Re: Proposal: Run QUIC over DTLS

Brian Trammell (IETF) <> Wed, 14 March 2018 06:32 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id B9C4F127735 for <>; Tue, 13 Mar 2018 23:32:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id DtruyI5MHnUL for <>; Tue, 13 Mar 2018 23:32:05 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 88C1912778E for <>; Tue, 13 Mar 2018 23:32:02 -0700 (PDT)
Received: from (localhost []) by localhost (Postfix) with ESMTP id 5159B340FC5; Wed, 14 Mar 2018 07:32:00 +0100 (CET)
Received: from localhost (localhost []) by localhost (ACF/6597.3504); Wed, 14 Mar 2018 07:32:00 +0100 (CET)
Received: from ( []) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS; Wed, 14 Mar 2018 07:32:00 +0100 (CET)
Received: from [] (account HELO []) by (CommuniGate Pro SMTP 6.1.18) with ESMTPSA id 48282729; Wed, 14 Mar 2018 07:31:59 +0100
From: Brian Trammell (IETF) <>
Message-Id: <>
Content-Type: multipart/signed; boundary="Apple-Mail=_D35C4645-16F7-4E76-893C-0285B87C80ED"; protocol="application/pgp-signature"; micalg=pgp-sha512
Mime-Version: 1.0 (Mac OS X Mail 11.2 \(3445.5.20\))
Subject: Re: Proposal: Run QUIC over DTLS
Date: Wed, 14 Mar 2018 07:31:58 +0100
In-Reply-To: <>
To: Eric Rescorla <>
References: <> <>
X-Mailer: Apple Mail (2.3445.5.20)
Archived-At: <>
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Main mailing list of the IETF QUIC working group <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 14 Mar 2018 06:32:08 -0000

hi ekr,

Thanks for this reframing of the question. An attempt at an answer, inline:

> On 13 Mar 2018, at 17:52, Eric Rescorla <> wrote:
> Hi folks,
> Thanks to everyone who commented. Trying to consolidate my responses
> a bit, it seems like things fit into three major buckets:
> - Whether we have a stream 0 problem
> - Whether a layered architecture is the right thing/solves those
>   problems
> - Schedule impact
> I'd like to focus on the architectural question for the moment. I
> think there's broad -- though not universal -- agreement that the
> stream 0 thing is not great, but a fair amount of debate about
> what the right architecture and architectural principles are.
> It's not really productive to talk about schedule impact until
> we understand what the right thing is.

Yes, there clearly is a Stream Zero Problem, in that Stream Zero is currently the box into which we are pushing all the complexity related to establishing cryptographic context. To some extent, though, the "layered architecture or not" question is orthogonal to the "DTLS or not" question. The complexity exists, and it needs to go somewhere, if we are to support:

- establishing a cryptographic association over a datagram service
- in the presence of loss, reordering, duplication, and attackers on-path and off
- while minimizing mean association establishment latency, even in less than ideal network conditions
- and using said cryptographic association to protect transport internals
- supporting the selective exposure of additional information about the association for selected in-network functions (at the very least, CID).

In other words, we need three things:

(1) An encrypted transport protocol
(2) A method to establish the cryptographic association for (1)
(3) A transport protocol to provide the reliability guarantees needed by (2)

In QUIC today, (1) is QUIC, (2) is TLS, and (3) is a transport protocol that shares a lot of semantics with QUIC, and co-exists with QUIC's framing, but (and this, I think, is where the confusion comes from and where things go wrong) *isn't really QUIC*. I'll label this "S0-QUIC" (for "Stream Zero") below:

1 |       QUIC         |
2 |    TLS 1.3 + PP    |
  | (handshake)        |
3 |  S0-QUIC   |       |
  +------------+       |
  |  QUIC wire image   |
  |        UDP         |

If you look at it this way, QUIC is already a strictly-layered architecture, we just aren't treating it at such because S0-QUIC and QUIC look enough alike that we think they are the same thing. I suspect that treating S0-QUIC and QUIC as distinct, with the caveat that they must share a wire image, while seeking to preserve opportunities for code reuse between them, might make cleaning up Stream Zero conceptually cleaner.

In the DTLS proposal, (1) is QUIC (without its wire image or S0-QUIC) (2) is DTLS, and (3) is the semitransport DTLS uses for its handshake:

1 |       QUIC         |
2 |     DTLS 1.3       |
  | (handshake)        |
  +- - - - - - +-------+
3 | semitrans  |       |
  +------------+       |
  |  DTLS record layer |
  |        UDP         |

In this framing of the question, the Stream Zero problem arises because QUIC's (3) is not as cleanly separated from QUIC as it should be, and most of the architectural win from moving to DTLS comes from the fact that the layer separation is already there.

> <snip>

> Are there other infelicities I'm missing here?

By running QUIC over DTLS, we're essentially moving (or alternately, ceding) all the discussion about what the transport's wire image should look like to DTLS. From an architectural standpoint, this might actually be cleaner: there is something elegant about defining DTLS itself as the "path layer" proposed back in PLUS, a common wire image over which many future transports, of which QUIC is the first, can run.

But it's more work to do: everything we've done on QUIC's wire image would have to be replaced with equivalents for DTLS:

- For the connection ID, I note that draft-ietf-tls-dtls-connection-id-00 looks a lot like #1151, so that's nice.

- The low-order 30 bits of the sequence number are exposed in DTLS. If we come to consensus that this is a problem, we could possibly apply an encryption scheme as proposed in #1079 to this, but this would be a larger change to the record format than the connection ID.

- The spin bit (#1046) -- or bits, depending on where we think the overhead / bad-condition-resistence tradeoff falls out -- is transport-independent and could be ported to DTLS without changes to the mechanism, but it would need a place in the DTLS record format, and unlike the QUIC short header, there doesn't appear (on my cursory search) to be an almost-zero-cost place to take it from.

All three could be implemented as negotiated DTLS extensions; I'm not yet sure of my opinion about how good a thing that is.