Re: Authentication in draft-kuhn-quic-bdpframe-extension
Gorry Fairhurst <gorry@erg.abdn.ac.uk> Mon, 06 November 2023 09:08 UTC
Return-Path: <gorry@erg.abdn.ac.uk>
X-Original-To: quic@ietfa.amsl.com
Delivered-To: quic@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 66DE3C1FB875 for <quic@ietfa.amsl.com>; Mon, 6 Nov 2023 01:08:45 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.905
X-Spam-Level:
X-Spam-Status: No, score=-1.905 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Vv83Bdn0dHYe for <quic@ietfa.amsl.com>; Mon, 6 Nov 2023 01:08:41 -0800 (PST)
Received: from pegasus.erg.abdn.ac.uk (pegasus.erg.abdn.ac.uk [IPv6:2001:630:42:150::2]) by ietfa.amsl.com (Postfix) with ESMTP id BF686C1B0308 for <quic@ietf.org>; Mon, 6 Nov 2023 01:08:40 -0800 (PST)
Received: from [172.31.97.54] (unknown [185.249.113.199]) by pegasus.erg.abdn.ac.uk (Postfix) with ESMTPSA id 0D93E1B0019A; Mon, 6 Nov 2023 09:08:31 +0000 (GMT)
Content-Type: multipart/alternative; boundary="------------LFghgFLRuMufcmNhIT56yTXP"
Message-ID: <80e7607e-f354-40d4-9346-6bdb798b5ad2@erg.abdn.ac.uk>
Date: Mon, 06 Nov 2023 09:08:30 +0000
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
Subject: Re: Authentication in draft-kuhn-quic-bdpframe-extension
Content-Language: en-GB
To: Kazuho Oku <kazuhooku@gmail.com>, Marten Seemann <martenseemann@gmail.com>
Cc: emile.stephan@orange.com, Nicolas Kuhn <nicolas.kuhn.ietf@gmail.com>, "quic@ietf.org" <quic@ietf.org>
References: <CAMEWqGsGCEhC97Yt-r9YBwGCPxH6+OGj7GfTmomMDJBD6S_ZBQ@mail.gmail.com> <a7d79746-59b3-4dd5-ad74-2810ac685ec5@erg.abdn.ac.uk> <CALGR9oZRReig2_dEsbtx+ODKoaZTkKp6C5gcQZVPd_gnnWbX1Q@mail.gmail.com> <edb12370-dcba-49d7-9b2a-72660e059513@gmail.com> <18cef84568cc444f95bd8c2bc13e81b1@orange.com> <1ed18563-6de2-4d62-b6f7-b525ef6c1360@erg.abdn.ac.uk> <4f02fdee6cbf4c7aae472f2f0c177cc0@orange.com> <CANatvzzU_8OZuG7MS8dQAcyv0DSj9YegOsG3a6LifjqRncdHbQ@mail.gmail.com> <CAOYVs2o6emJ2FwtsDd83oi2L3T5rK2nB=3MUe82sFPOrtkcE_Q@mail.gmail.com> <b9229510-6c05-4f21-8b07-ea9036dea30a@erg.abdn.ac.uk> <CAOYVs2os7=AVXwp2X2dW43zJzMh8JZ9Wy6WHZWBFi3uUFEZF6g@mail.gmail.com> <CANatvzyVhMO3Zn9pt5sWGOFBbevRSSp1+8QiK+Uvs061trbuaw@mail.gmail.com>
From: Gorry Fairhurst <gorry@erg.abdn.ac.uk>
Organization: UNIVERSITY OF ABERDEEN
In-Reply-To: <CANatvzyVhMO3Zn9pt5sWGOFBbevRSSp1+8QiK+Uvs061trbuaw@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic/ogbwb9QKo4tNudghWPA-f1-mF0Q>
X-BeenThere: quic@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Main mailing list of the IETF QUIC working group <quic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic>, <mailto:quic-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic/>
List-Post: <mailto:quic@ietf.org>
List-Help: <mailto:quic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic>, <mailto:quic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 06 Nov 2023 09:08:45 -0000
On 05/11/2023 15:49, Kazuho Oku wrote: > > > 2023年11月5日(日) 16:41 Marten Seemann <martenseemann@gmail.com>: > > > On different CC's: the set of parameters exchanged are fairly > generic, and I think it's very likely a client will use the same > CC to talk to the same server when it next resumes a session, so I > am unsure i share the concern about different CCs. > > Gorry, I might be misreading the draft, but in my understanding > the BDP_FRAME frame is used by servers to offload state to the > client, not the other way around, so your argument should be that > the server will use the same CC on the original and the resumed > connection. The client might also remember CC parameters, but they > wouldn't be sent on the wire. > My argument here is twofold: If this frame is supposed to be read > and acted upon by the client, you now have to deal with the > situation where client and server use different CCs, which will > lead to problems if server and client don't use the same CC. On > the other hand, if the frame is not supposed to be acted upon by > the client, there's no reason to use a frame in the first place, > as servers can just unilaterally decide to put the information > into the token. > > > FWIW, in case of quicly I'm not sure we'd want to use CWND and current > RTT to calculate the jump CWND. > > That is because quicly has a delivery rate estimate based on ACK clock > that gives us a better estimation of the available bandwidth; we'd > prefer using that and the min RTT. Sure. This makes this interesting, and I know that ACK'ed rate can have advantages. > > As such, I'm not sure if having a