Re: Authentication in draft-kuhn-quic-bdpframe-extension
Q Misell <q@as207960.net> Thu, 16 November 2023 11:16 UTC
Return-Path: <q@as207960.net>
X-Original-To: quic@ietfa.amsl.com
Delivered-To: quic@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 873BEC14CE24 for <quic@ietfa.amsl.com>; Thu, 16 Nov 2023 03:16:34 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.105
X-Spam-Level:
X-Spam-Status: No, score=-2.105 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=as207960.net
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qygASKtBri35 for <quic@ietfa.amsl.com>; Thu, 16 Nov 2023 03:16:29 -0800 (PST)
Received: from mail-ed1-x533.google.com (mail-ed1-x533.google.com [IPv6:2a00:1450:4864:20::533]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5798BC14F748 for <quic@ietf.org>; Thu, 16 Nov 2023 03:16:28 -0800 (PST)
Received: by mail-ed1-x533.google.com with SMTP id 4fb4d7f45d1cf-5480edd7026so520619a12.0 for <quic@ietf.org>; Thu, 16 Nov 2023 03:16:28 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=as207960.net; s=google; t=1700133386; x=1700738186; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=wOhKbZkplPrM9ufd5uG11x5LhB21iZFmKkzw8vTMmx4=; b=IaffSuifvJk2E2vrrzQaoaZ2vhgtmhFGH6DgERSY56AvvE70No0rFzQ1xwJVL9OKKl NFLhHXI+DejLxkoNAEicOC91UW0jXvmsrKg4BAtp81FMIM/65q+dLWfHHb8Hjf4Fd/Ir sEy5ni0zSmMjsRPWtSSpHMF1K6Jlh9At0M+itOce4lJqCdw3l9Wd7Wvj4phAMdbNBEAi dd+Vig+PvpP+qnQJhd2V76mBieY6eIkmH6lBmOe6AeXwaQoWnue8L3YsExaS/AArlyPh nCguzphaw/MR4rirJy/jrNF6xGpTfkdC/N8UYJzNpyE4y48N/astFTxaoLdT0wv3akMl QVVA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1700133386; x=1700738186; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=wOhKbZkplPrM9ufd5uG11x5LhB21iZFmKkzw8vTMmx4=; b=fDN4nZCTYFh800VJvcZ0DEc9++shU4f16Jj7P0hHdcHr8IK+Lc//TWcYZemSlxBzFL DM7WBLoSJz0szMOcVxsFU4wNJY4CgJGE3um8uQyHBzxuMt/P6fzFKClwm4bBwalVl9Nr 1XghsqLBmrJyR4x0N5HYbqdfds9cRtP4DFLwfmYdfHzdlCwOoe5zW65YmtuTRBk0HbzS HjqlvdeRbbImDGY3hog8OGayzqyB8/Kryt/+KC/+vRe/ZgTqNOFLs3MSDS/b3iNM+nsH cBynZPGX3AEMNeCb7Wie5pHP5tQyPGmMyWZ9l+FS6vDqTt6RzlvWfhqRdIx3HnAlETAX RwDQ==
X-Gm-Message-State: AOJu0YxN1F0BXPr6eW4WPiYfdEOFKNXedDpbkLR6EAVngatVhySoFvhw /c1KpV7uXSVzx6La4F2Si6RpiJI91CuFVQ8awAjRfQ==
X-Google-Smtp-Source: AGHT+IHEBaX+Zq07wFByNKlEyoWCNFMsFU8VrRvXCMXxd/9jsyn7hapkMGwRV5jGoMyJutVyITP72oDn5nQy7awYyZA=
X-Received: by 2002:a17:906:140d:b0:9bf:2f84:5de7 with SMTP id p13-20020a170906140d00b009bf2f845de7mr1426002ejc.4.1700133386109; Thu, 16 Nov 2023 03:16:26 -0800 (PST)
MIME-Version: 1.0
References: <CAMEWqGsGCEhC97Yt-r9YBwGCPxH6+OGj7GfTmomMDJBD6S_ZBQ@mail.gmail.com> <a7d79746-59b3-4dd5-ad74-2810ac685ec5@erg.abdn.ac.uk> <CALGR9oZRReig2_dEsbtx+ODKoaZTkKp6C5gcQZVPd_gnnWbX1Q@mail.gmail.com> <edb12370-dcba-49d7-9b2a-72660e059513@gmail.com> <18cef84568cc444f95bd8c2bc13e81b1@orange.com> <1ed18563-6de2-4d62-b6f7-b525ef6c1360@erg.abdn.ac.uk> <4f02fdee6cbf4c7aae472f2f0c177cc0@orange.com> <CANatvzzU_8OZuG7MS8dQAcyv0DSj9YegOsG3a6LifjqRncdHbQ@mail.gmail.com> <CAOYVs2o6emJ2FwtsDd83oi2L3T5rK2nB=3MUe82sFPOrtkcE_Q@mail.gmail.com> <b9229510-6c05-4f21-8b07-ea9036dea30a@erg.abdn.ac.uk> <CAOYVs2os7=AVXwp2X2dW43zJzMh8JZ9Wy6WHZWBFi3uUFEZF6g@mail.gmail.com> <CANatvzyVhMO3Zn9pt5sWGOFBbevRSSp1+8QiK+Uvs061trbuaw@mail.gmail.com> <80e7607e-f354-40d4-9346-6bdb798b5ad2@erg.abdn.ac.uk> <CANatvzzL7ip_oAtLwS2BO1qz6ztJzXVfuNnUJDPyuvZn2+9b+A@mail.gmail.com> <bf57250b-1aa2-4b9b-bfff-c3d8ec9bc445@erg.abdn.ac.uk> <CANatvzz3z4Xruf8mp5oB2zzd96iMO9eU1SfbPip6EVDrxL8vnQ@mail.gmail.com> <CAMEWqGv=xbWsDCbreVVMmAowKo2w6ZXeoX2UUADGVjnjKozZog@mail.gmail.com>
In-Reply-To: <CAMEWqGv=xbWsDCbreVVMmAowKo2w6ZXeoX2UUADGVjnjKozZog@mail.gmail.com>
From: Q Misell <q@as207960.net>
Date: Thu, 16 Nov 2023 11:15:49 +0000
Message-ID: <CAMEWqGtoBuxcsrqaqmHs0KCJjvK0ftiHGqYf55D2xAhtCuNniA@mail.gmail.com>
Subject: Re: Authentication in draft-kuhn-quic-bdpframe-extension
To: Kazuho Oku <kazuhooku@gmail.com>
Cc: Gorry Fairhurst <gorry@erg.abdn.ac.uk>, Marten Seemann <martenseemann@gmail.com>, emile.stephan@orange.com, Nicolas Kuhn <nicolas.kuhn.ietf@gmail.com>, "quic@ietf.org" <quic@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000008cdc0d060a43261b"
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic/nzBehfcyysYGRKV52a6SRpnuTXI>
X-BeenThere: quic@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Main mailing list of the IETF QUIC working group <quic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic>, <mailto:quic-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic/>
List-Post: <mailto:quic@ietf.org>
