idnits 2.17.1 draft-ietf-quic-invariants-13.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- ** The document seems to lack an Introduction section. ** The document seems to lack a Security Considerations section. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document date (15 January 2021) is 1197 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) == Outdated reference: A later version (-34) exists of draft-ietf-quic-tls-33 Summary: 2 errors (**), 0 flaws (~~), 2 warnings (==), 1 comment (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 QUIC M. Thomson 3 Internet-Draft Mozilla 4 Intended status: Standards Track 15 January 2021 5 Expires: 19 July 2021 7 Version-Independent Properties of QUIC 8 draft-ietf-quic-invariants-13 10 Abstract 12 This document defines the properties of the QUIC transport protocol 13 that are common to all versions of the protocol. 15 Note to Readers 17 Discussion of this draft takes place on the QUIC working group 18 mailing list (quic@ietf.org (mailto:quic@ietf.org)), which is 19 archived at https://mailarchive.ietf.org/arch/ 20 search/?email_list=quic. 22 Working Group information can be found at https://github.com/quicwg; 23 source code and issues list for this draft can be found at 24 https://github.com/quicwg/base-drafts/labels/-invariants. 26 Status of This Memo 28 This Internet-Draft is submitted in full conformance with the 29 provisions of BCP 78 and BCP 79. 31 Internet-Drafts are working documents of the Internet Engineering 32 Task Force (IETF). Note that other groups may also distribute 33 working documents as Internet-Drafts. The list of current Internet- 34 Drafts is at https://datatracker.ietf.org/drafts/current/. 36 Internet-Drafts are draft documents valid for a maximum of six months 37 and may be updated, replaced, or obsoleted by other documents at any 38 time. It is inappropriate to use Internet-Drafts as reference 39 material or to cite them other than as "work in progress." 41 This Internet-Draft will expire on 19 July 2021. 43 Copyright Notice 45 Copyright (c) 2021 IETF Trust and the persons identified as the 46 document authors. All rights reserved. 48 This document is subject to BCP 78 and the IETF Trust's Legal 49 Provisions Relating to IETF Documents (https://trustee.ietf.org/ 50 license-info) in effect on the date of publication of this document. 51 Please review these documents carefully, as they describe your rights 52 and restrictions with respect to this document. Code Components 53 extracted from this document must include Simplified BSD License text 54 as described in Section 4.e of the Trust Legal Provisions and are 55 provided without warranty as described in the Simplified BSD License. 57 Table of Contents 59 1. An Extremely Abstract Description of QUIC . . . . . . . . . . 2 60 2. Fixed Properties of All QUIC Versions . . . . . . . . . . . . 2 61 3. Conventions and Definitions . . . . . . . . . . . . . . . . . 3 62 4. Notational Conventions . . . . . . . . . . . . . . . . . . . 3 63 5. QUIC Packets . . . . . . . . . . . . . . . . . . . . . . . . 4 64 5.1. Long Header . . . . . . . . . . . . . . . . . . . . . . . 4 65 5.2. Short Header . . . . . . . . . . . . . . . . . . . . . . 5 66 5.3. Connection ID . . . . . . . . . . . . . . . . . . . . . . 6 67 5.4. Version . . . . . . . . . . . . . . . . . . . . . . . . . 6 68 6. Version Negotiation . . . . . . . . . . . . . . . . . . . . . 6 69 7. Security and Privacy Considerations . . . . . . . . . . . . . 8 70 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 8 71 9. References . . . . . . . . . . . . . . . . . . . . . . . . . 8 72 9.1. Normative References . . . . . . . . . . . . . . . . . . 8 73 9.2. Informative References . . . . . . . . . . . . . . . . . 8 74 Appendix A. Incorrect Assumptions . . . . . . . . . . . . . . . 9 75 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 10 77 1. An Extremely Abstract Description of QUIC 79 QUIC is a connection-oriented protocol between two endpoints. Those 80 endpoints exchange UDP datagrams. These UDP datagrams contain QUIC 81 packets. QUIC endpoints use QUIC packets to establish a QUIC 82 connection, which is shared protocol state between those endpoints. 84 2. Fixed Properties of All QUIC Versions 86 In addition to providing secure, multiplexed transport, QUIC 87 [QUIC-TRANSPORT] allows for the option to negotiate a version. This 88 allows the protocol to change over time in response to new 89 requirements. Many characteristics of the protocol could change 90 between versions. 92 This document describes the subset of QUIC that is intended to remain 93 stable as new versions are developed and deployed. All of these 94 invariants are IP-version-independent. 