idnits 2.17.1 draft-ietf-quic-invariants-08.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- ** The document seems to lack a Security Considerations section. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document date (20 May 2020) is 1408 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) == Outdated reference: A later version (-34) exists of draft-ietf-quic-transport-28 == Outdated reference: A later version (-34) exists of draft-ietf-quic-tls-28 Summary: 1 error (**), 0 flaws (~~), 3 warnings (==), 1 comment (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 QUIC M. Thomson 3 Internet-Draft Mozilla 4 Intended status: Standards Track 20 May 2020 5 Expires: 21 November 2020 7 Version-Independent Properties of QUIC 8 draft-ietf-quic-invariants-08 10 Abstract 12 This document defines the properties of the QUIC transport protocol 13 that are expected to remain unchanged over time as new versions of 14 the protocol are developed. 16 Note to Readers 18 Discussion of this draft takes place on the QUIC working group 19 mailing list (quic@ietf.org (mailto:quic@ietf.org)), which is 20 archived at https://mailarchive.ietf.org/arch/ 21 search/?email_list=quic. 23 Working Group information can be found at https://github.com/quicwg; 24 source code and issues list for this draft can be found at 25 https://github.com/quicwg/base-drafts/labels/-invariants. 27 Status of This Memo 29 This Internet-Draft is submitted in full conformance with the 30 provisions of BCP 78 and BCP 79. 32 Internet-Drafts are working documents of the Internet Engineering 33 Task Force (IETF). Note that other groups may also distribute 34 working documents as Internet-Drafts. The list of current Internet- 35 Drafts is at https://datatracker.ietf.org/drafts/current/. 37 Internet-Drafts are draft documents valid for a maximum of six months 38 and may be updated, replaced, or obsoleted by other documents at any 39 time. It is inappropriate to use Internet-Drafts as reference 40 material or to cite them other than as "work in progress." 42 This Internet-Draft will expire on 21 November 2020. 44 Copyright Notice 46 Copyright (c) 2020 IETF Trust and the persons identified as the 47 document authors. All rights reserved. 49 This document is subject to BCP 78 and the IETF Trust's Legal 50 Provisions Relating to IETF Documents (https://trustee.ietf.org/ 51 license-info) in effect on the date of publication of this document. 52 Please review these documents carefully, as they describe your rights 53 and restrictions with respect to this document. Code Components 54 extracted from this document must include Simplified BSD License text 55 as described in Section 4.e of the Trust Legal Provisions and are 56 provided without warranty as described in the Simplified BSD License. 58 Table of Contents 60 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 61 2. Conventions and Definitions . . . . . . . . . . . . . . . . . 3 62 3. An Extremely Abstract Description of QUIC . . . . . . . . . . 3 63 4. QUIC Packet Headers . . . . . . . . . . . . . . . . . . . . . 3 64 4.1. Long Header . . . . . . . . . . . . . . . . . . . . . . . 3 65 4.2. Short Header . . . . . . . . . . . . . . . . . . . . . . 4 66 4.3. Connection ID . . . . . . . . . . . . . . . . . . . . . . 5 67 4.4. Version . . . . . . . . . . . . . . . . . . . . . . . . . 5 68 5. Version Negotiation . . . . . . . . . . . . . . . . . . . . . 5 69 6. Security and Privacy Considerations . . . . . . . . . . . . . 7 70 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 7 71 8. References . . . . . . . . . . . . . . . . . . . . . . . . . 7 72 8.1. Normative References . . . . . . . . . . . . . . . . . . 7 73 8.2. Informative References . . . . . . . . . . . . . . . . . 7 74 Appendix A. Incorrect Assumptions . . . . . . . . . . . . . . . 8 75 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 9 77 1. Introduction 79 In addition to providing secure, multiplexed transport, QUIC 80 [QUIC-TRANSPORT] includes the ability to negotiate a version. This 81 allows the protocol to change over time in response to new 82 requirements. Many characteristics of the protocol will change 83 between versions. 85 This document describes the subset of QUIC that is intended to remain 86 stable as new versions are developed and deployed. All of these 87 invariants are IP-version-independent. 89 The primary goal of this document is to ensure that it is possible to 90 deploy new versions of QUIC. By documenting the properties that 91 can't change, this document aims to preserve the ability to change 92 any other aspect of the protocol. Thus, unless specifically 93 described in this document, any aspect of the protocol can change 94 between different versions. 96 Appendix A is a non-exhaustive list of some incorrect assumptions 97 that might be made based on knowledge of QUIC version 1; these do not 98 apply to every version of QUIC. 100 2. Conventions and Definitions 102 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 103 "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and 104 "OPTIONAL" in this document are to be interpreted as described in 105 BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all 106 capitals, as shown here. 108 This document uses terms and notational conventions from 109 [QUIC-TRANSPORT]. 