Re: Increasing QUIC connection ID size

Mikkel Fahnøe Jørgensen <> Thu, 11 January 2018 23:51 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 1E4181275C5 for <>; Thu, 11 Jan 2018 15:51:44 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.697
X-Spam-Status: No, score=-2.697 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 8whOfp27WORJ for <>; Thu, 11 Jan 2018 15:51:41 -0800 (PST)
Received: from ( [IPv6:2607:f8b0:4001:c0b::232]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 10A661205F0 for <>; Thu, 11 Jan 2018 15:51:41 -0800 (PST)
Received: by with SMTP id b77so7061278itd.0 for <>; Thu, 11 Jan 2018 15:51:41 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=from:in-reply-to:references:mime-version:date:message-id:subject:to; bh=h+lpMGjQTv/qQ9I7Vpkv8L50ZdOV2cR/jzYtxjCrBrA=; b=Y2z2TrCo2V2FPTu0dMvnauUAkYkWVAKS6tzxCxUq3IJaJCQf4TS9ITeP/7tUnPrDuz iJVwjlSk/mKsL8W9/dMdyi38xy5dndM57z9ppWarA6PFg0ADYui/vVVMSoRrsrpaJoWn 2N0LxzBWOrTeweZGzbU9QzyhB2zIJhlB6gcm9rvN3o7BwBHo7WTe+hT5UkWgF0nqAu4b adCXJo+M7A/yXm8fUfekqKHvN5kONhaz8TDiZ5QIrQAx1q/DHuisJVB+9BJb1i/kmARO jxhlQldqnoFzXnTxbNdDIMhuq3HdXSjtadnb6YttbTwxjjm+/h5F2nnkDERvkk1ZepXd WZWg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:from:in-reply-to:references:mime-version:date :message-id:subject:to; bh=h+lpMGjQTv/qQ9I7Vpkv8L50ZdOV2cR/jzYtxjCrBrA=; b=ZUw0jI6Z2brruuPU+jilrNdV8YNT/N7YUIDWov2hZD8MGSZjPPg6CYVY+ouVN5Uvj2 pgbXCWqvyXYOBNkB73N8uNDjmzORtwE4tmRvik2XF0+W4hXJhrr8urvm/I6GVe8imLPU So76g+nTeyzoMkXEcUuipyi0vuPL3vnrFleBeTB/tGDv4V+1tNj2Yub7WCgGl7AFvarT ppw1mTPh2nGaL1l8YSY4RKHv0Frx6y2o1PoFnpVfQokccsY2QA/AR0sSq0ic6sEv293a e0GRmSkNwL4c08iTyCE/MRJv5eWqzXPEztHXYcuOU3x0zvBWhsgmX4hBnpqPOQ33qd1k IINQ==
X-Gm-Message-State: AKwxytcszgyYccLwHHVaOGmiVDxPwUVMfcTJnKLATaEcuwDZxKnSeUzh d9RKg4lJCnLR4jsXRwZGNkWD8pBgTH0R3VbU4rkeGQ==
X-Google-Smtp-Source: ACJfBotMpmYezRS+Ta1w7tG0rGHnCNW33FKR7sVTfZhczK4AEBIQSZLTiYUk0py838ljRYHdovFSbekNQf0w5lEhTy0=
X-Received: by with SMTP id n189mr2968153ite.91.1515714700224; Thu, 11 Jan 2018 15:51:40 -0800 (PST)
Received: from 1058052472880 named unknown by with HTTPREST; Thu, 11 Jan 2018 15:51:39 -0800
From: =?UTF-8?Q?Mikkel_Fahn=C3=B8e_J=C3=B8rgensen?= <>
In-Reply-To: <>
References: <>
X-Mailer: Airmail (420)
MIME-Version: 1.0
Date: Thu, 11 Jan 2018 15:51:39 -0800
Message-ID: <>
Subject: Re: Increasing QUIC connection ID size
To: Victor Vasiliev <>, IETF QUIC WG <>
Content-Type: multipart/alternative; boundary="94eb2c11416049aff5056288d49f"
Archived-At: <>
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Main mailing list of the IETF QUIC working group <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 11 Jan 2018 23:51:44 -0000

I can also see a need for larger connection ID’s for routing purposes in
overlay networks, but I decided it was probably better to prefix the QUIC
header in that case.

