draft-ietf-quic-v2-03.txt   draft-ietf-quic-v2-04.txt 
QUIC M. Duke QUIC M. Duke
Internet-Draft Google LLC Internet-Draft Google LLC
Intended status: Standards Track 12 May 2022 Intended status: Standards Track 1 June 2022
Expires: 13 November 2022 Expires: 3 December 2022
QUIC Version 2 QUIC Version 2
draft-ietf-quic-v2-03 draft-ietf-quic-v2-04
Abstract Abstract
This document specifies QUIC version 2, which is identical to QUIC This document specifies QUIC version 2, which is identical to QUIC
version 1 except for some trivial details. Its purpose is to combat version 1 except for some trivial details. Its purpose is to combat
various ossification vectors and exercise the version negotiation various ossification vectors and exercise the version negotiation
framework. It also serves as a template for the minimum changes in framework. It also serves as a template for the minimum changes in
any future version of QUIC. any future version of QUIC.
Note that "version 2" is an informal name for this proposal that Note that "version 2" is an informal name for this proposal that
indicates it is the second standards-track QUIC version. The indicates it is the second standards-track QUIC version. The
protocol specified here will receive a version number other than 2 protocol specified here uses a version number other than 2 in the
from IANA. wire image.
Discussion of this work is encouraged to happen on the QUIC IETF
mailing list quic@ietf.org or on the GitHub repository which contains
the draft: https://github.com/quicwg/quic-v2.
About This Document About This Document
This note is to be removed before publishing as an RFC. This note is to be removed before publishing as an RFC.
The latest revision of this draft can be found at https://quicwg.org/ The latest revision of this draft can be found at https://quicwg.org/
quic-v2/draft-ietf-quic-v2.html. Status information for this quic-v2/draft-ietf-quic-v2.html. Status information for this
document may be found at https://datatracker.ietf.org/doc/draft-ietf- document may be found at https://datatracker.ietf.org/doc/draft-ietf-
quic-v2/. quic-v2/.
skipping to change at page 2, line 15 skipping to change at page 2, line 10
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/. Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on 13 November 2022. This Internet-Draft will expire on 3 December 2022.
Copyright Notice Copyright Notice
Copyright (c) 2022 IETF Trust and the persons identified as the Copyright (c) 2022 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents (https://trustee.ietf.org/ Provisions Relating to IETF Documents (https://trustee.ietf.org/
license-info) in effect on the date of publication of this document. license-info) in effect on the date of publication of this document.
Please review these documents carefully, as they describe your rights Please review these documents carefully, as they describe your rights
and restrictions with respect to this document. Code Components and restrictions with respect to this document. Code Components
extracted from this document must include Revised BSD License text as extracted from this document must include Revised BSD License text as
described in Section 4.e of the Trust Legal Provisions and are described in Section 4.e of the Trust Legal Provisions and are
provided without warranty as described in the Revised BSD License. provided without warranty as described in the Revised BSD License.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3
2. Conventions . . . . . . . . . . . . . . . . . . . . . . . . . 4 2. Conventions . . . . . . . . . . . . . . . . . . . . . . . . . 3
3. Differences with QUIC Version 1 . . . . . . . . . . . . . . . 4 3. Differences with QUIC Version 1 . . . . . . . . . . . . . . . 4
3.1. Version Field . . . . . . . . . . . . . . . . . . . . . . 4 3.1. Version Field . . . . . . . . . . . . . . . . . . . . . . 4
3.2. Long Header Packet Types . . . . . . . . . . . . . . . . 4 3.2. Long Header Packet Types . . . . . . . . . . . . . . . . 4
3.3. Cryptography changes . . . . . . . . . . . . . . . . . . 4 3.3. Cryptography changes . . . . . . . . . . . . . . . . . . 4
