Re: Proposal: Run QUIC over DTLS

Eric Rescorla <ekr@rtfm.com> Tue, 06 March 2018 01:59 UTC

Return-Path: <ekr@rtfm.com>
X-Original-To: quic@ietfa.amsl.com
Delivered-To: quic@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 59843126DD9 for <quic@ietfa.amsl.com>; Mon, 5 Mar 2018 17:59:30 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WoqGCsCdc1oq for <quic@ietfa.amsl.com>; Mon, 5 Mar 2018 17:59:27 -0800 (PST)
Received: from mail-qk0-x229.google.com (mail-qk0-x229.google.com [IPv6:2607:f8b0:400d:c09::229]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9447E124217 for <quic@ietf.org>; Mon, 5 Mar 2018 17:59:27 -0800 (PST)
Received: by mail-qk0-x229.google.com with SMTP id 130so23102350qkd.13 for <quic@ietf.org>; Mon, 05 Mar 2018 17:59:27 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=yk+7uNo/Q4x87OEPdInJzR2k3mYfny4kEAowbbR1B40=; b=V/82XfASIoM9oY6A/2Fii0VSiyEn0IHZLPefDPaQgXvJdPBQ7xGeaBjtq3YPPQMWf+ JoJBJQ7Ltqzz0BLDcUyMLnaYzCHKYj5+NZ1tyRu/guZuS7AWLm6DLwVa/KDB3X986hlJ PkUjTELTFG5a87w0s37ltspyxi75ghSi+d4/LBUS72rCPbkMSwd/RrwY+3inphOfgp0F Ki7iwYGQCtbraCNQJU46Kl1eEsHdy46E07WO/iGayiQofCZKQJ/3F5jJt3wJCkWAwLJ+ VG7rVwjEwk9aRlcVALOkq9wRxVK1PEtXgQU+BtFMUWy+Fhn8E0HworELG0PltL0j1Ygn q5lQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=yk+7uNo/Q4x87OEPdInJzR2k3mYfny4kEAowbbR1B40=; b=TQURQRq/7xu3sVMW33goFaNOVK847lns+f3eSDNkeI+4hr4YM8TNK/egkZDnbjhv/M fbxMCStzp7vCB+umz7dsox26JhoMUG4KH2Gfif9zB4p5PpJYFP6Z4sUt9Fc6+oteZ58U Blu2saBoVoiF1DuTIR/tcv88Osdg85lGn9ggGFxkGfc1IdKLHxgzI3+2aqgzAI7xDtRI ZrUamKq/LitHKB+y+F4/Av/k+tMwS3TrPmV5kCMDQRJ/z4uqnczN5RHTTSZf0oP2ETtl aE/Nita4qtKNaa0GC2fx/T/t31K0LX719nT1/YYYje2w9OIw0EftzhHgOYk06ve3I750 hq0g==
X-Gm-Message-State: AElRT7GoBycmnsw7krr6s1L/CB7eTT5amXBC4H1F/FGv0aO4c9K+vX/X kC/dmNQRYr72EcyTxZwsBlYAGIi4a7ZpangmbvbHW8ti
X-Google-Smtp-Source: AG47ELsPxhuXQaqR54gwrJ20zedzBUqIBMxK/Z1qVksGYD014KYPe3GWSl8LRcdYAewzAv3B+9WQpoq13x1BnKPw3Wk=
X-Received: by 10.55.118.6 with SMTP id r6mr26259963qkc.211.1520301566678; Mon, 05 Mar 2018 17:59:26 -0800 (PST)
MIME-Version: 1.0
Received: by 10.200.37.176 with HTTP; Mon, 5 Mar 2018 17:58:46 -0800 (PST)
In-Reply-To: <1F5ABFEF-64F2-4A53-A35B-DF8A4A2A4446@mnot.net>
References: <CABcZeBO9g5vnPK2aGYEUOYOkT-898Gc0-d4T=kDvxuE2Yg6kMQ@mail.gmail.com> <1F5ABFEF-64F2-4A53-A35B-DF8A4A2A4446@mnot.net>
From: Eric Rescorla <ekr@rtfm.com>
Date: Mon, 05 Mar 2018 17:58:46 -0800
Message-ID: <CABcZeBPEPuOGQZ8ZXTz0Qgcs=Lj1H21_gsPFDZC329kBMTTHPw@mail.gmail.com>
Subject: Re: Proposal: Run QUIC over DTLS
To: Mark Nottingham <mnot@mnot.net>
Cc: IETF QUIC WG <quic@ietf.org>, Lars Eggert <lars@eggert.org>
Content-Type: multipart/alternative; boundary="94eb2c062738d570470566b4cadc"
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic/r6dZd9lcoam03SWg0NxAzyiFA1I>
X-BeenThere: quic@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Main mailing list of the IETF QUIC working group <quic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic>, <mailto:quic-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic/>
List-Post: <mailto:quic@ietf.org>
List-Help: <mailto:quic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic>, <mailto:quic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 06 Mar 2018 01:59:30 -0000

