idnits 2.17.1 draft-ietf-quic-invariants-00.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- ** The document seems to lack a Security Considerations section. ** The abstract seems to contain references ([2], [3], [1]), which it shouldn't. Please replace those with straight textual mentions of the documents in question. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document date (February 28, 2018) is 2243 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) -- Looks like a reference, but probably isn't: '1' on line 328 -- Looks like a reference, but probably isn't: '2' on line 330 -- Looks like a reference, but probably isn't: '3' on line 332 == Outdated reference: A later version (-34) exists of draft-ietf-quic-transport-09 == Outdated reference: A later version (-34) exists of draft-ietf-quic-tls-09 Summary: 2 errors (**), 0 flaws (~~), 3 warnings (==), 4 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 QUIC M. Thomson 3 Internet-Draft Mozilla 4 Intended status: Standards Track February 28, 2018 5 Expires: September 1, 2018 7 Version-Independent Properties of QUIC 8 draft-ietf-quic-invariants-00 10 Abstract 12 This document defines the properties of the QUIC transport protocol 13 that are expected to remain unchanged over time as new versions of 14 the protocol are developed. 16 Note to Readers 18 Discussion of this draft takes place on the QUIC working group 19 mailing list (quic@ietf.org), which is archived at 20 https://mailarchive.ietf.org/arch/search/?email_list=quic [1]. 22 Working Group information can be found at https://github.com/quicwg 23 [2]; source code and issues list for this draft can be found at 24 https://github.com/quicwg/base-drafts/labels/-invariants [3]. 26 Status of This Memo 28 This Internet-Draft is submitted in full conformance with the 29 provisions of BCP 78 and BCP 79. 31 Internet-Drafts are working documents of the Internet Engineering 32 Task Force (IETF). Note that other groups may also distribute 33 working documents as Internet-Drafts. The list of current Internet- 34 Drafts is at https://datatracker.ietf.org/drafts/current/. 36 Internet-Drafts are draft documents valid for a maximum of six months 37 and may be updated, replaced, or obsoleted by other documents at any 38 time. It is inappropriate to use Internet-Drafts as reference 39 material or to cite them other than as "work in progress." 41 This Internet-Draft will expire on September 1, 2018. 43 Copyright Notice 45 Copyright (c) 2018 IETF Trust and the persons identified as the 46 document authors. All rights reserved. 48 This document is subject to BCP 78 and the IETF Trust's Legal 49 Provisions Relating to IETF Documents 50 (https://trustee.ietf.org/license-info) in effect on the date of 51 publication of this document. Please review these documents 52 carefully, as they describe your rights and restrictions with respect 53 to this document. Code Components extracted from this document must 54 include Simplified BSD License text as described in Section 4.e of 55 the Trust Legal Provisions and are provided without warranty as 56 described in the Simplified BSD License. 58 Table of Contents 60 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 61 2. Conventions and Definitions . . . . . . . . . . . . . . . . . 3 62 3. An Extremely Abstract Description of QUIC . . . . . . . . . . 3 63 4. QUIC Packet Headers . . . . . . . . . . . . . . . . . . . . . 3 64 4.1. Long Header . . . . . . . . . . . . . . . . . . . . . . . 3 65 4.2. Short Header . . . . . . . . . . . . . . . . . . . . . . 4 66 4.3. Connection ID . . . . . . . . . . . . . . . . . . . . . . 5 67 4.4. Version . . . . . . . . . . . . . . . . . . . . . . . . . 5 68 5. Version Negotiation . . . . . . . . . . . . . . . . . . . . . 5 69 6. Security and Privacy Considerations . . . . . . . . . . . . . 7 70 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 7 71 8. References . . . . . . . . . . . . . . . . . . . . . . . . . 7 72 8.1. Normative References . . . . . . . . . . . . . . . . . . 7 73 8.2. Informative References . . . . . . . . . . . . . . . . . 7 74 8.3. URIs . . . . . . . . . . . . . . . . . . . . . . . . . . 8 75 Appendix A. Incorrect Assumptions . . . . . . . . . . . . . . . 8 76 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 9 78 1. Introduction 80 In addition to providing secure, multiplexed transport, QUIC 81 [QUIC-TRANSPORT] includes the ability to negotiate a version. This 82 allows the protocol to change over time in response to new 83 requirements. Many characteristics of the protocol will change 84 between versions. 86 This document describes the subset of QUIC that is intended to remain 87 stable as new versions are developed and deployed. 89 The primary goal of this document is to ensure that it is possible 90 deploy new versions of QUIC. By documenting the things that can't 91 change, this document aims to preserve the ability to change any 92 other aspect of the protocol. Thus, unless specifically described in 93 this document, any aspect of the protocol can change between 94 different versions. 