standard definition of a BDP frame > would help server implementers. I don't agree (yet?) The CC params that are used are to characterise the path, and have two roles - to enable "reconnaisance" in CR and to decide upon the unvalidate jump size. This needs at least a saved RTT value and a rate/window. While I agree using rate is different to cwnd, for this specific purpose, isn't it possible to simply used saved cwnd = rate*RTT? II think we might be able to agree on parameters for this specific use. > > To paraphrase, I think the question is if there is an appetite for the > WG to define a frame solely for communicating the estimate of the > unvalidated phase *to the client,* and if sending that at the end of > the previous connection is the best way to do so. Good questions. Gorry > > > > On Sun, 5 Nov 2023 at 15:32, Gorry Fairhurst > <gorry@erg.abdn.ac.uk> wrote: > > On 05/11/2023 10:04, Marten Seemann wrote: >> In the design of RFC 9000, frames are used to communicate >> information between two endpoints. This is not what the >> BDP_FRAME frame does: It's only saved by the client and >> echoed back to the server on a later connection. It is >> questionable to me if the client’s ability to inspect (but >> not modify) the contents of the frame provides a lot of >> value: Congestion controllers are inherently >> endpoint-specific, and (for example) reusing the parameters >> of an L4S CC with a Cubic CC, and vice versa, doesn't sound >> like a good idea. > > That's not what the ID says. > > On different CC's: the set of parameters exchanged are fairly > generic, and I think it's very likely a client will use the > same CC to talk to the same server when it next resumes a > session, so I am unsure i share the concern about different CCs. > > Section 1.2 of the ID speaks about the possibility to share > the infromation with the application... which might be > important to tuning the use of the token (choosing which > connection ought to use the Careful-Resume), and ensuring > appropriate polices are used for flow-credit, choosing content > encoding appropriate to rate, etc. > >> >> As Kazuho pointed out, RFC 9000 already contains the concept >> of a resumption token. > I'd like to understand more what that is. >> Tokens are opaque, so servers can encode whatever information >> they want into the token. Resumption tokens are used to >> validate the client’s IP address, so they’re inherently bound >> to the path. This is pretty much exactly the property that >> you’d want for resuming CC parameters. Apart from that, using >> tokens has multiple other advantages as well: >> 1. We don’t need interoperability between implementations >> here. The client is resuming the connection with the same >> server (or a different server in the same deployment), so it >> doesn’t matter how the information is encoded. > I like that. >> 2. Depending on their CC, servers might want to encode a >> different set of parameters. This is possible when using a >> token, whereas the BDP_FRAME frame limits us to the few >> fields defined in the draft. > Good - but I do expect that a BDP_FRAME could be made extensible. >> 3. The BDP_FRAME frame can only be sent in 0-RTT packets (if >> I understand correctly, I'm very confused by the phrasing of >> section 4), so it can’t be used for non-0-RTT session resumption. > I think that depends a little on how we decide to finally > transport the parms - we're open to changing this. >> 4. Obviously, using the token doesn’t require clients to be >> aware that this is going on, so it will work with every QUIC >> stack without any modification. > > Yes, that's nice also. > > Best wishes, > > Gorry > >> >> >> On Sun, 5 Nov 2023 at 11:14, Kazuho Oku <kazuhooku@gmail.com> >> wrote: >> >> >> >> 2023年11月4日(土) 15:44 <emile.stephan@orange.com>: >> >> BDP frame is about QUIC transport (RFC9000) >> resumption. IMO, it does not have dependencies on >> RFC9001. >> >> >> I think I tend to agree with Lucas modulo the point that >> it would make more sense to store BDP information in >> tokens issued by the QUIC servers[1] than the TLS session >> ticket. >> >> Tokens are defined in RFC 9000. The only use case being >> mandated at the moment is address validation but it is >> designed so that it can hold arbitrary data. Tokens can >> hold BDP information as well. >> >> 1: >> https://datatracker.ietf.org/doc/html/rfc9000#frame-new-token >> >> Orange Restricted >> >> *De :* Gorry Fairhurst <gorry@erg.abdn.ac.uk> >> *Envoyé :* samedi 