idnits 2.17.1 draft-ietf-quic-load-balancers-04.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year == Line 927 has weird spacing: '...boolean first...' -- The document date (14 August 2020) is 1345 days in the past. Is this intentional? -- Found something which looks like a code comment -- if you have code sections in the document, please surround them with '' and '' lines. Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) -- Looks like a reference, but probably isn't: '16' on line 951 Summary: 0 errors (**), 0 flaws (~~), 2 warnings (==), 3 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 QUIC M. Duke 3 Internet-Draft F5 Networks, Inc. 4 Intended status: Standards Track N. Banks 5 Expires: 15 February 2021 Microsoft 6 14 August 2020 8 QUIC-LB: Generating Routable QUIC Connection IDs 9 draft-ietf-quic-load-balancers-04 11 Abstract 13 QUIC connection IDs allow continuation of connections across address/ 14 port 4-tuple changes, and can store routing information for stateless 15 or low-state load balancers. They also can prevent linkability of 16 connections across deliberate address migration through the use of 17 protected communications between client and server. This creates 18 issues for load-balancing intermediaries. This specification 19 standardizes methods for encoding routing information given a small 20 set of configuration parameters. This framework also enables offload 21 of other QUIC functions to trusted intermediaries, given the explicit 22 cooperation of the QUIC server. 24 Status of This Memo 26 This Internet-Draft is submitted in full conformance with the 27 provisions of BCP 78 and BCP 79. 29 Internet-Drafts are working documents of the Internet Engineering 30 Task Force (IETF). Note that other groups may also distribute 31 working documents as Internet-Drafts. The list of current Internet- 32 Drafts is at https://datatracker.ietf.org/drafts/current/. 34 Internet-Drafts are draft documents valid for a maximum of six months 35 and may be updated, replaced, or obsoleted by other documents at any 36 time. It is inappropriate to use Internet-Drafts as reference 37 material or to cite them other than as "work in progress." 39 This Internet-Draft will expire on 15 February 2021. 41 Copyright Notice 43 Copyright (c) 2020 IETF Trust and the persons identified as the 44 document authors. All rights reserved. 46 This document is subject to BCP 78 and the IETF Trust's Legal 47 Provisions Relating to IETF Documents (https://trustee.ietf.org/ 48 license-info) in effect on the date of publication of this document. 49 Please review these documents carefully, as they describe your rights 50 and restrictions with respect to this document. Code Components 51 extracted from this document must include Simplified BSD License text 52 as described in Section 4.e of the Trust Legal Provisions and are 53 provided without warranty as described in the Simplified BSD License. 55 Table of Contents 57 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 58 1.1. Terminology . . . . . . . . . . . . . . . . . . . . . . . 4 59 2. Protocol Objectives . . . . . . . . . . . . . . . . . . . . . 5 60 2.1. Simplicity . . . . . . . . . . . . . . . . . . . . . . . 5 61 2.2. Security . . . . . . . . . . . . . . . . . . . . . . . . 5 62 3. First CID octet . . . . . . . . . . . . . . . . . . . . . . . 6 63 3.1. Config Rotation . . . . . . . . . . . . . . . . . . . . . 6 64 3.2. Configuration Failover . . . . . . . . . . . . . . . . . 7 65 3.3. Length Self-Description . . . . . . . . . . . . . . . . . 7 66 3.4. Format . . . . . . . . . . . . . . . . . . . . . . . . . 7 67 4. Routing Algorithms . . . . . . . . . . . . . . . . . . . . . 8 68 4.1. Plaintext CID Algorithm . . . . . . . . . . . . . . . . . 9 69 4.1.1. Configuration Agent Actions . . . . . . . . . . . . . 9 70 4.1.2. Load Balancer Actions . . . . . . . . . . . . . . . . 9 71 4.1.3. Server Actions . . . . . . . . . . . . . . . . . . . 10 72 4.2. Stream Cipher CID Algorithm . . . . . . . . . . . . . . . 10 73 4.2.1. Configuration Agent Actions . . . . . . . . . . . . . 10 74 4.2.2. Load Balancer Actions . . . . . . . . . . . . . . . . 10 75 4.2.3. Server Actions . . . . . . . . . . . . . . . . . . . 12 76 4.3. Block Cipher CID Algorithm . . . . . . . . . . . . . . . 12 77 4.3.1. Configuration Agent Actions . . . . . . . . . . . . . 12 78 4.3.2. Load Balancer Actions . . . . . . . . . . . . . . . . 13 79 4.3.3. Server Actions . . . . . . . . . . . . . . . . . . . 13 80 5. ICMP Processing . . . . . . . . . . . . . . . . . . . . . . . 13 81 6. Retry Service . . . . . . . . . . . . . . . . . . . . . . . . 14 82 6.1. Common Requirements . . . . . . . . . . . . . . . . . . . 14 83 6.2. No-Shared-State Retry Service . . . . . . . . . . . . . . 15 84 6.2.1. Configuration Agent Actions . . . . . . . . . . . . . 15 85 6.2.2. Service Requirements . . . . . . . . . . . . . . . . 15 86 6.2.3. Server Requirements . . . . . . . . . . . . . . . . . 17 87 6.3. Shared-State Retry Service . . . . . . . . . . . . . . . 17 88 6.3.1. Configuration Agent Actions . . . . . . . . . . . . . 