draft-ietf-quic-v2-02.txt   draft-ietf-quic-v2-03.txt 
QUIC M. Duke QUIC M. Duke
Internet-Draft Google LLC Internet-Draft Google LLC
Intended status: Standards Track 28 April 2022 Intended status: Standards Track 12 May 2022
Expires: 30 October 2022 Expires: 13 November 2022
QUIC Version 2 QUIC Version 2
draft-ietf-quic-v2-02 draft-ietf-quic-v2-03
Abstract Abstract
This document specifies QUIC version 2, which is identical to QUIC This document specifies QUIC version 2, which is identical to QUIC
version 1 except for some trivial details. Its purpose is to combat version 1 except for some trivial details. Its purpose is to combat
various ossification vectors and exercise the version negotiation various ossification vectors and exercise the version negotiation
framework. It also serves as a template for the minimum changes in framework. It also serves as a template for the minimum changes in
any future version of QUIC. any future version of QUIC.
Note that "version 2" is an informal name for this proposal that Note that "version 2" is an informal name for this proposal that
skipping to change at page 2, line 15 skipping to change at page 2, line 15
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/. Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on 30 October 2022. This Internet-Draft will expire on 13 November 2022.
Copyright Notice Copyright Notice
Copyright (c) 2022 IETF Trust and the persons identified as the Copyright (c) 2022 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents (https://trustee.ietf.org/ Provisions Relating to IETF Documents (https://trustee.ietf.org/
license-info) in effect on the date of publication of this document. license-info) in effect on the date of publication of this document.
Please review these documents carefully, as they describe your rights Please review these documents carefully, as they describe your rights
and restrictions with respect to this document. Code Components and restrictions with respect to this document. Code Components
extracted from this document must include Revised BSD License text as extracted from this document must include Revised BSD License text as
described in Section 4.e of the Trust Legal Provisions and are described in Section 4.e of the Trust Legal Provisions and are
provided without warranty as described in the Revised BSD License. provided without warranty as described in the Revised BSD License.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3
2. Conventions . . . . . . . . . . . . . . . . . . . . . . . . . 4 2. Conventions . . . . . . . . . . . . . . . . . . . . . . . . . 4
3. Changes from QUIC Version 1 . . . . . . . . . . . . . . . . . 4 3. Differences with QUIC Version 1 . . . . . . . . . . . . . . . 4
3.1. Version Field . . . . . . . . . . . . . . . . . . . . . . 4 3.1. Version Field . . . . . . . . . . . . . . . . . . . . . . 4
3.2. Long Header Packet Types . . . . . . . . . . . . . . . . 4 3.2. Long Header Packet Types . . . . . . . . . . . . . . . . 4
3.3. Cryptography changes . . . . . . . . . . . . . . . . . . 4 3.3. Cryptography changes . . . . . . . . . . . . . . . . . . 4
3.3.1. Initial Salt . . . . . . . . . . . . . . . . . . . . 4 3.3.1. Initial Salt . . . . . . . . . . . . . . . . . . . . 4
3.3.2. HKDF Labels . . . . . . . . . . . . . . . . . . . . . 4 3.3.2. HKDF Labels . . . . . . . . . . . . . . . . . . . . . 4
3.3.3. Retry Integrity Tag . . . . . . . . . . . . . . . . . 4 3.3.3. Retry Integrity Tag . . . . . . . . . . . . . . . . . 5
4. Version Negotiation Considerations . . . . . . . . . . . . . 5 4. Version Negotiation Considerations . . . . . . . . . . . . . 5
4.1. Compatible Negotiation Requirements . . . . . . . . . . . 5 4.1. Compatible Negotiation Requirements . . . . . . . . . . . 5
5. TLS Resumption and NEW_TOKEN Tokens . . . . . . . . . . . . . 6 5. TLS Resumption and NEW_TOKEN Tokens . . . . . . . . . . . . . 6
6. Ossification Considerations . . . . . . . . . . . . . . . . . 7 6. Ossification Considerations . . . . . . . . . . . . . . . . . 7
7. Applicability . . . . . . . . . . . . . . . . . . . . . . . . 7 7. Applicability . . . . . . . . . . . . . . . . . . . . . . . . 7
8. Security Considerations . . . . . . . . . . . . . . . . . . . 7 8. Security Considerations . . . . . . . . . . . . . . . . . . . 7
9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 7 9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 7
