idnits 2.17.1 draft-duke-quic-v2-00.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document date (22 April 2021) is 1093 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) == Outdated reference: A later version (-14) exists of draft-ietf-quic-version-negotiation-02 == Outdated reference: A later version (-10) exists of draft-duke-quic-version-aliasing-04 Summary: 0 errors (**), 0 flaws (~~), 3 warnings (==), 1 comment (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 QUIC M. Duke 3 Internet-Draft F5 Networks, Inc. 4 Intended status: Standards Track 22 April 2021 5 Expires: 24 October 2021 7 QUIC Version 2 8 draft-duke-quic-v2-00 10 Abstract 12 This document specifies QUIC version 2, which is identical to QUIC 13 version 1 except for some trivial details. Its purpose is to combat 14 various ossification vectors and exercise the version negotiation 15 framework. Over time, it may also serve as a vehicle for needed 16 protocol design changes. 18 Discussion of this work is encouraged to happen on the QUIC IETF 19 mailing list quic@ietf.org or on the GitHub repository which contains 20 the draft: https://github.com/martinduke/draft-duke-quic-v2. 22 Status of This Memo 24 This Internet-Draft is submitted in full conformance with the 25 provisions of BCP 78 and BCP 79. 27 Internet-Drafts are working documents of the Internet Engineering 28 Task Force (IETF). Note that other groups may also distribute 29 working documents as Internet-Drafts. The list of current Internet- 30 Drafts is at https://datatracker.ietf.org/drafts/current/. 32 Internet-Drafts are draft documents valid for a maximum of six months 33 and may be updated, replaced, or obsoleted by other documents at any 34 time. It is inappropriate to use Internet-Drafts as reference 35 material or to cite them other than as "work in progress." 37 This Internet-Draft will expire on 24 October 2021. 39 Copyright Notice 41 Copyright (c) 2021 IETF Trust and the persons identified as the 42 document authors. All rights reserved. 44 This document is subject to BCP 78 and the IETF Trust's Legal 45 Provisions Relating to IETF Documents (https://trustee.ietf.org/ 46 license-info) in effect on the date of publication of this document. 47 Please review these documents carefully, as they describe your rights 48 and restrictions with respect to this document. Code Components 49 extracted from this document must include Simplified BSD License text 50 as described in Section 4.e of the Trust Legal Provisions and are 51 provided without warranty as described in the Simplified BSD License. 53 Table of Contents 55 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 56 2. Conventions . . . . . . . . . . . . . . . . . . . . . . . . . 3 57 3. Changes from QUIC Version 1 . . . . . . . . . . . . . . . . . 3 58 4. Version Negotiation Considerations . . . . . . . . . . . . . 3 59 5. Ossification Considerations . . . . . . . . . . . . . . . . . 4 60 6. Security Considerations . . . . . . . . . . . . . . . . . . . 4 61 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 4 62 8. References . . . . . . . . . . . . . . . . . . . . . . . . . 4 63 8.1. Normative References . . . . . . . . . . . . . . . . . . 4 64 8.2. Informative References . . . . . . . . . . . . . . . . . 5 65 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 5 67 1. Introduction 69 QUIC [QUIC-TRANSPORT] has numerous extension points, including the 70 version number that occupies the second through fifth octets of every 71 long header (see [I-D.ietf-quic-invariants]). If experimental 72 versions lower in frequency, and QUIC version 1 constitutes the vast 73 majority of QUIC traffic, there is the potential for middleboxes to 74 ossify on the version octets always being 0x00000001. 76 Furthermore, version 1 Initial packets are encrypted with keys 77 derived from a universally known salt, which allow observers to 78 inspect the contents of these packets, which include the TLS Client 79 Hello and Server Hello messages. Again, middleboxes may ossify on 80 the version 1 key derivation and packet formats. 82 Finally [QUIC-VN] provides two mechanisms for endpoints to negotiate 83 the QUIC version to use. The "incompatible" version negotiation 84 method can support switching from any initial QUIC version to any 85 other version with full generality, at the cost of an additional 86 round-trip at the start of the connection. "Compatible" version 87 negotiation eliminates the round-trip penalty but levies some 88 restrictions on how much the two versions can differ semantically. 90 QUIC version 2 is meant to mitigate ossification concerns and 91 exercise the version negotiation mechanisms. The only behavioral 92 changes is that Initial packets use a different salt for key 93 derivation. Any endpoint that supports two versions needs to 94 implement version negotiation to protect against downgrade attacks. 