--- 1/draft-ietf-quic-v2-02.txt 2022-05-12 13:13:15.040965599 -0700 +++ 2/draft-ietf-quic-v2-03.txt 2022-05-12 13:13:15.076966518 -0700 @@ -1,18 +1,18 @@ QUIC M. Duke Internet-Draft Google LLC -Intended status: Standards Track 28 April 2022 -Expires: 30 October 2022 +Intended status: Standards Track 12 May 2022 +Expires: 13 November 2022 QUIC Version 2 - draft-ietf-quic-v2-02 + draft-ietf-quic-v2-03 Abstract This document specifies QUIC version 2, which is identical to QUIC version 1 except for some trivial details. Its purpose is to combat various ossification vectors and exercise the version negotiation framework. It also serves as a template for the minimum changes in any future version of QUIC. Note that "version 2" is an informal name for this proposal that @@ -48,127 +48,131 @@ Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at https://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." - This Internet-Draft will expire on 30 October 2022. + This Internet-Draft will expire on 13 November 2022. Copyright Notice Copyright (c) 2022 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/ license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License. Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 2. Conventions . . . . . . . . . . . . . . . . . . . . . . . . . 4 - 3. Changes from QUIC Version 1 . . . . . . . . . . . . . . . . . 4 + 3. Differences with QUIC Version 1 . . . . . . . . . . . . . . . 4 3.1. Version Field . . . . . . . . . . . . . . . . . . . . . . 4 3.2. Long Header Packet Types . . . . . . . . . . . . . . . . 4 3.3. Cryptography changes . . . . . . . . . . . . . . . . . . 4 3.3.1. Initial Salt . . . . . . . . . . . . . . . . . . . . 4 3.3.2. HKDF Labels . . . . . . . . . . . . . . . . . . . . . 4 - 3.3.3. Retry Integrity Tag . . . . . . . . . . . . . . . . . 4 + 3.3.3. Retry Integrity Tag . . . . . . . . . . . . . . . . . 5 4. Version Negotiation Considerations . . . . . . . . . . . . . 5 4.1. Compatible Negotiation Requirements . . . . . . . . . . . 5 5. TLS Resumption and NEW_TOKEN Tokens . . . . . . . . . . . . . 6 6. Ossification Considerations . . . . . . . . . . . . . . . . . 7 7. Applicability . . . . . . . . . . . . . . . . . . . . . . . . 7 8. Security Considerations . . . . . . . . . . . . . . . . . . . 7 9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 7 10. References . . . . . . . . . . . . . . . . . . . . . . . . . 8 10.1. Normative References . . . . . . . . . . . . . . . . . . 8 10.2. Informative References . . . . . . . . . . . . . . . . . 8 Appendix A. Sample Packet Protection . . . . . . . . . . . . . . 9 A.1. Keys . . . . . . . . . . . . . . . . . . . . . . . . . . 9 A.2. Client Initial . . . . . . . . . . . . . . . . . . . . . 10 A.3. Server Initial . . . . . . . . . . . . . . . . . . . . . 12 A.4. Retry . . . . . . . . . . . . . . . . . . . . . . . . . . 13 A.5. ChaCha20-Poly1305 Short Header Packet . . . . . . . . . . 13 Appendix B. Changelog . . . . . . . . . . . . . . . . . . . . . 15 - B.1. since draft-ietf-quic-v2-01 . . . . . . . . . . . . . . . 15 - B.2. since draft-ietf-quic-v2-00 . . . . . . . . . . . . . . . 15 - B.3. since draft-duke-quic-v2-02 . . . . . . . . . . . . . . . 15 - B.4. since draft-duke-quic-v2-01 . . . . . . . . . . . . . . . 15 - B.5. since draft-duke-quic-v2-00 . . . . . . . . . . . . . . . 15 + B.1. since draft-ietf-quic-v2-02 . . . . . . . . . . . . . . . 15 + B.2. since draft-ietf-quic-v2-01 . . . . . . . . . . . . . . . 15 + B.3. since draft-ietf-quic-v2-00 . . . . . . . . . . . . . . . 15 + B.4. since draft-duke-quic-v2-02 . . . . . . . . . . . . . . . 15 + B.5. since draft-duke-quic-v2-01 . . . . . . . . . . . . . . . 15 + B.6. since draft-duke-quic-v2-00 . . . . . . . . . . . . . . . 16 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 16 1. Introduction QUIC [QUIC] has numerous extension points, including the version - number that occupies the second through fifth octets of every long - header (see [RFC8999]). If experimental versions are rare, and QUIC - version 1 constitutes the vast majority of QUIC traffic, there is the - potential for middleboxes to ossify on the version octets always - being 0x00000001. + number that occupies the second through fifth bytes of every long + header (see [QUIC-INVARIANTS]). If experimental versions are rare, + and QUIC version 1 constitutes the vast majority of QUIC traffic, + there is the potential for middleboxes to ossify on the version bytes + always being 