Re: Stream0 Design Team Proposal

Ted Hardie <> Wed, 23 May 2018 21:00 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 18874129C51 for <>; Wed, 23 May 2018 14:00:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.989
X-Spam-Status: No, score=-1.989 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01] autolearn=unavailable autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id vmrMuHlszxjM for <>; Wed, 23 May 2018 14:00:48 -0700 (PDT)
Received: from ( [IPv6:2607:f8b0:4003:c0f::22b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 2CD70127010 for <>; Wed, 23 May 2018 14:00:48 -0700 (PDT)
Received: by with SMTP id 77-v6so26885197otd.4 for <>; Wed, 23 May 2018 14:00:48 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=5gf4Sj9VzpQDVG7KVhv4a/QZZUZRnrUEbChqwQrbBk0=; b=RfvJbWNsfRdHWYVbGbzDxYnaZaIlHdpExa5sVNioXmzo1/ykx2ANJBgLDU1H7NMaRX Nrn/uUj8/tiJHAO0llBcxAg5fKm4kLiWG+W3xzXYxkTOpesrJUZ0Q2gWjaJB4lzkCMFR 3fSIKGgaL50vQezOfwRySaBvlbihPsQnKIlXQFccnjME3gYvVRWWQtp4IeWasJKdTPPF lRqTamxAb4hFALj/iJh/hFVijDZylD3pMDWyt240DFR27TSztu+rzem9ODiIZ+ONq9Kn nJcItSJVwvM73rWn4O1vfgzYoVRpws2ONNnc+hSlmCBG/v+iVh+Yb8wkucX8/AM571r0 ZRMg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=5gf4Sj9VzpQDVG7KVhv4a/QZZUZRnrUEbChqwQrbBk0=; b=rca9LV7HY1+cbpfu4G7BQWVgskrK4CwV6JTSCSCpT39iPYt1tVZUO4QScOrnO7bwdT CRJgQ+hCfePEB3kuQOAwq66G7qMTbAladI3h2M/9Bg6gLdlUJaZYV5+djpaTECDIKjDW YtUd89vbJuUtL9TtEvq8TVI1vKhKEnbf8A8GZ7TtHSVcIisV+fNnamA460Lwdy9G4enc mAntHwx4T0jMBmMHRVyjCLk7LB0PMUqXDZQoJXCSicPaq3QLNwB1240r8JuVa8ApiznX 3o/blAKlBEK5AUruH9okNMcusLAG5EAPiL6+uJRIr0b+ARSwwJbfuF4V/zd3CsJIR+bO LFzw==
X-Gm-Message-State: ALKqPwfY13SuUBzWWmicYweWNjO4hpqJ9UBZvrj2aWhqquxggMtoNXJ+ P1t8DTxW9/woTBmohvve6FhH4fiexHE9CPcVt9I=
X-Google-Smtp-Source: AB8JxZrx/En9qizNq2XxFTYeOZddbIpreyUWghLWzRRPu+5qvT9ms6l2JfFSq7usGwrXIxbY+bzuTDHPkyBcG0YmhLo=
X-Received: by 2002:a9d:25c6:: with SMTP id q64-v6mr3010252ota.193.1527109245456; Wed, 23 May 2018 14:00:45 -0700 (PDT)
MIME-Version: 1.0
Received: by 2002:a4a:4399:0:0:0:0:0 with HTTP; Wed, 23 May 2018 14:00:14 -0700 (PDT)
In-Reply-To: <>
References: <> <> <>
From: Ted Hardie <>
Date: Wed, 23 May 2018 14:00:14 -0700
Message-ID: <>
Subject: Re: Stream0 Design Team Proposal
To: Eric Rescorla <>
Cc: Ian Swett <>, Eric Rescorla <>, IETF QUIC WG <>
Content-Type: multipart/alternative; boundary="0000000000001bd744056ce5d4b6"
Archived-At: <>
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Main mailing list of the IETF QUIC working group <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 23 May 2018 21:00:51 -0000