10. References . . . . . . . . . . . . . . . . . . . . . . . . . 8 10. References . . . . . . . . . . . . . . . . . . . . . . . . . 8
10.1. Normative References . . . . . . . . . . . . . . . . . . 8 10.1. Normative References . . . . . . . . . . . . . . . . . . 8
10.2. Informative References . . . . . . . . . . . . . . . . . 8 10.2. Informative References . . . . . . . . . . . . . . . . . 8
Appendix A. Sample Packet Protection . . . . . . . . . . . . . . 9 Appendix A. Sample Packet Protection . . . . . . . . . . . . . . 9
A.1. Keys . . . . . . . . . . . . . . . . . . . . . . . . . . 9 A.1. Keys . . . . . . . . . . . . . . . . . . . . . . . . . . 9
A.2. Client Initial . . . . . . . . . . . . . . . . . . . . . 10 A.2. Client Initial . . . . . . . . . . . . . . . . . . . . . 10
A.3. Server Initial . . . . . . . . . . . . . . . . . . . . . 12 A.3. Server Initial . . . . . . . . . . . . . . . . . . . . . 12
A.4. Retry . . . . . . . . . . . . . . . . . . . . . . . . . . 13 A.4. Retry . . . . . . . . . . . . . . . . . . . . . . . . . . 13
A.5. ChaCha20-Poly1305 Short Header Packet . . . . . . . . . . 13 A.5. ChaCha20-Poly1305 Short Header Packet . . . . . . . . . . 13
Appendix B. Changelog . . . . . . . . . . . . . . . . . . . . . 15 Appendix B. Changelog . . . . . . . . . . . . . . . . . . . . . 15
B.1. since draft-ietf-quic-v2-01 . . . . . . . . . . . . . . . 15 B.1. since draft-ietf-quic-v2-02 . . . . . . . . . . . . . . . 15
B.2. since draft-ietf-quic-v2-00 . . . . . . . . . . . . . . . 15 B.2. since draft-ietf-quic-v2-01 . . . . . . . . . . . . . . . 15
B.3. since draft-duke-quic-v2-02 . . . . . . . . . . . . . . . 15 B.3. since draft-ietf-quic-v2-00 . . . . . . . . . . . . . . . 15
B.4. since draft-duke-quic-v2-01 . . . . . . . . . . . . . . . 15 B.4. since draft-duke-quic-v2-02 . . . . . . . . . . . . . . . 15
B.5. since draft-duke-quic-v2-00 . . . . . . . . . . . . . . . 15 B.5. since draft-duke-quic-v2-01 . . . . . . . . . . . . . . . 15
B.6. since draft-duke-quic-v2-00 . . . . . . . . . . . . . . . 16
Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 16 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 16
1. Introduction 1. Introduction
QUIC [QUIC] has numerous extension points, including the version QUIC [QUIC] has numerous extension points, including the version
number that occupies the second through fifth octets of every long number that occupies the second through fifth bytes of every long
header (see [RFC8999]). If experimental versions are rare, and QUIC header (see [QUIC-INVARIANTS]). If experimental versions are rare,
version 1 constitutes the vast majority of QUIC traffic, there is the and QUIC version 1 constitutes the vast majority of QUIC traffic,
potential for middleboxes to ossify on the version octets always there is the potential for middleboxes to ossify on the version bytes
being 0x00000001. always being 0x00000001.
Furthermore, version 1 Initial packets are encrypted with keys In QUIC version 1, Initial packets are encrypted with the version-
derived from a universally known salt, which allow observers to specific salt as described in Section 5.2 of [QUIC-TLS]. Protecting
inspect the contents of these packets, which include the TLS Client Initial packets in this way allows observers to inspect their
Hello and Server Hello messages. Again, middleboxes may ossify on contents, which includes the TLS Client Hello or Server Hello
messages. Again, there is the potential for middleboxes to ossify on
the version 1 key derivation and packet formats. the version 1 key derivation and packet formats.
Finally [QUIC-VN] provides two mechanisms for endpoints to negotiate Finally [QUIC-VN] provides two mechanisms for endpoints to negotiate
the QUIC version to use. The "incompatible" version negotiation the QUIC version to use. The "incompatible" version negotiation
method can support switching from any initial QUIC version to any method can support switching from any initial QUIC version to any
other version with full generality, at the cost of an additional other version with full generality, at the cost of an additional
round-trip at the start of the connection. "Compatible" version round-trip at the start of the connection. "Compatible" version
negotiation eliminates the round-trip penalty but levies some negotiation eliminates the round-trip penalty but levies some
restrictions on how much the two versions can differ semantically. restrictions on how much the two versions can differ semantically.
