Re: Authentication in draft-kuhn-quic-bdpframe-extension

Christian Huitema <huitema@huitema.net> Mon, 06 November 2023 04:07 UTC

Message-ID: <d7c2b33d-5615-4c5e-a31d-5e09d9e0d731@huitema.net>
Date: Sun, 05 Nov 2023 20:06:55 -0800
Subject: Re: Authentication in draft-kuhn-quic-bdpframe-extension
To: Watson Ladd <watsonbladd@gmail.com>, Lucas Pardue <lucaspardue.24.7@gmail.com>
Cc: Gorry Fairhurst <gorry@erg.abdn.ac.uk>, Q Misell <q=40as207960.net@dmarc.ietf.org>, quic@ietf.org
References: <CAMEWqGsGCEhC97Yt-r9YBwGCPxH6+OGj7GfTmomMDJBD6S_ZBQ@mail.gmail.com> <a7d79746-59b3-4dd5-ad74-2810ac685ec5@erg.abdn.ac.uk> <CALGR9oZRReig2_dEsbtx+ODKoaZTkKp6C5gcQZVPd_gnnWbX1Q@mail.gmail.com> <CACsn0cmPa2tpChSY8qKUQzCGWfW71WWzZ-L-a4H8DpDEK9BwFQ@mail.gmail.com>
From: Christian Huitema <huitema@huitema.net>
In-Reply-To: <CACsn0cmPa2tpChSY8qKUQzCGWfW71WWzZ-L-a4H8DpDEK9BwFQ@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic/vkYvoFW2g7Z0epsFK1FyxsD3Erk>
List-Id: Main mailing list of the IETF QUIC working group <quic.ietf.org>


On 11/5/2023 4:43 PM, Watson Ladd wrote:
> On Fri, Nov 3, 2023 at 8:45 AM Lucas Pardue <lucaspardue.24.7@gmail.com> wrote:
>>
>> Hi folks,
>>
>> I'm still trying to come up to speed on this spec. But when I've thought about it a little, it's seemed very natural to associate the BDP frame (contents) with the TLS session. We already have a lot of text about TLS session resumption in QUIC. It feels like there is already a template design with HTTP/3 - a server sends SETTINGS to tell a client something unique about the active QUIC connection. RFC 9114 section 7.2.4.2 [1] states
>>
>>> When a 0-RTT QUIC connection is being used, the initial value of each server setting is the value used in the previous session. Clients SHOULD store the settings the server provided in the HTTP/3 connection where resumption information was provided, but they MAY opt not to store settings in certain cases (e.g., if the session ticket is received before the SETTINGS frame). A client MUST comply with stored settings -- or default values if no values are stored -- when attempting 0-RTT. Once a server has provided new settings, clients MUST comply with those values.
>>
>> So with a bit of massaging, if we can link the BDP frame to session resumption, we know that it is based on a previous trust relationship.
> 
> I'd prefer not to incorporate user application related data (which
> QUIC info would be) in TLS resumption tickets. There is not a great
> way to do this, and particularly as BDP can vary over time so the TLS
> layer would have to send more tickets. Not fatal, but more coupling
> than I think is ideal.

That's why it would be better to place the data in the address 
validation tokens, which are explicitly tied to IP addresses.
(Watson: address validation tokens are defined in section 8 of RFC 9000. 
The primary goal is to defend against the QUIC equivalent of SYN attacks, 
but the servers can use them however they see fit.)

-- Christian Huitema
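The following is an added illustration of the design Christian describes, not code from this thread, from RFC 9000 or from the BDP draft: a server mints an address validation token that carries its BDP hint, bound to the client's IP address and an issue time and protected by an HMAC, and on a later connection accepts the hint only if the tag verifies, the token is fresh, and the source address matches. The wire layout, the field names `bdp_bytes` and `rtt_us`, the 600 s lifetime and the key are all constructed for this example.

```python
import hashlib
import hmac
import ipaddress
import os
import struct
import time

# Constructed token layout (hypothetical, not the draft's or RFC 9000's):
#   nonce(16) | issued_at(u64 seconds) | ip_version(u8) | ip(16, v4 left-padded)
#   | bdp_bytes(u64) | rtt_us(u32) | tag(32) = HMAC-SHA256(key, everything before it)
TOKEN_LIFETIME_S = 600          # assumed server policy for how long a hint stays usable
_TOKEN_LEN = 16 + 8 + 17 + 12 + 32


def _pack_ip(ip):
    """Encode an IPv4 or IPv6 address as version byte + 16 address bytes."""
    addr = ipaddress.ip_address(ip)
    return struct.pack("!B", addr.version) + addr.packed.rjust(16, b"\x00")


def mint_token(key, client_ip, bdp_bytes, rtt_us, now=None):
    """Server side (NEW_TOKEN): bind the BDP hint to client IP and time, then MAC it."""
    now = int(time.time()) if now is None else now
    body = (os.urandom(16) + struct.pack("!Q", now) + _pack_ip(client_ip)
            + struct.pack("!QI", bdp_bytes, rtt_us))
    return body + hmac.new(key, body, hashlib.sha256).digest()


def validate_token(key, token, src_ip, now=None):
    """Server side on a later connection: return (bdp_bytes, rtt_us), or None to reject.

    The MAC is checked before any field is parsed, so a forged or altered token
    never influences the server's congestion state; a mismatched source address
    means the hint was issued to a different network path and is discarded.
    """
    now = int(time.time()) if now is None else now
    if len(token) != _TOKEN_LEN:
        return None
    body, tag = token[:-32], token[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, body, hashlib.sha256).digest()):
        return None                      # not minted by this server (or tampered)
    (issued_at,) = struct.unpack("!Q", body[16:24])
    if not issued_at <= now < issued_at + TOKEN_LIFETIME_S:
        return None                      # stale, or clock skew into the future
    if body[24:41] != _pack_ip(src_ip):
        return None                      # client address changed: hint not applicable
    return struct.unpack("!QI", body[41:53])
```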