List-Help: <mailto:quic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic>, <mailto:quic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 16 Nov 2023 11:16:34 -0000
Hi all, I've just published draft-misell-quic-bdp-token-00 <https://datatracker.ietf.org/doc/draft-misell-quic-bdp-token/> as a rough first draft of this concept. Thanks, Q Misell ------------------------------ Any statements contained in this email are personal to the author and are not necessarily the statements of the company unless specifically stated. AS207960 Cyfyngedig, having a registered office at 13 Pen-y-lan Terrace, Caerdydd, Cymru, CF23 9EU, trading as Glauca Digital, is a company registered in Wales under № 12417574 <https://find-and-update.company-information.service.gov.uk/company/12417574>, LEI 875500FXNCJPAPF3PD10. ICO register №: ZA782876 <https://ico.org.uk/ESDWebPages/Entry/ZA782876>. UK VAT №: GB378323867. EU VAT №: EU372013983. Turkish VAT №: 0861333524. South Korean VAT №: 522-80-03080. AS207960 Ewrop OÜ, having a registered office at Lääne-Viru maakond, Tapa vald, Porkuni küla, Lossi tn 1, 46001, trading as Glauca Digital, is a company registered in Estonia under № 16755226. Estonian VAT №: EE102625532. Glauca Digital and the Glauca logo are registered trademarks in the UK, under № UK00003718474 and № UK00003718468, respectively. On Wed, 15 Nov 2023 at 15:40, Q Misell <q@as207960.net> wrote: > > Hi all, > > I've had a think and some discussion with others about what's been said in > this chain, here are my thoughts. > > > I think I tend to agree with Lucas modulo the point that it would make > more sense to store BDP information in tokens issued by the QUIC servers[1] > than the TLS session ticket. > > The NEW_TOKEN frame would indeed be a very neat way to handle things. > However given that it is opaque this would stop the client from assessing > if it wants to use a token in cases where it is known the BDP has changed > significantly. > > There is one other issue I see with this in that section 8.1.3 says: > "Though saving and using older tokens have no negative consequences, > clients can regard older tokens as being less likely to be useful to the > server for address validation." > An old BDP calculation may have negative consequences, however this could > be mitigated by expiring the BDP calculations in tokens after a certain > time. I'd like some more input on what's the best option here. > > > The BDP_FRAME frame can only be sent in 0-RTT packets (if I understand > correctly, I'm very confused by the phrasing of section 4), so it can’t be > used for non-0-RTT session resumption. > > Agreed that this section needs work on wording. I also think BDP should be > allowed in 0-RTT and 1-RTT, although it provides more value in 0-RTT than > 1-RTT. Allowing 1-RTT BDP also precludes using TLS session resumption > tokens to store BDP data. > > > From a protocol deployability perspective, we should expect that larger > fleets of servers will be wanting to run multivariate testing of CCs in a > way that doesn't require any coordination with the peer. > > This is an excellent point. Might I suggest a compromise[1] in which some > CC parameters are made available to the client to aid in deciding whether > to use a BDP calculation on resumption. The server can signal to the client > that its tokens are encoded with a well-known format akin to the below > using a new bdp_tokens transport parameter. > > BDP Token { > Address Token Length (i), > Address Token Value (..), > Saved Capacity (i), > Saved RTT (i), > BDP Token Length (i), > BDP Token Value(..) > } > > The Address Token is opaque to the client, as is currently the case. The > Saved Capacity and Saved RTT fields are merely hints to the client to help > it decide if it wants to use the token or not. If it decides it doesn't > want to then it can send the token back with the BDP Token set to zero > length, but still preserving the Address Token. The BDP Token contains > opaque data specific to the congestion control algorithm in use by the > server. It is expected the Address Token and the BDP Token contain > appropriate verification to prevent meddling, using whatever method the > server sees fit. > > If the client is unaware of the bgp_tokens parameter it will treat the > entire token as an opaque blob, achieving its intended purpose of > remembering BDP information without client modification. > > I will find some time to write an I-D on this fleshing out the details a > bit more. > > Thanks, > Q Misell > > [1]: compromise, noun: leaving all parties disgruntled; > https://youtu.be/J1Yv24cM2os?t=100 <https://youtu.be/J1Yv24cM2os?t=100> > ------------------------------ > > Any statements contained in this email are personal to the author and are > not necessarily the statements of the company unless specifically stated. > AS207960 Cyfyngedig, having a registered office at 13 Pen-y-lan Terrace, > Caerdydd, Cymru, CF23 9EU, trading as Glauca Digital, is a company > registered in Wales under № 12417574 > <https://find-and-update.company-information.service.gov.uk/company/12417574>, > LEI 875500FXNCJPAPF3PD10. ICO register №: ZA782876 > <https://ico.org.uk/ESDWebPages/Entry/ZA782876>. UK VAT №: GB378323867. > EU VAT №: EU372013983. Turkish VAT №: 0861333524. South Korean VAT №: > 522-80-03080. AS207960 Ewrop OÜ, having a registered office at Lääne-Viru > maakond, Tapa vald, Porkuni küla, Lossi tn 1, 46001, trading as Glauca > Digital, is a company registered in Estonia under № 16755226. Estonian VAT > №: EE102625532. Glauca Digital and the Glauca logo are registered > trademarks in the UK, under № UK00003718474 and № UK00003718468, > respectively. > > > On Mon, 6 Nov 2023 at 17:55, Kazuho Oku <kazuhooku@gmail.com> wrote: > >> >> >> 2023年11月6日(月) 13:38 Gorry Fairhurst <gorry@erg.abdn.ac.uk>: >> >>> See below: >>> >>> On 06/11/2023 10:59, Kazuho Oku wrote: >>> >>> >>> >>> 2023年11月6日(月) 10:08 Gorry Fairhurst <gorry@erg.abdn.ac.uk>: >>> >>>> On 05/11/2023 15:49, Kazuho Oku wrote: >>>> >>>> >>>> >>>> 2023年11月5日(日) 16:41 Marten Seemann <martenseemann@gmail.com>: >>>> >>>>> > On different CC's: the set of parameters exchanged are fairly >>>>> generic, and I think it's very likely a client will use the same CC to talk >>>>> to the same server when it next resumes a session, so I am unsure i share >>>>> the concern about different CCs. >>>>> >>>>> Gorry, I might be misreading the draft, but in my understanding the >>>>> BDP_FRAME frame is used by servers to offload state to the client, not the >>>>> other way around, so your argument should be that the server will use the >>>>> same CC on the original and the resumed connection. The client might also >>>>> remember CC parameters, but they wouldn't be sent on the wire. >>>>> My argument here is twofold: If this frame is supposed to be read and >>>>> acted upon by the client, you now have to deal with the situation where >>>>> client and server use different CCs, which will lead to problems if server >>>>> and client don't use the same CC. On the other hand, if the frame is not >>>>> supposed to be acted upon by the client, there's no reason to use a frame >>>>> in the first place, as servers can just unilaterally decide to put the >>>>> information into the token. >>>>> >>>> >>>> FWIW, in case of quicly I'm not sure we'd want to use CWND and current >>>> RTT to calculate the jump CWND. >>>> >>>> >>>> That is because quicly has a delivery rate estimate based on ACK clock >>>> that gives us a better estimation of the available bandwidth; we'd prefer >>>> using that and the min RTT. >>>> >>>> Sure. This makes this interesting, and I know that ACK'ed rate can have >>>> advantages. >>>> >>>> >>>> As such, I'm not sure if having a standard definition of a BDP frame >>>> would help server implementers. >>>> >>>> I don't agree (yet?) The CC params that are used are to characterise >>>> the path, and have two roles - to enable "reconnaisance" in CR and to >>>> decide upon the unvalidate jump size. This needs at least a saved RTT >>>> value and a rate/window. >>>> >>>> While I agree using rate is different to cwnd, for this specific >>>> purpose, isn't it possible to simply used saved cwnd = rate*RTT? II think >>>> we might be able to agree on parameters for this specific use. >>>> >>> The problem is that the kind of RTT that we want to choose can be >>> different depending on if we have ack clock or if we rely on CWND. >>> >>> When ack clock is available, it would make sense to use idle RTT, >>> because that resembles the state of connection when we are not sending much >>> data (i.e., at the beginning of the connection). I think we should be >>> comparing the previous idle RTT and the new initial RTT in this case. >>> >>> Right, this seems fine. This is why we called it "capacity" ... in >>> recent drafts, let's agreee on a term for the next rev! >>> >>> >>> But when relying on CWND, it would make more sense to send SRTT, CWND >>> changes depending on the size of the bottleneck buffer as well. >>> >>> Also, because CWND is an unconfirmed estimate