idnits 2.17.1 draft-ietf-quic-invariants-06.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- ** The document seems to lack a Security Considerations section. ** The abstract seems to contain references ([2], [3], [1]), which it shouldn't. Please replace those with straight textual mentions of the documents in question. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document date (July 10, 2019) is 1751 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) -- Looks like a reference, but probably isn't: '1' on line 358 -- Looks like a reference, but probably isn't: '2' on line 360 -- Looks like a reference, but probably isn't: '3' on line 362 == Outdated reference: A later version (-34) exists of draft-ietf-quic-transport-23 == Outdated reference: A later version (-34) exists of draft-ietf-quic-tls-23 Summary: 2 errors (**), 0 flaws (~~), 3 warnings (==), 4 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 QUIC M. Thomson 3 Internet-Draft Mozilla 4 Intended status: Standards Track July 10, 2019 5 Expires: January 11, 2020 7 Version-Independent Properties of QUIC 8 draft-ietf-quic-invariants-06 10 Abstract 12 This document defines the properties of the QUIC transport protocol 13 that are expected to remain unchanged over time as new versions of 14 the protocol are developed. 16 Note to Readers 18 Discussion of this draft takes place on the QUIC working group 19 mailing list (quic@ietf.org), which is archived at 20 https://mailarchive.ietf.org/arch/search/?email_list=quic [1]. 22 Working Group information can be found at https://github.com/quicwg 23 [2]; source code and issues list for this draft can be found at 24 https://github.com/quicwg/base-drafts/labels/-invariants [3]. 26 Status of This Memo 28 This Internet-Draft is submitted in full conformance with the 29 provisions of BCP 78 and BCP 79. 31 Internet-Drafts are working documents of the Internet Engineering 32 Task Force (IETF). Note that other groups may also distribute 33 working documents as Internet-Drafts. The list of current Internet- 34 Drafts is at https://datatracker.ietf.org/drafts/current/. 36 Internet-Drafts are draft documents valid for a maximum of six months 37 and may be updated, replaced, or obsoleted by other documents at any 38 time. It is inappropriate to use Internet-Drafts as reference 39 material or to cite them other than as "work in progress." 41 This Internet-Draft will expire on January 11, 2020. 43 Copyright Notice 45 Copyright (c) 2019 IETF Trust and the persons identified as the 46 document authors. All rights reserved. 48 This document is subject to BCP 78 and the IETF Trust's Legal 49 Provisions Relating to IETF Documents 50 (https://trustee.ietf.org/license-info) in effect on the date of 51 publication of this document. Please review these documents 52 carefully, as they describe your rights and restrictions with respect 53 to this document. Code Components extracted from this document must 54 include Simplified BSD License text as described in Section 4.e of 55 the Trust Legal Provisions and are provided without warranty as 56 described in the Simplified BSD License. 58 Table of Contents 60 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 61 2. Conventions and Definitions . . . . . . . . . . . . . . . . . 3 62 3. An Extremely Abstract Description of QUIC . . . . . . . . . . 3 63 4. QUIC Packet Headers . . . . . . . . . . . . . . . . . . . . . 3 64 4.1. Long Header . . . . . . . . . . . . . . . . . . . . . . . 3 65 4.2. Short Header . . . . . . . . . . . . . . . . . . . . . . 5 66 4.3. Connection ID . . . . . . . . . . . . . . . . . . . . . . 5 67 4.4. Version . . . . . . . . . . . . . . . . . . . . . . . . . 5 68 5. Version Negotiation . . . . . . . . . . . . . . . . . . . . . 6 69 6. Security and Privacy Considerations . . . . . . . . . . . . . 7 70 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 8 71 8. References . . . . . . . . . . . . . . . . . . . . . . . . . 8 72 8.1. Normative References . . . . . . . . . . . . . . . . . . 8 73 8.2. Informative References . . . . . . . . . . . . . . . . . 8 74 8.3. URIs . . . . . . . . . . . . . . . . . . . . . . . . . . 8 75 Appendix A. Incorrect Assumptions . . . . . . . . . . . . . . . 8 76 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 10 78 1. Introduction 80 In addition to providing secure, multiplexed transport, QUIC 81 [QUIC-TRANSPORT] includes the ability to negotiate a version. This 82 allows the protocol to change over time in response to new 83 requirements. Many characteristics of the protocol will change 84 between versions. 