Re: Proposal: Run QUIC over DTLS

Mark Nottingham <mnot@mnot.net> Tue, 06 March 2018 01:46 UTC

Return-Path: <mnot@mnot.net>
X-Original-To: quic@ietfa.amsl.com
Delivered-To: quic@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CFF3B126DD9 for <quic@ietfa.amsl.com>; Mon, 5 Mar 2018 17:46:25 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.701
X-Spam-Level:
X-Spam-Status: No, score=-2.701 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=mnot.net header.b=ZoIVe55X; dkim=pass (2048-bit key) header.d=messagingengine.com header.b=MsGTLvT1
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id sb4aw6wwb--K for <quic@ietfa.amsl.com>; Mon, 5 Mar 2018 17:46:22 -0800 (PST)
Received: from out1-smtp.messagingengine.com (out1-smtp.messagingengine.com [66.111.4.25]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C4344124217 for <quic@ietf.org>; Mon, 5 Mar 2018 17:46:22 -0800 (PST)
Received: from compute3.internal (compute3.nyi.internal [10.202.2.43]) by mailout.nyi.internal (Postfix) with ESMTP id E2427212CE; Mon, 5 Mar 2018 20:46:21 -0500 (EST)
Received: from frontend2 ([10.202.2.161]) by compute3.internal (MEProxy); Mon, 05 Mar 2018 20:46:21 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mnot.net; h=cc :content-transfer-encoding:content-type:date:from:in-reply-to :message-id:mime-version:references:subject:to:x-me-sender :x-me-sender:x-sasl-enc; s=fm2; bh=TLRrVmzhoK0GG94FUAjIms23tX1/7 SQn0OyiOtha9ck=; b=ZoIVe55XQDsYQGvRk6hT7G/4KlMBVDEk9ynp8N09E3Ub1 yNc9SiJ8jUfZLoaa54MpldHYWJhkkpR9nX9ccDBPC2tAGw6jdEehOxVchdsCPXac PxIm80gjXDHPm3G0hsJsBcA0spNODu+RI2oZq3M2JGe9tSgAw1SrjU0QxU/dyLFZ 5blpfQ9qO7YaEsm62X62fk9gC5AGdaq5/46XGlGtgUz056hc/jlcWRLBo9PwfPFz 25yCf0whIqWf7bOISn1bNSmWaPON42RulFbiIdGr9rMB1BhCPlXr2JHjjJQ7wmKn NsoI8Xdb0qZXIAKShaYwnA2l7hCS92VUAReesOpjw==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:content-transfer-encoding:content-type :date:from:in-reply-to:message-id:mime-version:references :subject:to:x-me-sender:x-me-sender:x-sasl-enc; s=fm2; bh=TLRrVm zhoK0GG94FUAjIms23tX1/7SQn0OyiOtha9ck=; b=MsGTLvT1W1q4aqxXeIcwxO UTDe1dfOK/od156nrLEs7jCJj0sJQyGcH5B6NZbQTlb6liX6P00HtqgU0wOmWpBH ubt+buISah2b+U6Y6ubjvDZir1iNc1t3uRO0E9WVchKhGo6RVYW4LemCoZvj08gm H4LBNZbrFhclD3P9RBZPgVBYuLVmYDHh9S+psW2UkMQkiD1jqOGDhFaN5mLNd1JH ES2I+tkGr1RISLgE5W4oONDYBTgisje7mqMYClR9Dp0NWZ2S3eICT8CTS1hg0qw6 bUK1w9xRL2UHiE+EKF3Y+JrpblbtwwzH3qa+i6+IAXXFVb8r+zAVEhibEQWCP0+A ==
X-ME-Sender: <xms:7fKdWqROBpdogP8bLa4OIgXeM3uvRVoq7WMI_t26HElMziQsqaJ4Rg>
Received: from [192.168.1.18] (unknown [144.136.175.28]) by mail.messagingengine.com (Postfix) with ESMTPA id 6AB9224313; Mon, 5 Mar 2018 20:46:20 -0500 (EST)
Content-Type: text/plain; charset=us-ascii
Mime-Version: 1.0 (Mac OS X Mail 11.2 \(3445.5.20\))
Subject: Re: Proposal: Run QUIC over DTLS
From: Mark Nottingham <mnot@mnot.net>
In-Reply-To: <CABcZeBO9g5vnPK2aGYEUOYOkT-898Gc0-d4T=kDvxuE2Yg6kMQ@mail.gmail.com>
Date: Tue, 6 Mar 2018 12:46:16 +1100
Cc: IETF QUIC WG <quic@ietf.org>, Lars Eggert <lars@eggert.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <1F5ABFEF-64F2-4A53-A35B-DF8A4A2A4446@mnot.net>
References: <CABcZeBO9g5vnPK2aGYEUOYOkT-898Gc0-d4T=kDvxuE2Yg6kMQ@mail.gmail.com>
To: Eric Rescorla <ekr@rtfm.com>
X-Mailer: Apple Mail (2.3445.5.20)
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic/ufPvufIJTbvyzxbwR9R9GyzxEv4>
X-BeenThere: quic@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Main mailing list of the IETF QUIC working group <quic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic>, <mailto:quic-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic/>
List-Post: <mailto:quic@ietf.org>
List-Help: <mailto:quic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic>, <mailto:quic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 06 Mar 2018 01:46:26 -0000