96 The primary goal of this document is to ensure that it is possible to 97 deploy new versions of QUIC. By documenting the properties that 98 cannot change, this document aims to preserve the ability for QUIC 99 endpoints to negotiate changes to any other aspect of the protocol. 100 As a consequence, this also guarantees a minimal amount of 101 information that is made available to entities other than endpoints. 102 Unless specifically prohibited in this document, any aspect of the 103 protocol can change between different versions. 105 Appendix A contains a non-exhaustive list of some incorrect 106 assumptions that might be made based on knowledge of QUIC version 1; 107 these do not apply to every version of QUIC. 109 3. Conventions and Definitions 111 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 112 "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and 113 "OPTIONAL" in this document are to be interpreted as described in 114 BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all 115 capitals, as shown here. 117 This document defines requirements on future QUIC versions, even 118 where normative language is not used. 120 This document uses terms and notational conventions from 121 [QUIC-TRANSPORT]. 123 4. Notational Conventions 125 The format of packets is described using the notation defined in this 126 section. This notation is the same as that used in [QUIC-TRANSPORT]. 128 Complex fields are named and then followed by a list of fields 129 surrounded by a pair of matching braces. Each field in this list is 130 separated by commas. 132 Individual fields include length information, plus indications about 133 fixed value, optionality, or repetitions. Individual fields use the 134 following notational conventions, with all lengths in bits: 136 x (A): Indicates that x is A bits long 138 x (A..B): Indicates that x can be any length from A to B; A can be 139 omitted to indicate a minimum of zero bits and B can be omitted to 140 indicate no set upper limit; values in this format always end on 141 an byte boundary 143 x (L) = C: Indicates that x, with a length described by L, has a 144 fixed value of C 146 x (L) ...: Indicates that x is repeated zero or more times (and that 147 each instance is length L) 149 This document uses network byte order (that is, big endian) values. 150 Fields are placed starting from the high-order bits of each byte. 152 Figure 1 shows an example structure: 154 Example Structure { 155 One-bit Field (1), 156 7-bit Field with Fixed Value (7) = 61, 157 Arbitrary-Length Field (..), 158 Variable-Length Field (8..24), 159 Repeated Field (8) ..., 160 } 162 Figure 1: Example Format 164 5. QUIC Packets 166 QUIC endpoints exchange UDP datagrams that contain one or more QUIC 167 packets. This section describes the invariant characteristics of a 168 QUIC packet. A version of QUIC could permit multiple QUIC packets in 169 a single UDP datagram, but the invariant properties only describe the 170 first packet in a datagram. 172 QUIC defines two types of packet header: long and short. Packets 173 with long headers are identified by the most significant bit of the 174 first byte being set; packets with a short header have that bit 175 cleared. 177 QUIC packets might be integrity protected, including the header. 178 However, QUIC Version Negotiation packets are not integrity 179 protected; see Section 6. 181 Aside from the values described here, the payload of QUIC packets is 182 version-specific and of arbitrary length. 184 5.1. Long Header 186 Long headers take the form described in Figure 2. 188 Long Header Packet { 189 Header Form (1) = 1, 190 Version-Specific Bits (7), 191 Version (32), 192 Destination Connection ID Length (8), 193 Destination Connection ID (0..2040), 194 Source Connection ID Length (8), 195 Source Connection ID (0..2040), 196 Version-Specific Data (..), 197 } 199 Figure 2: QUIC Long Header 201 A QUIC packet with a long header has the high bit of the first byte 202 set to 1. All other bits in that byte are version specific. 204 The next four bytes include a 32-bit Version field. Versions are 205 described in Section 5.4. 207 The next byte contains the length in bytes of the Destination 208 Connection ID field that follows it. This length is encoded as an 209 8-bit unsigned integer. The Destination Connection ID field follows 210 the Destination Connection ID Length field and is between 0 and 255 211 bytes in length. Connection IDs are described in Section 5.3. 