96 Appendix A is a non-exhaustive list of some incorrect assumptions 97 that might be made based on knowledge of QUIC version 1; these do not 98 apply to every version of QUIC. 100 2. Conventions and Definitions 102 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 103 "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and 104 "OPTIONAL" in this document are to be interpreted as described in BCP 105 14 [RFC2119] [RFC8174] when, and only when, they appear in all 106 capitals, as shown here. 108 3. An Extremely Abstract Description of QUIC 110 QUIC is a connection-oriented protocol between two endpoints. Those 111 endpoints exchange UDP datagrams. These UDP datagrams contain QUIC 112 packets. QUIC endpoints use QUIC packets to establish a QUIC 113 connection, which is shared protocol state between those endpoints. 115 4. QUIC Packet Headers 117 A QUIC packet is the content of the UDP datagrams exchanged by QUIC 118 endpoints. This document describes the contents of those datagrams. 120 QUIC defines two types of packet header: long and short. Packets 121 with long headers are identified by the most significant bit of the 122 first octet being set; packets with a short header have that bit 123 cleared. 125 Aside from the values described here, the payload of QUIC packets is 126 version-specific and of arbitrary length. 128 4.1. Long Header 130 Long headers take the form described in Figure 1. Bits that have 131 version-specific semantics are marked with an X. 133 0 1 2 3 134 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 135 +-+-+-+-+-+-+-+-+ 136 |1|X X X X X X X| 137 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 138 | | 139 + Connection ID (64) + 140 | | 141 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 142 | Version (32) | 143 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 144 |X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X ... 145 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 147 Figure 1: QUIC Long Header 149 A QUIC packet with a long header has the high bit of the first octet 150 set to 1. 152 A QUIC packet with a long header has two fixed fields immediately 153 following the first octet: a 64-bit Connection ID (see Section 4.3) 154 and a 32-bit Version (see Section 4.4). 156 4.2. Short Header 158 Short headers take the form described in Figure 2. Bits that have 159 version-specific semantics are marked with an X. 161 0 1 2 3 162 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 163 +-+-+-+-+-+-+-+-+ 164 |0|C|X X X X X X| 165 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 166 | | 167 + [Connection ID (64)] + 168 | | 169 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 170 |X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X ... 171 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 173 Figure 2: QUIC Short Header 175 A QUIC packet with a short header has the high bit of the first octet 176 set to 0. 178 A QUIC packet with a short header includes an optional connection ID 179 and no version field. The second bit of that octet (that is, 0x40) 180 determines whether the connection ID is present. If the second bit 181 is cleared, a 64-bit connection ID immediately follows the first 182 octet. If the second bit is set, the remainder of the packet has 183 version-specific semantics. 185 4.3. Connection ID 187 A connection ID is an opaque 64-bit field. 189 The primary function of a connection ID is to ensure that changes in 190 addressing at lower protocol layers (UDP, IP, and below) don't cause 191 packets for a QUIC connection to be delivered to the wrong endpoint. 192 The connection ID is used by endpoints and the intermediaries that 193 support them to ensure that each QUIC packet can be delivered to the 194 correct instance of an endpoint. At the endpoint, the connection ID 195 is used to identify which QUIC connection the packet is intended for. 197 The connection ID is chosen by endpoints using version-specific 198 methods. Packets for the same QUIC connection might use different 199 connection ID values. 201 4.4. Version 203 QUIC versions are identified with a 32-bit integer, encoded in 204 network byte order. Version 0 is reserved for version negotiation 205 (see Section 5). All other version numbers are potentially valid. 207 5. Version Negotiation 209 A QUIC endpoint that receives a packet with a long header and a 210 version it either does not understand or does not support sends a 211 Version Negotiation packet in response. Packets with a short header 212 do not trigger version negotiation and are always associated with an 213 existing connection. 215 Consequently, until an endpoint has confirmed that its peer supports 216 the QUIC version it has chosen, it can only send packets that use the 217 long header. 219 A Version Negotiation packet sets the high bit of the first octet, 220 and thus it conforms with the format of a packet with a long header 221 as defined in this document. A Version Negotiation packet is 222 identifiable as such by the Version field, which is set to 223 0x00000000. 225 0 1 2 3 226 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 227 +-+-+-+-+-+-+-+-+ 228 |1|X X X X X X X| 229 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 230 | | 231 + Connection ID (64) + 232 | | 233 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 234 | Version (32) = 0 | 235 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 236 | Supported Version 1 (32) | 237 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 238 | [Supported Version 2 (32)] | 239 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 240 ... 