IETF Logo Mail Archive

Re: Version Ossification: Intended Scope for QUICv1

Eric Rescorla <ekr@rtfm.com> Sun, 10 November 2019 22:54 UTC

Return-Path: <ekr@rtfm.com>
X-Original-To: quic@ietfa.amsl.com
Delivered-To: quic@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6E4051200E0 for <quic@ietfa.amsl.com>; Sun, 10 Nov 2019 14:54:08 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.897
X-Spam-Level:
X-Spam-Status: No, score=-1.897 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_NONE=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zBHURfU5kpjd for <quic@ietfa.amsl.com>; Sun, 10 Nov 2019 14:54:06 -0800 (PST)
Received: from mail-lf1-x129.google.com (mail-lf1-x129.google.com [IPv6:2a00:1450:4864:20::129]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CEB72120090 for <quic@ietf.org>; Sun, 10 Nov 2019 14:54:05 -0800 (PST)
Received: by mail-lf1-x129.google.com with SMTP id y6so8376599lfj.2 for <quic@ietf.org>; Sun, 10 Nov 2019 14:54:05 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=dUBa5a8Ot09W5mIAaAyLwOj7kyd023RxBwhVNWRzE2k=; b=ml7O/teHb+Ae7auxEuVAHgLAMpjDFQrwaC6W1t//0qHE7oNiEexdhul57lUCKNAvOK gaxPnDbXGJkDQgX+Z+BEBLaZpoEPbtlQ9Bu6b+bSQcBYBD9aYvk6iaExSbBL6O32ajBV dY9yMi7d90bgCidzipqTzv9Ap2pPuBG99TG82uL6W8kmySsThoVIm2MhitTvvDRUhBn4 x9Zug8D5UTqFeL2hsgU86MXH051jR2hko27rORDXV3+B+be5QfmFYOyQlnZ80Jt08T6G SjPl+geig7K0MZzwcdc4hezDlz4V+O1+4gFTF8FnZlDLKyIBVhPLG5Vf0SrcA51qXdvA Dlfw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=dUBa5a8Ot09W5mIAaAyLwOj7kyd023RxBwhVNWRzE2k=; b=nAullaEFhlSMK8FiVQzfmJTI2Q0+hpGqZMUV0xMVzuuvTtWg/J6MzZn1sDPGicbbLy 716eyybieIrR8Qc3S3wTjWMgbNKY56ihGk3NqNdLZ7NZpFfs6pdQT/bA4FuPvkX+PEMp 5E5OfTOdm9YgUhb2e+phKmJpW/vgRzV1T6saEA7HsP3RejTVJLAZWkkvmXN3e7pADnPa K5NY80rX6ace0gDsA+rftj8VC6HuWPXE7cVg/xi0YZkttjRCnD1cZ1o9HEgQ/CEiZWf4 BNG4lEXcWHJWWa7zFwk81wfLFHumz4cCFqghM/Sph/sVosiNhUJcFNZwW32BwbaZtWzz vHEQ==
X-Gm-Message-State: APjAAAXbQzebsObonFaWL/ybBRG+c8RifMX7LvMqR/mETItiUKP4NYfb lPoqk+nYKgqoSYseu7fgzj21NQLSUQJq3BQ5L5inUw==
X-Google-Smtp-Source: APXvYqwwjG4qHIE1jg2pY3W0+sgvGElX7bMdQDcTyXbI7va0uRcbux+BUVToWe9OZBun0WzdxKkq84t4fU9u5trAkf8=
X-Received: by 2002:a19:6d19:: with SMTP id i25mr8104628lfc.178.1573426444020; Sun, 10 Nov 2019 14:54:04 -0800 (PST)
MIME-Version: 1.0
References: <CAPDSy+6E79OySoOLbJ8eWp0J-+3yeB5iGvj6sW19bEDn_V7-NA@mail.gmail.com>
In-Reply-To: <CAPDSy+6E79OySoOLbJ8eWp0J-+3yeB5iGvj6sW19bEDn_V7-NA@mail.gmail.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Sun, 10 Nov 2019 14:53:26 -0800
Message-ID: <CABcZeBN+6p2k+Kj4K5oKNEqKV50aAU6FLGkiZG0dGPNkg1s_-A@mail.gmail.com>
Subject: Re: Version Ossification: Intended Scope for QUICv1
To: David Schinazi <dschinazi.ietf@gmail.com>
Cc: QUIC <quic@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000046bdc7059705e4fa"
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic/z0_qzvD309FuBcQURFAy1r3zb5k>
X-BeenThere: quic@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Main mailing list of the IETF QUIC working group <quic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic>, <mailto:quic-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic/>
List-Post: <mailto:quic@ietf.org>
List-Help: <mailto:quic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic>, <mailto:quic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 10 Nov 2019 22:54:09 -0000