It is worth noting that if you have a non-unique tuple of port-address
pairs, you need the connection ID in every packet, and that can be a lot of
overhead. So a large ID would likely isolate that version to a dedicated
purpose, and then you might as well add a packet prefix.

An alternative solution is to use the connection ID as an index into a
routing table that has the real details, but this requires that early
packets of the connection carry those details in a way that routers can
pick up which probably isn’t practical.

A more practical solution is to keep the connection ID as is to serve its
primary purpose. A given protocol version could negotiate an extension the
the clear text header. Even if those data are not directly following the
connection ID, they can easily be picked up by router. This is essentially
the same as a packet prefix, except that the QUIC invariants are now

As to encryption: block encryption generally works by xor’ing a “random”
value to the clear text. AES produces such a value from a counter or
similar unique value per block but does not need the clear text data at
all. The output of AES is simply XOR’ed with the clear text data (this can
be different when encrypting multiple blocks). This means that if the block
size is 128 bit you can easily encrypt 64 bytes by XOR’ing with the first
64-bits of the AES output. But you likely want to zero extend instead due
to auth tag:

It is not safe to use block encryption alone. It must nearly always be
associated with an authentication tag as with AES-GCM. Otherwise an
attacker will quickly learn that, say, bit 53 and bit 32 affects routing
and can trivially cause at least 1/4 packets to land somewhere else just be
flipping either bit. A compact auth tag does not have to be very long for
such a short message but it adds to the overall size requirement and
complexity of the solution.It could be generated with CMAC that are two AES
encryption rounds. (CMAC on connection ID could, BTW, also be used to very
quickly reject invalid QUIC packets, which I have proposed earlier). The
CMAC output will be one AES block, but it can be truncated depending on the
security level required.

Kind Regards,
Mikkel Fahnøe Jørgensen

On 12 January 2018 at 00.16.21, Victor Vasiliev ( wrote:

Hi everyone,

In the current version of QUIC, the connection ID size is fixed to be a
64-bit opaque blob, and that is set as an invariant in the protocol.

I’ve looked into possibility of using a connection ID to encode the
specific server details into it (to provide stability of the connection in
case of load balancing changes, especially BGP flaps for anycast IPs), and
have chatted about this with other people I knew were interested in this.
It seems like 64 bits might be too small for this purpose, and we might
want to leave an opportunity to extend the connection ID size.

The basic idea is that you want to be able to:

   1. Store some routing metadata in the connection ID.
   2. Have some entropy that allows distinguish users with identical
   routing metadata.
   3. Have a checksum to ensure the validity of routing information
   4. Encrypt the information above to prevent disclosing the route
   information and allow generating uncorrelatable connection IDs.

There are two underlying issues here.  The first problem is that all of
this does not fit well into 64 bits, and you have to seriously compromise
on the strength of the checksum (which is bad especially if you want it to
be a MAC rather than a checksum).  The second problem is that encrypting
64-bit values fast is actually fairly hard since the block ciphers easily
available in hardware have 128-bit block size, and the performance
requirements on load balancers are tighter than on servers.

In other words, having a 128-bit connection ID provides for an easy secure
way to generate unlinkable connection IDs on migration.

So, the problem we’re trying to solve is that the connection ID is too
small.  There are two questions I believe the working group should answer
at this point:

   1. Do we want to address this problem at this point in standardization
   2. If we don’t address this problem right now, how do we structure the
   standard in a way that we can extend the connection ID in the future?

There are multiple ways to solve the problem of making connection ID
larger.  One is to just add extra bit to the “omit connection ID” field to
allow 128-bit connection IDs.  Another approach is to allow connection ID
size to be explicitly specified by the server, and then assume that the
load balancer knows that size and no one else on the path needs to read it.

There’s also a question of how much of connection IDs do middleboxes
(excluding load balancers and other boxes owned by the same entity as
either client or server) need to know.  We could go for both “middleboxes
should be always able to read the entire ID” and “middleboxes should not
read connection IDs at all options”, but I think there’s also a room for
more flexible formulations like “middleboxes always get first 64 bits and
they have useful entropy to distinguish connections”.

  -- Victor.