Re: New Version Notification for draft-duke-quic-v2-00.txt
Martin Duke <martin.h.duke@gmail.com> Mon, 26 April 2021 18:34 UTC
Return-Path: <martin.h.duke@gmail.com>
X-Original-To: quic@ietfa.amsl.com
Delivered-To: quic@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5776E3A2C1D for <quic@ietfa.amsl.com>; Mon, 26 Apr 2021 11:34:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HuLVPmC-ghaL for <quic@ietfa.amsl.com>; Mon, 26 Apr 2021 11:34:33 -0700 (PDT)
Received: from mail-io1-xd31.google.com (mail-io1-xd31.google.com [IPv6:2607:f8b0:4864:20::d31]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EDD7F3A2C1F for <quic@ietf.org>; Mon, 26 Apr 2021 11:34:32 -0700 (PDT)
Received: by mail-io1-xd31.google.com with SMTP id l21so13787641iob.1 for <quic@ietf.org>; Mon, 26 Apr 2021 11:34:32 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=6JCeEb+p2tlNjmEpBa6+gea1N4pJREAtb5yuWYCCdXU=; b=rTxr36soeJ99nM6XJySj/ISRiQsyxWmb1ICz3EsFepdwTKeNMX5+Fe53/+O7jMq5CM tf2xzbvNu8elVbH9kY4zZBEzhL7teLU7LObMC1Wt9oxxAdLdfZhlDixlRco3gIo2Hv/B alikkDJ1pVHK9p9BijakFEuvNsmAsxXgEa8MNl5bWRuF4knZoGLXvYiQvh3Va8imrXH5 0VflnKFhvR1s+Ptvtq3PgfjGSnNxd1aSaxqRjct/qAqYvJnz1eUkrO/p06TEx83TWnta s1o4pgMiLJ4UX0Rx4gxZpFZzeLYHaQWEfmttR2psZ55KGDt+8bLgURZfrQaR2HziHsXH 68TA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=6JCeEb+p2tlNjmEpBa6+gea1N4pJREAtb5yuWYCCdXU=; b=Hn6cROHCRCOaM6wHWn8vG1Omv6kkSmvWbrLF2Mp5swEsRMfMCh7YrCdAD8apTJMn9a 0ZDVqQBiFOhKFPVh+QhNh+ZGK+4xwTJSl0L1Cm90uGCxWHetRlV0ZltuxJJobF+CmsHU HaRh1v0i2CxFb823vBES7c5ECtfjchFtMWLK1iJTqkOWTOLi9KdkFM8nvCVh94wBLPLv RBQoZLUPvhYyptIxHREBRAHbiB2ubW0esM5xW7it5czri9OTbL+zKizJKJXsTmtwnpM6 PlgTp/KXLs7yvDZEAULFxjxiuo0ELhRhHfDUjytYaZSlrco2pNvXdaUKe3pE1oGCpqSe r/bg==
X-Gm-Message-State: AOAM530qg6K3CC6E3dU4dDIYB6hOLt1e2f/hLCrq1W6Gt8GFLY39MiDq ctjmwQagqfRXHr07E91Gk3Vp7TdPtD7bjJwcyUE=
X-Google-Smtp-Source: ABdhPJzl2Jvarji4eo+e1EkW5tHrEE2QApzhG0spUVfmAtCi72FhKpBtf8BGWE6EGqb+iUzhY33tCOxl40qoxCJLDmI=
X-Received: by 2002:a05:6638:bcb:: with SMTP id g11mr17919629jad.144.1619462070761; Mon, 26 Apr 2021 11:34:30 -0700 (PDT)
MIME-Version: 1.0
References: <161911211931.14837.5258716888014139826@ietfa.amsl.com> <CAM4esxQqjy6WC_6xo8c27qX_CFoyrGW=CMc-od-pmijkuptOCw@mail.gmail.com> <CALGR9oYewRHFgKYm8eyxQyB=HU7afsm2XFR3YPGW4RD6bQYysQ@mail.gmail.com> <CAM4esxQes0NBv3_o8LqH7ozrg1_i_VMpzS30c-MyNtHg6n6vRQ@mail.gmail.com> <CAOYVs2pgJmtetCifvtT_9MQes9f57w9=oCdNLGFHcTGJSU1OTQ@mail.gmail.com> <CAM4esxRPbBLV2VaeQMmQ2eCaCYQa3a=ATxMYRZm4WEE813EpYQ@mail.gmail.com> <5aa938d7-609a-f931-bc6f-8e06eb2c881b@huitema.net> <74ca240c-d7c2-dd81-557b-71b35d979e44@huitema.net>
In-Reply-To: <74ca240c-d7c2-dd81-557b-71b35d979e44@huitema.net>
From: Martin Duke <martin.h.duke@gmail.com>
Date: Mon, 26 Apr 2021 11:34:24 -0700
Message-ID: <CAM4esxQBfjFrce4dePCecHuY1fgT7d4-DGUpT6+iXwWjwQotuw@mail.gmail.com>
Subject: Re: New Version Notification for draft-duke-quic-v2-00.txt
To: Christian Huitema <huitema@huitema.net>
Cc: Marten Seemann <martenseemann@gmail.com>, IETF QUIC WG <quic@ietf.org>, Lucas Pardue <lucaspardue.24.7@gmail.com>
Content-Type: multipart/alternative; boundary="000000000000747ada05c0e465ea"
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic/oFu8TpCjLxB8amM2mBB4HU2xO6k>
X-BeenThere: quic@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Main mailing list of the IETF QUIC working group <quic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic>, <mailto:quic-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic/>
List-Post: <mailto:quic@ietf.org>
List-Help: <mailto:quic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic>, <mailto:quic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 26 Apr 2021 18:34:37 -0000