86 This document describes the subset of QUIC that is intended to remain 87 stable as new versions are developed and deployed. All of these 88 invariants are IP-version-independent. 90 The primary goal of this document is to ensure that it is possible to 91 deploy new versions of QUIC. By documenting the properties that 92 can't change, this document aims to preserve the ability to change 93 any other aspect of the protocol. Thus, unless specifically 94 described in this document, any aspect of the protocol can change 95 between different versions. 97 Appendix A is a non-exhaustive list of some incorrect assumptions 98 that might be made based on knowledge of QUIC version 1; these do not 99 apply to every version of QUIC. 101 2. Conventions and Definitions 103 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 104 "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and 105 "OPTIONAL" in this document are to be interpreted as described in BCP 106 14 [RFC2119] [RFC8174] when, and only when, they appear in all 107 capitals, as shown here. 109 This document uses terms and notational conventions from 110 [QUIC-TRANSPORT]. 112 3. An Extremely Abstract Description of QUIC 114 QUIC is a connection-oriented protocol between two endpoints. Those 115 endpoints exchange UDP datagrams. These UDP datagrams contain QUIC 116 packets. QUIC endpoints use QUIC packets to establish a QUIC 117 connection, which is shared protocol state between those endpoints. 119 4. QUIC Packet Headers 121 A QUIC packet is the content of the UDP datagrams exchanged by QUIC 122 endpoints. This document describes the contents of those datagrams. 124 QUIC defines two types of packet header: long and short. Packets 125 with long headers are identified by the most significant bit of the 126 first byte being set; packets with a short header have that bit 127 cleared. 129 Aside from the values described here, the payload of QUIC packets is 130 version-specific and of arbitrary length. 132 4.1. Long Header 134 Long headers take the form described in Figure 1. Bits that have 135 version-specific semantics are marked with an X. 137 0 1 2 3 138 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 139 +-+-+-+-+-+-+-+-+ 140 |1|X X X X X X X| 141 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 142 | Version (32) | 143 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 144 | DCID Len (8) | 145 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 146 | Destination Connection ID (0..2040) ... 147 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 148 | SCID Len (8) | 149 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 150 | Source Connection ID (0..2040) ... 151 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 152 |X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X ... 153 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 155 Figure 1: QUIC Long Header 157 A QUIC packet with a long header has the high bit of the first byte 158 set to 1. All other bits in that byte are version specific. 160 The next four bytes include a 32-bit Version field (see Section 4.4). 162 The next byte contains the length in bytes of the two Connection IDs 163 (see Section 4.3) that follow. Each length is encoded as a 4-bit 164 unsigned integer. The length of the Destination Connection ID (DCIL) 165 occupies the high bits of the byte and the length of the Source 166 Connection ID (SCIL) occupies the low bits of the byte. An encoded 167 length of 0 indicates that the connection ID is also 0 bytes in 168 length. Non-zero encoded lengths are increased by 3 to get the full 169 length of the connection ID; the final value is therefore either 0 or 170 between 4 and 18 bytes in length (inclusive). For example, a byte 171 with the value 0xe0 describes a 17 byte Destination Connection ID and 172 a zero byte Source Connection ID. 174 The connection ID lengths are followed by two connection IDs. The 175 connection ID associated with the recipient of the packet (the 176 Destination Connection ID) is followed by the connection ID 177 associated with the sender of the packet (the Source Connection ID). 179 The remainder of the packet contains version-specific content. 181 4.2. Short Header 183 Short headers take the form described in Figure 2. Bits that have 184 version-specific semantics are marked with an X. 186 0 1 2 3 187 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 188 +-+-+-+-+-+-+-+-+ 189 |0|X X X X X X X| 190 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 191 | Destination Connection ID (*) ... 