of the path, it can be 2x >>> as large (at the end of slow start), calculation of CR has to be more >>> conservative than when jumping based on the ack clock. >>> >>> Sure, so iin observation phase CR stores a "saved_capacity" (if we >>> conbtinue to call it that), which ought toi be calculated in the correct >>> way by the sender to measure the capacity. We have some text in the Careful >>> Resume text to say this ought to not include over buffering or data-limited >>> moments - if people think it useful, we can certainly add more text for >>> scenarios using different CCs. (We haven't yet, because the CC saving the >>> params, is in most cases the CC using the params for CR.) >>> >>> To summarize, even though we can send CWND and RTT in both cases, what >>> they mean and how they should be used are going to be different. >>> >>> When the semantics (i.e., meaning and usage) is going to be different, >>> I'm not sure if there is a reason to standardize an encoding. >>> >>> Again though, this "saved_capacity" is used just to make a jump. If we >>> make this value readable to the client to help inform things, it is just a >>> "value" from the server that it will use to compute the jump ... >>> >> >> If the primary intent is to show the client the jump CWND so that the >> client can make adjustments (e.g., to the flow control credits), I kind of >> wonder if it is the best approach to use the information exchanged in the >> previous session. >> >> I would probably argue that such information should be sent as 0.5 RTT >> data from the server. That information would be more accurate (because it >> can convey what the server *now* thinks), and can take care of the >> non-resuming case as well. >> >> Under the current form of CR that requires one RT before the jump, it's >> only the large scale servers that have the need to store the information >> from the previous session. >> >> FWIW, the other benefit that I see of using tokens is that we can add >>> arbitrary data associated to the values used by CRs. Tokens already have >>> the client IP address and time of the previous connection. To observe how >>> well CR works under various conditions, I think we'd put anything we want >>> to the Token and see if there would be correlations / anomalies. >>> >>> +1 >>> >>> In other words, the format of the Tokens would evolve. That's the other >>> reason I am not interested in standardizing what to send. >>> >>> +1 >>> >>> Gorry >>> >>> >>>> To paraphrase, I think the question is if there is an appetite for the >>>> WG to define a frame solely for communicating the estimate of the >>>> unvalidated phase *to the client,* and if sending that at the end of the >>>> previous connection is the best way to do so. >>>> >>>> Good questions. >>>> >>>> Gorry >>>> >>>> >>>> >>>>> >>>>> On Sun, 5 Nov 2023 at 15:32, Gorry Fairhurst <gorry@erg.abdn.ac.uk> >>>>> wrote: >>>>> >>>>>> On 05/11/2023 10:04, Marten Seemann wrote: >>>>>> >>>>>> In the design of RFC 9000, frames are used to communicate information >>>>>> between two endpoints. This is not what the BDP_FRAME frame does: It's only >>>>>> saved by the client and echoed back to the server on a later connection. It >>>>>> is questionable to me if the client’s ability to inspect (but not modify) >>>>>> the contents of the frame provides a lot of value: Congestion controllers >>>>>> are inherently endpoint-specific, and (for example) reusing the parameters >>>>>> of an L4S CC with a Cubic CC, and vice versa, doesn't sound like a good >>>>>> idea. >>>>>> >>>>>> That's not what the ID says. >>>>>> >>>>>> On different CC's: the set of parameters exchanged are fairly >>>>>> generic, and I think it's very likely a client will use the same CC to talk >>>>>> to the same server when it next resumes a session, so I am unsure i share >>>>>> the concern about different CCs. >>>>>> >>>>>> Section 1.2 of the ID speaks about the possibility to share the >>>>>> infromation with the application... which might be important to tuning the >>>>>> use of the token (choosing which connection ought to use the >>>>>> Careful-Resume), and ensuring appropriate polices are used for flow-credit, >>>>>> choosing content encoding appropriate to rate, etc. >>>>>> >>>>>> >>>>>> As Kazuho pointed out, RFC 9000 already contains the concept of a >>>>>> resumption token. >>>>>> >>>>>> I'd like to understand more what that is. >>>>>> >>>>>> Tokens are opaque, so servers can encode whatever information they >>>>>> want into the token. Resumption tokens are