QUIC version 2 is meant to mitigate ossification concerns and QUIC version 2 is meant to mitigate ossification concerns and
exercise the version negotiation mechanisms. The only change is a exercise the version negotiation mechanisms. The only change is a
tweak to the inputs of some crypto derivation functions to enforce tweak to the inputs of some crypto derivation functions to enforce
full key separation. Any endpoint that supports two versions needs full key separation. Any endpoint that supports two versions needs
to implement version negotiation to protect against downgrade to implement version negotiation to protect against downgrade
attacks. attacks.
[I-D.duke-quic-version-aliasing] is a more robust, but much more
complicated, proposal to address these ossification problems. By
design, it requires incompatible version negotiation. QUICv2 enables
exercise of compatible version negotiation mechanism.
2. Conventions 2. Conventions
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC 2119 [RFC2119]. document are to be interpreted as described in RFC 2119 [RFC2119].
3. Changes from QUIC Version 1 3. Differences with QUIC Version 1
QUIC version 2 endpoints MUST implement the QUIC version 1 QUIC version 2 endpoints MUST implement the QUIC version 1
specification as described in [QUIC], [QUIC-TLS], and [RFC9002], with specification as described in [QUIC], [QUIC-TLS], and [RFC9002].
the following changes. However, the following differences apply in version 2.
3.1. Version Field 3.1. Version Field
The version field of long headers is 0x709a50c4. The Version field of long headers is 0x709a50c4.
3.2. Long Header Packet Types 3.2. Long Header Packet Types
Initial packets use a packet type field of 0b01. 0-RTT packets use a All version 2 long header packet types are different. The Type field
packet type field of 0b10. Handshake packets use a packet type field values are:
of 0b11. Retry packets use a packet type field of 0b00.
* Initial: 0b01
* 0-RTT: 0b10
* Handshake: 0b11
* Retry: 0b00
3.3. Cryptography changes 3.3. Cryptography changes
3.3.1. Initial Salt 3.3.1. Initial Salt
The salt used to derive Initial keys in Section 5.2 of [QUIC-TLS] The salt used to derive Initial keys in Section 5.2 of [QUIC-TLS]
changes to: changes to:
initial_salt = 0xa707c203a59b47184a1d62ca570406ea7ae3e5d3 initial_salt = 0xa707c203a59b47184a1d62ca570406ea7ae3e5d3
skipping to change at page 6, line 43 skipping to change at page 6, line 43
The client MUST NOT send 0-RTT packets using the negotiated version, The client MUST NOT send 0-RTT packets using the negotiated version,
even after processing a packet of that version from the server. even after processing a packet of that version from the server.
Servers can apply original version 0-RTT packets to a connection Servers can apply original version 0-RTT packets to a connection
without additional considerations. without additional considerations.
5. TLS Resumption and NEW_TOKEN Tokens 5. TLS Resumption and NEW_TOKEN Tokens
TLS session tickets and NEW_TOKEN tokens are specific to the QUIC TLS session tickets and NEW_TOKEN tokens are specific to the QUIC
version of the connection that provided them. Clients SHOULD NOT use version of the connection that provided them. Clients SHOULD NOT use
a session ticket or token from a QUICv1 connection to initiate a a session ticket or token from a QUIC version 1 connection to
QUICv2 connection, or vice versa. initiate a QUIC version 2 connection, or vice versa.
Servers MUST validate the originating version of any session ticket Servers MUST validate the originating version of any session ticket
or token and not accept one issued from a different version. A or token and not accept one issued from a different version. A
rejected ticket results in falling back to a full TLS handshake, rejected ticket results in falling back to a full TLS handshake,
without 0-RTT. A rejected token results in the client address without 0-RTT. A rejected token results in the client address
remaining unverified, which limits the amount of data the server can remaining unverified, which limits the amount of data the server can
send. send.
After compatible version negotiation, any resulting session ticket After compatible version negotiation, any resulting session ticket
maps to the negotiated version rather than original one. maps to the negotiated version rather than original one.
6. Ossification Considerations 6. Ossification Considerations
QUIC version 2 provides protection against some forms of QUIC version 2 provides protection against some forms of
ossification. Devices that assume that all long headers will contain ossification. Devices that assume that all long headers will encode
encode version 1, or that the version 1 Initial key derivation version 1, or that the version 1 Initial key derivation formula will
formula will remain version-invariant, will not correctly process remain version-invariant, will not correctly process version 2
version 2 packets. packets.
However, many middleboxes such as firewalls focus on the first packet However, many middleboxes such as firewalls focus on the first packet
in a connection, which will often remain in the version 1 format due in a connection, which will often remain in the version 1 format due
to the considerations above. to the considerations above.