192 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 193 |X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X ... 194 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 196 Figure 2: QUIC Short Header 198 A QUIC packet with a short header has the high bit of the first byte 199 set to 0. 201 A QUIC packet with a short header includes a Destination Connection 202 ID. The short header does not include the Connection ID Lengths, 203 Source Connection ID, or Version fields. 205 The remainder of the packet has version-specific semantics. 207 4.3. Connection ID 209 A connection ID is an opaque field of arbitrary length. 211 The primary function of a connection ID is to ensure that changes in 212 addressing at lower protocol layers (UDP, IP, and below) don't cause 213 packets for a QUIC connection to be delivered to the wrong endpoint. 214 The connection ID is used by endpoints and the intermediaries that 215 support them to ensure that each QUIC packet can be delivered to the 216 correct instance of an endpoint. At the endpoint, the connection ID 217 is used to identify which QUIC connection the packet is intended for. 219 The connection ID is chosen by each endpoint using version-specific 220 methods. Packets for the same QUIC connection might use different 221 connection ID values. 223 4.4. Version 225 QUIC versions are identified with a 32-bit integer, encoded in 226 network byte order. Version 0 is reserved for version negotiation 227 (see Section 5). All other version numbers are potentially valid. 229 The properties described in this document apply to all versions of 230 QUIC. A protocol that does not conform to the properties described 231 in this document is not QUIC. Future documents might describe 232 additional properties which apply to a specific QUIC version, or to a 233 range of QUIC versions. 235 5. Version Negotiation 237 A QUIC endpoint that receives a packet with a long header and a 238 version it either does not understand or does not support might send 239 a Version Negotiation packet in response. Packets with a short 240 header do not trigger version negotiation. 242 A Version Negotiation packet sets the high bit of the first byte, and 243 thus it conforms with the format of a packet with a long header as 244 defined in Section 4.1. A Version Negotiation packet is identifiable 245 as such by the Version field, which is set to 0x00000000. 247 0 1 2 3 248 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 249 +-+-+-+-+-+-+-+-+ 250 |1|X X X X X X X| 251 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 252 | Version (32) = 0 | 253 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 254 | DCID Len (8) | 255 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 256 | Destination Connection ID (0..2040) ... 257 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 258 | SCID Len (8) | 259 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 260 | Source Connection ID (0..2040) ... 261 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 262 | Supported Version 1 (32) | 263 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 264 | [Supported Version 2 (32)] | 265 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 266 ... 267 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 268 | [Supported Version N (32)] | 269 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 271 Figure 3: Version Negotiation Packet 273 The Version Negotiation packet contains a list of Supported Version 274 fields, each identifying a version that the endpoint sending the 275 packet supports. The Supported Version fields follow the Version 276 field. A Version Negotiation packet contains no other fields. An 277 endpoint MUST ignore a packet that contains no Supported Version 278 fields, or a truncated Supported Version. 280 Version Negotiation packets do not use integrity or confidentiality 281 protection. A specific QUIC version might authenticate the packet as 282 part of its connection establishment process. 284 An endpoint MUST include the value from the Source Connection ID 285 field of the packet it receives in the Destination Connection ID 286 field. The value for Source Connection ID MUST be copied from the 287 Destination Connection ID of the received packet, which is initially 288 randomly selected by a client. Echoing both connection IDs gives 289 clients some assurance that the server received the packet and that 290 the Version Negotiation packet was not generated by an off-path 291 attacker. 