idnits 2.17.1 

draft-banks-quic-disable-encryption-00.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

     No issues found here.

  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == The copyright year in the IETF Trust and authors Copyright Line does not
     match the current year

  == The document seems to lack the recommended RFC 2119 boilerplate, even if
     it appears to use RFC 2119 keywords. 

     (The document does seem to have the reference to RFC 2119 which the
     ID-Checklist requires).
  -- The document date (August 11, 2020) is 1347 days in the past.  Is this
     intentional?


  Checking references for intended status: Experimental
  ----------------------------------------------------------------------------

  == Outdated reference: A later version (-34) exists of
     draft-ietf-quic-transport-29


     Summary: 0 errors (**), 0 flaws (~~), 3 warnings (==), 1 comment (--).

     Run idnits with the --verbose option for more detailed information about
     the items above.
--------------------------------------------------------------------------------


2	Network Working Group                                           N. Banks
3	Internet-Draft                                     Microsoft Corporation
4	Intended status: Experimental                            August 11, 2020
5	Expires: February 12, 2021

7	                        QUIC Disable Encryption
8	                 draft-banks-quic-disable-encryption-00

10	Abstract

12	   The disable_1rtt_encryption transport parameter can be used to
13	   negotiate the disablement of encryption on 1-RTT packets, allowing
14	   for reduced CPU load and improved performance.  This extension is
15	   only meant to be used in environments where both endpoints completely
16	   trust the path between themselves; not, for instance, on the open
17	   internet.

19	Status of This Memo

21	   This Internet-Draft is submitted in full conformance with the
22	   provisions of BCP 78 and BCP 79.

24	   Internet-Drafts are working documents of the Internet Engineering
25	   Task Force (IETF).  Note that other groups may also distribute
26	   working documents as Internet-Drafts.  The list of current Internet-
27	   Drafts is at https://datatracker.ietf.org/drafts/current/.

29	   Internet-Drafts are draft documents valid for a maximum of six months
30	   and may be updated, replaced, or obsoleted by other documents at any
31	   time.  It is inappropriate to use Internet-Drafts as reference
32	   material or to cite them other than as "work in progress."

34	   This Internet-Draft will expire on February 12, 2021.

36	Copyright Notice

38	   Copyright (c) 2020 IETF Trust and the persons identified as the
39	   document authors.  All rights reserved.

41	   This document is subject to BCP 78 and the IETF Trust's Legal
42	   Provisions Relating to IETF Documents
43	   (https://trustee.ietf.org/license-info) in effect on the date of
44	   publication of this document.  Please review these documents
45	   carefully, as they describe your rights and restrictions with respect
46	   to this document.  Code Components extracted from this document must
47	   include Simplified BSD License text as described in Section 4.e of
48	   the Trust Legal Provisions and are provided without warranty as
49	   described in the Simplified BSD License.

51	Table of Contents

53	   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
54	     1.1.  Terms and Definitions . . . . . . . . . . . . . . . . . .   2
55	     1.2.  Applicable Scenarios for Use  . . . . . . . . . . . . . .   2
56	   2.  Specification . . . . . . . . . . . . . . . . . . . . . . . .   3
57	     2.1.  Disable 1-RTT Encryption Transport Parameter  . . . . . .   3
58	     2.2.  Negotiating the Extension . . . . . . . . . . . . . . . .   3
59	     2.3.  Disabling 1-RTT Encryption  . . . . . . . . . . . . . . .   4
60	     2.4.  Interactions with Path Changes  . . . . . . . . . . . . .   4
61	   3.  Security Considerations . . . . . . . . . . . . . . . . . . .   4
62	   4.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .   5
63	   5.  Normative References  . . . . . . . . . . . . . . . . . . . .   5
64	   Author's Address  . . . . . . . . . . . . . . . . . . . . . . . .   5

66	1.  Introduction

68	   By default QUIC Transport Protocol [I-D.ietf-quic-transport] provides
69	   secured (authenticated and encrypted) connections via a TLS
70	   handshake.  The handshake allows for the endpoints to be
71	   authenticated by a certificate and then securely generates shared
72	   secrets to encrypt the QUIC packet traffic.  Post-handshake, this
73	   packet encryption can occupy a considerable percentage of CPU usage,
74	   depending on the scenario.  Additionally, there are scenarios where
75	   the protections given by this encryption are either unnecessary or
76	   unwanted.  For these scenarios, this document defines an extension to
77	   the QUIC protocol to allow for mutually participating endpoints to
78	   negotiate the disablement of encryption for the 1-RTT packets sent
79	   after the handshake.

81	1.1.  Terms and Definitions

83	   The keywords "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
84	   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
85	   "OPTIONAL" in this document are to be interpreted as described in BCP
86	   14 [RFC2119] [RFC8174] when, and only when, they appear in all
87	   capitals, as shown here.