On Mon, Mar 5, 2018 at 5:46 PM, Mark Nottingham <mnot@mnot.net> wrote:

> Thanks for the proposal, EKR. We'll track this as <
> https://github.com/quicwg/base-drafts/issues/1165>.
>
> Since we're trying to nail down the invariants in London (or soon
> afterwards), I'd like to figure out the WG's feelings on this pretty
> quickly.
>
> I know folks need a chance to read and digest, but it would be extremely
> helpful if we could have some initial discussion on-list now. Please focus
> on the technical merit of the proposal, clarifying questions, and
> statements of support/lack thereof.
>
> Assuming it's still a topic of interest in two weeks, we'll schedule some
> time to discuss it in London. EKR, could you please submit a presentation
> (say, max 20 minutes, plus discussion time afterwards) ASAP?
>

Willdo. It would be especially helpful to have clarifying questions soonish
so that I can either clarify them on-list, or know to hit them in the preso.

-Ekr


>
> Cheers,
>
>
> > On 6 Mar 2018, at 10:05 am, Eric Rescorla <ekr@rtfm.com> wrote:
> >
> > Hi folks,
> >
> > Sorry to be the one randomizing things again, but the asymmetric
> > conn-id thing went well, so here goes....
> >
> > TL;DR.
> > I'd like to discuss refactoring things to run QUIC over DTLS.
> >
> > DETAILS
> > When we originally designed the interaction between TLS and QUIC,
> > there seemed like a lot of advantages to embedding the crypto
> > handshake on stream 0, in particular the ability to share a common
> > reliability and congestion mechanism. However, as we've gotten further
> > along in design and implementation, it's also become clear that it's
> > archictecturally kind of crufty and this creates a bunch of problems,
> > including:
> >
> >   * Stream 0 is unencrypted at the beginning of the connection, but
> >     encrypted after the handshake completes, and you still need
> >     to service it.
> >
> >   * Retransmission of stream 0 frames from lost packets needs special
> >     handling to avoid accidentally encrypting them.
> >
> >   * Stream 0 is not subject to flow control; it can exceed limits and
> >     goes into negative credit after the handshake completes.
> >
> >   * There are complicated rules about which packets can ACK other
> >     packets, as both cleartext and ciphertext ACKs are possible.
> >
> >   * Very tight coupling between the crypto stack and the transport
> >     stack, especially in terms of knowing where you are in the
> >     crypto state machine.
> >
> > I've been looking at an alternative design in which we instead adopt a
> > more natural layering of putting QUIC on top of DTLS. The basic
> > intuition is that you do a DTLS handshake and just put QUIC frames
> > directly in DTLS records (rather than QUIC packets). This
> > significantly reduces the degree of entanglement between the two
> > components and removes the corner cases above, as well as just
> > generally being a more conventional architecture. Of course, no design
> > is perfect, but on balance, I think this is a cleaner structure.
> >
> > I have a draft for this at:
> > https://datatracker.ietf.org/doc/draft-rescorla-quic-over-dtls/
> >
> > And a partial implementation of it in Minq at:
> >
> > Mint: https://github.com/ekr/mint/tree/dtls_for_quic
> > Minq: https://github.com/ekr/minq/tree/quic_over_dtls
> >
> >
> > I can't speak for anyone else's implementation, but at least in my
> > case, the result was considerable simplification.
> >
> > It's natural at this point to say that this is coming late in the
> > process after we have a lot invested in the current design, as well as
> > to worry that it will delay the process. That's not my intention, and
> > as I say in the draft, many of the issues we have struggled over
> > (headers especially) can be directly ported into this architecture (or
> > perhaps just reused with QUIC-over-DTLS while letting ordinary DTLS do
> > its thing) and this change would allow us to sidestep issued we are
> > still fighting with, so on balance I believe we can keep the schedule
> > impact contained.
> >
> > We are designing a protocol that will be used long into the future, so
> > having the right architecture is especially important. Our goal has
> > always been to guide this effort by implementation experience and we
> > are learning about the deficiencies of the Stream 0 design as we go
> > down our current path. If the primary concern to this proposal is
> > schedule we should have an explicit discussion about those relative
> > priorities in the context of the pros and cons of the proposal.
> >
> > The hackathon would be a good opportunity to have a face to face chat
> > about this in addition to on-list discussion.
> >
> > Thanks in advance for taking a look,
> > -Ekr
> >
> >
> >
> >
> >
> >
> >
> >
> >
> >
>
> --
> Mark Nottingham   https://www.mnot.net/
>
>