3.3.1. Initial Salt . . . . . . . . . . . . . . . . . . . . 4 3.3.1. Initial Salt . . . . . . . . . . . . . . . . . . . . 4
3.3.2. HKDF Labels . . . . . . . . . . . . . . . . . . . . . 4 3.3.2. HKDF Labels . . . . . . . . . . . . . . . . . . . . . 4
3.3.3. Retry Integrity Tag . . . . . . . . . . . . . . . . . 5 3.3.3. Retry Integrity Tag . . . . . . . . . . . . . . . . . 5
4. Version Negotiation Considerations . . . . . . . . . . . . . 5 4. Version Negotiation Considerations . . . . . . . . . . . . . 5
4.1. Compatible Negotiation Requirements . . . . . . . . . . . 5 4.1. Compatible Negotiation Requirements . . . . . . . . . . . 5
5. TLS Resumption and NEW_TOKEN Tokens . . . . . . . . . . . . . 6 5. TLS Resumption and NEW_TOKEN Tokens . . . . . . . . . . . . . 6
skipping to change at page 3, line 9 skipping to change at page 3, line 4
9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 7 9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 7
10. References . . . . . . . . . . . . . . . . . . . . . . . . . 8 10. References . . . . . . . . . . . . . . . . . . . . . . . . . 8
10.1. Normative References . . . . . . . . . . . . . . . . . . 8 10.1. Normative References . . . . . . . . . . . . . . . . . . 8
10.2. Informative References . . . . . . . . . . . . . . . . . 8 10.2. Informative References . . . . . . . . . . . . . . . . . 8
Appendix A. Sample Packet Protection . . . . . . . . . . . . . . 9 Appendix A. Sample Packet Protection . . . . . . . . . . . . . . 9
A.1. Keys . . . . . . . . . . . . . . . . . . . . . . . . . . 9 A.1. Keys . . . . . . . . . . . . . . . . . . . . . . . . . . 9
A.2. Client Initial . . . . . . . . . . . . . . . . . . . . . 10 A.2. Client Initial . . . . . . . . . . . . . . . . . . . . . 10
A.3. Server Initial . . . . . . . . . . . . . . . . . . . . . 12 A.3. Server Initial . . . . . . . . . . . . . . . . . . . . . 12
A.4. Retry . . . . . . . . . . . . . . . . . . . . . . . . . . 13 A.4. Retry . . . . . . . . . . . . . . . . . . . . . . . . . . 13
A.5. ChaCha20-Poly1305 Short Header Packet . . . . . . . . . . 13 A.5. ChaCha20-Poly1305 Short Header Packet . . . . . . . . . . 13
Appendix B. Changelog . . . . . . . . . . . . . . . . . . . . . 15
B.1. since draft-ietf-quic-v2-02 . . . . . . . . . . . . . . . 15 Appendix B. Acknowledgments . . . . . . . . . . . . . . . . . . 15
B.2. since draft-ietf-quic-v2-01 . . . . . . . . . . . . . . . 15 Appendix C. Changelog . . . . . . . . . . . . . . . . . . . . . 15
B.3. since draft-ietf-quic-v2-00 . . . . . . . . . . . . . . . 15 C.1. since draft-ietf-quic-v2-03 . . . . . . . . . . . . . . . 15
B.4. since draft-duke-quic-v2-02 . . . . . . . . . . . . . . . 15 C.2. since draft-ietf-quic-v2-02 . . . . . . . . . . . . . . . 15
B.5. since draft-duke-quic-v2-01 . . . . . . . . . . . . . . . 15 C.3. since draft-ietf-quic-v2-01 . . . . . . . . . . . . . . . 15
B.6. since draft-duke-quic-v2-00 . . . . . . . . . . . . . . . 16 C.4. since draft-ietf-quic-v2-00 . . . . . . . . . . . . . . . 15
C.5. since draft-duke-quic-v2-02 . . . . . . . . . . . . . . . 15
C.6. since draft-duke-quic-v2-01 . . . . . . . . . . . . . . . 16
C.7. since draft-duke-quic-v2-00 . . . . . . . . . . . . . . . 16
Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 16 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 16
1. Introduction 1. Introduction
QUIC [QUIC] has numerous extension points, including the version QUIC [QUIC] has numerous extension points, including the version
number that occupies the second through fifth bytes of every long number that occupies the second through fifth bytes of every long
header (see [QUIC-INVARIANTS]). If experimental versions are rare, header (see [QUIC-INVARIANTS]). If experimental versions are rare,
and QUIC version 1 constitutes the vast majority of QUIC traffic, and QUIC version 1 constitutes the vast majority of QUIC traffic,
there is the potential for middleboxes to ossify on the version bytes there is the potential for middleboxes to ossify on the version bytes
always being 0x00000001. always being 0x00000001.