0x00000001. - Furthermore, version 1 Initial packets are encrypted with keys - derived from a universally known salt, which allow observers to - inspect the contents of these packets, which include the TLS Client - Hello and Server Hello messages. Again, middleboxes may ossify on + In QUIC version 1, Initial packets are encrypted with the version- + specific salt as described in Section 5.2 of [QUIC-TLS]. Protecting + Initial packets in this way allows observers to inspect their + contents, which includes the TLS Client Hello or Server Hello + messages. Again, there is the potential for middleboxes to ossify on the version 1 key derivation and packet formats. Finally [QUIC-VN] provides two mechanisms for endpoints to negotiate the QUIC version to use. The "incompatible" version negotiation method can support switching from any initial QUIC version to any other version with full generality, at the cost of an additional round-trip at the start of the connection. "Compatible" version negotiation eliminates the round-trip penalty but levies some restrictions on how much the two versions can differ semantically. QUIC version 2 is meant to mitigate ossification concerns and exercise the version negotiation mechanisms. The only change is a tweak to the inputs of some crypto derivation functions to enforce full key separation. Any endpoint that supports two versions needs to implement version negotiation to protect against downgrade attacks. - [I-D.duke-quic-version-aliasing] is a more robust, but much more - complicated, proposal to address these ossification problems. By - design, it requires incompatible version negotiation. QUICv2 enables - exercise of compatible version negotiation mechanism. - 2. Conventions The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119 [RFC2119]. -3. Changes from QUIC Version 1 +3. Differences with QUIC Version 1 QUIC version 2 endpoints MUST implement the QUIC version 1 - specification as described in [QUIC], [QUIC-TLS], and [RFC9002], with - the following changes. + specification as described in [QUIC], [QUIC-TLS], and [RFC9002]. + However, the following differences apply in version 2. 3.1. Version Field - The version field of long headers is 0x709a50c4. + The Version field of long headers is 0x709a50c4. 3.2. Long Header Packet Types - Initial packets use a packet type field of 0b01. 0-RTT packets use a - packet type field of 0b10. Handshake packets use a packet type field - of 0b11. Retry packets use a packet type field of 0b00. + All version 2 long header packet types are different. The Type field + values are: + + * Initial: 0b01 + + * 0-RTT: 0b10 + + * Handshake: 0b11 + + * Retry: 0b00 3.3. Cryptography changes 3.3.1. Initial Salt The salt used to derive Initial keys in Section 5.2 of [QUIC-TLS] changes to: initial_salt = 0xa707c203a59b47184a1d62ca570406ea7ae3e5d3 @@ -260,58 +264,59 @@ The client MUST NOT send 0-RTT packets using the negotiated version, even after processing a packet of that version from the server. Servers can apply original version 0-RTT packets to a connection without additional considerations. 5. TLS Resumption and NEW_TOKEN Tokens TLS session tickets and NEW_TOKEN tokens are specific to the QUIC version of the connection that provided them. Clients SHOULD NOT use - a session ticket or token from a QUICv1 connection to initiate a - QUICv2 connection, or vice versa. + a session ticket or token from a QUIC version 1 connection to + initiate a QUIC version 2 connection, or vice versa. Servers MUST validate the originating version of any session ticket or token and not accept one issued from a different version. A rejected ticket results in falling back to a full TLS handshake, without 0-RTT. A rejected token results in the client address remaining unverified, which limits the amount of data the server can send. After compatible version negotiation, any resulting session ticket maps to the negotiated version rather than original one. 6. Ossification Considerations QUIC version 2 provides protection against some forms of - ossification. Devices that assume that all long headers will contain - encode version 1, or that the version 1 Initial key derivation - formula will remain version-invariant, will not correctly process - version 2 packets. + ossification. Devices that assume that all long headers will encode + version 1, or that the version 1 Initial key derivation formula will + remain version-invariant, will not correctly process version 2 + packets. However, many middleboxes such as firewalls focus on the first packet in a connection, which will often remain in the version 1 format due to the considerations above. Clients interested in combating firewall ossification can initiate a connection using version 2 if they are either reasonably certain the server supports it, or are willing to suffer a round-trip penalty if they are incorrect. 