241 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 242 | [Supported Version N (32)] | 243 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 245 Figure 3: Version Negotiation Packet 247 The Version Negotiation packet contains a list of Supported Version 248 fields, each identifying a version that the endpoint sending the 249 packet supports. The Supported Version fields follow the Version 250 field. A Version Negotiation packet contains no other fields. An 251 endpoint MUST ignore a packet that contains no Supported Version 252 fields, or a truncated Supported Version. 254 Version Negotiation packets do not use integrity or confidentiality 255 protection. A specific QUIC version might authenticate the packet as 256 part of its connection establishment process. 258 The Connection ID field in a Version Negotiation packet contains the 259 Connection ID from the packet that was received. This provides some 260 protection against injection of Version Negotiation packets by off- 261 path attackers. 263 An endpoint that receives a Version Negotiation packet might change 264 the version that it decides to use for subsequent packets. The 265 conditions under which an endpoint changes QUIC version will depend 266 on the version of QUIC that it chooses. 268 See [QUIC-TRANSPORT] for a more thorough description of how an 269 endpoint that supports QUIC version 1 generates and consumes a 270 Version Negotiation packet. 272 6. Security and Privacy Considerations 274 It is possible that middleboxes could use traits of a specific 275 version of QUIC and assume that when other versions of QUIC exhibit 276 similar traits the same underlying semantic is being expressed. 277 There are potentially many such traits (see Appendix A). Some effort 278 has been made to either eliminate or obscure some observable traits 279 in QUIC version 1, but many of these remain. Other QUIC versions 280 might make different design decisions and so exhibit different 281 traits. 283 The QUIC version number does not appear in all QUIC packets, which 284 means that reliably extracting information from a flow based on 285 version-specific traits requires that middleboxes retain state for 286 every connection ID they see. 288 The Version Negotiation packet described in this document is not 289 integrity-protected, it only has modest protection against insertion 290 by off-path attackers. QUIC versions MUST define a mechanism that 291 authenticates the values it contains. 293 7. IANA Considerations 295 This document makes no request of IANA. 297 8. References 299 8.1. Normative References 301 [QUIC-TRANSPORT] 302 Iyengar, J., Ed. and M. Thomson, Ed., "QUIC: A UDP-Based 303 Multiplexed and Secure Transport", draft-ietf-quic- 304 transport-09 (work in progress), February 2018. 306 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 307 Requirement Levels", BCP 14, RFC 2119, 308 DOI 10.17487/RFC2119, March 1997, 309 . 311 [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 312 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, 313 May 2017, . 315 8.2. Informative References 317 [QUIC-TLS] 318 Thomson, M., Ed. and S. Turner, Ed., "Using Transport 319 Layer Security (TLS) to Secure QUIC", draft-ietf-quic- 320 tls-09 (work in progress), February 2018. 322 [RFC5116] McGrew, D., "An Interface and Algorithms for Authenticated 323 Encryption", RFC 5116, DOI 10.17487/RFC5116, January 2008, 324 . 326 8.3. URIs 328 [1] https://mailarchive.ietf.org/arch/search/?email_list=quic 330 [2] https://github.com/quicwg 332 [3] https://github.com/quicwg/base-drafts/labels/-invariants 334 Appendix A. Incorrect Assumptions 336 There are several traits of QUIC version 1 [QUIC-TRANSPORT] that are 337 not protected from observation, but are nonetheless considered to be 338 changeable when a new version is deployed. 340 This section lists a sampling of incorrect assumptions that might be 341 made based on knowledge of QUIC version 1. Some of these statements 342 are not even true for QUIC version 1. This is not an exhaustive 343 list, it is intended to be illustrative only. 345 The following statements are NOT guaranteed to be true for every QUIC 346 version: 348 o QUIC uses TLS [QUIC-TLS] and some TLS messages are visible on the 349 wire 351 o QUIC long headers are only exchanged during connection 352 establishment 354 o Every flow on a given 5-tuple will include a connection 355 establishment phase 357 o QUIC forbids acknowledgments of packets that only contain ACK 358 frames, therefore the last packet before a long period of 359 quiescence might be assumed to contain an acknowledgment 361 o QUIC uses an AEAD (AEAD_AES_128_GCM [RFC5116]) to protect the 362 packets it exchanges during connection establishment 364 o QUIC packet numbers appear after the Version field 365 o QUIC packet numbers increase by one for every packet sent 367 o QUIC has a minimum size for the first handshake packet sent by a 368 client 370 o QUIC stipulates that a client speaks first 372 o A QUIC Version Negotiation packet is only sent by a server 374 o A QUIC connection ID changes infrequently 376 o The same connection ID is used for packets sent by both endpoints 378 o A QUIC server chooses the connection ID 380 o QUIC endpoints change the version they speak if they are sent a 381 Version Negotiation packet 383 o Only one connection at a time is established between any pair of 384 QUIC endpoints 386 Author's Address 388 Martin Thomson 389 Mozilla 391 Email: martin.thomson@gmail.com