IETF Logo Mail Archive

Re: New Version Notification for draft-duke-quic-v2-00.txt

Martin Duke <martin.h.duke@gmail.com> Mon, 26 April 2021 18:34 UTC

Return-Path: <martin.h.duke@gmail.com>
X-Original-To: quic@ietfa.amsl.com
Delivered-To: quic@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5776E3A2C1D for <quic@ietfa.amsl.com>; Mon, 26 Apr 2021 11:34:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HuLVPmC-ghaL for <quic@ietfa.amsl.com>; Mon, 26 Apr 2021 11:34:33 -0700 (PDT)
Received: from mail-io1-xd31.google.com (mail-io1-xd31.google.com [IPv6:2607:f8b0:4864:20::d31]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EDD7F3A2C1F for <quic@ietf.org>; Mon, 26 Apr 2021 11:34:32 -0700 (PDT)
Received: by mail-io1-xd31.google.com with SMTP id l21so13787641iob.1 for <quic@ietf.org>; Mon, 26 Apr 2021 11:34:32 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=6JCeEb+p2tlNjmEpBa6+gea1N4pJREAtb5yuWYCCdXU=; b=rTxr36soeJ99nM6XJySj/ISRiQsyxWmb1ICz3EsFepdwTKeNMX5+Fe53/+O7jMq5CM tf2xzbvNu8elVbH9kY4zZBEzhL7teLU7LObMC1Wt9oxxAdLdfZhlDixlRco3gIo2Hv/B alikkDJ1pVHK9p9BijakFEuvNsmAsxXgEa8MNl5bWRuF4knZoGLXvYiQvh3Va8imrXH5 0VflnKFhvR1s+Ptvtq3PgfjGSnNxd1aSaxqRjct/qAqYvJnz1eUkrO/p06TEx83TWnta s1o4pgMiLJ4UX0Rx4gxZpFZzeLYHaQWEfmttR2psZ55KGDt+8bLgURZfrQaR2HziHsXH 68TA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=6JCeEb+p2tlNjmEpBa6+gea1N4pJREAtb5yuWYCCdXU=; b=Hn6cROHCRCOaM6wHWn8vG1Omv6kkSmvWbrLF2Mp5swEsRMfMCh7YrCdAD8apTJMn9a 0ZDVqQBiFOhKFPVh+QhNh+ZGK+4xwTJSl0L1Cm90uGCxWHetRlV0ZltuxJJobF+CmsHU HaRh1v0i2CxFb823vBES7c5ECtfjchFtMWLK1iJTqkOWTOLi9KdkFM8nvCVh94wBLPLv RBQoZLUPvhYyptIxHREBRAHbiB2ubW0esM5xW7it5czri9OTbL+zKizJKJXsTmtwnpM6 PlgTp/KXLs7yvDZEAULFxjxiuo0ELhRhHfDUjytYaZSlrco2pNvXdaUKe3pE1oGCpqSe r/bg==
X-Gm-Message-State: AOAM530qg6K3CC6E3dU4dDIYB6hOLt1e2f/hLCrq1W6Gt8GFLY39MiDq ctjmwQagqfRXHr07E91Gk3Vp7TdPtD7bjJwcyUE=
X-Google-Smtp-Source: ABdhPJzl2Jvarji4eo+e1EkW5tHrEE2QApzhG0spUVfmAtCi72FhKpBtf8BGWE6EGqb+iUzhY33tCOxl40qoxCJLDmI=
X-Received: by 2002:a05:6638:bcb:: with SMTP id g11mr17919629jad.144.1619462070761; Mon, 26 Apr 2021 11:34:30 -0700 (PDT)
MIME-Version: 1.0
References: <161911211931.14837.5258716888014139826@ietfa.amsl.com> <CAM4esxQqjy6WC_6xo8c27qX_CFoyrGW=CMc-od-pmijkuptOCw@mail.gmail.com> <CALGR9oYewRHFgKYm8eyxQyB=HU7afsm2XFR3YPGW4RD6bQYysQ@mail.gmail.com> <CAM4esxQes0NBv3_o8LqH7ozrg1_i_VMpzS30c-MyNtHg6n6vRQ@mail.gmail.com> <CAOYVs2pgJmtetCifvtT_9MQes9f57w9=oCdNLGFHcTGJSU1OTQ@mail.gmail.com> <CAM4esxRPbBLV2VaeQMmQ2eCaCYQa3a=ATxMYRZm4WEE813EpYQ@mail.gmail.com> <5aa938d7-609a-f931-bc6f-8e06eb2c881b@huitema.net> <74ca240c-d7c2-dd81-557b-71b35d979e44@huitema.net>
In-Reply-To: <74ca240c-d7c2-dd81-557b-71b35d979e44@huitema.net>
From: Martin Duke <martin.h.duke@gmail.com>
Date: Mon, 26 Apr 2021 11:34:24 -0700
Message-ID: <CAM4esxQBfjFrce4dePCecHuY1fgT7d4-DGUpT6+iXwWjwQotuw@mail.gmail.com>
Subject: Re: New Version Notification for draft-duke-quic-v2-00.txt
To: Christian Huitema <huitema@huitema.net>
Cc: Marten Seemann <martenseemann@gmail.com>, IETF QUIC WG <quic@ietf.org>, Lucas Pardue <lucaspardue.24.7@gmail.com>
Content-Type: multipart/alternative; boundary="000000000000747ada05c0e465ea"
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic/oFu8TpCjLxB8amM2mBB4HU2xO6k>
X-BeenThere: quic@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Main mailing list of the IETF QUIC working group <quic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic>, <mailto:quic-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic/>
List-Post: <mailto:quic@ietf.org>
List-Help: <mailto:quic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic>, <mailto:quic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 26 Apr 2021 18:34:37 -0000

