Re: Version Ossification: Intended Scope for QUICv1
Kazuho Oku <kazuhooku@gmail.com> Thu, 31 October 2019 21:34 UTC
Return-Path: <kazuhooku@gmail.com>
X-Original-To: quic@ietfa.amsl.com
Delivered-To: quic@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 033741201A3 for <quic@ietfa.amsl.com>; Thu, 31 Oct 2019 14:34:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FVTZ47Vo4CGe for <quic@ietfa.amsl.com>; Thu, 31 Oct 2019 14:34:01 -0700 (PDT)
Received: from mail-lj1-x230.google.com (mail-lj1-x230.google.com [IPv6:2a00:1450:4864:20::230]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 00A461200FF for <quic@ietf.org>; Thu, 31 Oct 2019 14:34:00 -0700 (PDT)
Received: by mail-lj1-x230.google.com with SMTP id q2so1638679ljg.7 for <quic@ietf.org>; Thu, 31 Oct 2019 14:34:00 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=kouyCfcUERnzavQ9xx7a9rHsslTaYZ07miw8C8xrBCE=; b=bpKJY/MBjJDjjMMpJisMvTYJXOSfvFBNDcmIMGBGC/SjQKPflKHbfwLNn4KFYWX6ec 1dsjRiq7Scqcd4bigNbqCe7vZUvZEj8JBO7k16W7w2+zBLkYMexOis54gCIataj9u4cH XEGx8lPvWTOzL6EY3UgInIEYz8O2TvDJ+mbzCbsLiAGuMKMfIch3wcS6m91Zk0534ni1 m/0SHELPMZ7VJzOhKX6DTACotSwdJWCxuxUkmIUZgR8WGpSnp0YHu2zsjZimRMLjqScI L65dwa/QMUdobkoyZ4AjBIViIKz3WEs4S7Jx8e/FnkiVnljEPhI0ejSkWWyEojPhdBox xM9w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=kouyCfcUERnzavQ9xx7a9rHsslTaYZ07miw8C8xrBCE=; b=Inq4rOKS1BaFE9kX/Yed6GOenPm9vvNrtyzR7UrYCkWU1h8oC5BXkCeJitayaM4BKU 6OOPJSVLQbkPKRH91nNu2i9Bb+PA6wOEh1Av9KM8UvRfNnKFPPdpp12xLxxzhr857/1G WDkH6xBW8LpBumxa9Reezo9gAfc+afBPK69c1wWboYJ8Rrw7nr3heAoivIQxx2ujAkVR 0x9SJXwbshBMrvQVauDv8IaFBScc9ZA86SO+VFDRAnLeJ/fbuCNBkTxmrREBduWSED2g RWpQAaAAnB7Kb1EvMlU7RYQWhGFSMZkrLTrrXlJZ97uQ2ksS1Z25YRKuiq5gLcm0EvjM 6r7Q==
X-Gm-Message-State: APjAAAVrJTczzogc1xkK8AZc6GhjLIQEW/MY4u0zel4LFmbp9fYUvHTB 3YeJ7cH2VlN3TaMRnYyeasCwf0XKy0HPRoobaPw=
X-Google-Smtp-Source: APXvYqw/tuI85BFfJLqKa5Qs7uIZHULR+WC/6kiloeSxDlbCHy2bNsesqZedvWw87b7Xy/MRQaisu7qbFxYvnYp2b3A=
X-Received: by 2002:a05:651c:326:: with SMTP id b6mr5699972ljp.119.1572557639321; Thu, 31 Oct 2019 14:33:59 -0700 (PDT)
MIME-Version: 1.0
References: <CAPDSy+6E79OySoOLbJ8eWp0J-+3yeB5iGvj6sW19bEDn_V7-NA@mail.gmail.com>
In-Reply-To: <CAPDSy+6E79OySoOLbJ8eWp0J-+3yeB5iGvj6sW19bEDn_V7-NA@mail.gmail.com>
From: Kazuho Oku <kazuhooku@gmail.com>
Date: Fri, 01 Nov 2019 06:33:48 +0900
Message-ID: <CANatvzzaWFgrvnaV=VeZRAVvxqSBeMSZT5aMUu7-Vh9raeZJFw@mail.gmail.com>
Subject: Re: Version Ossification: Intended Scope for QUICv1
To: David Schinazi <dschinazi.ietf@gmail.com>
Cc: QUIC <quic@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000007b0eb305963b9b94"
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic/fs4kMHrHx6h82za-s-hP5aJ6Law>
X-BeenThere: quic@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Main mailing list of the IETF QUIC working group <quic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic>, <mailto:quic-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic/>
List-Post: <mailto:quic@ietf.org>
List-Help: <mailto:quic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic>, <mailto:quic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 31 Oct 2019 21:34:04 -0000
Hi David, Thank you for summarizing the high-level options. I think it's very useful to have this discussion. Please see my comments below. 