used to validate the client’s IP >>>>>> address, so they’re inherently bound to the path. This is pretty much >>>>>> exactly the property that you’d want for resuming CC parameters. Apart from >>>>>> that, using tokens has multiple other advantages as well: >>>>>> 1. We don’t need interoperability between implementations here. The >>>>>> client is resuming the connection with the same server (or a different >>>>>> server in the same deployment), so it doesn’t matter how the information is >>>>>> encoded. >>>>>> >>>>>> I like that. >>>>>> >>>>>> 2. Depending on their CC, servers might want to encode a different >>>>>> set of parameters. This is possible when using a token, whereas the >>>>>> BDP_FRAME frame limits us to the few fields defined in the draft. >>>>>> >>>>>> Good - but I do expect that a BDP_FRAME could be made extensible. >>>>>> >>>>>> 3. The BDP_FRAME frame can only be sent in 0-RTT packets (if I >>>>>> understand correctly, I'm very confused by the phrasing of section 4), so >>>>>> it can’t be used for non-0-RTT session resumption. >>>>>> >>>>>> I think that depends a little on how we decide to finally transport >>>>>> the parms - we're open to changing this. >>>>>> >>>>>> 4. Obviously, using the token doesn’t require clients to be aware >>>>>> that this is going on, so it will work with every QUIC stack without any >>>>>> modification. >>>>>> >>>>>> Yes, that's nice also. >>>>>> >>>>>> Best wishes, >>>>>> >>>>>> Gorry >>>>>> >>>>>> >>>>>> >>>>>> On Sun, 5 Nov 2023 at 11:14, Kazuho Oku <kazuhooku@gmail.com> wrote: >>>>>> >>>>>>> >>>>>>> >>>>>>> 2023年11月4日(土) 15:44 <emile.stephan@orange.com>: >>>>>>> >>>>>>>> BDP frame is about QUIC transport (RFC9000) resumption. IMO, it >>>>>>>> does not have dependencies on RFC9001. >>>>>>>> >>>>>>> >>>>>>> I think I tend to agree with Lucas modulo the point that it would >>>>>>> make more sense to store BDP information in tokens issued by the QUIC >>>>>>> servers[1] than the TLS session ticket. >>>>>>> >>>>>>> Tokens are defined in RFC 9000. The only use case being mandated at >>>>>>> the moment is address validation but it is designed so that it can hold >>>>>>> arbitrary data. Tokens can hold BDP information as well. >>>>>>> >>>>>>> 1: https://datatracker.ietf.org/doc/html/rfc9000#frame-new-token >>>>>>> >>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> Orange Restricted >>>>>>>> >>>>>>>> *De :* Gorry Fairhurst <gorry@erg.abdn.ac.uk> >>>>>>>> *Envoyé :* samedi 4 novembre 2023 14:45 >>>>>>>> *À :* STEPHAN Emile INNOV/NET <emile.stephan@orange.com>; Nicolas >>>>>>>> Kuhn <nicolas.kuhn.ietf@gmail.com>; quic@ietf.org >>>>>>>> *Objet :* Re: Authentication in draft-kuhn-quic-bdpframe-extension >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> On 04/11/2023 13:28, emile.stephan@orange.com wrote: >>>>>>>> >>>>>>>> Hi >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> IMO, we are speaking of QUIC resumption not TLS. >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> Regards >>>>>>>> >>>>>>>> Emile >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> I think QUIC CC resumption could be a part of TLS resumption. Are >>>>>>>> there also cases where these could be different things? >>>>>>>> >>>>>>>> Gorry >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> *De :* QUIC <quic-bounces@ietf.org> <quic-bounces@ietf.org> *De la >>>>>>>> part de* Nicolas Kuhn >>>>>>>> *Envoyé :* samedi 4 novembre 2023 12:43 >>>>>>>> *À :* quic@ietf.org >>>>>>>> *Objet :* Re: Authentication in draft-kuhn-quic-bdpframe-extension >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> Dear all, >>>>>>>> >>>>>>>> Thank you for your interest in this work ! >>>>>>>> >>>>>>>> I would tend to agree with Lucas and think we should consider >>>>>>>> scenarios where BDP frames would be used with TLS resumption and I do not >>>>>>>> see the need for proposing another trust mechanism; But there may be >>>>>>>> scenarios I do not see ? >>>>>>>> >>>>>>>> More comments inline. >>>>>>>> >>>>>>>> Kind regards, >>>>>>>> >>>>>>>> Nico >>>>>>>> >>>>>>>> On 11/3/23 16:44, Lucas Pardue wrote: >>>>>>>> >>>>>>>> Hi folks, >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> I'm still trying to come up to speed on this spec. But when I've >>>>>>>> thought about it a little, its seemed very natural to associate the BDP >>>>>>>> frame (contents) with the TLS session. We already have a lot of text about >>>>>>>> TLS session resumption in QUIC. It feels like there is already a template >>>>>>>> design with HTTP/3 - a server