111 3. An Extremely Abstract Description of QUIC 113 QUIC is a connection-oriented protocol between two endpoints. Those 114 endpoints exchange UDP datagrams. These UDP datagrams contain QUIC 115 packets. QUIC endpoints use QUIC packets to establish a QUIC 116 connection, which is shared protocol state between those endpoints. 118 4. QUIC Packet Headers 120 A QUIC packet is the content of the UDP datagrams exchanged by QUIC 121 endpoints. This document describes the contents of those datagrams. 123 QUIC defines two types of packet header: long and short. Packets 124 with long headers are identified by the most significant bit of the 125 first byte being set; packets with a short header have that bit 126 cleared. 128 Aside from the values described here, the payload of QUIC packets is 129 version-specific and of arbitrary length. 131 4.1. Long Header 133 Long headers take the form described in Figure 1. 135 Long Header Packet { 136 Header Form (1) = 1, 137 Version-Specific Bits (7), 138 Version (32), 139 DCID Len (8), 140 Destination Connection ID (0..2040), 141 SCID Len (8), 142 Source Connection ID (0..2040), 143 Version-Specific Data (..), 144 } 146 Figure 1: QUIC Long Header 148 A QUIC packet with a long header has the high bit of the first byte 149 set to 1. All other bits in that byte are version specific. 151 The next four bytes include a 32-bit Version field (see Section 4.4). 153 The next byte contains the length in bytes of the Destination 154 Connection ID (see Section 4.3) field that follows it. This length 155 is encoded as an 8-bit unsigned integer. The Destination Connection 156 ID field follows the DCID Len field and is between 0 and 255 bytes in 157 length. 159 The next byte contains the length in bytes of the Source Connection 160 ID field that follows it. This length is encoded as a 8-bit unsigned 161 integer. The Source Connection ID field follows the SCID Len field 162 and is between 0 and 255 bytes in length. 164 The remainder of the packet contains version-specific content. 166 4.2. Short Header 168 Short headers take the form described in Figure 2. 170 Short Header Packet { 171 Header Form (1) = 0, 172 Version-Specific Bits (7), 173 Destination Connection ID (..), 174 Version-Specific Data (..), 175 } 177 Figure 2: QUIC Short Header 179 A QUIC packet with a short header has the high bit of the first byte 180 set to 0. 182 A QUIC packet with a short header includes a Destination Connection 183 ID immediately following the first byte. The short header does not 184 include the Connection ID Lengths, Source Connection ID, or Version 185 fields. The length of the Destination Connection ID is not specified 186 in packets with a short header and is not constrained by this 187 specification. 189 The remainder of the packet has version-specific semantics. 191 4.3. Connection ID 193 A connection ID is an opaque field of arbitrary length. 195 The primary function of a connection ID is to ensure that changes in 196 addressing at lower protocol layers (UDP, IP, and below) don't cause 197 packets for a QUIC connection to be delivered to the wrong endpoint. 198 The connection ID is used by endpoints and the intermediaries that 199 support them to ensure that each QUIC packet can be delivered to the 200 correct instance of an endpoint. At the endpoint, the connection ID 201 is used to identify which QUIC connection the packet is intended for. 203 The connection ID is chosen by each endpoint using version-specific 204 methods. Packets for the same QUIC connection might use different 205 connection ID values. 207 4.4. Version 209 QUIC versions are identified with a 32-bit integer, encoded in 210 network byte order. Version 0 is reserved for version negotiation 211 (see Section 5). All other version numbers are potentially valid. 213 The properties described in this document apply to all versions of 214 QUIC. A protocol that does not conform to the properties described 215 in this document is not QUIC. Future documents might describe 216 additional properties which apply to a specific QUIC version, or to a 217 range of QUIC versions. 219 5. Version Negotiation 221 A QUIC endpoint that receives a packet with a long header and a 222 version it either does not understand or does not support might send 223 a Version Negotiation packet in response. Packets with a short 224 header do not trigger version negotiation. 226 A Version Negotiation packet sets the high bit of the first byte, and 227 thus it conforms with the format of a packet with a long header as 228 defined in Section 4.1. A Version Negotiation packet is identifiable 229 as such by the Version field, which is set to 0x00000000. 231 Version Negotiation Packet { 232 Header Form (1) = 1, 233 Unused (7), 234 Version (32) = 0, 235 DCID Len (8), 236 Destination Connection ID (0..2040), 237 SCID Len (8), 238 Source Connection ID (0..2040), 239 Supported Version (32) ..., 240 } 242 Figure 3: Version Negotiation Packet 244 The Version Negotiation packet contains a list of Supported Version 245 fields, each identifying a version that the endpoint sending the 246 packet supports. The Supported Version fields follow the Version 247 field. A Version Negotiation packet contains no other fields. An 248 endpoint MUST ignore a packet that contains no Supported Version 249 fields, or a truncated Supported Version. 