Hi Christian,

I'm in the process of changing the Retry Integrity tag, as you suggest.

Question for you: would it be best to change the HKDF labels to get total
key separation between v2 and v1? That seems cleaner but I don't want to
create too much additional work for you.

Martin

On Sat, Apr 24, 2021 at 9:10 PM Christian Huitema <huitema@huitema.net>
wrote:

> I just implemented in picoquic the compatible version negotiation
> defined in https://github.com/quicwg/version-negotiation/, using
> Martin's draft V2 version as a test case. The unit tests validate a
> negotiated update from v=0x00000001 to v=0xff010000. For those who like
> to look at code, the picoquic PR is at
> https://github.com/private-octopus/picoquic/pull/1202. I found a few
> issues when doing that implementation:
>
> 1) The server fills the version_negotiation TP with the negotiated
> version and the complete list of supported version. The client checks
> that the negotiated version is being used, but ignores the list of
> supported versions. Do we really need to transmit that? The is already
> an issue for that, https://github.com/quicwg/version-negotiation/issues/19
> .
>
> 2) In case of incompatible upgrades, the client sends the original
> version and the list of versions proposed in the VN. The server checks
> the original version to detect a downgrade attack, but just ignores the
> list of versions proposed in the VN. That's me being lazy. I suspect I
> won't be the only lazy one. Issue
> https://github.com/quicwg/version-negotiation/issues/35
>
> 3) Synchronization is hard. The server knows the negotiated version at
> the end of the client first flight. My implementation assume that the
> server uses this negotiated version for its own first flight. The client
> monitors the incoming version numbers; if it sees a change to the
> compatible version, it upgrade its own context, starts using the new
> version, then validates that upgrade when receiving the server's TP.
> This gets more complicated if we consider packet losses, issue:
> https://github.com/quicwg/version-negotiation/issues/39.
>
> I also think that we need to rethink the protection against spoofed
> incompatible versions. The client signals its current version, the
> original version, and a list of compatible versions. Admittedly, the
> client prefers the compatible versions to both the current and original
> version, so if the server negotiates a compatible version life is good
> and there is no point worrying about downgrades. If there is no
> compatible version and the server supports the original version, it
> could negotiate that too, which would largely mitigate the downgrade
> attack. Why exactly do we insist on tearing down the connection?
>
> -- Christian Huitema
>
> On 4/23/2021 12:38 PM, Christian Huitema wrote:
> > Martin,
> >
> > For V1, we had a rule that the version "0x00000001" would only be used
> > after we had finalized the RFC. Before that, drafts would define
> > versions such as "0xFF00001D" for draft 29. Should you not follow a
> > similar mechansim, and define something like version "0xFF0100nn" for
> > the draft-nn of the V2 spec?
> >
> > -- Christian Huitema
> >
> > On 4/23/2021 8:44 AM, Martin Duke wrote:
> >> Hi Marten,
> >>
> >> I believe everything you say is true, but to me the main intent of
> >> the v2
> >> draft is in fact to exercise VN.
> >>
> >> On Fri, Apr 23, 2021 at 5:29 AM Marten Seemann <martenseemann@gmail.com
> >
> >> wrote:
> >>
> >>> Hi Martin,