4 novembre 2023 14:45 >> *À :* STEPHAN Emile INNOV/NET >> <emile.stephan@orange.com>; Nicolas Kuhn >> <nicolas.kuhn.ietf@gmail.com>; quic@ietf.org >> *Objet :* Re: Authentication in >> draft-kuhn-quic-bdpframe-extension >> >> On 04/11/2023 13:28, emile.stephan@orange.com wrote: >> >> Hi >> >> IMO, we are speaking of QUIC resumption not TLS. >> >> Regards >> >> Emile >> >> I think QUIC CC resumption could be a part of TLS >> resumption. Are there also cases where these could be >> different things? >> >> Gorry >> >> *De :* QUIC <quic-bounces@ietf.org> >> <mailto:quic-bounces@ietf.org> *De la part de* >> Nicolas Kuhn >> *Envoyé :* samedi 4 novembre 2023 12:43 >> *À :* quic@ietf.org >> *Objet :* Re: Authentication in >> draft-kuhn-quic-bdpframe-extension >> >> Dear all, >> >> Thank you for your interest in this work ! >> >> I would tend to agree with Lucas and think we >> should consider scenarios where BDP frames would >> be used with TLS resumption and I do not see the >> need for proposing another trust mechanism; But >> there may be scenarios I do not see ? >> >> More comments inline. >> >> Kind regards, >> >> Nico >> >> On 11/3/23 16:44, Lucas Pardue wrote: >> >> Hi folks, >> >> I'm still trying to come up to speed on this >> spec. But when I've thought about it a >> little, its seemed very natural to associate >> the BDP frame (contents) with the TLS >> session. We already have a lot of text about >> TLS session resumption in QUIC. It feels like >> there is already a template design with >> HTTP/3 - a server sends SETTINGS to tell a >> client something unique about the active QUIC >> connection. RFC 9114 section 7.2.4.2 [1]states >> >> > When a 0-RTT QUIC connection is being used, >> the initial value of each server setting is >> the value used in the previous session. >> Clients *SHOULD* store the settings the >> server provided in the HTTP/3 connection >> where resumption information was provided, >> but they *MAY* opt not to store settings in >> certain cases (e.g., if the session ticket is >> received before the SETTINGS frame). A client >> *MUST* comply with stored settings -- or >> default values if no values are stored -- >> when attempting 0-RTT. Once a server has >> provided new settings, clients *MUST* comply >> with those values.¶ >> <https://www.rfc-editor.org/rfc/rfc9114.html#section-7.2.4.2-6> >> >> So with a bit of massaging, if we can link >> BDP frame to session resumption. we know that >> it is based on a previous trust relationship. >> >> Is there any scenario where BDP frame would >> want to be used without TLS resumption? >> >> [NK] I agree. >> >> Cheers >> >> Lucas >> >> >> [1] - >> https://www.rfc-editor.org/rfc/rfc9114.html#section-7.2.4.2-6 >> >> On Thu, Nov 2, 2023 at 6:17 PM Gorry >> Fairhurst <gorry@erg.abdn.ac.uk> wrote: >> >> On 02/11/2023 16:43, Q Misell wrote: >> >> Hi all, >> >> I've been working with Gorry (and >> others) on actually implementing the >> BDP frame extension, and further >> refining the draft based on >> experience from implementation. >> >> Q, I think I can help a little, see >> below, but I think there are good >> questions here. >> >> [NK] If the draft is not clear enough on these >> relevant questions, we ought to make things clearer. >> >> One thing that came up that I'd like >> to ask the WG's opinion on is that of >> authentication of the BDP frame, and >> when it should be sent in the >> exchange. I've had a few thoughts on >> this, it'd be great to hear what >> others think of them, or what other >> suggestions people might have. >> >> First, my thoughts on authentication. >> Do the CC parameters need to be >> authenticated at all? I would say >> "yes" as a client sending some >> unauthenticated CC parameters could >> cause a DoS of the server (or any >> other node along the path) by trying >> to send far too much data at once. >> >> The reason for the secure hash around the >> contents of the BDP Frame is to allow a >> server to know the CC params had not been >> modified. Of course you caould ask what >> sort of information contributes to that >> hash, to make the server confident that >> it can accept CC params from the client >> and believe that these have not been >> modifed? That could be important? >> >> [NK] The client should not be able to transmit >> unauthenticated CC parameters that are not >> checked / known by the server. In the current >> spec, the client can only send data previously >> received by the server. Malicious clients could >> try to