sends SETTINGS to tell a client something >>>>>>>> unique about the active QUIC connection. RFC 9114 section 7.2.4.2 [1]states >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> > When a 0-RTT QUIC connection is being used, the initial value of >>>>>>>> each server setting is the value used in the previous session. Clients >>>>>>>> *SHOULD* store the settings the server provided in the HTTP/3 >>>>>>>> connection where resumption information was provided, but they >>>>>>>> *MAY* opt not to store settings in certain cases (e.g., if the >>>>>>>> session ticket is received before the SETTINGS frame). A client >>>>>>>> *MUST* comply with stored settings -- or default values if no >>>>>>>> values are stored -- when attempting 0-RTT. Once a server has provided new >>>>>>>> settings, clients *MUST* comply with those values.¶ >>>>>>>> <https://www.rfc-editor.org/rfc/rfc9114.html#section-7.2.4.2-6> >>>>>>>> >>>>>>>> So with a bit of massaging, if we can link BDP frame to session >>>>>>>> resumption. we know that it is based on a previous trust relationship. >>>>>>>> >>>>>>>> Is there any scenario where BDP frame would want to be used without >>>>>>>> TLS resumption? >>>>>>>> >>>>>>>> [NK] I agree. >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> Cheers >>>>>>>> >>>>>>>> Lucas >>>>>>>> >>>>>>>> >>>>>>>> [1] - https://www.rfc-editor.org/rfc/rfc9114.html#section-7.2.4.2-6 >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> On Thu, Nov 2, 2023 at 6:17 PM Gorry Fairhurst < >>>>>>>> gorry@erg.abdn.ac.uk> wrote: >>>>>>>> >>>>>>>> On 02/11/2023 16:43, Q Misell wrote: >>>>>>>> >>>>>>>> Hi all, >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> I've been working with Gorry (and others) on actually implementing >>>>>>>> the BDP frame extension, and further refining the draft based on experience >>>>>>>> from implementation. >>>>>>>> >>>>>>>> Q, I think I can help a little, see below, but I think there are >>>>>>>> good questions here. >>>>>>>> >>>>>>>> [NK] If the draft is not clear enough on these relevant questions, >>>>>>>> we ought to make things clearer. >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> One thing that came up that I'd like to ask the WG's opinion on is >>>>>>>> that of authentication of the BDP frame, and when it should be sent in the >>>>>>>> exchange. I've had a few thoughts on this, it'd be great to hear what >>>>>>>> others think of them, or what other suggestions people might have. >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> First, my thoughts on authentication. Do the CC parameters need to >>>>>>>> be authenticated at all? I would say "yes" as a client sending some >>>>>>>> unauthenticated CC parameters could cause a DoS of the server (or any other >>>>>>>> node along the path) by trying to send far too much data at once. >>>>>>>> >>>>>>>> The reason for the secure hash around the contents of the BDP Frame >>>>>>>> is to allow a server to know the CC params had not been modified. Of course >>>>>>>> you caould ask what sort of information contributes to that hash, to make >>>>>>>> the server confident that it can accept CC params from the client and >>>>>>>> believe that these have not been modifed? That could be important? >>>>>>>> >>>>>>>> [NK] The client should not be able to transmit unauthenticated CC >>>>>>>> parameters that are not checked / known by the server. In the current spec, >>>>>>>> the client can only send data previously received by the server. Malicious >>>>>>>> clients could try to cause a DoS on the server but that would not be >>>>>>>> specific to BDP Frame but to 0-RTT in general. >>>>>>>> >>>>>>>> Should the CC parameters be encrypted? Probably not, as a client >>>>>>>> which is aware of a major decrease in available capacity could compare the >>>>>>>> new link capacity to its stored CC parameters and decide not to send them. >>>>>>>> If they're encrypted the client can't inspect what CC parameters the server >>>>>>>> thinks the link will have. >>>>>>>> >>>>>>>> Perhaps the ID ought to be clearer. The QUIC Session is of course >>>>>>>> encrypted and authenticated, so, in this respect, the BDP Frame is >>>>>>>> protected in transit along the path using TLS. >>>>>>>> >>>>>>>> The current proposal is not to additionally encrypt the CC params >>>>>>>> *within* the BDP, so that a client could read these and utlise as it sees >>>>>>>> fit. This still needs to authenticate the entire set of params, so that the >>>>>>>> server could trust them. >>>>>>>> >>>>>>>> The params include an