96 This document may, over time, also serve as a vehicle for other 97 needed changes to QUIC version 1. 99 [I-D.duke-quic-version-aliasing] is a more robust, but much more 100 complicated, proposal to address these ossification problems. By 101 design, it requires incompatible version negotiation. QUICv2 enables 102 exercise of compatible version negotiation mechanism. 104 2. Conventions 106 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 107 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 108 document are to be interpreted as described in RFC 2119 [RFC2119]. 110 3. Changes from QUIC Version 1 112 QUIC version 2 endpoints MUST implement the QUIC version 1 113 specification as described in [QUIC-TRANSPORT], [I-D.ietf-quic-tls], 114 and [I-D.ietf-quic-recovery], with the following changes: 116 * The version field of long headers is 0x00000002. 118 * The salt used to derive Initial keys in Sec 5.2 of 119 [I-D.ietf-quic-tls] changes to 121 initial_salt = 0xa707c203a59b47184a1d62ca570406ea7ae3e5d3 123 4. Version Negotiation Considerations 125 QUIC version 2 endpoints SHOULD also support QUIC version 1. Any 126 QUIC endpoint that supports multiple versions MUST fully implement 127 [QUIC-VN] to prevent version downgrade attacks. 129 Note that version 2 meets that document's definition of a compatible 130 version with version 1. Therefore, v2-capable servers MUST use 131 compatible version negotiation unless they do not support version 1. 133 As version 1 support is more likely than version 2 support, a client 134 SHOULD use QUIC version 1 for its original version unless it has out- 135 of-band knowledge that the server supports version 2. 137 Note that the only wire image differences between a version-1-to-2 138 compatible negotiation and a version 1 connection are that (1) 139 Handshake packet headers will encode version 2, and (2) server 140 Initial packets and client second-flight Initial packets will both 141 encode version 2 and use keys derived from the version 2 salt. 143 5. Ossification Considerations 145 QUIC version 2 provides protection against some forms of 146 ossification. Devices that assume that all long headers will contain 147 encode version 1, or that the version 1 Initial key derivation 148 formula will remain version-invariant, will not correctly process 149 version 2 packets. 151 However, many middleboxes such as firewalls focus on the first packet 152 in a connection, which will often remain in the version 1 format due 153 to the considerations above. 155 Clients interested in combating firewall ossification can initiate a 156 connection using version 2 if they are either reasonably certain the 157 server supports it, or are willing to suffer a round-trip penalty if 158 they are incorrect. 160 6. Security Considerations 162 QUIC version 2 introduces no changes to the security or privacy 163 properties of QUIC version 1. 165 The mandatory version negotiation mechanism guards against downgrade 166 attacks, but downgrades have no security implications, as the version 167 properties are identical. 169 7. IANA Considerations 171 This document requests that IANA add the following entry to the QUIC 172 version registry: 174 Value: 0x00000002 176 Status: permanent 178 Specification: This Document 180 Change Controller: IETF 182 Contact: QUIC WG 184 8. References 186 8.1. Normative References 188 [I-D.ietf-quic-recovery] 189 Iyengar, J. and I. Swett, "QUIC Loss Detection and 190 Congestion Control", Work in Progress, Internet-Draft, 191 draft-ietf-quic-recovery-34, 14 January 2021, 192 . 195 [I-D.ietf-quic-tls] 196 Thomson, M. and S. Turner, "Using TLS to Secure QUIC", 197 Work in Progress, Internet-Draft, draft-ietf-quic-tls-34, 198 14 January 2021, . 201 [QUIC-TRANSPORT] 202 Iyengar, J. and M. Thomson, "QUIC: A UDP-Based Multiplexed 203 and Secure Transport", Work in Progress, Internet-Draft, 204 draft-ietf-quic-transport-34, 14 January 2021, 205 . 208 [QUIC-VN] Schinazi, D. and E. Rescorla, "Compatible Version 209 Negotiation for QUIC", Work in Progress, Internet-Draft, 210 draft-ietf-quic-version-negotiation-02, 2 November 2020, 211 . 214 8.2. Informative References 216 [I-D.duke-quic-version-aliasing] 217 Duke, M., "QUIC Version Aliasing", Work in Progress, 218 Internet-Draft, draft-duke-quic-version-aliasing-04, 30 219 October 2020, . 222 [I-D.ietf-quic-invariants] 223 Thomson, M., "Version-Independent Properties of QUIC", 224 Work in Progress, Internet-Draft, draft-ietf-quic- 225 invariants-13, 14 January 2021, . 228 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 229 Requirement Levels", BCP 14, RFC 2119, 230 DOI 10.17487/RFC2119, March 1997, 231 . 233 Author's Address 235 Martin Duke 236 F5 Networks, Inc. 238 Email: martin.h.duke@gmail.com