293 An endpoint that receives a Version Negotiation packet might change 294 the version that it decides to use for subsequent packets. The 295 conditions under which an endpoint changes QUIC version will depend 296 on the version of QUIC that it chooses. 298 See [QUIC-TRANSPORT] for a more thorough description of how an 299 endpoint that supports QUIC version 1 generates and consumes a 300 Version Negotiation packet. 302 6. Security and Privacy Considerations 304 It is possible that middleboxes could use traits of a specific 305 version of QUIC and assume that when other versions of QUIC exhibit 306 similar traits the same underlying semantic is being expressed. 307 There are potentially many such traits (see Appendix A). Some effort 308 has been made to either eliminate or obscure some observable traits 309 in QUIC version 1, but many of these remain. Other QUIC versions 310 might make different design decisions and so exhibit different 311 traits. 313 The QUIC version number does not appear in all QUIC packets, which 314 means that reliably extracting information from a flow based on 315 version-specific traits requires that middleboxes retain state for 316 every connection ID they see. 318 The Version Negotiation packet described in this document is not 319 integrity-protected; it only has modest protection against insertion 320 by off-path attackers. QUIC versions MUST define a mechanism that 321 authenticates the values it contains. 323 7. IANA Considerations 325 This document makes no request of IANA. 327 8. References 329 8.1. Normative References 331 [QUIC-TRANSPORT] 332 Iyengar, J., Ed. and M. Thomson, Ed., "QUIC: A UDP-Based 333 Multiplexed and Secure Transport", draft-ietf-quic- 334 transport-23 (work in progress), July 2019. 336 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 337 Requirement Levels", BCP 14, RFC 2119, 338 DOI 10.17487/RFC2119, March 1997, 339 . 341 [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 342 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, 343 May 2017, . 345 8.2. Informative References 347 [QUIC-TLS] 348 Thomson, M., Ed. and S. Turner, Ed., "Using Transport 349 Layer Security (TLS) to Secure QUIC", draft-ietf-quic- 350 tls-23 (work in progress), July 2019. 352 [RFC5116] McGrew, D., "An Interface and Algorithms for Authenticated 353 Encryption", RFC 5116, DOI 10.17487/RFC5116, January 2008, 354 . 356 8.3. URIs 358 [1] https://mailarchive.ietf.org/arch/search/?email_list=quic 360 [2] https://github.com/quicwg 362 [3] https://github.com/quicwg/base-drafts/labels/-invariants 364 Appendix A. Incorrect Assumptions 366 There are several traits of QUIC version 1 [QUIC-TRANSPORT] that are 367 not protected from observation, but are nonetheless considered to be 368 changeable when a new version is deployed. 370 This section lists a sampling of incorrect assumptions that might be 371 made based on knowledge of QUIC version 1. Some of these statements 372 are not even true for QUIC version 1. This is not an exhaustive 373 list, it is intended to be illustrative only. 375 The following statements are NOT guaranteed to be true for every QUIC 376 version: 378 o QUIC uses TLS [QUIC-TLS] and some TLS messages are visible on the 379 wire 381 o QUIC long headers are only exchanged during connection 382 establishment 384 o Every flow on a given 5-tuple will include a connection 385 establishment phase 387 o The first packets exchanged on a flow use the long header 389 o QUIC forbids acknowledgments of packets that only contain ACK 390 frames, therefore the last packet before a long period of 391 quiescence might be assumed to contain an acknowledgment 393 o QUIC uses an AEAD (AEAD_AES_128_GCM [RFC5116]) to protect the 394 packets it exchanges during connection establishment 396 o QUIC packet numbers appear after the Version field 398 o QUIC packet numbers increase by one for every packet sent 400 o QUIC has a minimum size for the first handshake packet sent by a 401 client 403 o QUIC stipulates that a client speaks first 405 o A QUIC Version Negotiation packet is only sent by a server 407 o A QUIC connection ID changes infrequently 409 o QUIC endpoints change the version they speak if they are sent a 410 Version Negotiation packet 412 o The version field in a QUIC long header is the same in both 413 directions 415 o Only one connection at a time is established between any pair of 416 QUIC endpoints 418 Author's Address 420 Martin Thomson 421 Mozilla 423 Email: mt@lowentropy.net