213 The next byte contains the length in bytes of the Source Connection 214 ID field that follows it. This length is encoded as an 8-bit 215 unsigned integer. The Source Connection ID field follows the Source 216 Connection ID Length field and is between 0 and 255 bytes in length. 218 The remainder of the packet contains version-specific content. 220 5.2. Short Header 222 Short headers take the form described in Figure 3. 224 Short Header Packet { 225 Header Form (1) = 0, 226 Version-Specific Bits (7), 227 Destination Connection ID (..), 228 Version-Specific Data (..), 229 } 231 Figure 3: QUIC Short Header 233 A QUIC packet with a short header has the high bit of the first byte 234 set to 0. 236 A QUIC packet with a short header includes a Destination Connection 237 ID immediately following the first byte. The short header does not 238 include the Connection ID Lengths, Source Connection ID, or Version 239 fields. The length of the Destination Connection ID is not encoded 240 in packets with a short header and is not constrained by this 241 specification. 243 The remainder of the packet has version-specific semantics. 245 5.3. Connection ID 247 A connection ID is an opaque field of arbitrary length. 249 The primary function of a connection ID is to ensure that changes in 250 addressing at lower protocol layers (UDP, IP, and below) do not cause 251 packets for a QUIC connection to be delivered to the wrong QUIC 252 endpoint. The connection ID is used by endpoints and the 253 intermediaries that support them to ensure that each QUIC packet can 254 be delivered to the correct instance of an endpoint. At the 255 endpoint, the connection ID is used to identify the QUIC connection 256 for which the packet is intended. 258 The connection ID is chosen by each endpoint using version-specific 259 methods. Packets for the same QUIC connection might use different 260 connection ID values. 262 5.4. Version 264 The Version field contains a 4-byte identifier. This value can be 265 used by endpoints to identify a QUIC Version. A Version field with a 266 value of 0x00000000 is reserved for version negotiation; see 267 Section 6. All other values are potentially valid. 269 The properties described in this document apply to all versions of 270 QUIC. A protocol that does not conform to the properties described 271 in this document is not QUIC. Future documents might describe 272 additional properties that apply to a specific QUIC version, or to a 273 range of QUIC versions. 275 6. Version Negotiation 277 A QUIC endpoint that receives a packet with a long header and a 278 version it either does not understand or does not support might send 279 a Version Negotiation packet in response. Packets with a short 280 header do not trigger version negotiation. 282 A Version Negotiation packet sets the high bit of the first byte, and 283 thus it conforms with the format of a packet with a long header as 284 defined in Section 5.1. A Version Negotiation packet is identifiable 285 as such by the Version field, which is set to 0x00000000. 287 Version Negotiation Packet { 288 Header Form (1) = 1, 289 Unused (7), 290 Version (32) = 0, 291 Destination Connection ID Length (8), 292 Destination Connection ID (0..2040), 293 Source Connection ID Length (8), 294 Source Connection ID (0..2040), 295 Supported Version (32) ..., 296 } 298 Figure 4: Version Negotiation Packet 300 Only the most significant bit of the first byte of a Version 301 Negotiation packet has any defined value. The remaining 7 bits, 302 labeled Unused, can be set to any value when sending and MUST be 303 ignored on receipt. 305 After the Source Connection ID field, the Version Negotiation packet 306 contains a list of Supported Version fields, each identifying a 307 version that the endpoint sending the packet supports. A Version 308 Negotiation packet contains no other fields. An endpoint MUST ignore 309 a packet that contains no Supported Version fields, or a truncated 310 Supported Version. 312 Version Negotiation packets do not use integrity or confidentiality 313 protection. Specific QUIC versions might include protocol elements 314 that allow endpoints to detect modification or corruption in the set 315 of supported versions. 317 An endpoint MUST include the value from the Source Connection ID 318 field of the packet it receives in the Destination Connection ID 319 field. The value for Source Connection ID MUST be copied from the 320 Destination Connection ID of the received packet, which is initially 321 randomly selected by a client. Echoing both connection IDs gives 322 clients some assurance that the server received the packet and that 323 the Version Negotiation packet was not generated by an attacker that 324 is unable to observe packets. 