I would actually like to suggest something more aggressive (or,
conservative, if you prefer), namely that we punt version ossification
entirely to the future, whether to an extension or QUIVc2. In support
of this proposal, I would make three points:

- We are actually going to be running concurrent versions for quite
  some time. Even if everyone were to aggressively (say 6-12 months)
  deprecate all the draft versions upon shipping the RFC, we're
  looking at something that's 18-24 months out. And of course,
  I expect people to do some simple version greasing. So, that
  probably buys us some time before real bad ossification sets
  in.

- It's turning out to be surprisingly hard to design a mechanism that
  works, as evidenced by David's mechanism. And to that, I would add
  that anything that involves having a server hand out some new set of
  keys/salts is going to run into the same kind of multi-CDN problems
  we had with ESNI (i.e., failures when you get switched between
  CDNs). And then recovering from that cleanly either seems to mean
  some ESNI-style fallback or allowing a middlebox to forge VN to
  force you back to the published version/salt.

- It seems like this would all be a lot easier if we had ESNI, because
  you could tie the use of the new salt/version to the ESNIConfig
  (either as a public or symmetric key, depending on taste).

So what I would propose is that we put this problem on ice for now and
then revisit it as an extension. All of the proposals that we have
seen seem like they could be done as an extension, and then we can (1)
get QUICv1 done and (2) hopefully leverage ESNI once we have some
experience.

-Ekr

On Thu, Oct 31, 2019 at 2:13 PM David Schinazi <dschinazi.ietf@gmail.com>
wrote:

> Hi folks,
>
> The conversation around version ossification has been really interesting
> since Cupertino. But at least for me it's reached a level of complexity
> that warrants taking a step back and looking at what we're trying to solve.
> Here's my understanding of where we are:
>
> 1) In Cupertino there was consensus in the room to do something to
> mitigate ossification of QUICv1.
>
> 2) The solution that folks liked was to have a concept of alternative
> versions and alternative salts that act like QUICv1 but are encoded
> differently over the wire.
>
> 3) A concrete proposal for (2) was for servers to have their own set of
> (alternative_version, alternative_salt) pairs, then transmit a random pair
> from that set to each client (i.e. via transport parameters). The server
> can then reconstruct the alternative_salt just by seeing
> the alternative_version.
>
> 4) Kazuho proposed a solution (#3166
> <https://github.com/quicwg/base-drafts/pull/3166>) that was both more
> powerful and more complex: tie the (alternative_version, alternative_salt)
> pair to NEW_TOKEN frames, to allow servers to generate a
> unique alternative_salt per client and encode it in the token.
>
> 5) After some interesting back and forth on that PR, it became clear that
> this is a hard problem to solve: this could cause failures if servers
> forget their token keys, and mitigations for that problem can become
> downgrade attack vectors
>
> 6) While there was clear WG appetite for (1), I'm not sure we have
> consensus to build a more powerful solution like (4)
>
> I fear that solving (5) could take some time, which would delay QUICv1.
> Instead I'd like to propose the following plan:
> a) we take the simpler solution (3) and add that to the spec
> b) we take the more powerful/complex solution (5) a turn it into a QUIC
> extension
>
> That would allow us to ship QUICv1 with some level of ossification
> mitigations without delay.
>
> Thoughts?
>
> David
>
>
>

v2.23.0 | Report a Bug | By Email