Clients interested in combating firewall ossification can initiate a Clients interested in combating firewall ossification can initiate a
connection using version 2 if they are either reasonably certain the connection using version 2 if they are either reasonably certain the
server supports it, or are willing to suffer a round-trip penalty if server supports it, or are willing to suffer a round-trip penalty if
they are incorrect. they are incorrect.
7. Applicability 7. Applicability
This version of QUIC provides no change from QUIC version 1 relating This version of QUIC provides no change from QUIC version 1 relating
to the capabilities available to applications. Therefore, all to the capabilities available to applications. Therefore, all
Application Layer Protocol Negotiation (ALPN) ([RFC7301]) codepoints Application Layer Protocol Negotiation (ALPN) ([RFC7301]) codepoints
specified to operate over QUICv1 can also operate over this version specified to operate over QUIC version 1 can also operate over this
of QUIC. In particular, both the "h3" [I-D.ietf-quic-http] and "doq" version of QUIC. In particular, both the "h3" [I-D.ietf-quic-http]
[I-D.ietf-dprive-dnsoquic] ALPNs can operate over QUICv2. and "doq" [I-D.ietf-dprive-dnsoquic] ALPNs can operate over QUIC
version 2.
All QUIC extensions defined to work with version 1 also work with All QUIC extensions defined to work with version 1 also work with
version 2. version 2.
8. Security Considerations 8. Security Considerations
QUIC version 2 introduces no changes to the security or privacy QUIC version 2 introduces no changes to the security or privacy
properties of QUIC version 1. properties of QUIC version 1.
The mandatory version negotiation mechanism guards against downgrade The mandatory version negotiation mechanism guards against downgrade
skipping to change at page 8, line 37 skipping to change at page 8, line 37
draft-ietf-quic-version-negotiation-07, 5 April 2022, draft-ietf-quic-version-negotiation-07, 5 April 2022,
<https://datatracker.ietf.org/doc/html/draft-ietf-quic- <https://datatracker.ietf.org/doc/html/draft-ietf-quic-
version-negotiation-07>. version-negotiation-07>.
[RFC9002] Iyengar, J., Ed. and I. Swett, Ed., "QUIC Loss Detection [RFC9002] Iyengar, J., Ed. and I. Swett, Ed., "QUIC Loss Detection
and Congestion Control", RFC 9002, DOI 10.17487/RFC9002, and Congestion Control", RFC 9002, DOI 10.17487/RFC9002,
May 2021, <https://www.rfc-editor.org/rfc/rfc9002>. May 2021, <https://www.rfc-editor.org/rfc/rfc9002>.
10.2. Informative References 10.2. Informative References
[I-D.duke-quic-version-aliasing]
Duke, M., "QUIC Version Aliasing", Work in Progress,
Internet-Draft, draft-duke-quic-version-aliasing-07, 25
October 2021, <https://datatracker.ietf.org/doc/html/
draft-duke-quic-version-aliasing-07>.
[I-D.ietf-dprive-dnsoquic] [I-D.ietf-dprive-dnsoquic]
Huitema, C., Dickinson, S., and A. Mankin, "DNS over Huitema, C., Dickinson, S., and A. Mankin, "DNS over
Dedicated QUIC Connections", Work in Progress, Internet- Dedicated QUIC Connections", Work in Progress, Internet-
Draft, draft-ietf-dprive-dnsoquic-12, 20 April 2022, Draft, draft-ietf-dprive-dnsoquic-12, 20 April 2022,
<https://datatracker.ietf.org/doc/html/draft-ietf-dprive- <https://datatracker.ietf.org/doc/html/draft-ietf-dprive-
dnsoquic-12>. dnsoquic-12>.
[I-D.ietf-quic-http] [I-D.ietf-quic-http]
Bishop, M., "Hypertext Transfer Protocol Version 3 Bishop, M., "Hypertext Transfer Protocol Version 3
(HTTP/3)", Work in Progress, Internet-Draft, draft-ietf- (HTTP/3)", Work in Progress, Internet-Draft, draft-ietf-
quic-http-34, 2 February 2021, quic-http-34, 2 February 2021,
<https://datatracker.ietf.org/doc/html/draft-ietf-quic- <https://datatracker.ietf.org/doc/html/draft-ietf-quic-
http-34>. http-34>.
[QUIC-INVARIANTS]
Thomson, M., "Version-Independent Properties of QUIC",
RFC 8999, DOI 10.17487/RFC8999, May 2021,
<https://www.rfc-editor.org/rfc/rfc8999>.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997, DOI 10.17487/RFC2119, March 1997,
<https://www.rfc-editor.org/rfc/rfc2119>. <https://www.rfc-editor.org/rfc/rfc2119>.