> >>>
> >>> Thanks for writing this up. If there's interest in deploying v1 and
> >>> v2 at
> >>> the same time, we could scratch the requirement to implement the
> >>> version
> >>> negotiation draft. This would open us up to version "downgrade"
> >>> attacks,
> >>> but given that the two versions have identical security properties (by
> >>> design), do we actually care?
> >>>
> >>> On the other hand, I'm not sure if deploying v2 right now would
> >>> actually
> >>> help prevent ossification. Middleboxes are already used to seeing
> >>> multiple
> >>> QUIC versions on the wire, since we have quite broad deployment of
> >>> draft
> >>> versions, and some people controlling both endpoints are even using
> >>> private
> >>> version numbers. One might argue that the one thing that will actually
> >>> prevent ossification won't be shipping one v2, but only proper
> >>> greasing of
> >>> the field, e.g. by implementing some variant of your version alias
> >>> draft.
> >>>
> >>> Regards,
> >>> Marten
> >>>
> >>> On Fri, Apr 23, 2021 at 1:22 AM Martin Duke <martin.h.duke@gmail.com>
> >>> wrote:
> >>>
> >>>> Hi Lucas,
> >>>>
> >>>> That's a great question that I hadn't considered.
> >>>>
> >>>> The answer depends on what the WG does with the scope of this, and
> >>>> how VN
> >>>> evolves.
> >>>>
> >>>> 1. If it turns out there are some useful v1 patches we want to land
> >>>> here,
> >>>> then there will be some churn.
> >>>> 2. The VN design is baked into v2, and that is not stable yet.
> >>>> While "v2"
> >>>> might never change, an implementation that advertises v2 may in fact
> >>>> instantiate non-interoperable VN designs that should not be
> >>>> aggregated into
> >>>> a single version codepoint (though I'd have to think through how to
> >>>> negotiate through mutating VN designs; I have probably made a
> >>>> conceptual
> >>>> error here). In fact this draft is probably a necessary component
> >>>> to doing
> >>>> proper implementation and testing of compatible VN (unless people
> >>>> keep the
> >>>> draft versions around).
> >>>>
> >>>> IMO if this gets to the point of implementation, it would be wise
> >>>> to use
> >>>> experimental versions until it progresses to RFC. I filed an issue
> >>>> to fix
> >>>> this: https://github.com/martinduke/draft-duke-quic-v2/issues/1
> >>>>
> >>>> Thanks,
> >>>> Martin
> >>>>
> >>>> On Thu, Apr 22, 2021 at 11:07 AM Lucas Pardue
> >>>> <lucaspardue.24.7@gmail.com>
> >>>> wrote:
> >>>>
> >>>>> Hi Martin,
> >>>>>
> >>>>> Thanks for writing this up.
> >>>>>
> >>>>> Speaking as an individual, I have some naive questions. Is this
> >>>>> document
> >>>>> so trivial that it would never change between revisions? Or is
> >>>>> there a risk
> >>>>> that something like initial salt in there might need to rev? To
> >>>>> rephrase,
> >>>>> would the document be better off starting with a different QUIC
> >>>>> version
> >>>>> value before interoperability discovers a problem and we've blown
> >>>>> that code
> >>>>> point? We can always develop such a document with a target code
> >>>>> point in
> >>>>> mind for use if the doc were to get adopted and run through all
> >>>>> due process.
> >>>>>
> >>>>> Cheers
> >>>>> Lucas
> >>>>>
> >>>>> On Thu, Apr 22, 2021 at 6:52 PM Martin Duke <martin.h.duke@gmail.com
> >
> >>>>> wrote:
> >>>>>
> >>>>>> Hello QUIC,
> >>>>>>
> >>>>>> I believe it was MT that threatened to do this a long time ago,
> >>>>>> but to
> >>>>>> work through compatible version negotiation I wrote up a trivial