cause a DoS on the server but that would >> not be specific to BDP Frame but to 0-RTT in >> general. >> >> Should the CC parameters be >> encrypted? Probably not, as a client >> which is aware of a major decrease in >> available capacity could compare the >> new link capacity to its stored CC >> parameters and decide not to send >> them. If they're encrypted the client >> can't inspect what CC parameters the >> server thinks the link will have. >> >> Perhaps the ID ought to be clearer. The >> QUIC Session is of course encrypted and >> authenticated, so, in this respect, the >> BDP Frame is protected in transit along >> the path using TLS. >> >> The current proposal is not to >> additionally encrypt the CC params >> *within* the BDP, so that a client could >> read these and utlise as it sees fit. >> This still needs to authenticate the >> entire set of params, so that the server >> could trust them. >> >> The params include an endpoint token used >> by a server to represent the remote >> endpoint - we could have used the client >> IP source address for this if the client >> had an invariant public IP source >> address. That's not so common with IPv6 >> or the use of IPv4 NAPT - so the server >> has to find a way to represent it's view >> of the client as the endpoint token. >> There could be possibilities to do this >> quite differently. >> >> How should they be authenticated? >> There are a few options I can see >> here, and I'm unsure which is best: >> >> (1) Authenticated with the TLS >> certificate >> >> (2) Authenticated with some other >> asymmetric key >> >> (3) Authenticated using some >> symmetric key known only to the server >> >> (4) Same as 3 but with a key identifier >> >> Options 1 and 2 allow the client to >> verify the authentication over the CC >> parameters, but this doesn't seem to >> be of much use to me. Option 1 >> additionally sets a time limit on use >> of stored CC parameters, as the TLS >> certificate will eventually expire. >> This doesn't seem to me to be much of >> an issue. A new connection far into >> the future (say 1-2 months) would >> almost certainly have different CC >> parameters anyway. >> >> Option 3 seems the best to me. It >> would allow one key to be shared >> across an array of anycast servers, >> without sharing other keying material >> that might be used to protect more >> sensitive parts of the connection. >> Option 4 additionally expands on this >> by allowing key rotation without >> immediately invalidating all current >> stored CC parameters. >> >> So, if this is about how to construct the >> secure hash, irt seems like an >> interesting topic to find out more, I'd >> agree. >> >> [NK] We may not specify how to compute the secure >> hash but that could be interesting discussions if >> you think the draft needs to be more specific on >> this. IMHO the client does not need to know how >> the secure hash is compute and thus not sure we >> need interoperability. >> >> When should the BDP frame be sent? >> There are two places I can see BDP >> frames being useful to send: >> >> (1) After initial frames but before >> crypto frames >> >> (2) After crypto frames and before >> application data >> >> Option 1 allows for the previously >> calculated CC parameters to be used >> for the sometimes quite large TLS >> handshake, but also precludes options >> 1 and 2 for authentication. Option 2 >> allows for greater flexibility in >> authentication, and also makes the >> BDP frame encrypted in transit. I'm >> unsure what the privacy implications >> of an unencrypted BDP frame are, so >> if anyone can come up with a reason >> CC data shouldn't be observable to an >> intermediary that would be greatly >> appreciated. >> >> :-) >> >> [NK] Do we need to specify this in the draft or >> should this be let to implementers to define the >> most relevant approach (w.r.t. frame scheduling >> to format QUIC packets). >> >> Looking forward to hearing your thoughts. >> >> [NK] Thank you for your comments ! >> >> Cheers, >> >> Q Misell >> >> Gorry >> >> ------------------------------------------------------------------------ >> >> Any statements contained in this >> email are personal to the author and >> are not necessarily the statements of >> the company unless specifically >> stated. AS207960 Cyfyngedig, having a >> registered office at 13 Pen-y-lan >> Terrace, Caerdydd, Cymru, CF23 9EU, >> trading as Glauca Digital, is a >> company registered in Wales under № >> 12417574 >> <https://find-and-update.company-information.service.gov.uk/company/12417574>, >> LEI 875500FXNCJPAPF3PD10. ICO >> register №: ZA782876 >> <https://ico.org.uk/ESDWebPages/Entry/ZA782876>. >> UK VAT №: GB378323867. EU VAT №: >> EU372013983. Turkish VAT №: >> 0861333524. South Korean VAT №: >> 522-80-03080. AS207960 Ewrop OÜ, >> having a registered office at >> Lääne-Viru maakond, Tapa vald, >> Porkuni küla, Lossi tn 1, 46001, >> trading as Glauca Digital, is a >> company registered in Estonia under № >> 16755226. Estonian VAT №: >> EE102625532. Glauca Digital and the >> Glauca logo are registered trademarks >> in the UK, under № UK00003718474 and >> № UK00003718468, respectively. >> >> ____________________________________________________________________________________________________________ >> >> Ce message et ses pieces jointes peuvent contenir des informations confidentielles ou privilegiees et ne doivent donc >> >> pas etre diffuses, exploites ou copies sans autorisation. Si vous avez recu ce message par erreur, veuillez le signaler >> >> a l'expediteur et le detruire ainsi que les pieces jointes. Les messages electroniques etant susceptibles d'alteration, >> >> Orange decline toute responsabilite si ce message a ete altere, deforme ou falsifie. Merci. >> >> >> >> This message and its attachments may contain confidential or privileged information that may be protected by law; >> >> they should not be distributed, used or copied without authorisation. >> >> If you have received this email in error, please notify the sender and delete this message and its attachments. >> >> As emails may be altered, Orange is not liable for messages that have been modified, changed or falsified. >> >> Thank you. >> >> ____________________________________________________________________________________________________________ >> Ce message et ses pieces jointes peuvent contenir des informations confidentielles ou privilegiees et ne doivent donc >> pas etre diffuses, exploites ou copies sans autorisation. Si vous avez recu ce message par erreur, veuillez le signaler >> a l'expediteur et le detruire ainsi que les pieces jointes. Les messages electroniques etant susceptibles d'alteration, >> Orange decline toute responsabilite si ce message a ete altere, deforme ou falsifie. Merci. >> >> This message and its attachments may contain confidential or privileged information that may be protected by law; >> they should not be distributed, used or copied without authorisation. >> If you have received this email in error, please notify the sender and delete this message and its attachments. >> As emails may be altered, Orange is not liable for messages that have been modified, changed or falsified. >> Thank you. >> >> >> >> -- >> Kazuho Oku >> > > > > -- > Kazuho Oku
- Authentication in draft-kuhn-quic-bdpframe-extens… Q Misell
- Re: Authentication in draft-kuhn-quic-bdpframe-ex… Gorry Fairhurst
- Re: Authentication in draft-kuhn-quic-bdpframe-ex… Lucas Pardue
- Re: Authentication in draft-kuhn-quic-bdpframe-ex… Nicolas Kuhn
- RE: Authentication in draft-kuhn-quic-bdpframe-ex… emile.stephan
- Re: Authentication in draft-kuhn-quic-bdpframe-ex… Gorry Fairhurst
- RE: Authentication in draft-kuhn-quic-bdpframe-ex… emile.stephan
- Re: Authentication in draft-kuhn-quic-bdpframe-ex… Kazuho Oku
- Re: Authentication in draft-kuhn-quic-bdpframe-ex… Marten Seemann
- Re: Authentication in draft-kuhn-quic-bdpframe-ex… Nicolas Kuhn
- Re: Authentication in draft-kuhn-quic-bdpframe-ex… Gorry Fairhurst
- Re: Authentication in draft-kuhn-quic-bdpframe-ex… Marten Seemann
- Re: Authentication in draft-kuhn-quic-bdpframe-ex… Kazuho Oku
- Re: Authentication in draft-kuhn-quic-bdpframe-ex… Christian Huitema
- Re: Authentication in draft-kuhn-quic-bdpframe-ex… Watson Ladd
- Re: Authentication in draft-kuhn-quic-bdpframe-ex… Christian Huitema
- Re: Authentication in draft-kuhn-quic-bdpframe-ex… Gorry Fairhurst
- Re: Authentication in draft-kuhn-quic-bdpframe-ex… Martin Thomson
- Re: Authentication in draft-kuhn-quic-bdpframe-ex… Kazuho Oku
- Re: Authentication in draft-kuhn-quic-bdpframe-ex… Gorry Fairhurst
- Re: Authentication in draft-kuhn-quic-bdpframe-ex… Lucas Pardue
- Re: Authentication in draft-kuhn-quic-bdpframe-ex… Kazuho Oku
- Re: Authentication in draft-kuhn-quic-bdpframe-ex… Q Misell
- Re: Authentication in draft-kuhn-quic-bdpframe-ex… Gorry Fairhurst
- Re: Authentication in draft-kuhn-quic-bdpframe-ex… Q Misell
- Re: Authentication in draft-kuhn-quic-bdpframe-ex… Gorry Fairhurst