[RFC7301] Friedl, S., Popov, A., Langley, A., and E. Stephan, [RFC7301] Friedl, S., Popov, A., Langley, A., and E. Stephan,
"Transport Layer Security (TLS) Application-Layer Protocol "Transport Layer Security (TLS) Application-Layer Protocol
Negotiation Extension", RFC 7301, DOI 10.17487/RFC7301, Negotiation Extension", RFC 7301, DOI 10.17487/RFC7301,
July 2014, <https://www.rfc-editor.org/rfc/rfc7301>. July 2014, <https://www.rfc-editor.org/rfc/rfc7301>.
[RFC7838] Nottingham, M., McManus, P., and J. Reschke, "HTTP [RFC7838] Nottingham, M., McManus, P., and J. Reschke, "HTTP
Alternative Services", RFC 7838, DOI 10.17487/RFC7838, Alternative Services", RFC 7838, DOI 10.17487/RFC7838,
April 2016, <https://www.rfc-editor.org/rfc/rfc7838>. April 2016, <https://www.rfc-editor.org/rfc/rfc7838>.
[RFC8999] Thomson, M., "Version-Independent Properties of QUIC",
RFC 8999, DOI 10.17487/RFC8999, May 2021,
<https://www.rfc-editor.org/rfc/rfc8999>.
Appendix A. Sample Packet Protection Appendix A. Sample Packet Protection
This section shows examples of packet protection so that This section shows examples of packet protection so that
implementations can be verified incrementally. Samples of Initial implementations can be verified incrementally. Samples of Initial
packets from both client and server plus a Retry packet are defined. packets from both client and server plus a Retry packet are defined.
These packets use an 8-byte client-chosen Destination Connection ID These packets use an 8-byte client-chosen Destination Connection ID
of 0x8394c8f03e515708. Some intermediate values are included. All of 0x8394c8f03e515708. Some intermediate values are included. All
values are shown in hexadecimal. values are shown in hexadecimal.
A.1. Keys A.1. Keys
skipping to change at page 15, line 10 skipping to change at page 15, line 10
The protected packet is the smallest possible packet size of 21 The protected packet is the smallest possible packet size of 21
bytes. bytes.
packet = 5558b1c60ae7b6b932bc27d786f4bc2bb20f2162ba packet = 5558b1c60ae7b6b932bc27d786f4bc2bb20f2162ba
Appendix B. Changelog Appendix B. Changelog
*RFC Editor's Note:* Please remove this section prior to *RFC Editor's Note:* Please remove this section prior to
publication of a final version of this document. publication of a final version of this document.
B.1. since draft-ietf-quic-v2-01 B.1. since draft-ietf-quic-v2-02
* Editorial comments from Lucas Pardue
B.2. since draft-ietf-quic-v2-01
* Ban use of NEW_TOKEN tokens across versions * Ban use of NEW_TOKEN tokens across versions
* version-info transport parameter required for all v2 endpoints * version-info transport parameter required for all v2 endpoints
* Explicitly list known ALPN compatibility * Explicitly list known ALPN compatibility
B.2. since draft-ietf-quic-v2-00 B.3. since draft-ietf-quic-v2-00
* Expanded requirements for compatible version negotiation * Expanded requirements for compatible version negotiation
* Added test vectors * Added test vectors
* Greased the packet type codepoints * Greased the packet type codepoints
* Random version number * Random version number
* Clarified requirement to use QUIC-VN * Clarified requirement to use QUIC-VN
* Banned use of resumption tokens across versions * Banned use of resumption tokens across versions
B.3. since draft-duke-quic-v2-02 B.4. since draft-duke-quic-v2-02
* Converted to adopted draft * Converted to adopted draft
* Deleted references to QUIC improvements * Deleted references to QUIC improvements
* Clarified status of QUIC extensions * Clarified status of QUIC extensions
B.4. since draft-duke-quic-v2-01 B.5. since draft-duke-quic-v2-01
* Made the final version number TBD. * Made the final version number TBD.
* Added ALPN considerations * Added ALPN considerations
B.5. since draft-duke-quic-v2-00 B.6. since draft-duke-quic-v2-00
* Added provisional versions for interop * Added provisional versions for interop
* Change the v1 Retry Tag secret * Change the v1 Retry Tag secret
* Change labels to create full key separation * Change labels to create full key separation
Author's Address Author's Address
Martin Duke Martin Duke
 End of changes. 24 change blocks. 
56 lines changed or deleted 60 lines changed or added

This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/