> >>>>>> QUICv2
> >>>>>> (below) that just changes the initial salts. This caused me to
> >>>>>> figure out a
> >>>>>> couple of things about VN that may have been obvious to others
> >>>>>> but not to
> >>>>>> me.
> >>>>>>
> >>>>>> TL;DR we made the right decision to keep both in the draft.
> >>>>>>
> >>>>>> 1. One very possible world is one where firewalls ossify on
> >>>>>> expecting
> >>>>>> v1 in the first packet, but don't care about subsequent packets.
> >>>>>> Compatible
> >>>>>> VN is well-designed for this world, as Client Initials (and 0RTT,
> >>>>>> sadly)
> >>>>>> can be v1 essentially forever and subsequent packets can be
> >>>>>> whatever we
> >>>>>> want.
> >>>>>>
> >>>>>> 2. If all versions are compatible, choice of VN method is
> >>>>>> essentially
> >>>>>> up to the client, but not quite deterministically: it can pick
> >>>>>> either a
> >>>>>> likely supported version or an unlikely one. If unlikely, the
> >>>>>> server will
> >>>>>> either accept it or send a VN. If likely, the server MUST use
> >>>>>> compatible VN
> >>>>>> to change the version, since it can't send a VN packet that
> >>>>>> contains the
> >>>>>> initial version unless it doesn't have full support for it.
> >>>>>>
> >>>>>> Anyway, this v2 draft is available for your consideration if people
> >>>>>> want to quickly iterate a new version, and/or we need a vehicle
> >>>>>> for fixes
> >>>>>> to v1.
> >>>>>>
> >>>>>> Thanks
> >>>>>> Martin
> >>>>>>
> >>>>>>
> >>>>>> ---------- Forwarded message ---------
> >>>>>> From: <internet-drafts@ietf.org>
> >>>>>> Date: Thu, Apr 22, 2021 at 10:22 AM
> >>>>>> Subject: New Version Notification for draft-duke-quic-v2-00.txt
> >>>>>> To: Martin Duke <martin.h.duke@gmail.com>
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>>> A new version of I-D, draft-duke-quic-v2-00.txt
> >>>>>> has been successfully submitted by Martin Duke and posted to the
> >>>>>> IETF repository.
> >>>>>>
> >>>>>> Name:           draft-duke-quic-v2
> >>>>>> Revision:       00
> >>>>>> Title:          QUIC Version 2
> >>>>>> Document date:  2021-04-22
> >>>>>> Group:          Individual Submission
> >>>>>> Pages:          5
> >>>>>> URL:
> >>>>>> https://www.ietf.org/archive/id/draft-duke-quic-v2-00.txt
> >>>>>> Status: https://datatracker.ietf.org/doc/draft-duke-quic-v2/
> >>>>>> Html:
> >>>>>> https://www.ietf.org/archive/id/draft-duke-quic-v2-00.html
> >>>>>> Htmlized: https://tools.ietf.org/html/draft-duke-quic-v2-00
> >>>>>>
> >>>>>>
> >>>>>> Abstract:
> >>>>>>     This document specifies QUIC version 2, which is identical to
> >>>>>> QUIC
> >>>>>>     version 1 except for some trivial details.
> Its purpose is to
> >>>>>> combat
> >>>>>>     various ossification vectors and exercise the version
> >>>>>> negotiation
> >>>>>>     framework.  Over time, it may also serve as a vehicle for needed
> >>>>>>     protocol design changes.
> >>>>>>
> >>>>>>     Discussion of this work is encouraged to happen
> on the QUIC IETF
> >>>>>>     mailing list quic@ietf.org or on the GitHub repository which
> >>>>>> contains
> >>>>>>     the draft: https://github.com/martinduke/draft-duke-quic-v2.
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>>> Please note that it may take a couple of minutes from the time of
> >>>>>> submission
> >>>>>> until the htmlized version and diff are available at tools.ietf.org
> .
> >>>>>>
> >>>>>> The IETF Secretariat
> >>>>>>
> >>>>>>
> >>>>>>
> >
>
>

v2.23.0 | Report a Bug | By Email