idnits 2.17.1 draft-ietf-quic-invariants-12.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- ** The document seems to lack an Introduction section. ** The document seems to lack a Security Considerations section. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document date (13 December 2020) is 1230 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) == Outdated reference: A later version (-34) exists of draft-ietf-quic-tls-33 == Outdated reference: A later version (-34) exists of draft-ietf-quic-transport-33 Summary: 2 errors (**), 0 flaws (~~), 3 warnings (==), 1 comment (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 QUIC M. Thomson 3 Internet-Draft Mozilla 4 Intended status: Standards Track 13 December 2020 5 Expires: 16 June 2021 7 Version-Independent Properties of QUIC 8 draft-ietf-quic-invariants-12 10 Abstract 12 This document defines the properties of the QUIC transport protocol 13 that are expected to remain unchanged over time as new versions of 14 the protocol are developed. 16 Note to Readers 18 Discussion of this draft takes place on the QUIC working group 19 mailing list (quic@ietf.org (mailto:quic@ietf.org)), which is 20 archived at https://mailarchive.ietf.org/arch/ 21 search/?email_list=quic. 23 Working Group information can be found at https://github.com/quicwg; 24 source code and issues list for this draft can be found at 25 https://github.com/quicwg/base-drafts/labels/-invariants. 27 Status of This Memo 29 This Internet-Draft is submitted in full conformance with the 30 provisions of BCP 78 and BCP 79. 32 Internet-Drafts are working documents of the Internet Engineering 33 Task Force (IETF). Note that other groups may also distribute 34 working documents as Internet-Drafts. The list of current Internet- 35 Drafts is at https://datatracker.ietf.org/drafts/current/. 37 Internet-Drafts are draft documents valid for a maximum of six months 38 and may be updated, replaced, or obsoleted by other documents at any 39 time. It is inappropriate to use Internet-Drafts as reference 40 material or to cite them other than as "work in progress." 42 This Internet-Draft will expire on 16 June 2021. 44 Copyright Notice 46 Copyright (c) 2020 IETF Trust and the persons identified as the 47 document authors. All rights reserved. 49 This document is subject to BCP 78 and the IETF Trust's Legal 50 Provisions Relating to IETF Documents (https://trustee.ietf.org/ 51 license-info) in effect on the date of publication of this document. 52 Please review these documents carefully, as they describe your rights 53 and restrictions with respect to this document. Code Components 54 extracted from this document must include Simplified BSD License text 55 as described in Section 4.e of the Trust Legal Provisions and are 56 provided without warranty as described in the Simplified BSD License. 58 Table of Contents 60 1. An Extremely Abstract Description of QUIC . . . . . . . . . . 2 61 2. Fixed Properties of All QUIC Versions . . . . . . . . . . . . 2 62 3. Conventions and Definitions . . . . . . . . . . . . . . . . . 3 63 4. Notational Conventions . . . . . . . . . . . . . . . . . . . 3 64 5. QUIC Packets . . . . . . . . . . . . . . . . . . . . . . . . 4 65 5.1. Long Header . . . . . . . . . . . . . . . . . . . . . . . 4 66 5.2. Short Header . . . . . . . . . . . . . . . . . . . . . . 5 67 5.3. Connection ID . . . . . . . . . . . . . . . . . . . . . . 6 68 5.4. Version . . . . . . . . . . . . . . . . . . . . . . . . . 6 69 6. Version Negotiation . . . . . . . . . . . . . . . . . . . . . 6 70 7. Security and Privacy Considerations . . . . . . . . . . . . . 8 71 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 8 72 9. References . . . . . . . . . . . . . . . . . . . . . . . . . 8 73 9.1. Normative References . . . . . . . . . . . . . . . . . . 8 74 9.2. Informative References . . . . . . . . . . . . . . . . . 8 75 Appendix A. Incorrect Assumptions . . . . . . . . . . . . . . . 9 76 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 10 78 1. An Extremely Abstract Description of QUIC 80 QUIC is a connection-oriented protocol between two endpoints. Those 81 endpoints exchange UDP datagrams. These UDP datagrams contain QUIC 82 packets. QUIC endpoints use QUIC packets to establish a QUIC 83 connection, which is shared protocol state between those endpoints. 85 2. Fixed Properties of All QUIC Versions 87 In addition to providing secure, multiplexed transport, QUIC 88 [QUIC-TRANSPORT] allows for the option to negotiate a version. This 89 allows the protocol to change over time in response to new 90 requirements. Many characteristics of the protocol could change 91 between versions. 