In QUIC version 1, Initial packets are encrypted with the version- In QUIC version 1, Initial packets are encrypted with the version-
specific salt as described in Section 5.2 of [QUIC-TLS]. Protecting specific salt as described in Section 5.2 of [QUIC-TLS]. Protecting
Initial packets in this way allows observers to inspect their Initial packets in this way allows observers to inspect their
contents, which includes the TLS Client Hello or Server Hello contents, which includes the TLS Client Hello or Server Hello
messages. Again, there is the potential for middleboxes to ossify on messages. Again, there is the potential for middleboxes to ossify on
the version 1 key derivation and packet formats. the version 1 key derivation and packet formats.
Finally [QUIC-VN] provides two mechanisms for endpoints to negotiate Finally [QUIC-VN] provides two mechanisms for endpoints to negotiate
the QUIC version to use. The "incompatible" version negotiation the QUIC version to use. The "incompatible" version negotiation
method can support switching from any initial QUIC version to any method can support switching from any QUIC version to any other
other version with full generality, at the cost of an additional version with full generality, at the cost of an additional round-trip
round-trip at the start of the connection. "Compatible" version at the start of the connection. "Compatible" version negotiation
negotiation eliminates the round-trip penalty but levies some eliminates the round-trip penalty but levies some restrictions on how
restrictions on how much the two versions can differ semantically. much the two versions can differ semantically.
QUIC version 2 is meant to mitigate ossification concerns and QUIC version 2 is meant to mitigate ossification concerns and
exercise the version negotiation mechanisms. The only change is a exercise the version negotiation mechanisms. The only change is a
tweak to the inputs of some crypto derivation functions to enforce tweak to key derivation inputs to enforce full key separation. Any
full key separation. Any endpoint that supports two versions needs endpoint that supports two versions needs to implement version
to implement version negotiation to protect against downgrade negotiation to protect against downgrade attacks.
attacks.
2. Conventions 2. Conventions
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
document are to be interpreted as described in RFC 2119 [RFC2119]. "OPTIONAL" in this document are to be interpreted as described in
BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all
capitals, as shown here.
3. Differences with QUIC Version 1 3. Differences with QUIC Version 1
QUIC version 2 endpoints MUST implement the QUIC version 1 QUIC version 2 endpoints MUST implement the QUIC version 1
specification as described in [QUIC], [QUIC-TLS], and [RFC9002]. specification as described in [QUIC], [QUIC-TLS], and
However, the following differences apply in version 2. [QUIC-LOSSRECOVERY]. However, the following differences apply in
version 2.
3.1. Version Field 3.1. Version Field
The Version field of long headers is 0x709a50c4. The Version field of long headers is 0x709a50c4.
*RFC Editor's Note:* Please remove the sentence below prior to
publication of a final version of this document.
This version number will not change in subsequent versions of this
draft, unless there is a behavior change that breaks compatibility.
