Re: Analysis of version negotiation
Martin Thomson <mt@lowentropy.net> Wed, 21 April 2021 07:38 UTC
Return-Path: <mt@lowentropy.net>
X-Original-To: quic@ietfa.amsl.com
Delivered-To: quic@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D5CDD3A18CA for <quic@ietfa.amsl.com>; Wed, 21 Apr 2021 00:38:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.12
X-Spam-Level:
X-Spam-Status: No, score=-2.12 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=lowentropy.net header.b=CGCF18m3; dkim=pass (2048-bit key) header.d=messagingengine.com header.b=wUpSgGGT
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JQMCgHBv-KJK for <quic@ietfa.amsl.com>; Wed, 21 Apr 2021 00:37:59 -0700 (PDT)
Received: from out1-smtp.messagingengine.com (out1-smtp.messagingengine.com [66.111.4.25]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6E19D3A18C5 for <quic@ietf.org>; Wed, 21 Apr 2021 00:37:59 -0700 (PDT)
Received: from compute1.internal (compute1.nyi.internal [10.202.2.41]) by mailout.nyi.internal (Postfix) with ESMTP id 6CD885C013F for <quic@ietf.org>; Wed, 21 Apr 2021 03:37:55 -0400 (EDT)
Received: from imap10 ([10.202.2.60]) by compute1.internal (MEProxy); Wed, 21 Apr 2021 03:37:55 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=lowentropy.net; h=mime-version:message-id:in-reply-to:references:date:from:to :subject:content-type; s=fm2; bh=UaWQTbc95/Re5uATcw2xc6WhT3RlMEq F854B+Osjc/0=; b=CGCF18m318GzBCJX71a6o/pV7lT84PC1BTSelGD8JUwV0cW 9yyuqW7g3qMw7nU3RdTdmngQopYkeuEeRQkzujwpZFhF6i/zmETkhwKx17HiV1Np oTrT6EWlhbLa9bG2P/8D7wzh3waTJlL5yuEqGVVXJQxZo1XEOJKEATztJOPLld82 elhMkH2ZaGLCGbx0F6QN/fmCQSbS3Th0RnK47yYezcUIXhrrOeI0NBhj0PKR34Ww a1Peuv7BJHxq2wJ0B8gMwccECqSxjiItx3tD3547A9hsWi1TgPZHU3i5r3AbcqTr iE0o19exxxvZXoCqyrnBLto5Mbr7pShatPJG2SA==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=content-type:date:from:in-reply-to :message-id:mime-version:references:subject:to:x-me-proxy :x-me-proxy:x-me-sender:x-me-sender:x-sasl-enc; s=fm2; bh=UaWQTb c95/Re5uATcw2xc6WhT3RlMEqF854B+Osjc/0=; b=wUpSgGGTXBALmwT3JfVmDB 44nbNNtFCYfhERSK15nPs7wjht8QSbqf4+MrgU+TZD5vB4k9fNCuOoAgWqBhCVag mLWABCNG3KsQmsdsN6dBigiSOpSeI75KzYXLqGLAy47J5JJpX4xNIfeio0N8nbOR SwoX0+TVdjudF746Qh73iH4jTyAVjrKwdKoB+W5ewT+zsOsyb6DHoa6366VH/zDp jdhQ0Kq2e6sWI0g/vvOkc00rTHTefBDwOnsr+KowNESWXaPsbj5Cr6ISyepmMIza PlT73RbCYY2pJBlrVynT4Q6g2bZKlwsZ0I4fcnlWxEPtXkPcHod/9ta6inUtTDnw ==
X-ME-Sender: <xms:UtZ_YEw8LzY9a-fy02Vfmyo3HCqy8mN6ZEcusLZ3yy1SIn22UZ1PHQ> <xme:UtZ_YIQQT0jFA3fE4Mm15bx33sZfM15O0I1goehNFj_60KEYaORoUgmgXfN5xgkIx XWOtMpVrXU_Tp98L5c>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgeduledrvddtjedguddvtdcutefuodetggdotefrod ftvfcurfhrohhfihhlvgemucfhrghsthforghilhdpqfgfvfdpuffrtefokffrpgfnqfgh necuuegrihhlohhuthemuceftddtnecuogfuuhhsphgvtghtffhomhgrihhnucdlgeelmd enucfjughrpefofgggkfgjfhffhffvufgtsehttdertderredtnecuhfhrohhmpedfofgr rhhtihhnucfvhhhomhhsohhnfdcuoehmtheslhhofigvnhhtrhhophihrdhnvghtqeenuc ggtffrrghtthgvrhhnpefgieevueeiieduleeihfellefgteegfeehveegteejvdelkeel leetjedvleeijeenucffohhmrghinhepghhoohhglhgvrdgtohhmnecuvehluhhsthgvrh fuihiivgeptdenucfrrghrrghmpehmrghilhhfrhhomhepmhhtsehlohifvghnthhrohhp hidrnhgvth
X-ME-Proxy: <xmx:UtZ_YGX4kHskGNXEsGPeM3qaGxaW2xo_gEwaChNfYtuztVoaEmBm6Q> <xmx:UtZ_YCjt47OPRIq07hOlfAm9mv1srDVfgLHt9Nlr8ICn1vHqXhYuuA> <xmx:UtZ_YGCuQezEpvCeKO_dUFafoWqkdCoBSf0EHzArlDQC2VIjQw5HHw> <xmx:U9Z_YJNk1slmoqxTf5Amb3w40-AhK3MVZ0HSmG2-tIav7qu5UorPeQ>
Received: by mailuser.nyi.internal (Postfix, from userid 501) id A0A704E010E; Wed, 21 Apr 2021 03:37:54 -0400 (EDT)