326 An endpoint that receives a Version Negotiation packet might change 327 the version that it decides to use for subsequent packets. The 328 conditions under which an endpoint changes QUIC version will depend 329 on the version of QUIC that it chooses. 331 See [QUIC-TRANSPORT] for a more thorough description of how an 332 endpoint that supports QUIC version 1 generates and consumes a 333 Version Negotiation packet. 335 7. Security and Privacy Considerations 337 It is possible that middleboxes could observe traits of a specific 338 version of QUIC and assume that when other versions of QUIC exhibit 339 similar traits the same underlying semantic is being expressed. 340 There are potentially many such traits; see Appendix A. Some effort 341 has been made to either eliminate or obscure some observable traits 342 in QUIC version 1, but many of these remain. Other QUIC versions 343 might make different design decisions and so exhibit different 344 traits. 346 The QUIC version number does not appear in all QUIC packets, which 347 means that reliably extracting information from a flow based on 348 version-specific traits requires that middleboxes retain state for 349 every connection ID they see. 351 The Version Negotiation packet described in this document is not 352 integrity-protected; it only has modest protection against insertion 353 by attackers. An endpoint MUST authenticate the semantic content of 354 a Version Negotiation packet if it attempts a different QUIC version 355 as a result. 357 8. IANA Considerations 359 This document makes no request of IANA. 361 9. References 363 9.1. Normative References 365 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 366 Requirement Levels", BCP 14, RFC 2119, 367 DOI 10.17487/RFC2119, March 1997, 368 . 370 [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 371 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, 372 May 2017, . 374 9.2. Informative References 376 [QUIC-TLS] Thomson, M., Ed. and S. Turner, Ed., "Using Transport 377 Layer Security (TLS) to Secure QUIC", Work in Progress, 378 Internet-Draft, draft-ietf-quic-tls-33, 15 January 2021, 379 . 381 [QUIC-TRANSPORT] 382 Iyengar, J., Ed. and M. Thomson, Ed., "QUIC: A UDP-Based 383 Multiplexed and Secure Transport", Work in Progress, 384 Internet-Draft, draft-ietf-quic-transport-34, 15 January 385 2021, . 388 [RFC5116] McGrew, D., "An Interface and Algorithms for Authenticated 389 Encryption", RFC 5116, DOI 10.17487/RFC5116, January 2008, 390 . 392 Appendix A. Incorrect Assumptions 394 There are several traits of QUIC version 1 [QUIC-TRANSPORT] that are 395 not protected from observation, but are nonetheless considered to be 396 changeable when a new version is deployed. 398 This section lists a sampling of incorrect assumptions that might be 399 made about QUIC based on knowledge of QUIC version 1. Some of these 400 statements are not even true for QUIC version 1. This is not an 401 exhaustive list; it is intended to be illustrative only. 403 *Any and all of the following statements can be false for a given 404 QUIC version:* 406 * QUIC uses TLS [QUIC-TLS] and some TLS messages are visible on the 407 wire 409 * QUIC long headers are only exchanged during connection 410 establishment 412 * Every flow on a given 5-tuple will include a connection 413 establishment phase 415 * The first packets exchanged on a flow use the long header 417 * The last packet before a long period of quiescence might be 418 assumed to contain only an acknowledgment 420 * QUIC uses an AEAD (AEAD_AES_128_GCM [RFC5116]) to protect the 421 packets it exchanges during connection establishment 423 * QUIC packet numbers are encrypted and appear as the first 424 encrypted bytes 426 * QUIC packet numbers increase by one for every packet sent 428 * QUIC has a minimum size for the first handshake packet sent by a 429 client 431 * QUIC stipulates that a client speaks first 433 * QUIC packets always have the second bit of the first byte (0x40) 434 set 436 * A QUIC Version Negotiation packet is only sent by a server 438 * A QUIC connection ID changes infrequently 440 * QUIC endpoints change the version they speak if they are sent a 441 Version Negotiation packet 443 * The Version field in a QUIC long header is the same in both 444 directions 446 * A QUIC packet with a particular value in the Version field means 447 that the corresponding version of QUIC is in use 449 * Only one connection at a time is established between any pair of 450 QUIC endpoints 452 Author's Address 454 Martin Thomson 455 Mozilla 457 Email: mt@lowentropy.net