251 Version Negotiation packets do not use integrity or confidentiality 252 protection. A specific QUIC version might authenticate the packet as 253 part of its connection establishment process. 255 An endpoint MUST include the value from the Source Connection ID 256 field of the packet it receives in the Destination Connection ID 257 field. The value for Source Connection ID MUST be copied from the 258 Destination Connection ID of the received packet, which is initially 259 randomly selected by a client. Echoing both connection IDs gives 260 clients some assurance that the server received the packet and that 261 the Version Negotiation packet was not generated by an off-path 262 attacker. 264 An endpoint that receives a Version Negotiation packet might change 265 the version that it decides to use for subsequent packets. The 266 conditions under which an endpoint changes QUIC version will depend 267 on the version of QUIC that it chooses. 269 See [QUIC-TRANSPORT] for a more thorough description of how an 270 endpoint that supports QUIC version 1 generates and consumes a 271 Version Negotiation packet. 273 6. Security and Privacy Considerations 275 It is possible that middleboxes could use traits of a specific 276 version of QUIC and assume that when other versions of QUIC exhibit 277 similar traits the same underlying semantic is being expressed. 278 There are potentially many such traits (see Appendix A). Some effort 279 has been made to either eliminate or obscure some observable traits 280 in QUIC version 1, but many of these remain. Other QUIC versions 281 might make different design decisions and so exhibit different 282 traits. 284 The QUIC version number does not appear in all QUIC packets, which 285 means that reliably extracting information from a flow based on 286 version-specific traits requires that middleboxes retain state for 287 every connection ID they see. 289 The Version Negotiation packet described in this document is not 290 integrity-protected; it only has modest protection against insertion 291 by off-path attackers. QUIC versions MUST define a mechanism that 292 authenticates the values it contains. 294 7. IANA Considerations 296 This document makes no request of IANA. 298 8. References 300 8.1. Normative References 302 [QUIC-TRANSPORT] 303 Iyengar, J., Ed. and M. Thomson, Ed., "QUIC: A UDP-Based 304 Multiplexed and Secure Transport", Work in Progress, 305 Internet-Draft, draft-ietf-quic-transport-28, 20 May 2020, 306 . 309 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 310 Requirement Levels", BCP 14, RFC 2119, 311 DOI 10.17487/RFC2119, March 1997, 312 . 314 [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 315 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, 316 May 2017, . 318 8.2. Informative References 320 [QUIC-TLS] Thomson, M., Ed. and S. Turner, Ed., "Using Transport 321 Layer Security (TLS) to Secure QUIC", Work in Progress, 322 Internet-Draft, draft-ietf-quic-tls-28, 20 May 2020, 323 . 325 [RFC5116] McGrew, D., "An Interface and Algorithms for Authenticated 326 Encryption", RFC 5116, DOI 10.17487/RFC5116, January 2008, 327 . 329 Appendix A. Incorrect Assumptions 331 There are several traits of QUIC version 1 [QUIC-TRANSPORT] that are 332 not protected from observation, but are nonetheless considered to be 333 changeable when a new version is deployed. 335 This section lists a sampling of incorrect assumptions that might be 336 made based on knowledge of QUIC version 1. Some of these statements 337 are not even true for QUIC version 1. This is not an exhaustive 338 list, it is intended to be illustrative only. 340 The following statements are NOT guaranteed to be true for every QUIC 341 version: 343 * QUIC uses TLS [QUIC-TLS] and some TLS messages are visible on the 344 wire 346 * QUIC long headers are only exchanged during connection 347 establishment 349 * Every flow on a given 5-tuple will include a connection 350 establishment phase 352 * The first packets exchanged on a flow use the long header 354 * QUIC forbids acknowledgments of packets that only contain ACK 355 frames, therefore the last packet before a long period of 356 quiescence might be assumed to contain an acknowledgment 358 * QUIC uses an AEAD (AEAD_AES_128_GCM [RFC5116]) to protect the 359 packets it exchanges during connection establishment 361 * QUIC packet numbers are encrypted and appear as the first 362 encrypted bytes 364 * QUIC packet numbers increase by one for every packet sent 366 * QUIC has a minimum size for the first handshake packet sent by a 367 client 369 * QUIC stipulates that a client speaks first 371 * QUIC packets always have the second bit of the first byte (0x40) 372 set 374 * A QUIC Version Negotiation packet is only sent by a server 376 * A QUIC connection ID changes infrequently 378 * QUIC endpoints change the version they speak if they are sent a 379 Version Negotiation packet 381 * The version field in a QUIC long header is the same in both 382 directions 384 * Only one connection at a time is established between any pair of 385 QUIC endpoints 387 Author's Address 389 Martin Thomson 390 Mozilla 392 Email: mt@lowentropy.net