93 This document describes the subset of QUIC that is intended to remain 94 stable as new versions are developed and deployed. All of these 95 invariants are IP-version-independent. 97 The primary goal of this document is to ensure that it is possible to 98 deploy new versions of QUIC. By documenting the properties that 99 cannot change, this document aims to preserve the ability for QUIC 100 endpoints to negotiate changes to any other aspect of the protocol. 101 As a consequence, this also guarantees a minimal amount of 102 information that is made available to entities other than endpoints. 103 Unless specifically prohibited in this document, any aspect of the 104 protocol can change between different versions. 106 Appendix A is a non-exhaustive list of some incorrect assumptions 107 that might be made based on knowledge of QUIC version 1; these do not 108 apply to every version of QUIC. 110 3. Conventions and Definitions 112 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 113 "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and 114 "OPTIONAL" in this document are to be interpreted as described in 115 BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all 116 capitals, as shown here. 118 This document defines requirements on future QUIC versions, even 119 where normative language is not used. 121 This document uses terms and notational conventions from 122 [QUIC-TRANSPORT]. 124 4. Notational Conventions 126 Packet diagrams in this document use a format defined in 127 [QUIC-TRANSPORT] to illustrate the order and size of fields. 129 Complex fields are named and then followed by a list of fields 130 surrounded by a pair of matching braces. Each field in this list is 131 separated by commas. 133 Individual fields include length information, plus indications about 134 fixed value, optionality, or repetitions. Individual fields use the 135 following notational conventions, with all lengths in bits: 137 x (A): Indicates that x is A bits long 139 x (A..B): Indicates that x can be any length from A to B; A can be 140 omitted to indicate a minimum of zero bits and B can be omitted to 141 indicate no set upper limit; values in this format always end on 142 an octet boundary 144 x (?) = C: Indicates that x has a fixed value of C 145 x (E) ...: Indicates that x is repeated zero or more times (and that 146 each instance is length E) 148 This document uses network byte order (that is, big endian) values. 149 Fields are placed starting from the high-order bits of each byte. 151 Figure 1 shows an example structure: 153 Example Structure { 154 One-bit Field (1), 155 7-bit Field with Fixed Value (7) = 61, 156 Arbitrary-Length Field (..), 157 Variable-Length Field (8..24), 158 Repeated Field (8) ..., 159 } 161 Figure 1: Example Format 163 5. QUIC Packets 165 QUIC endpoints exchange UDP datagrams that contain one or more QUIC 166 packets. This section describes the invariant characteristics of a 167 QUIC packet. A version of QUIC could permit multiple QUIC packets in 168 a single UDP datagram, but the invariant properties only describe the 169 first packet in a datagram. 171 QUIC defines two types of packet header: long and short. Packets 172 with long headers are identified by the most significant bit of the 173 first byte being set; packets with a short header have that bit 174 cleared. 176 QUIC packets might be integrity protected, including the header. 177 However, QUIC Version Negotiation packets are not integrity 178 protected; see Section 6. 180 Aside from the values described here, the payload of QUIC packets is 181 version-specific and of arbitrary length. 183 5.1. Long Header 185 Long headers take the form described in Figure 2. 187 Long Header Packet { 188 Header Form (1) = 1, 189 Version-Specific Bits (7), 190 Version (32), 191 Destination Connection ID Length (8), 192 Destination Connection ID (0..2040), 193 Source Connection ID Length (8), 194 Source Connection ID (0..2040), 195 Version-Specific Data (..), 196 } 198 Figure 2: QUIC Long Header 200 A QUIC packet with a long header has the high bit of the first byte 201 set to 1. All other bits in that byte are version specific. 203 The next four bytes include a 32-bit Version field. Versions are 204 described in Section 5.4. 206 The next byte contains the length in bytes of the Destination 207 Connection ID field that follows it. This length is encoded as an 208 8-bit unsigned integer. The Destination Connection ID field follows 209 the Destination Connection ID Length field and is between 0 and 255 210 bytes in length. Connection IDs are described in Section 5.3. 