3.2. Long Header Packet Types 3.2. Long Header Packet Types
All version 2 long header packet types are different. The Type field All version 2 long header packet types are different. The Type field
values are: values are:
* Initial: 0b01 * Initial: 0b01
* 0-RTT: 0b10 * 0-RTT: 0b10
* Handshake: 0b11 * Handshake: 0b11
skipping to change at page 5, line 19 skipping to change at page 5, line 19
secret = secret =
0x3425c20cf88779df2ff71e8abfa78249891e763bbed2f13c048343d348c060e2 0x3425c20cf88779df2ff71e8abfa78249891e763bbed2f13c048343d348c060e2
key = 0xba858dc7b43de5dbf87617ff4ab253db key = 0xba858dc7b43de5dbf87617ff4ab253db
nonce = 0x141b99c239b03e785d6a2e9f nonce = 0x141b99c239b03e785d6a2e9f
4. Version Negotiation Considerations 4. Version Negotiation Considerations
QUIC version 2 is not intended to deprecate version 1. Endpoints QUIC version 2 is not intended to deprecate version 1. Endpoints
that support version 2 might continue support for version 1 to that support version 2 might continue support for version 1 to
maximize compatibility with clients. In particular, HTTP clients maximize compatibility with other endpoints. In particular, HTTP
often use Alt-Svc [RFC7838] to discover QUIC support. As this clients often use Alt-Svc [RFC7838] to discover QUIC support. As
mechanism does not currently distinguish between QUIC versions, HTTP this mechanism does not currently distinguish between QUIC versions,
servers that support multiple versions reduce the probability of HTTP servers that support multiple versions reduce the probability of
incompatibility and the cost associated with QUIC version negotiation incompatibility and the cost associated with QUIC version negotiation
or TCP fallback. For example, an origin advertising support for "h3" or TCP fallback. For example, an origin advertising support for "h3"
in Alt-Svc SHOULD support QUIC version 1 as it was the original QUIC in Alt-Svc SHOULD support QUIC version 1 as it was the original QUIC
version used by HTTP/3 and therefore some clients will only support version used by HTTP/3 and therefore some clients will only support
that version. that version.
Any QUIC endpoint that supports QUIC version 2 MUST send, process, Any QUIC endpoint that supports QUIC version 2 MUST send, process,
and validate the version_information transport parameter specified in and validate the version_information transport parameter specified in
[QUIC-VN] to prevent version downgrade attacks. [QUIC-VN] to prevent version downgrade attacks.
skipping to change at page 6, line 10 skipping to change at page 6, line 10
MUST NOT use a different version in the subsequent Initial that MUST NOT use a different version in the subsequent Initial that
contains the Retry token. The server MAY encode the QUIC version in contains the Retry token. The server MAY encode the QUIC version in
its Retry token to validate that the client did not switch versions, its Retry token to validate that the client did not switch versions,
and drop the packet if it switched. and drop the packet if it switched.
QUIC version 2 uses the same transport parameters to authenticate the QUIC version 2 uses the same transport parameters to authenticate the
Retry as QUIC version 1. After switching to a negotiated version Retry as QUIC version 1. After switching to a negotiated version
after a Retry, the server MUST include the relevant transport after a Retry, the server MUST include the relevant transport
parameters to validate that the server sent the Retry and the parameters to validate that the server sent the Retry and the
connection IDs used in the exchange, as described in Section 7.3 of connection IDs used in the exchange, as described in Section 7.3 of
[QUIC]. Note that the version of the first Initial and the [QUIC].
subsequent Retry are not authenticated by transport parameters.
The server SHOULD start sending its Initial packets using the The server SHOULD start sending its Initial packets using the
negotiated version as soon as it decides to change. Before the negotiated version as soon as it decides to change. Before the
server is able to process transport parameters from the client, it server is able to process transport parameters from the client, it
might need to respond to Initial packets from the client. For these might need to respond to Initial packets from the client. For these
packets the server uses the original version. packets the server uses the original version.
Once the client has processed a packet using the negotiated version, Once the client has processed a packet using the negotiated version,
it SHOULD send subsequent Initial packets using that version. The it SHOULD send subsequent Initial packets using that version. The
server MUST NOT discard its original version Initial receive keys server MUST NOT discard its original version Initial receive keys
until it successfully processes a packet with the negotiated version. until it successfully processes a packet with the negotiated version.
Both endpoints MUST send Handshake or 1-RTT packets using the Both endpoints MUST send Handshake or 1-RTT packets using the
negotiated version. An endpoint MUST drop packets using any other negotiated version. An endpoint MUST drop packets using any other
version. Endpoints have no need to generate the keying material that version. Endpoints have no need to generate the keying material that
would allow them to decrypt or authenticate these packets. would allow them to decrypt or authenticate these packets.
If the server's version_information transport parameter does not
contain a Chosen Version field equivalent to the version in the
server's Handshake packet headers, the client MUST terminate the
connection with a VERSION_NEGOTIATION_ERROR.
The client MUST NOT send 0-RTT packets using the negotiated version, The client MUST NOT send 0-RTT packets using the negotiated version,
even after processing a packet of that version from the server. even after processing a packet of that version from the server.