endpoint token used by a server to represent >>>>>>>> the remote endpoint - we could have used the client IP source address for >>>>>>>> this if the client had an invariant public IP source address. That's not >>>>>>>> so common with IPv6 or the use of IPv4 NAPT - so the server has to find a >>>>>>>> way to represent it's view of the client as the endpoint token. There could >>>>>>>> be possibilities to do this quite differently. >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> How should they be authenticated? There are a few options I can see >>>>>>>> here, and I'm unsure which is best: >>>>>>>> >>>>>>>> (1) Authenticated with the TLS certificate >>>>>>>> >>>>>>>> (2) Authenticated with some other asymmetric key >>>>>>>> >>>>>>>> (3) Authenticated using some symmetric key known only to the server >>>>>>>> >>>>>>>> (4) Same as 3 but with a key identifier >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> Options 1 and 2 allow the client to verify the authentication over >>>>>>>> the CC parameters, but this doesn't seem to be of much use to me. Option 1 >>>>>>>> additionally sets a time limit on use of stored CC parameters, as the TLS >>>>>>>> certificate will eventually expire. This doesn't seem to me to be much of >>>>>>>> an issue. A new connection far into the future (say 1-2 months) would >>>>>>>> almost certainly have different CC parameters anyway. >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> Option 3 seems the best to me. It would allow one key to be shared >>>>>>>> across an array of anycast servers, without sharing other keying material >>>>>>>> that might be used to protect more sensitive parts of the connection. >>>>>>>> Option 4 additionally expands on this by allowing key rotation without >>>>>>>> immediately invalidating all current stored CC parameters. >>>>>>>> >>>>>>>> So, if this is about how to construct the secure hash, irt seems >>>>>>>> like an interesting topic to find out more, I'd agree. >>>>>>>> >>>>>>>> [NK] We may not specify how to compute the secure hash but that >>>>>>>> could be interesting discussions if you think the draft needs to be more >>>>>>>> specific on this. IMHO the client does not need to know how the secure hash >>>>>>>> is compute and thus not sure we need interoperability. >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> When should the BDP frame be sent? There are two places I can see >>>>>>>> BDP frames being useful to send: >>>>>>>> >>>>>>>> (1) After initial frames but before crypto frames >>>>>>>> >>>>>>>> (2) After crypto frames and before application data >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> Option 1 allows for the previously calculated CC parameters to be >>>>>>>> used for the sometimes quite large TLS handshake, but also precludes >>>>>>>> options 1 and 2 for authentication. Option 2 allows for greater flexibility >>>>>>>> in authentication, and also makes the BDP frame encrypted in transit. I'm >>>>>>>> unsure what the privacy implications of an unencrypted BDP frame are, so if >>>>>>>> anyone can come up with a reason CC data shouldn't be observable to an >>>>>>>> intermediary that would be greatly appreciated. >>>>>>>> >>>>>>>> :-) >>>>>>>> >>>>>>>> [NK] Do we need to specify this in the draft or should this be let >>>>>>>> to implementers to define the most relevant approach (w.r.t. frame >>>>>>>> scheduling to format QUIC packets). >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> Looking forward to hearing your thoughts. >>>>>>>> >>>>>>>> [NK] Thank you for your comments ! >>>>>>>> >>>>>>>> Cheers, >>>>>>>> >>>>>>>> Q Misell >>>>>>>> >>>>>>>> Gorry >>>>>>>> >>>>>>>> ------------------------------ >>>>>>>> >>>>>>>> Any statements contained in this email are personal to the author >>>>>>>> and are not necessarily the statements of the company unless specifically >>>>>>>> stated. AS207960 Cyfyngedig, having a registered office at 13 Pen-y-lan >>>>>>>> Terrace, Caerdydd, Cymru, CF23 9EU, trading as Glauca Digital, is a company >>>>>>>> registered in Wales under № 12417574 >>>>>>>> <https://find-and-update.company-information.service.gov.uk/company/12417574>, >>>>>>>> LEI 875500FXNCJPAPF3PD10. ICO register №: ZA782876 >>>>>>>> <https://ico.org.uk/ESDWebPages/Entry/ZA782876>. UK VAT №: >>>>>>>> GB378323867. EU VAT №: EU372013983. Turkish VAT №: 0861333524. South Korean >>>>>>>> VAT №: 522-80-03080. AS207960 Ewrop OÜ, having a registered office at >>>>>>>> Lääne-Viru maakond, Tapa vald, Porkuni küla, Lossi tn 1, 46001, trading as >>>>>>>> Glauca Digital, is a company registered in Estonia under № 16755226. >>>>>>>> Estonian VAT №: EE102625532. Glauca Digital and the Glauca logo are >>>>>>>> registered trademarks in the UK, under № UK00003718474 and № UK00003718468, >>>>>>>> respectively. >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> ____________________________________________________________________________________________________________ >>>>>>>> >>>>>>>> Ce message et ses pieces jointes peuvent contenir des informations confidentielles ou privilegiees et ne doivent donc >>>>>>>> >>>>>>>> pas etre diffuses, exploites ou copies sans autorisation. Si vous avez recu ce message par erreur, veuillez le signaler >>>>>>>> >>>>>>>> a l'expediteur et le detruire ainsi que les pieces jointes. Les messages electroniques etant susceptibles d'alteration, >>>>>>>> >>>>>>>> Orange decline toute responsabilite si ce message a ete altere, deforme ou falsifie. Merci. >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> This message and its attachments may contain confidential or privileged information that may be protected by law; >>>>>>>> >>>>>>>> they should not be distributed, used or copied without authorisation. >>>>>>>> >>>>>>>> If you have received this email in error, please notify the sender and delete this message and its attachments. >>>>>>>> >>>>>>>> As emails may be altered, Orange is not liable for messages that have been modified, changed or falsified. >>>>>>>> >>>>>>>> Thank you. >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> ____________________________________________________________________________________________________________ >>>>>>>> Ce message et ses pieces jointes peuvent contenir des informations confidentielles ou privilegiees et ne doivent donc >>>>>>>> pas etre diffuses, exploites ou copies sans autorisation. Si vous avez recu ce message par erreur, veuillez le signaler >>>>>>>> a l'expediteur et le detruire ainsi que les pieces jointes. Les messages electroniques etant susceptibles d'alteration, >>>>>>>> Orange decline toute responsabilite si ce message a ete altere, deforme ou falsifie. Merci. >>>>>>>> >>>>>>>> This message and its attachments may contain confidential or privileged information that may be protected by law; >>>>>>>> they should not be distributed, used or copied without authorisation. >>>>>>>> If you have received this email in error, please notify the sender and delete this message and its attachments. >>>>>>>> As emails may be altered, Orange is not liable for messages that have been modified, changed or falsified. >>>>>>>> Thank you. >>>>>>>> >>>>>>>> >>>>>>> >>>>>>> -- >>>>>>> Kazuho Oku >>>>>>> >>>>>> >>>>>> >>>> >>>> -- >>>> Kazuho Oku >>>> >>>> >>>> >>> >>> -- >>> Kazuho Oku >>> >>> >>> >> >> -- >> Kazuho Oku >> >
- Authentication in draft-kuhn-quic-bdpframe-extens… Q Misell
- Re: Authentication in draft-kuhn-quic-bdpframe-ex… Gorry Fairhurst
- Re: Authentication in draft-kuhn-quic-bdpframe-ex… Lucas Pardue
- Re: Authentication in draft-kuhn-quic-bdpframe-ex… Nicolas Kuhn
- RE: Authentication in draft-kuhn-quic-bdpframe-ex… emile.stephan
- Re: Authentication in draft-kuhn-quic-bdpframe-ex… Gorry Fairhurst
- RE: Authentication in draft-kuhn-quic-bdpframe-ex… emile.stephan
- Re: Authentication in draft-kuhn-quic-bdpframe-ex… Kazuho Oku
- Re: Authentication in draft-kuhn-quic-bdpframe-ex… Marten Seemann
- Re: Authentication in draft-kuhn-quic-bdpframe-ex… Nicolas Kuhn
- Re: Authentication in draft-kuhn-quic-bdpframe-ex… Gorry Fairhurst
- Re: Authentication in draft-kuhn-quic-bdpframe-ex… Marten Seemann
- Re: Authentication in draft-kuhn-quic-bdpframe-ex… Kazuho Oku
- Re: Authentication in draft-kuhn-quic-bdpframe-ex… Christian Huitema
- Re: Authentication in draft-kuhn-quic-bdpframe-ex… Watson Ladd
- Re: Authentication in draft-kuhn-quic-bdpframe-ex… Christian Huitema
- Re: Authentication in draft-kuhn-quic-bdpframe-ex… Gorry Fairhurst
- Re: Authentication in draft-kuhn-quic-bdpframe-ex… Martin Thomson
- Re: Authentication in draft-kuhn-quic-bdpframe-ex… Kazuho Oku
- Re: Authentication in draft-kuhn-quic-bdpframe-ex… Gorry Fairhurst
- Re: Authentication in draft-kuhn-quic-bdpframe-ex… Lucas Pardue
- Re: Authentication in draft-kuhn-quic-bdpframe-ex… Kazuho Oku
- Re: Authentication in draft-kuhn-quic-bdpframe-ex… Q Misell
- Re: Authentication in draft-kuhn-quic-bdpframe-ex… Gorry Fairhurst
- Re: Authentication in draft-kuhn-quic-bdpframe-ex… Q Misell
- Re: Authentication in draft-kuhn-quic-bdpframe-ex… Gorry Fairhurst