212 The next byte contains the length in bytes of the Source Connection 213 ID field that follows it. This length is encoded as an 8-bit 214 unsigned integer. The Source Connection ID field follows the Source 215 Connection ID Length field and is between 0 and 255 bytes in length. 217 The remainder of the packet contains version-specific content. 219 5.2. Short Header 221 Short headers take the form described in Figure 3. 223 Short Header Packet { 224 Header Form (1) = 0, 225 Version-Specific Bits (7), 226 Destination Connection ID (..), 227 Version-Specific Data (..), 228 } 230 Figure 3: QUIC Short Header 232 A QUIC packet with a short header has the high bit of the first byte 233 set to 0. 235 A QUIC packet with a short header includes a Destination Connection 236 ID immediately following the first byte. The short header does not 237 include the Connection ID Lengths, Source Connection ID, or Version 238 fields. The length of the Destination Connection ID is not encoded 239 in packets with a short header and is not constrained by this 240 specification. 242 The remainder of the packet has version-specific semantics. 244 5.3. Connection ID 246 A connection ID is an opaque field of arbitrary length. 248 The primary function of a connection ID is to ensure that changes in 249 addressing at lower protocol layers (UDP, IP, and below) do not cause 250 packets for a QUIC connection to be delivered to the wrong QUIC 251 endpoint. The connection ID is used by endpoints and the 252 intermediaries that support them to ensure that each QUIC packet can 253 be delivered to the correct instance of an endpoint. At the 254 endpoint, the connection ID is used to identify the QUIC connection 255 for which the packet is intended. 257 The connection ID is chosen by each endpoint using version-specific 258 methods. Packets for the same QUIC connection might use different 259 connection ID values. 261 5.4. Version 263 The Version field contains a 4-byte identifier. This value can be 264 used by endpoints to identify a QUIC Version. A Version field with a 265 value of 0x00000000 is reserved for version negotiation; see 266 Section 6. All other values are potentially valid. 268 The properties described in this document apply to all versions of 269 QUIC. A protocol that does not conform to the properties described 270 in this document is not QUIC. Future documents might describe 271 additional properties that apply to a specific QUIC version, or to a 272 range of QUIC versions. 274 6. Version Negotiation 276 A QUIC endpoint that receives a packet with a long header and a 277 version it either does not understand or does not support might send 278 a Version Negotiation packet in response. Packets with a short 279 header do not trigger version negotiation. 281 A Version Negotiation packet sets the high bit of the first byte, and 282 thus it conforms with the format of a packet with a long header as 283 defined in Section 5.1. A Version Negotiation packet is identifiable 284 as such by the Version field, which is set to 0x00000000. 286 Version Negotiation Packet { 287 Header Form (1) = 1, 288 Unused (7), 289 Version (32) = 0, 290 Destination Connection ID Length (8), 291 Destination Connection ID (0..2040), 292 Source Connection ID Length (8), 293 Source Connection ID (0..2040), 294 Supported Version (32) ..., 295 } 297 Figure 4: Version Negotiation Packet 299 Only the most significant bit of the first byte of a Version 300 Negotiation packet has any defined value. The remaining 7 bits, 301 labeled Unused, can be set to any value when sending and MUST be 302 ignored on receipt. 304 After the Source Connection ID field, the Version Negotiation packet 305 contains a list of Supported Version fields, each identifying a 306 version that the endpoint sending the packet supports. A Version 307 Negotiation packet contains no other fields. An endpoint MUST ignore 308 a packet that contains no Supported Version fields, or a truncated 309 Supported Version. 311 Version Negotiation packets do not use integrity or confidentiality 312 protection. Specific QUIC versions might include protocol elements 313 that allow endpoints to detect modification or corruption in the set 314 of supported versions. 316 An endpoint MUST include the value from the Source Connection ID 317 field of the packet it receives in the Destination Connection ID 318 field. The value for Source Connection ID MUST be copied from the 319 Destination Connection ID of the received packet, which is initially 320 randomly selected by a client. Echoing both connection IDs gives 321 clients some assurance that the server received the packet and that 322 the Version Negotiation packet was not generated by an off-path 323 attacker. 