Servers can apply original version 0-RTT packets to a connection Servers can apply original version 0-RTT packets to a connection
without additional considerations. without additional considerations.
5. TLS Resumption and NEW_TOKEN Tokens 5. TLS Resumption and NEW_TOKEN Tokens
TLS session tickets and NEW_TOKEN tokens are specific to the QUIC TLS session tickets and NEW_TOKEN tokens are specific to the QUIC
version of the connection that provided them. Clients SHOULD NOT use version of the connection that provided them. Clients SHOULD NOT use
a session ticket or token from a QUIC version 1 connection to a session ticket or token from a QUIC version 1 connection to
skipping to change at page 7, line 23 skipping to change at page 7, line 20
remain version-invariant, will not correctly process version 2 remain version-invariant, will not correctly process version 2
packets. packets.
However, many middleboxes such as firewalls focus on the first packet However, many middleboxes such as firewalls focus on the first packet
in a connection, which will often remain in the version 1 format due in a connection, which will often remain in the version 1 format due
to the considerations above. to the considerations above.
Clients interested in combating firewall ossification can initiate a Clients interested in combating firewall ossification can initiate a
connection using version 2 if they are either reasonably certain the connection using version 2 if they are either reasonably certain the
server supports it, or are willing to suffer a round-trip penalty if server supports it, or are willing to suffer a round-trip penalty if
they are incorrect. they are incorrect. In particular, a server that issues a session
ticket for version 2 indicates an intent to maintain version 2
support while the ticket remains valid, even if support cannot be
guaranteed.
7. Applicability 7. Applicability
This version of QUIC provides no change from QUIC version 1 relating This version of QUIC provides no change from QUIC version 1 relating
to the capabilities available to applications. Therefore, all to the capabilities available to applications. Therefore, all
Application Layer Protocol Negotiation (ALPN) ([RFC7301]) codepoints Application Layer Protocol Negotiation (ALPN) ([RFC7301]) codepoints
specified to operate over QUIC version 1 can also operate over this specified to operate over QUIC version 1 can also operate over this
version of QUIC. In particular, both the "h3" [I-D.ietf-quic-http] version of QUIC. In particular, both the "h3" [I-D.ietf-quic-http]
and "doq" [I-D.ietf-dprive-dnsoquic] ALPNs can operate over QUIC and "doq" [RFC9250] ALPNs can operate over QUIC version 2.
version 2.
All QUIC extensions defined to work with version 1 also work with Unless otherwise stated, all QUIC extensions defined to work with
version 2. version 1 also work with version 2.
8. Security Considerations 8. Security Considerations
QUIC version 2 introduces no changes to the security or privacy QUIC version 2 introduces no changes to the security or privacy
properties of QUIC version 1. properties of QUIC version 1.
The mandatory version negotiation mechanism guards against downgrade The mandatory version negotiation mechanism guards against downgrade
attacks, but downgrades have no security implications, as the version attacks, but downgrades have no security implications, as the version
properties are identical. properties are identical.
skipping to change at page 8, line 21 skipping to change at page 8, line 21
10. References 10. References
10.1. Normative References 10.1. Normative References
[QUIC] Iyengar, J., Ed. and M. Thomson, Ed., "QUIC: A UDP-Based [QUIC] Iyengar, J., Ed. and M. Thomson, Ed., "QUIC: A UDP-Based
Multiplexed and Secure Transport", RFC 9000, Multiplexed and Secure Transport", RFC 9000,
DOI 10.17487/RFC9000, May 2021, DOI 10.17487/RFC9000, May 2021,
<https://www.rfc-editor.org/rfc/rfc9000>. <https://www.rfc-editor.org/rfc/rfc9000>.
[QUIC-LOSSRECOVERY]
Iyengar, J., Ed. and I. Swett, Ed., "QUIC Loss Detection
and Congestion Control", RFC 9002, DOI 10.17487/RFC9002,
May 2021, <https://www.rfc-editor.org/rfc/rfc9002>.