On Wed, May 23, 2018 at 1:23 PM, Eric Rescorla <> wrote:

> On Wed, May 23, 2018 at 12:42 PM, Ted Hardie <> wrote:
>> Howdy,
>> Thanks for sharing the document.  I have a couple of detailed comments,
>> and then some high level comments which I will put into a separate email.
>> First, the document says this:
>> Though proper analysis is needed, it is not likely that the removal of
>> the TLS record layer will cause a security concern, because the security
>> properties provided by QUIC packets are identical to what have been
>> provided by TLS records.
>> I'm not sure that this is actually the statement we need to analyze,
>> though. We need to be sure that the security properties of TLS records used
>> in TCP packets are available in QUIC streams in QUIC packets using UDP as a
>> multiplexing layer. There appear to be some difference in where the
>> facilities the overall system provides that may require more description.
>> As an example, I think the way padding works in this proposal needs more
>> description. If I understand correctly, each TLS record is encrypted
>> separately and the presence or absence of padding is indicated by a
>> padding_length byte present in each record. That means the padding is
>> related to the record, not the packet; by removing the record layer and
>> using QUIC frames, though, we seem to have a different padding structure.
>> QUIC uses padding frames, not padding within other frame types which is
>> both conceptually and practically different.
> I believe you have misunderstood. In this document, there are no TLS
> records and TLS handshake messages are carried in CRYPTO_HS frames.
> Accordingly, padding is provided in the same fashion as QUIC ordinarily
> does, i.e., using PADDING frames.
> That's what I understood from the design document.  The point I'm making
is that this actually a substantive change to the padding structure that
was previously present (in TLS records), and the security analysis has to
take that into account, so it (and similar things) should be described.

Similarly, I'd be interested in more text on the interaction with
> precedence, since the loss of the record layer means that the former
> guarantee that the record layer makes records available in the order in
> which they were protected now seems to be unavailable.

I'm not quite sure I follow what you are asking about here. In both cases,
TLS sits on top of QUIC's reliable in-order deliver guarantees. Is the
point you are making that formerly, if QUIC violated these guarantees, that
would result in TLS handshake failure, whereas now it does not?

This just related to the general point I was making above.  When the design
shifts where it was getting a function, it would be helpful if it called it
out more directly, to facilitate the analysis.



>> regards,
>> Ted
>> On Tue, May 22, 2018 at 6:30 PM, Ian Swett <
>>> wrote:
>>> *Dear QUIC WG,On behalf of the Stream 0 Design Team, I am pleased to
>>> report that we have consensus on a proposed approach to share with the WG.
>>> The DT's proposal will make QUIC and TLS work closer together and
>>> incorporates ideas from DTLS, but it does not use the DTLS protocol itself.
>>> The DT believes this solves the important open Stream 0 issues. The
>>> proposal will be a bit more invasive in TLS, but we believe it is the right
>>> long-term direction and several TLS stacks (BoringSSL, PicoTLS, NSS, and
>>> Mint) are willing and able to do the work necessary.. A number of stacks
>>> are currently working on implementations of this new approach, which we
>>> hope to have in time for the Interim meeting.A design document describing
>>> the overall approach can be found
>>> at:
>>> <>A
>>> PR making the changes to the QUIC documents can be found
>>> at:
>>> <>A few design details did not
>>> have clear consensus, but it was felt it would be better to discuss those
>>> in the wider WG than delay the design team.  A consistent choice was made
>>> in the PR and these issues are mentioned in Appendix B of the design doc.As
>>> always, comments and questions welcome. That said, this is a big PR and we
>>> recognize that some editorial work is going to be needed before merging. In
>>> the interest of letting people follow along, and to keep github from
>>> falling over, we ask people to keep discussion on the mailing list and
>>> refrain from making PR comments.See you in Kista!*
>>> Ian and Eric