2019年11月1日(金) 6:13 David Schinazi <dschinazi.ietf@gmail.com>: > Hi folks, > > The conversation around version ossification has been really interesting > since Cupertino. But at least for me it's reached a level of complexity > that warrants taking a step back and looking at what we're trying to solve. > Here's my understanding of where we are: > > 1) In Cupertino there was consensus in the room to do something to > mitigate ossification of QUICv1. > > 2) The solution that folks liked was to have a concept of alternative > versions and alternative salts that act like QUICv1 but are encoded > differently over the wire. > > 3) A concrete proposal for (2) was for servers to have their own set of > (alternative_version, alternative_salt) pairs, then transmit a random pair > from that set to each client (i.e. via transport parameters). The server > can then reconstruct the alternative_salt just by seeing > the alternative_version. > > 4) Kazuho proposed a solution (#3166 > <https://github.com/quicwg/base-drafts/pull/3166>) that was both more > powerful and more complex: tie the (alternative_version, alternative_salt) > pair to NEW_TOKEN frames, to allow servers to generate a > unique alternative_salt per client and encode it in the token. > I dispute the argument that #3166 is more complex. My view is that #3166 is more powerful and simpler than (3) (the PR being #2573). Reasons: * For a server associating one initial salt with one alternative version, #3166 and #2573 are identical with the exception being how the information is carryied (i.e. TP vs. NEW_TOKEN). * For a client, bundling the alternative seeds in a NEW_TOKEN makes things simpler, as clients are not required to have a new state that has to be retained across multiple connections. > 5) After some interesting back and forth on that PR, it became clear that > this is a hard problem to solve: this could cause failures if servers > forget their token keys, and mitigations for that problem can become > downgrade attack vectors > The proposal for 3 has this problem. It leads to a failure when a server forgets the alternative initial salts. > > 6) While there was clear WG appetite for (1), I'm not sure we have > consensus to build a more powerful solution like (4) > > I fear that solving (5) could take some time, which would delay QUICv1. > Instead I'd like to propose the following plan: > a) we take the simpler solution (3) and add that to the spec > b) we take the more powerful/complex solution (5) a turn it into a QUIC > extension > > That would allow us to ship QUICv1 with some level of ossification > mitigations without delay. > As stated, the proposed solution for (4) is simpler than (3), can be used to implement (3), and also provides a stronger protection for servers certain that they can retain the token unprotection keys. I agree that solving (5) for all parties might be hard, and that we might want to punt that to v2. But, I think we should adopt (4) than (3) due to the aforementioned reasons. > Thoughts? > > David > > > -- Kazuho Oku
- Version Ossification: Intended Scope for QUICv1 David Schinazi
- Re: Version Ossification: Intended Scope for QUIC… Kazuho Oku
- RE: Version Ossification: Intended Scope for QUIC… Mike Bishop
- Re: Version Ossification: Intended Scope for QUIC… Martin Thomson
- Re: Version Ossification: Intended Scope for QUIC… Jana Iyengar
- Re: Version Ossification: Intended Scope for QUIC… Martin Thomson
- Re: Version Ossification: Intended Scope for QUIC… Jana Iyengar
- Re: Version Ossification: Intended Scope for QUIC… Mikkel Fahnøe Jørgensen
- RE: Version Ossification: Intended Scope for QUIC… Lubashev, Igor
- Re: Version Ossification: Intended Scope for QUIC… Eric Rescorla
- Re: Version Ossification: Intended Scope for QUIC… Christian Huitema
- Re: Version Ossification: Intended Scope for QUIC… Ian Swett
- Re: Version Ossification: Intended Scope for QUIC… Roberto Peon
- Re: Version Ossification: Intended Scope for QUIC… Marten Seemann
- Re: Version Ossification: Intended Scope for QUIC… Eric Rescorla
- Re: Version Ossification: Intended Scope for QUIC… Martin Thomson
- Re: Version Ossification: Intended Scope for QUIC… Ian Swett