Thanks for the proposal, EKR. We'll track this as <https://github.com/quicwg/base-drafts/issues/1165>;.

Since we're trying to nail down the invariants in London (or soon afterwards), I'd like to figure out the WG's feelings on this pretty quickly.

I know folks need a chance to read and digest, but it would be extremely helpful if we could have some initial discussion on-list now. Please focus on the technical merit of the proposal, clarifying questions, and statements of support/lack thereof. 

Assuming it's still a topic of interest in two weeks, we'll schedule some time to discuss it in London. EKR, could you please submit a presentation (say, max 20 minutes, plus discussion time afterwards) ASAP?

Cheers,


> On 6 Mar 2018, at 10:05 am, Eric Rescorla <ekr@rtfm.com>; wrote:
> 
> Hi folks,
> 
> Sorry to be the one randomizing things again, but the asymmetric
> conn-id thing went well, so here goes....
> 
> TL;DR.
> I'd like to discuss refactoring things to run QUIC over DTLS.
> 
> DETAILS
> When we originally designed the interaction between TLS and QUIC,
> there seemed like a lot of advantages to embedding the crypto
> handshake on stream 0, in particular the ability to share a common
> reliability and congestion mechanism. However, as we've gotten further
> along in design and implementation, it's also become clear that it's
> archictecturally kind of crufty and this creates a bunch of problems,
> including:
> 
>   * Stream 0 is unencrypted at the beginning of the connection, but
>     encrypted after the handshake completes, and you still need
>     to service it.              
> 
>   * Retransmission of stream 0 frames from lost packets needs special
>     handling to avoid accidentally encrypting them.
> 
>   * Stream 0 is not subject to flow control; it can exceed limits and
>     goes into negative credit after the handshake completes.
> 
>   * There are complicated rules about which packets can ACK other
>     packets, as both cleartext and ciphertext ACKs are possible.
> 
>   * Very tight coupling between the crypto stack and the transport
>     stack, especially in terms of knowing where you are in the
>     crypto state machine.
> 
> I've been looking at an alternative design in which we instead adopt a
> more natural layering of putting QUIC on top of DTLS. The basic
> intuition is that you do a DTLS handshake and just put QUIC frames
> directly in DTLS records (rather than QUIC packets). This
> significantly reduces the degree of entanglement between the two
> components and removes the corner cases above, as well as just
> generally being a more conventional architecture. Of course, no design
> is perfect, but on balance, I think this is a cleaner structure.
> 
> I have a draft for this at:
> https://datatracker.ietf.org/doc/draft-rescorla-quic-over-dtls/
> 
> And a partial implementation of it in Minq at:
> 
> Mint: https://github.com/ekr/mint/tree/dtls_for_quic
> Minq: https://github.com/ekr/minq/tree/quic_over_dtls
> 
> 
> I can't speak for anyone else's implementation, but at least in my
> case, the result was considerable simplification.
> 
> It's natural at this point to say that this is coming late in the
> process after we have a lot invested in the current design, as well as
> to worry that it will delay the process. That's not my intention, and
> as I say in the draft, many of the issues we have struggled over
> (headers especially) can be directly ported into this architecture (or
> perhaps just reused with QUIC-over-DTLS while letting ordinary DTLS do
> its thing) and this change would allow us to sidestep issued we are
> still fighting with, so on balance I believe we can keep the schedule
> impact contained.
> 
> We are designing a protocol that will be used long into the future, so
> having the right architecture is especially important. Our goal has
> always been to guide this effort by implementation experience and we
> are learning about the deficiencies of the Stream 0 design as we go
> down our current path. If the primary concern to this proposal is
> schedule we should have an explicit discussion about those relative
> priorities in the context of the pros and cons of the proposal.
> 
> The hackathon would be a good opportunity to have a face to face chat
> about this in addition to on-list discussion.
> 
> Thanks in advance for taking a look,
> -Ekr
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 

--
Mark Nottingham   https://www.mnot.net/