Hi Christian, I'm in the process of changing the Retry Integrity tag, as you suggest. Question for you: would it be best to change the HKDF labels to get total key separation between v2 and v1? That seems cleaner but I don't want to create too much additional work for you. Martin On Sat, Apr 24, 2021 at 9:10 PM Christian Huitema <huitema@huitema.net> wrote: > I just implemented in picoquic the compatible version negotiation > defined in https://github.com/quicwg/version-negotiation/, using > Martin's draft V2 version as a test case. The unit tests validate a > negotiated update from v=0x00000001 to v=0xff010000. For those who like > to look at code, the picoquic PR is at > https://github.com/private-octopus/picoquic/pull/1202. I found a few > issues when doing that implementation: > > 1) The server fills the version_negotiation TP with the negotiated > version and the complete list of supported version. The client checks > that the negotiated version is being used, but ignores the list of > supported versions. Do we really need to transmit that? The is already > an issue for that, https://github.com/quicwg/version-negotiation/issues/19 > . > > 2) In case of incompatible upgrades, the client sends the original > version and the list of versions proposed in the VN. The server checks > the original version to detect a downgrade attack, but just ignores the > list of versions proposed in the VN. That's me being lazy. I suspect I > won't be the only lazy one. Issue > https://github.com/quicwg/version-negotiation/issues/35 > > 3) Synchronization is hard. The server knows the negotiated version at > the end of the client first flight. My implementation assume that the > server uses this negotiated version for its own first flight. The client > monitors the incoming version numbers; if it sees a change to the > compatible version, it upgrade its own context, starts using the new > version, then validates that upgrade when receiving the server's TP. > This gets more complicated if we consider packet losses, issue: > https://github.com/quicwg/version-negotiation/issues/39. > > I also think that we need to rethink the protection against spoofed > incompatible versions. The client signals its current version, the > original version, and a list of compatible versions. Admittedly, the > client prefers the compatible versions to both the current and original > version, so if the server negotiates a compatible version life is good > and there is no point worrying about downgrades. If there is no > compatible version and the server supports the original version, it > could negotiate that too, which would largely mitigate the downgrade > attack. Why exactly do we insist on tearing down the connection? > > -- Christian Huitema > > On 4/23/2021 12:38 PM, Christian Huitema wrote: > > Martin, > > > > For V1, we had a rule that the version "0x00000001" would only be used > > after we had finalized the RFC. Before that, drafts would define > > versions such as "0xFF00001D" for draft 29. Should you not follow a > > similar mechansim, and define something like version "0xFF0100nn" for > > the draft-nn of the V2 spec? > > > > -- Christian Huitema > > > > On 4/23/2021 8:44 AM, Martin Duke wrote: > >> Hi Marten, > >> > >> I believe everything you say is true, but to me the main intent of > >> the v2 > >> draft is in fact to exercise VN. > >> > >> On Fri, Apr 23, 2021 at 5:29 AM Marten Seemann <martenseemann@gmail.com > > > >> wrote: > >> > >>> Hi Martin, > >>> > >>> Thanks for writing this up. If there's interest in deploying v1 and > >>> v2 at > >>> the same time, we could scratch the requirement to implement the > >>> version > >>> negotiation draft. This would open us up to version "downgrade" > >>> attacks, > >>> but given that the two versions have identical security properties (by > >>> design), do we actually care? > >>> > >>> On the other hand, I'm not sure if deploying v2 right now would > >>> actually > >>> help prevent ossification. Middleboxes are already used to seeing > >>> multiple > >>> QUIC versions on the wire, since we have quite broad deployment of > >>> draft > >>> versions, and some people controlling both endpoints are even using > >>> private > >>> version numbers. One might argue that the one thing that will actually > >>> prevent ossification won't be shipping one v2, but only proper > >>> greasing of > >>> the field, e.g. by implementing some variant of your version alias > >>> draft. > >>> > >>> Regards, > >>> Marten > >>> > >>> On Fri, Apr 23, 2021 at 1:22 AM Martin Duke <martin.h.duke@gmail.com> > >>> wrote: > >>> > >>>> Hi Lucas, > >>>> > >>>> That's a great question that I hadn't considered. > >>>> > >>>> The answer depends on what the WG does with the scope of this, and > >>>> how VN > >>>> evolves. > >>>> > >>>> 1. If it turns out there are some useful v1 patches we want to land > >>>> here, > >>>> then there will be some churn. > >>>> 2. The VN design is baked into v2, and that is not stable yet. > >>>> While "v2" > >>>> might never change, an implementation that advertises v2 may in fact > >>>> instantiate non-interoperable VN designs that should not be > >>>> aggregated into > >>>> a single version codepoint (though I'd have to think through how to > >>>> negotiate through mutating VN designs; I have probably made a > >>>> conceptual > >>>> error here). In fact this draft is probably a necessary component > >>>> to doing > >>>> proper implementation and testing of compatible VN (unless people > >>>> keep the > >>>> draft versions around). > >>>> > >>>> IMO if this gets to the point of implementation, it would be wise > >>>> to use > >>>> experimental versions until it progresses to RFC. I filed an issue > >>>> to fix > >>>> this: https://github.com/martinduke/draft-duke-quic-v2/issues/1 > >>>> > >>>> Thanks, > >>>> Martin > >>>> > >>>> On Thu, Apr 22, 2021 at 11:07 AM Lucas Pardue > >>>> <lucaspardue.24.7@gmail.com> > >>>> wrote: > >>>> > >>>>> Hi Martin, > >>>>> > >>>>> Thanks for writing this up. > >>>>> > >>>>> Speaking as an individual, I have some naive questions. Is this > >>>>> document > >>>>> so trivial that it would never change between revisions? Or is > >>>>> there a risk > >>>>> that something like initial salt in there might need to rev? To > >>>>> rephrase, > >>>>> would the document be better off starting with a different QUIC > >>>>> version > >>>>> value before interoperability discovers a problem and we've blown > >>>>> that code > >>>>> point? We can always develop such a document with a target code > >>>>> point in > >>>>> mind for use if the doc were to get adopted and run through all > >>>>> due process. > >>>>> > >>>>> Cheers > >>>>> Lucas > >>>>> > >>>>> On Thu, Apr 22, 2021 at 6:52 PM Martin Duke <martin.h.duke@gmail.com > > > >>>>> wrote: > >>>>> > >>>>>> Hello QUIC, > >>>>>> > >>>>>> I believe it was MT that threatened to do this a long time ago, > >>>>>> but to > >>>>>> work through compatible version negotiation I wrote up a trivial > >>>>>> QUICv2 > >>>>>> (below) that just changes the initial salts. This caused me to > >>>>>> figure out a > >>>>>> couple of things about VN that may have been obvious to others > >>>>>> but not to > >>>>>> me. > >>>>>> > >>>>>> TL;DR we made the right decision to keep both in the draft. > >>>>>> > >>>>>> 1. One very possible