Re: Proposal: Run QUIC over DTLS

Mark Nottingham <> Tue, 06 March 2018 01:46 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id CFF3B126DD9 for <>; Mon, 5 Mar 2018 17:46:25 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.701
X-Spam-Status: No, score=-2.701 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key) header.b=ZoIVe55X; dkim=pass (2048-bit key) header.b=MsGTLvT1
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id sb4aw6wwb--K for <>; Mon, 5 Mar 2018 17:46:22 -0800 (PST)
Received: from ( []) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id C4344124217 for <>; Mon, 5 Mar 2018 17:46:22 -0800 (PST)
Received: from compute3.internal (compute3.nyi.internal []) by mailout.nyi.internal (Postfix) with ESMTP id E2427212CE; Mon, 5 Mar 2018 20:46:21 -0500 (EST)
Received: from frontend2 ([]) by compute3.internal (MEProxy); Mon, 05 Mar 2018 20:46:21 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; h=cc :content-transfer-encoding:content-type:date:from:in-reply-to :message-id:mime-version:references:subject:to:x-me-sender :x-me-sender:x-sasl-enc; s=fm2; bh=TLRrVmzhoK0GG94FUAjIms23tX1/7 SQn0OyiOtha9ck=; b=ZoIVe55XQDsYQGvRk6hT7G/4KlMBVDEk9ynp8N09E3Ub1 yNc9SiJ8jUfZLoaa54MpldHYWJhkkpR9nX9ccDBPC2tAGw6jdEehOxVchdsCPXac PxIm80gjXDHPm3G0hsJsBcA0spNODu+RI2oZq3M2JGe9tSgAw1SrjU0QxU/dyLFZ 5blpfQ9qO7YaEsm62X62fk9gC5AGdaq5/46XGlGtgUz056hc/jlcWRLBo9PwfPFz 25yCf0whIqWf7bOISn1bNSmWaPON42RulFbiIdGr9rMB1BhCPlXr2JHjjJQ7wmKn NsoI8Xdb0qZXIAKShaYwnA2l7hCS92VUAReesOpjw==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=; h=cc:content-transfer-encoding:content-type :date:from:in-reply-to:message-id:mime-version:references :subject:to:x-me-sender:x-me-sender:x-sasl-enc; s=fm2; bh=TLRrVm zhoK0GG94FUAjIms23tX1/7SQn0OyiOtha9ck=; b=MsGTLvT1W1q4aqxXeIcwxO UTDe1dfOK/od156nrLEs7jCJj0sJQyGcH5B6NZbQTlb6liX6P00HtqgU0wOmWpBH ubt+buISah2b+U6Y6ubjvDZir1iNc1t3uRO0E9WVchKhGo6RVYW4LemCoZvj08gm H4LBNZbrFhclD3P9RBZPgVBYuLVmYDHh9S+psW2UkMQkiD1jqOGDhFaN5mLNd1JH ES2I+tkGr1RISLgE5W4oONDYBTgisje7mqMYClR9Dp0NWZ2S3eICT8CTS1hg0qw6 bUK1w9xRL2UHiE+EKF3Y+JrpblbtwwzH3qa+i6+IAXXFVb8r+zAVEhibEQWCP0+A ==
X-ME-Sender: <xms:7fKdWqROBpdogP8bLa4OIgXeM3uvRVoq7WMI_t26HElMziQsqaJ4Rg>
Received: from [] (unknown []) by (Postfix) with ESMTPA id 6AB9224313; Mon, 5 Mar 2018 20:46:20 -0500 (EST)
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 11.2 \(3445.5.20\))
Subject: Re: Proposal: Run QUIC over DTLS
From: Mark Nottingham <>
In-Reply-To: <>
Date: Tue, 06 Mar 2018 12:46:16 +1100
Cc: IETF QUIC WG <>, Lars Eggert <>
Content-Transfer-Encoding: quoted-printable
Message-Id: <>
References: <>
To: Eric Rescorla <>
X-Mailer: Apple Mail (2.3445.5.20)
Archived-At: <>
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Main mailing list of the IETF QUIC working group <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 06 Mar 2018 01:46:26 -0000

Thanks for the proposal, EKR. We'll track this as <>.

Since we're trying to nail down the invariants in London (or soon afterwards), I'd like to figure out the WG's feelings on this pretty quickly.

I know folks need a chance to read and digest, but it would be extremely helpful if we could have some initial discussion on-list now. Please focus on the technical merit of the proposal, clarifying questions, and statements of support/lack thereof. 

Assuming it's still a topic of interest in two weeks, we'll schedule some time to discuss it in London. EKR, could you please submit a presentation (say, max 20 minutes, plus discussion time afterwards) ASAP?


> On 6 Mar 2018, at 10:05 am, Eric Rescorla <> wrote:
> Hi folks,
> Sorry to be the one randomizing things again, but the asymmetric
> conn-id thing went well, so here goes....
> TL;DR.
> I'd like to discuss refactoring things to run QUIC over DTLS.
> When we originally designed the interaction between TLS and QUIC,
> there seemed like a lot of advantages to embedding the crypto
> handshake on stream 0, in particular the ability to share a common
> reliability and congestion mechanism. However, as we've gotten further
> along in design and implementation, it's also become clear that it's
> archictecturally kind of crufty and this creates a bunch of problems,
> including:
>   * Stream 0 is unencrypted at the beginning of the connection, but
>     encrypted after the handshake completes, and you still need
>     to service it.              
>   * Retransmission of stream 0 frames from lost packets needs special
>     handling to avoid accidentally encrypting them.
>   * Stream 0 is not subject to flow control; it can exceed limits and
>     goes into negative credit after the handshake completes.
>   * There are complicated rules about which packets can ACK other
>     packets, as both cleartext and ciphertext ACKs are possible.
>   * Very tight coupling between the crypto stack and the transport
>     stack, especially in terms of knowing where you are in the
>     crypto state machine.
> I've been looking at an alternative design in which we instead adopt a
> more natural layering of putting QUIC on top of DTLS. The basic
> intuition is that you do a DTLS handshake and just put QUIC frames
> directly in DTLS records (rather than QUIC packets). This
> significantly reduces the degree of entanglement between the two
> components and removes the corner cases above, as well as just
> generally being a more conventional architecture. Of course, no design
> is perfect, but on balance, I think this is a cleaner structure.
> I have a draft for this at:
> And a partial implementation of it in Minq at:
> Mint:
> Minq:
> I can't speak for anyone else's implementation, but at least in my
> case, the result was considerable simplification.
> It's natural at this point to say that this is coming late in the
> process after we have a lot invested in the current design, as well as
> to worry that it will delay the process. That's not my intention, and
> as I say in the draft, many of the issues we have struggled over
> (headers especially) can be directly ported into this architecture (or
> perhaps just reused with QUIC-over-DTLS while letting ordinary DTLS do
> its thing) and this change would allow us to sidestep issued we are
> still fighting with, so on balance I believe we can keep the schedule
> impact contained.
> We are designing a protocol that will be used long into the future, so
> having the right architecture is especially important. Our goal has
> always been to guide this effort by implementation experience and we
> are learning about the deficiencies of the Stream 0 design as we go
> down our current path. If the primary concern to this proposal is
> schedule we should have an explicit discussion about those relative
> priorities in the context of the pros and cons of the proposal.
> The hackathon would be a good opportunity to have a face to face chat
> about this in addition to on-list discussion.
> Thanks in advance for taking a look,
> -Ekr

Mark Nottingham