19 89 6.3.2. Service Requirements . . . . . . . . . . . . . . . . 19 90 6.3.3. Server Requirements . . . . . . . . . . . . . . . . . 19 91 7. Configuration Requirements . . . . . . . . . . . . . . . . . 20 92 8. Additional Use Cases . . . . . . . . . . . . . . . . . . . . 21 93 8.1. Load balancer chains . . . . . . . . . . . . . . . . . . 21 94 8.2. Moving connections between servers . . . . . . . . . . . 22 95 9. Version Invariance of QUIC-LB . . . . . . . . . . . . . . . . 22 96 10. Security Considerations . . . . . . . . . . . . . . . . . . . 23 97 10.1. Attackers not between the load balancer and server . . . 23 98 10.2. Attackers between the load balancer and server . . . . . 24 99 10.3. Multiple Configuration IDs . . . . . . . . . . . . . . . 24 100 10.4. Limited configuration scope . . . . . . . . . . . . . . 24 101 10.5. Stateless Reset Oracle . . . . . . . . . . . . . . . . . 25 102 11. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 25 103 12. References . . . . . . . . . . . . . . . . . . . . . . . . . 25 104 12.1. Normative References . . . . . . . . . . . . . . . . . . 25 105 12.2. Informative References . . . . . . . . . . . . . . . . . 25 106 Appendix A. Load Balancer Test Vectors . . . . . . . . . . . . . 26 107 A.1. Plaintext Connection ID Algorithm . . . . . . . . . . . . 26 108 A.2. Stream Cipher Connection ID Algorithm . . . . . . . . . . 26 109 A.3. Block Cipher Connection ID Algorithm . . . . . . . . . . 27 110 Appendix B. Acknowledgments . . . . . . . . . . . . . . . . . . 28 111 Appendix C. Change Log . . . . . . . . . . . . . . . . . . . . . 28 112 C.1. since-draft-ietf-quic-load-balancers-03 . . . . . . . . . 28 113 C.2. since-draft-ietf-quic-load-balancers-02 . . . . . . . . . 28 114 C.3. since-draft-ietf-quic-load-balancers-01 . . . . . . . . . 28 115 C.4. since-draft-ietf-quic-load-balancers-00 . . . . . . . . . 29 116 C.5. Since draft-duke-quic-load-balancers-06 . . . . . . . . . 29 117 C.6. Since draft-duke-quic-load-balancers-05 . . . . . . . . . 29 118 C.7. Since draft-duke-quic-load-balancers-04 . . . . . . . . . 29 119 C.8. Since draft-duke-quic-load-balancers-03 . . . . . . . . . 29 120 C.9. Since draft-duke-quic-load-balancers-02 . . . . . . . . . 29 121 C.10. Since draft-duke-quic-load-balancers-01 . . . . . . . . . 30 122 C.11. Since draft-duke-quic-load-balancers-00 . . . . . . . . . 30 123 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 30 125 1. Introduction 127 QUIC packets [QUIC-TRANSPORT] usually contain a connection ID to 128 allow endpoints to associate packets with different address/port 129 4-tuples to the same connection context. This feature makes 130 connections robust in the event of NAT rebinding. QUIC endpoints 131 usually designate the connection ID which peers use to address 132 packets. Server-generated connection IDs create a potential need for 133 out-of-band communication to support QUIC. 135 QUIC allows servers (or load balancers) to designate an initial 136 connection ID to encode useful routing information for load 137 balancers. It also encourages servers, in packets protected by 138 cryptography, to provide additional connection IDs to the client. 139 This allows clients that know they are going to change IP address or 140 port to use a separate connection ID on the new path, thus reducing 141 linkability as clients move through the world. 143 There is a tension between the requirements to provide routing 144 information and mitigate linkability. Ultimately, because new 145 connection IDs are in protected packets, they must be generated at 146 the server if the load balancer does not have access to the 147 connection keys. However, it is the load balancer that has the 148 context necessary to generate a connection ID that encodes useful 149 routing information. In the absence of any shared state between load 150 balancer and server, the load balancer must maintain a relatively 151 expensive table of server-generated connection IDs, and will not 152 route packets correctly if they use a connection ID that was 153 originally communicated in a protected NEW_CONNECTION_ID frame. 155 This specification provides common algorithms for encoding the server 156 mapping in a connection ID given some shared parameters. The mapping 157 is generally only discoverable by observers that have the parameters, 158 preserving unlinkability as much as possible. 160 Aside from load balancing, a QUIC server may also desire to offload 161 other protocol functions to trusted intermediaries. These 162 intermediaries might include hardware assist on the server host 163 itself, without access to fully decrypted QUIC packets. For example, 164 this document specifies a means of offloading stateless retry to 165 counter Denial of Service attacks. It also proposes a system for 166 self-encoding connection ID length in all packets, so that crypto 167 offload can consistently look up key information. 