[QUIC-TLS] Thomson, M., Ed. and S. Turner, Ed., "Using TLS to Secure [QUIC-TLS] Thomson, M., Ed. and S. Turner, Ed., "Using TLS to Secure
QUIC", RFC 9001, DOI 10.17487/RFC9001, May 2021, QUIC", RFC 9001, DOI 10.17487/RFC9001, May 2021,
<https://www.rfc-editor.org/rfc/rfc9001>. <https://www.rfc-editor.org/rfc/rfc9001>.
[QUIC-VN] Schinazi, D. and E. Rescorla, "Compatible Version [QUIC-VN] Schinazi, D. and E. Rescorla, "Compatible Version
Negotiation for QUIC", Work in Progress, Internet-Draft, Negotiation for QUIC", Work in Progress, Internet-Draft,
draft-ietf-quic-version-negotiation-07, 5 April 2022, draft-ietf-quic-version-negotiation-07, 5 April 2022,
<https://datatracker.ietf.org/doc/html/draft-ietf-quic- <https://datatracker.ietf.org/doc/html/draft-ietf-quic-
version-negotiation-07>. version-negotiation-07>.
[RFC9002] Iyengar, J., Ed. and I. Swett, Ed., "QUIC Loss Detection [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
and Congestion Control", RFC 9002, DOI 10.17487/RFC9002, Requirement Levels", BCP 14, RFC 2119,
May 2021, <https://www.rfc-editor.org/rfc/rfc9002>. DOI 10.17487/RFC2119, March 1997,
<https://www.rfc-editor.org/rfc/rfc2119>.
10.2. Informative References [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
May 2017, <https://www.rfc-editor.org/rfc/rfc8174>.
[I-D.ietf-dprive-dnsoquic] 10.2. Informative References
Huitema, C., Dickinson, S., and A. Mankin, "DNS over
Dedicated QUIC Connections", Work in Progress, Internet-
Draft, draft-ietf-dprive-dnsoquic-12, 20 April 2022,
<https://datatracker.ietf.org/doc/html/draft-ietf-dprive-
dnsoquic-12>.
[I-D.ietf-quic-http] [I-D.ietf-quic-http]
Bishop, M., "Hypertext Transfer Protocol Version 3 Bishop, M., "Hypertext Transfer Protocol Version 3
(HTTP/3)", Work in Progress, Internet-Draft, draft-ietf- (HTTP/3)", Work in Progress, Internet-Draft, draft-ietf-
quic-http-34, 2 February 2021, quic-http-34, 2 February 2021,
<https://datatracker.ietf.org/doc/html/draft-ietf-quic- <https://datatracker.ietf.org/doc/html/draft-ietf-quic-
http-34>. http-34>.
[QUIC-INVARIANTS] [QUIC-INVARIANTS]
Thomson, M., "Version-Independent Properties of QUIC", Thomson, M., "Version-Independent Properties of QUIC",
RFC 8999, DOI 10.17487/RFC8999, May 2021, RFC 8999, DOI 10.17487/RFC8999, May 2021,
<https://www.rfc-editor.org/rfc/rfc8999>. <https://www.rfc-editor.org/rfc/rfc8999>.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997,
<https://www.rfc-editor.org/rfc/rfc2119>.
[RFC7301] Friedl, S., Popov, A., Langley, A., and E. Stephan, [RFC7301] Friedl, S., Popov, A., Langley, A., and E. Stephan,
"Transport Layer Security (TLS) Application-Layer Protocol "Transport Layer Security (TLS) Application-Layer Protocol
Negotiation Extension", RFC 7301, DOI 10.17487/RFC7301, Negotiation Extension", RFC 7301, DOI 10.17487/RFC7301,
July 2014, <https://www.rfc-editor.org/rfc/rfc7301>. July 2014, <https://www.rfc-editor.org/rfc/rfc7301>.
[RFC7838] Nottingham, M., McManus, P., and J. Reschke, "HTTP [RFC7838] Nottingham, M., McManus, P., and J. Reschke, "HTTP
Alternative Services", RFC 7838, DOI 10.17487/RFC7838, Alternative Services", RFC 7838, DOI 10.17487/RFC7838,
April 2016, <https://www.rfc-editor.org/rfc/rfc7838>. April 2016, <https://www.rfc-editor.org/rfc/rfc7838>.