89	1.2.  Applicable Scenarios for Use

91	   QUIC connections are generally meant to always be encrypted, to
92	   prevent unauthenticated middleboxes from reading or modifying the
93	   QUIC packets.  This is the desired behavior for most environments;
94	   especially any that go over the open internet.  There are two
95	   possible scenarios where disabling packet encryption makes sense:

97	   o  Trusted Environment/Path - There are scenarios or environments
98	      where there is no need for the additional security measures of
99	      QUIC encryption; such as walled-gardens or tunneled connections.
100	      These scenarios are either already trusted or secured by other
101	      means.

103	   o  Performance Testing - When the actual contents of the QUIC packets
104	      are unimportant and the goal is purely to measure the performance
105	      characteristics of either the network, machine or QUIC
106	      implementation without encryption.

108	2.  Specification

110	   The disable_1rtt_encryption transport parameter used for negotiating
111	   the use of the extension is defined below.

113	2.1.  Disable 1-RTT Encryption Transport Parameter

115	   The disable_1rtt_encryption transport parameter can be sent by both a
116	   client and server.  The transport parameter is sent with an optional
117	   variable-length value by the client and an empty value by the server;
118	   a client that understands this transport parameter MUST treat the
119	   receipt of a non-empty value as a connection error of type
120	   TRANSPORT_PARAMETER_ERROR.

122	   Advertising the disable_1rtt_encryption transport parameter indicates
123	   that the endpoint wishes to disable encryption for 1-RTT packets.
124	   Both sides must advertise support for the feature for it to be
125	   considered successfully negotiated.

127	   If successfully negotiated, all packets that would normally be
128	   encrypted with the 1-RTT key are instead sent as cleartext; both
129	   header and packet protections are disabled.

131	2.2.  Negotiating the Extension

133	   The payload sent in the transport parameter by the client, along with
134	   any other information the server has about the client (such as IP
135	   address) may be used to negotiate the extension on the server side.
136	   The TP payload could be considered a key or identifier used by the
137	   server to verify the client should be allowed to disable encryption.
138	   These additional security measures are optional, but RECOMMENDED to
139	   ensure encryption is not accidentally enabled when it should not be.

141	2.3.  Disabling 1-RTT Encryption

143	   When the extension is negotiated, all aspects of encryption on 1-RTT
144	   packets are removed:

146	   o  Header protection

148	   o  Payload protection

150	   o  AEAD tag

152	   This effectively gives the transport an additional 16 bytes per
153	   packet to be used for payload, since it is no longer including an
154	   AEAD tag.

156	   Because the AEAD tag is removed along with the encryption, the UDP
157	   checksum must be relied upon to determine any packet corruption.

159	2.4.  Interactions with Path Changes

161	   When making the trust determination about the path, each endpoints
162	   must take into account possible path changes; NAT rebinding for
163	   instance.  An endpoint MUST NOT enable enable this extension if it is
164	   possible for the path to change during the connection to some
165	   untrusted state.

167	   Additionally, a client MUST NOT try to migrate to any path that is
168	   untrusted if this extension is negotiated.  If a server receives a
169	   packet for a connection with this extension negotiated on an
170	   untrusted path, it MUST silently drop the packet.

172	3.  Security Considerations

174	   Disabling encryption for 1-RTT packets has some fairly obvious
175	   security drawbacks:

177	   o  Packets can be read, modified and injected by any middleboxes

179	   This extension is not meant to be used for any practical application
180	   protocol on the open internet.  Internet facing servers MUST NOT
181	   enable this extension.  Clients that do not trust their network and
182	   path to the server MUST NOT enable this extension.

184	   This extension does not modify the packet protections used during the
185	   handshake, so the handshake can still be securely authenticated.
186	   This prevents scenarios where one endpoint might trust (or think it
187	   trusts) the path, but the other endpoint does not, and a man-in-the-
188	   middle tries to force this extension to be used.

190	   To prevent accidental use of the feature on production systems it is
191	   RECOMMENDED for servers to have additional measures such as IP
192	   filtering or a security key.

194	4.  IANA Considerations

196	   This document registers a new value in the QUIC Transport Parameter
197	   Registry:

199	   Value: TBD (using value 0xBAAD in early deployments)

201	   Parameter Name: disable_1rtt_encryption

203	   Specification: Indicates disabled 1-RTT encryption is being
204	   negotiated

206	5.  Normative References

208	   [I-D.ietf-quic-transport]
209	              Iyengar, J. and M. Thomson, "QUIC: A UDP-Based Multiplexed
210	              and Secure Transport", draft-ietf-quic-transport-29 (work
211	              in progress), June 2020.

213	   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
214	              Requirement Levels", BCP 14, RFC 2119,
215	              DOI 10.17487/RFC2119, March 1997,
216	              <https://www.rfc-editor.org/info/rfc2119>.

218	   [RFC8174]  Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
219	              2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
220	              May 2017, <https://www.rfc-editor.org/info/rfc8174>.

222	Author's Address

224	   Nick Banks
225	   Microsoft Corporation

227	   Email: nibanks@microsoft.com