Re: Proposal: Run QUIC over DTLS

"Philipp S. Tiesel" <phils@in-panik.de> Wed, 14 March 2018 08:53 UTC

Return-Path: <phils@in-panik.de>
X-Original-To: quic@ietfa.amsl.com
Delivered-To: quic@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 005361270A3 for <quic@ietfa.amsl.com>; Wed, 14 Mar 2018 01:53:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OuTADvAffa2B for <quic@ietfa.amsl.com>; Wed, 14 Mar 2018 01:53:39 -0700 (PDT)
Received: from einhorn-mail.in-berlin.de (einhorn.in-berlin.de [192.109.42.8]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D9DD61200C5 for <quic@ietf.org>; Wed, 14 Mar 2018 01:53:36 -0700 (PDT)
X-Envelope-From: phils@in-panik.de
Received: from x-berg.in-berlin.de (x-change.in-berlin.de [217.197.86.40]) by einhorn.in-berlin.de (8.14.4/8.14.4/Debian-8+deb8u2) with ESMTP id w2E8rDNc010921 (version=TLSv1/SSLv3 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Wed, 14 Mar 2018 09:53:13 +0100
Received: from [2001:638:809:ff1f::8295:dc66] by x-berg.in-berlin.de with esmtpsa (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.84_2) (envelope-from <phils@in-panik.de>) id 1ew29C-0006PJ-6I; Wed, 14 Mar 2018 09:52:34 +0100
Content-Type: text/plain; charset=utf-8
Mime-Version: 1.0 (Mac OS X Mail 11.2 \(3445.5.20\))
Subject: Re: Proposal: Run QUIC over DTLS
From: "Philipp S. Tiesel" <phils@in-panik.de>
In-Reply-To: <AC76AF70-C9D1-4EE0-8378-912421E032DE@trammell.ch>
Date: Wed, 14 Mar 2018 09:53:12 +0100
Cc: Eric Rescorla <ekr@rtfm.com>, IETF QUIC WG <quic@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <B5CE2833-EABE-4915-9FDA-B72362C266A0@in-panik.de>
References: <CABcZeBO9g5vnPK2aGYEUOYOkT-898Gc0-d4T=kDvxuE2Yg6kMQ@mail.gmail.com> <CABcZeBNAYiTzdyE+UcqvThgnKhDthuq2-UyjEBoJkpep8-t5vg@mail.gmail.com> <AC76AF70-C9D1-4EE0-8378-912421E032DE@trammell.ch>
To: "Brian Trammell (IETF)" <ietf@trammell.ch>
X-Mailer: Apple Mail (2.3445.5.20)
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic/y65EoqGJmanOA1ytQkEQ3YIlG9A>
X-BeenThere: quic@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Main mailing list of the IETF QUIC working group <quic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic>, <mailto:quic-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic/>
List-Post: <mailto:quic@ietf.org>
List-Help: <mailto:quic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic>, <mailto:quic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 14 Mar 2018 08:53:41 -0000

Hi,

> On 14. Mar 2018, at 07:31, Brian Trammell (IETF) <ietf@trammell.ch>; wrote:
> 
> hi ekr,
> 
> Thanks for this reframing of the question. An attempt at an answer, inline:
> 
>> On 13 Mar 2018, at 17:52, Eric Rescorla <ekr@rtfm.com>; wrote:
>> 
>> Hi folks,
>> 
>> Thanks to everyone who commented. Trying to consolidate my responses
>> a bit, it seems like things fit into three major buckets:
>> 
>> - Whether we have a stream 0 problem
>> - Whether a layered architecture is the right thing/solves those
>>  problems
>> - Schedule impact
>> 
>> I'd like to focus on the architectural question for the moment. I
>> think there's broad -- though not universal -- agreement that the
>> stream 0 thing is not great, but a fair amount of debate about
>> what the right architecture and architectural principles are.
>> It's not really productive to talk about schedule impact until
>> we understand what the right thing is.
> 
> Yes, there clearly is a Stream Zero Problem, in that Stream Zero is currently the box into which we are pushing all the complexity related to establishing cryptographic context. To some extent, though, the "layered architecture or not" question is orthogonal to the "DTLS or not" question. The complexity exists, and it needs to go somewhere, if we are to support:
> 
> - establishing a cryptographic association over a datagram service
> - in the presence of loss, reordering, duplication, and attackers on-path and off
> - while minimizing mean association establishment latency, even in less than ideal network conditions
> - and using said cryptographic association to protect transport internals
> - supporting the selective exposure of additional information about the association for selected in-network functions (at the very least, CID).
> 
> In other words, we need three things:
> 
> (1) An encrypted transport protocol
> (2) A method to establish the cryptographic association for (1)
> (3) A transport protocol to provide the reliability guarantees needed by (2)
> 
> In QUIC today, (1) is QUIC, (2) is TLS, and (3) is a transport protocol that shares a lot of semantics with QUIC, and co-exists with QUIC's framing, but (and this, I think, is where the confusion comes from and where things go wrong) *isn't really QUIC*. I'll label this "S0-QUIC" (for "Stream Zero") below:
> 
>  +--------------------+
> 1 |       QUIC         |
>  +--------------------+
> 2 |    TLS 1.3 + PP    |
>  | (handshake)        |
>  +------------+-------+
> 3 |  S0-QUIC   |       |
>  +------------+       |
>  |  QUIC wire image   |
>  +--------------------+
>  |        UDP         |
>  +--------------------+
> 
> If you look at it this way, QUIC is already a strictly-layered architecture, we just aren't treating it at such because S0-QUIC and QUIC look enough alike that we think they are the same thing. I suspect that treating S0-QUIC and QUIC as distinct, with the caveat that they must share a wire image, while seeking to preserve opportunities for code reuse between them, might make cleaning up Stream Zero conceptually cleaner.
> 
> In the DTLS proposal, (1) is QUIC (without its wire image or S0-QUIC) (2) is DTLS, and (3) is the semitransport DTLS uses for its handshake:
> 
>  +--------------------+
> 1 |       QUIC         |
>  +--------------------+
> 2 |     DTLS 1.3       |
>  | (handshake)        |
>  +- - - - - - +-------+
> 3 | semitrans  |       |
>  +------------+       |
>  |  DTLS record layer |
>  +--------------------+
>  |        UDP         |
>  +--------------------+
> 
> In this framing of the question, the Stream Zero problem arises because QUIC's (3) is not as cleanly separated from QUIC as it should be, and most of the architectural win from moving to DTLS comes from the fact that the layer separation is already there.

Looks like there is a third, easier to implement, option lurking:

Throw away S0 QUIC and replace it with a long header packet type to carry DTLS records.

  +--------------------+
1 |       QUIC         |
  +------------+-------+
2 |  DTLS 1.3  |  PP   |
  | (handshake)| (data)|
  +- - - - - - +       |
3 | semitrans  |       |
  +------------+       |
  |  DTLS rl   |       |
  +------------+       |
  |  QUIC framing      |
  +--------------------+
  |         UDP        |
  +--------------------+


The only disadvantage I see with this approach is that it does not hide re-keying from being spotted on the wire.


AVE!
  Philipp S. Tiesel / phils…