world is one where firewalls ossify on > >>>>>> expecting > >>>>>> v1 in the first packet, but don't care about subsequent packets. > >>>>>> Compatible > >>>>>> VN is well-designed for this world, as Client Initials (and 0RTT, > >>>>>> sadly) > >>>>>> can be v1 essentially forever and subsequent packets can be > >>>>>> whatever we > >>>>>> want. > >>>>>> > >>>>>> 2. If all versions are compatible, choice of VN method is > >>>>>> essentially > >>>>>> up to the client, but not quite deterministically: it can pick > >>>>>> either a > >>>>>> likely supported version or an unlikely one. If unlikely, the > >>>>>> server will > >>>>>> either accept it or send a VN. If likely, the server MUST use > >>>>>> compatible VN > >>>>>> to change the version, since it can't send a VN packet that > >>>>>> contains the > >>>>>> initial version unless it doesn't have full support for it. > >>>>>> > >>>>>> Anyway, this v2 draft is available for your consideration if people > >>>>>> want to quickly iterate a new version, and/or we need a vehicle > >>>>>> for fixes > >>>>>> to v1. > >>>>>> > >>>>>> Thanks > >>>>>> Martin > >>>>>> > >>>>>> > >>>>>> ---------- Forwarded message --------- > >>>>>> From: <internet-drafts@ietf.org> > >>>>>> Date: Thu, Apr 22, 2021 at 10:22 AM > >>>>>> Subject: New Version Notification for draft-duke-quic-v2-00.txt > >>>>>> To: Martin Duke <martin.h.duke@gmail.com> > >>>>>> > >>>>>> > >>>>>> > >>>>>> A new version of I-D, draft-duke-quic-v2-00.txt > >>>>>> has been successfully submitted by Martin Duke and posted to the > >>>>>> IETF repository. > >>>>>> > >>>>>> Name: draft-duke-quic-v2 > >>>>>> Revision: 00 > >>>>>> Title: QUIC Version 2 > >>>>>> Document date: 2021-04-22 > >>>>>> Group: Individual Submission > >>>>>> Pages: 5 > >>>>>> URL: > >>>>>> https://www.ietf.org/archive/id/draft-duke-quic-v2-00.txt > >>>>>> Status: https://datatracker.ietf.org/doc/draft-duke-quic-v2/ > >>>>>> Html: > >>>>>> https://www.ietf.org/archive/id/draft-duke-quic-v2-00.html > >>>>>> Htmlized: https://tools.ietf.org/html/draft-duke-quic-v2-00 > >>>>>> > >>>>>> > >>>>>> Abstract: > >>>>>> This document specifies QUIC version 2, which is identical to > >>>>>> QUIC > >>>>>> version 1 except for some trivial details. > Its purpose is to > >>>>>> combat > >>>>>> various ossification vectors and exercise the version > >>>>>> negotiation > >>>>>> framework. Over time, it may also serve as a vehicle for needed > >>>>>> protocol design changes. > >>>>>> > >>>>>> Discussion of this work is encouraged to happen > on the QUIC IETF > >>>>>> mailing list quic@ietf.org or on the GitHub repository which > >>>>>> contains > >>>>>> the draft: https://github.com/martinduke/draft-duke-quic-v2. > >>>>>> > >>>>>> > >>>>>> > >>>>>> > >>>>>> Please note that it may take a couple of minutes from the time of > >>>>>> submission > >>>>>> until the htmlized version and diff are available at tools.ietf.org > . > >>>>>> > >>>>>> The IETF Secretariat > >>>>>> > >>>>>> > >>>>>> > > > >
- Fwd: New Version Notification for draft-duke-quic… Martin Duke
- Re: New Version Notification for draft-duke-quic-… Lucas Pardue
- Re: New Version Notification for draft-duke-quic-… Martin Duke
- Re: New Version Notification for draft-duke-quic-… Marten Seemann
- Re: New Version Notification for draft-duke-quic-… Martin Duke
- Re: New Version Notification for draft-duke-quic-… Christian Huitema
- Re: New Version Notification for draft-duke-quic-… Christian Huitema
- Re: New Version Notification for draft-duke-quic-… Martin Duke
- Re: Fwd: New Version Notification for draft-duke-… Martin Thomson
- Re: Fwd: New Version Notification for draft-duke-… Martin Duke