMuumoJiNPUNEU=; h=From:Subject:Date:References:Cc:In-Reply-To:To; b=wbbzVcFr1VyECrMr1GXajqKEGcAGQmeB1BjEHq3AixY1LLnyOz8Va7mXe/mdz3jEk 0eJIl5JpYKMey7uXMpQcqekHLypYB6ns6RwkQNzexhGKEIAXoZEX1GXVB6sQYTGXu5 S/AwK3uXfJvrfzmsgbut8piNitIeuMZUSkOVXQyM=
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
From: Lars Eggert <lars@eggert.org>
Mime-Version: 1.0 (1.0)
Subject: Re: Padding in Initial Packets
Date: Wed, 1 Jul 2020 05:16:50 +0300
Message-Id: <E86FC27B-E38E-4842-BD4F-A316ADD51FE9@eggert.org>
References: <f97dbbe6-e719-4276-bd19-da6589bb2d4e@www.fastmail.com>
Cc: quic@ietf.org
In-Reply-To: <f97dbbe6-e719-4276-bd19-da6589bb2d4e@www.fastmail.com>
To: Martin Thomson <mt@lowentropy.net>
X-MailScanner-ID: 86B06611683.A14BF
X-MailScanner: Found to be clean
X-MailScanner-From: lars@eggert.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic/aHtLj79Xg8niNFNSFmUuvQImRRg>
X-BeenThere: quic@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Main mailing list of the IETF QUIC working group <quic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic>, <mailto:quic-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic/>
List-Post: <mailto:quic@ietf.org>
List-Help: <mailto:quic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic>, <mailto:quic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 01 Jul 2020 02:17:02 -0000

Quant similarly pads by coalescing random data (with the first byte massaged to be of short-header type).

-- 
Sent from a mobile device; please excuse typos.

> On Jul 1, 2020, at 04:19, Martin Thomson <mt@lowentropy.net> wrote:
> 
> Hi Tim,
> 
> That's a little curveball that Firefox throws.  Other implementations pad with PADDING frames inside Initial packets.  Our first implementation found that inconvenient and so we padded outside the packet.  The resulting "packets" are clearly not valid, but neither server nor spec cannot require that they be legitimate. QUIC doesn't authenticate the composition of QUIC packets into UDP datagrams.  So the overall result is valid, even if the individual bits are not.
> 
> The number of bugs this behaviour has exposed is so great that we ultimately decided to keep it.  Fixing it would make our code more complicated anyway.
> 
> We might change the value we use for padding from 0 to something else at some point, just to keep things fresh.
> 
> Cheers,
> Martin
> 
>> On Tue, Jun 30, 2020, at 20:15, tim.jebb@bt.com wrote:
>> 
>> Hi All,
>> 
>> 
>> I’m fairly new to QUIC so apologies if the questions in here are dumb.
>> 
>> 
>> I’ve been going through a QUIC pcap, which I captured from a Firefox 
>> implementation of IETF draft 27 QUIC, and am a little confused about 
>> the use of padding in the first Initial packet. According to Wireshark, 
>> the UDP datagram contains a QUIC packet of type initial, length 272, 
>> the payload of which is a Client Hello. 
>> 
>> 
>> The remainder of the UDP datagram is 1055 zero bytes.. According to 
>> Wireshark these zero bytes constitute a QUIC IETF Packet.
>> 
>> 
>> However there doesn’t seem to be a valid QUIC packet header for these 
>> bytes. AIUI according to the QUIC spec padding bytes are frames within 
>> a packet, so these zero bytes seem to be just bytes in the UDP datagram 
>> outside of the QUIC payload. Which would be fine as far as I can see, 
>> but:
>> 
>> 
>> Why does Wireshark say it’s QUIC IETF?
>> 
>> Is there anything in any of the QUIC draft RFCs mandating this 
>> behaviour, if so where?
>> 
>> Why is it being done – can’t see the point?
>> 
>> If padding is to be added surely it should be as part of a QUIC packet 
>> and encrypted – here there’s just a load of plaintext zero bytes.
>> 
>> 
>> 
>> Here is Wireshark’s analysis:
>> 
>> 
>> “QUIC IETF
>> 
>> QUIC Connection information
>> 
>> [Packet Length: 302]
>> 
>> 1... .... = Header Form: Long Header (1)
>> 
>> .1.. .... = Fixed Bit: True
>> 
>> ..00 .... = Packet Type: Initial (0)
>> 
>> .... 00.. = Reserved: 0
>> 
>> .... ..10 = Packet Number Length: 3 bytes (2)
>> 
>> Version: draft-27 (0xff00001b)
>> 
>> Destination Connection ID Length: 17
>> 
>> Destination Connection ID: 76f81a5588b2f25c5ab6dbd461a8d749e1
>> 
>> Source Connection ID Length: 3
>> 
>> Source Connection ID: c5ef02
>> 
>> Token Length: 0
>> 
>> Length: 272
>> 
>> Packet Number: 0
>> 
>> Payload: 04f535177fcbcfd5f06d24ffde66edf10df79205666b1851…
>> 
>> TLSv1.3 Record Layer: Handshake Protocol: Client Hello
>> 
>> Frame Type: CRYPTO (0x0000000000000006)
>> 
>> Offset: 0
>> 
>> Length: 249
>> 
>> Crypto Data
>> 
>> Handshake Protocol: Client Hello
>> 
>> Handshake Type: Client Hello (1)
>> 
>> Length: 245
>> 
>> Version: TLS 1.2 (0x0303)
>> 
>> Random: b1b76126ddab3c639cdfaa7d92d6cabe2ea9c1a19ea86b8b…
>> 
>> Session ID Length: 0
>> 
>> Cipher Suites Length: 4
>> 
>> Cipher Suites (2 suites)
>> 
>> Compression Methods Length: 1
>> 
>> Compression Methods (1 method)
>> 
>> Extensions Length: 200
>> 
>> Extension: server_name (len=15)
>> 
>> Extension: extended_master_secret (len=0)
>> 
>> Extension: renegotiation_info (len=1)
>> 
>> Extension: supported_groups (len=20)
>> 
>> Extension: application_layer_protocol_negotiation (len=8)
>> 
>> Extension: status_request (len=5)
>> 
>> Extension: key_share (len=38)
>> 
>> Extension: supported_versions (len=3)
>> 
>> Extension: signature_algorithms (len=16)
>> 
>> Extension: psk_key_exchange_modes (len=2)
>> 
>> Extension: record_size_limit (len=2)
>> 
>> Extension: quic_transports_parameters (len=42)
>> 
>> QUIC IETF
>> 
>> [Packet Length: 1055]
>> 
>> Remaining Payload: 000000000000000000000000000000000000000000000000…”
>> 
>> 
>> Any comments or explanations?
>> 
>> 
>> Tim
>> 
>