325 An endpoint that receives a Version Negotiation packet might change 326 the version that it decides to use for subsequent packets. The 327 conditions under which an endpoint changes QUIC version will depend 328 on the version of QUIC that it chooses. 330 See [QUIC-TRANSPORT] for a more thorough description of how an 331 endpoint that supports QUIC version 1 generates and consumes a 332 Version Negotiation packet. 334 7. Security and Privacy Considerations 336 It is possible that middleboxes could observe traits of a specific 337 version of QUIC and assume that when other versions of QUIC exhibit 338 similar traits the same underlying semantic is being expressed. 339 There are potentially many such traits; see Appendix A. Some effort 340 has been made to either eliminate or obscure some observable traits 341 in QUIC version 1, but many of these remain. Other QUIC versions 342 might make different design decisions and so exhibit different 343 traits. 345 The QUIC version number does not appear in all QUIC packets, which 346 means that reliably extracting information from a flow based on 347 version-specific traits requires that middleboxes retain state for 348 every connection ID they see. 350 The Version Negotiation packet described in this document is not 351 integrity-protected; it only has modest protection against insertion 352 by off-path attackers. An endpoint MUST authenticate the contents of 353 a Version Negotiation packet if it attempts a different QUIC version 354 as a result. 356 8. IANA Considerations 358 This document makes no request of IANA. 360 9. References 362 9.1. Normative References 364 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 365 Requirement Levels", BCP 14, RFC 2119, 366 DOI 10.17487/RFC2119, March 1997, 367 . 369 [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 370 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, 371 May 2017, . 373 9.2. Informative References 375 [QUIC-TLS] Thomson, M., Ed. and S. Turner, Ed., "Using Transport 376 Layer Security (TLS) to Secure QUIC", Work in Progress, 377 Internet-Draft, draft-ietf-quic-tls-33, 13 December 2020, 378 . 380 [QUIC-TRANSPORT] 381 Iyengar, J., Ed. and M. Thomson, Ed., "QUIC: A UDP-Based 382 Multiplexed and Secure Transport", Work in Progress, 383 Internet-Draft, draft-ietf-quic-transport-33, 13 December 384 2020, . 387 [RFC5116] McGrew, D., "An Interface and Algorithms for Authenticated 388 Encryption", RFC 5116, DOI 10.17487/RFC5116, January 2008, 389 . 391 Appendix A. Incorrect Assumptions 393 There are several traits of QUIC version 1 [QUIC-TRANSPORT] that are 394 not protected from observation, but are nonetheless considered to be 395 changeable when a new version is deployed. 397 This section lists a sampling of incorrect assumptions that might be 398 made based on knowledge of QUIC version 1. Some of these statements 399 are not even true for QUIC version 1. This is not an exhaustive 400 list; it is intended to be illustrative only. 402 *Any and all of the following statements can be false for a given 403 QUIC version:* 405 * QUIC uses TLS [QUIC-TLS] and some TLS messages are visible on the 406 wire 408 * QUIC long headers are only exchanged during connection 409 establishment 411 * Every flow on a given 5-tuple will include a connection 412 establishment phase 414 * The first packets exchanged on a flow use the long header 416 * The last packet before a long period of quiescence might be 417 assumed to contain only an acknowledgment 419 * QUIC uses an AEAD (AEAD_AES_128_GCM [RFC5116]) to protect the 420 packets it exchanges during connection establishment 422 * QUIC packet numbers are encrypted and appear as the first 423 encrypted bytes 425 * QUIC packet numbers increase by one for every packet sent 427 * QUIC has a minimum size for the first handshake packet sent by a 428 client 430 * QUIC stipulates that a client speaks first 432 * QUIC packets always have the second bit of the first byte (0x40) 433 set 435 * A QUIC Version Negotiation packet is only sent by a server 437 * A QUIC connection ID changes infrequently 439 * QUIC endpoints change the version they speak if they are sent a 440 Version Negotiation packet 442 * The Version field in a QUIC long header is the same in both 443 directions 445 * A QUIC packet with a particular value in the Version field means 446 that the corresponding version of QUIC is in use 448 * Only one connection at a time is established between any pair of 449 QUIC endpoints 451 Author's Address 453 Martin Thomson 454 Mozilla 456 Email: mt@lowentropy.net