7. Applicability This version of QUIC provides no change from QUIC version 1 relating to the capabilities available to applications. Therefore, all Application Layer Protocol Negotiation (ALPN) ([RFC7301]) codepoints - specified to operate over QUICv1 can also operate over this version - of QUIC. In particular, both the "h3" [I-D.ietf-quic-http] and "doq" - [I-D.ietf-dprive-dnsoquic] ALPNs can operate over QUICv2. + specified to operate over QUIC version 1 can also operate over this + version of QUIC. In particular, both the "h3" [I-D.ietf-quic-http] + and "doq" [I-D.ietf-dprive-dnsoquic] ALPNs can operate over QUIC + version 2. All QUIC extensions defined to work with version 1 also work with version 2. 8. Security Considerations QUIC version 2 introduces no changes to the security or privacy properties of QUIC version 1. The mandatory version negotiation mechanism guards against downgrade @@ -350,58 +355,53 @@ draft-ietf-quic-version-negotiation-07, 5 April 2022, . [RFC9002] Iyengar, J., Ed. and I. Swett, Ed., "QUIC Loss Detection and Congestion Control", RFC 9002, DOI 10.17487/RFC9002, May 2021, . 10.2. Informative References - [I-D.duke-quic-version-aliasing] - Duke, M., "QUIC Version Aliasing", Work in Progress, - Internet-Draft, draft-duke-quic-version-aliasing-07, 25 - October 2021, . - [I-D.ietf-dprive-dnsoquic] Huitema, C., Dickinson, S., and A. Mankin, "DNS over Dedicated QUIC Connections", Work in Progress, Internet- Draft, draft-ietf-dprive-dnsoquic-12, 20 April 2022, . [I-D.ietf-quic-http] Bishop, M., "Hypertext Transfer Protocol Version 3 (HTTP/3)", Work in Progress, Internet-Draft, draft-ietf- quic-http-34, 2 February 2021, . + [QUIC-INVARIANTS] + Thomson, M., "Version-Independent Properties of QUIC", + RFC 8999, DOI 10.17487/RFC8999, May 2021, + . + [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997, . [RFC7301] Friedl, S., Popov, A., Langley, A., and E. Stephan, "Transport Layer Security (TLS) Application-Layer Protocol Negotiation Extension", RFC 7301, DOI 10.17487/RFC7301, July 2014, . [RFC7838] Nottingham, M., McManus, P., and J. Reschke, "HTTP Alternative Services", RFC 7838, DOI 10.17487/RFC7838, April 2016, . - [RFC8999] Thomson, M., "Version-Independent Properties of QUIC", - RFC 8999, DOI 10.17487/RFC8999, May 2021, - . - Appendix A. Sample Packet Protection This section shows examples of packet protection so that implementations can be verified incrementally. Samples of Initial packets from both client and server plus a Retry packet are defined. These packets use an 8-byte client-chosen Destination Connection ID of 0x8394c8f03e515708. Some intermediate values are included. All values are shown in hexadecimal. A.1. Keys @@ -627,57 +628,61 @@ The protected packet is the smallest possible packet size of 21 bytes. packet = 5558b1c60ae7b6b932bc27d786f4bc2bb20f2162ba Appendix B. Changelog *RFC Editor's Note:* Please remove this section prior to publication of a final version of this document. -B.1. since draft-ietf-quic-v2-01 +B.1. since draft-ietf-quic-v2-02 + + * Editorial comments from Lucas Pardue + +B.2. since draft-ietf-quic-v2-01 * Ban use of NEW_TOKEN tokens across versions * version-info transport parameter required for all v2 endpoints * Explicitly list known ALPN compatibility -B.2. since draft-ietf-quic-v2-00 +B.3. since draft-ietf-quic-v2-00 * Expanded requirements for compatible version negotiation * Added test vectors * Greased the packet type codepoints * Random version number * Clarified requirement to use QUIC-VN * Banned use of resumption tokens across versions -B.3. since draft-duke-quic-v2-02 +B.4. since draft-duke-quic-v2-02 * Converted to adopted draft * Deleted references to QUIC improvements * Clarified status of QUIC extensions -B.4. since draft-duke-quic-v2-01 +B.5. since draft-duke-quic-v2-01 * Made the final version number TBD. * Added ALPN considerations -B.5. since draft-duke-quic-v2-00 +B.6. since draft-duke-quic-v2-00 * Added provisional versions for interop * Change the v1 Retry Tag secret * Change labels to create full key separation Author's Address Martin Duke