[RFC9250] Huitema, C., Dickinson, S., and A. Mankin, "DNS over
Dedicated QUIC Connections", RFC 9250,
DOI 10.17487/RFC9250, May 2022,
<https://www.rfc-editor.org/rfc/rfc9250>.
Appendix A. Sample Packet Protection Appendix A. Sample Packet Protection
This section shows examples of packet protection so that This section shows examples of packet protection so that
implementations can be verified incrementally. Samples of Initial implementations can be verified incrementally. Samples of Initial
packets from both client and server plus a Retry packet are defined. packets from both client and server plus a Retry packet are defined.
These packets use an 8-byte client-chosen Destination Connection ID These packets use an 8-byte client-chosen Destination Connection ID
of 0x8394c8f03e515708. Some intermediate values are included. All of 0x8394c8f03e515708. Some intermediate values are included. All
values are shown in hexadecimal. values are shown in hexadecimal.
A.1. Keys A.1. Keys
skipping to change at page 15, line 5 skipping to change at page 15, line 5
sample = e7b6b932bc27d786f4bc2bb20f2162ba sample = e7b6b932bc27d786f4bc2bb20f2162ba
mask = 97580e32bf mask = 97580e32bf
header = 5558b1c6 header = 5558b1c6
The protected packet is the smallest possible packet size of 21 The protected packet is the smallest possible packet size of 21
bytes. bytes.
packet = 5558b1c60ae7b6b932bc27d786f4bc2bb20f2162ba packet = 5558b1c60ae7b6b932bc27d786f4bc2bb20f2162ba
Appendix B. Changelog Appendix B. Acknowledgments
The author would like to thank Lucas Pardue, David Schinazi, and
Martin Thomson for their helpful suggestions.
Appendix C. Changelog
*RFC Editor's Note:* Please remove this section prior to *RFC Editor's Note:* Please remove this section prior to
publication of a final version of this document. publication of a final version of this document.
B.1. since draft-ietf-quic-v2-02 C.1. since draft-ietf-quic-v2-03
* a v2 session ticket is an indication of v2 support
* a v1-only extension is theoretically possible
* editorial fixes
C.2. since draft-ietf-quic-v2-02
* Editorial comments from Lucas Pardue * Editorial comments from Lucas Pardue
B.2. since draft-ietf-quic-v2-01 C.3. since draft-ietf-quic-v2-01
* Ban use of NEW_TOKEN tokens across versions * Ban use of NEW_TOKEN tokens across versions
* version-info transport parameter required for all v2 endpoints * version-info transport parameter required for all v2 endpoints
* Explicitly list known ALPN compatibility * Explicitly list known ALPN compatibility
B.3. since draft-ietf-quic-v2-00 C.4. since draft-ietf-quic-v2-00
* Expanded requirements for compatible version negotiation * Expanded requirements for compatible version negotiation
* Added test vectors * Added test vectors
* Greased the packet type codepoints * Greased the packet type codepoints
* Random version number * Random version number
* Clarified requirement to use QUIC-VN * Clarified requirement to use QUIC-VN
* Banned use of resumption tokens across versions * Banned use of resumption tokens across versions
B.4. since draft-duke-quic-v2-02 C.5. since draft-duke-quic-v2-02
* Converted to adopted draft * Converted to adopted draft
* Deleted references to QUIC improvements * Deleted references to QUIC improvements
* Clarified status of QUIC extensions * Clarified status of QUIC extensions
B.5. since draft-duke-quic-v2-01 C.6. since draft-duke-quic-v2-01
* Made the final version number TBD. * Made the final version number TBD.
* Added ALPN considerations * Added ALPN considerations
B.6. since draft-duke-quic-v2-00 C.7. since draft-duke-quic-v2-00
* Added provisional versions for interop * Added provisional versions for interop
* Change the v1 Retry Tag secret * Change the v1 Retry Tag secret
* Change labels to create full key separation * Change labels to create full key separation
Author's Address Author's Address
Martin Duke Martin Duke
 End of changes. 31 change blocks. 
70 lines changed or deleted 88 lines changed or added

This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/