X-Mailer: MessagingEngine.com Webmail Interface
User-Agent: Cyrus-JMAP/3.5.0-alpha0-403-gbc3c488b23-fm-20210419.005-gbc3c488b
Mime-Version: 1.0
Message-Id: <d48054a0-8650-475f-9bcd-3ebdfae03cc6@www.fastmail.com>
In-Reply-To: <267ea876-66d9-40f6-a588-7df127519155@www.fastmail.com>
References: <267ea876-66d9-40f6-a588-7df127519155@www.fastmail.com>
Date: Wed, 21 Apr 2021 17:37:35 +1000
From: Martin Thomson <mt@lowentropy.net>
To: quic@ietf.org
Subject: Re: Analysis of version negotiation
Content-Type: text/plain
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic/yPn2khQHEkz0Lvm9YGXp-fZmeKU>
X-BeenThere: quic@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Main mailing list of the IETF QUIC working group <quic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic>, <mailto:quic-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic/>
List-Post: <mailto:quic@ietf.org>
List-Help: <mailto:quic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic>, <mailto:quic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 21 Apr 2021 07:38:05 -0000
Hey folks, I spent a few minutes and updated this document. Part of that involved removing another field (the most tricky one). The resulting protocol can be very simple in the end: A simple transport parameter is needed for each endpoint with a list of values: the client sends all compatible versions, with its chosen version listed first the server sends all versions (optionally excluding compatible versions, and always excluding versions that aren't fully deployed at the server) Validation/negotiation is: the server verifies that the first version listed by the client is the version that was used by the client the server then chooses its most-preferred compatible version from the set provided by the client the client verifies that it wouldn't have chosen something different from the set provided by server This is at least as simple as the design Christian describes. I believe that the analysis supports the conclusion that this is secure (but it's amateur work so it's not worth much). What I find encouraging is that this design is very flexible in terms of being able to support both compatible and incompatible negotiation while allowing progressive rollout (or rollback) of new versions. That might mean we don't have to sacrifice flexibility or use cases at all. On Wed, Mar 24, 2021, at 14:25, Martin Thomson wrote: > Hey everyone, > > https://docs.google.com/document/d/1HXu7LoMP8Z30JkHyMOuVOtG5W9AFOQtsL8vuSbFxXUw/edit?usp=sharing is my crude attempt at an analysis of the security of the version negotiation draft, including some suggestions that might make the protocol more efficient. > > I will you reach your own conclusion, but I found some cuts that can be > made in the design. Not as many as I expected originally though. I > did just realize that an entire component can come out, but I haven't > edited it out yet; I'll leave that in case others disagree with my > assessment there. > > It's long and complicated, sadly. That's the one thing that I might > regret most about the decision to defer solving this problem properly > in the first place. In any case, I hope that this is a useful > contribution to the discussion. > > Cheers, > Martin
- Analysis of version negotiation Martin Thomson
- Re: Analysis of version negotiation Martin Thomson
- Re: Analysis of version negotiation Kazuho Oku