169 While this document describes a small set of configuration parameters 170 to make the server mapping intelligible, the means of distributing 171 these parameters between load balancers, servers, and other trusted 172 intermediaries is out of its scope. There are numerous well-known 173 infrastructures for distribution of configuration. 175 1.1. Terminology 177 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 178 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 179 document are to be interpreted as described in RFC 2119 [RFC2119]. 181 In this document, these words will appear with that interpretation 182 only when in ALL CAPS. Lower case uses of these words are not to be 183 interpreted as carrying significance described in RFC 2119. 185 In this document, "client" and "server" refer to the endpoints of a 186 QUIC connection unless otherwise indicated. A "load balancer" is an 187 intermediary for that connection that does not possess QUIC 188 connection keys, but it may rewrite IP addresses or conduct other IP 189 or UDP processing. A "configuration agent" is the entity that 190 determines the QUIC-LB configuration parameters for the network and 191 leverages some system to distribute that configuration. 193 Note that stateful load balancers that act as proxies, by terminating 194 a QUIC connection with the client and then retrieving data from the 195 server using QUIC or another protocol, are treated as a server with 196 respect to this specification. 198 For brevity, "Connection ID" will often be abbreviated as "CID". 200 2. Protocol Objectives 202 2.1. Simplicity 204 QUIC is intended to provide unlinkability across connection 205 migration, but servers are not required to provide additional 206 connection IDs that effectively prevent linkability. If the 207 coordination scheme is too difficult to implement, servers behind 208 load balancers using connection IDs for routing will use trivially 209 linkable connection IDs. Clients will therefore be forced to choose 210 between terminating the connection during migration or remaining 211 linkable, subverting a design objective of QUIC. 213 The solution should be both simple to implement and require little 214 additional infrastructure for cryptographic keys, etc. 216 2.2. Security 218 In the limit where there are very few connections to a pool of 219 servers, no scheme can prevent the linking of two connection IDs with 220 high probability. In the opposite limit, where all servers have many 221 connections that start and end frequently, it will be difficult to 222 associate two connection IDs even if they are known to map to the 223 same server. 225 QUIC-LB is relevant in the region between these extremes: when the 226 information that two connection IDs map to the same server is helpful 227 to linking two connection IDs. Obviously, any scheme that 228 transparently communicates this mapping to outside observers 229 compromises QUIC's defenses against linkability. 231 Though not an explicit goal of the QUIC-LB design, concealing the 232 server mapping also complicates attempts to focus attacks on a 233 specific server in the pool. 235 3. First CID octet 237 The first octet of a Connection ID is reserved for two special 238 purposes, one mandatory (config rotation) and one optional (length 239 self-description). 241 Subsequent sections of this document refer to the contents of this 242 octet as the "first octet." 244 3.1. Config Rotation 246 The first two bits of any connection ID MUST encode an identifier for 247 the configuration that the connection ID uses. This enables 248 incremental deployment of new QUIC-LB settings (e.g., keys). 250 When new configuration is distributed to servers, there will be a 251 transition period when connection IDs reflecting old and new 252 configuration coexist in the network. The rotation bits allow load 253 balancers to apply the correct routing algorithm and parameters to 254 incoming packets. 256 Configuration Agents SHOULD deliver new configurations to load 257 balancers before doing so to servers, so that load balancers are 258 ready to process CIDs using the new parameters when they arrive. 260 A Configuration Agent SHOULD NOT use a codepoint to represent a new 261 configuration until it takes precautions to make sure that all 262 connections using CIDs with an old configuration at that codepoint 263 have closed or transitioned. 265 Servers MUST NOT generate new connection IDs using an old 266 configuration after receiving a new one from the configuration agent. 267 Servers MUST send NEW_CONNECTION_ID frames that provide CIDs using 268 the new configuration, and retire CIDs using the old configuration 269 using the "Retire Prior To" field of that frame. 271 It also possible to use these bits for more long-lived distinction of 272 different configurations, but this has privacy implications (see 273 Section 10.3). 275 3.2. Configuration Failover 277 If a server has not received a valid QUIC-LB configuration, and 278 believes that low-state, Connection-ID aware load balancers are in 279 the path, it SHOULD generate connection IDs with the config rotation 280 bits set to '11' and SHOULD use the "disable_active_migration" 281 transport parameter in all new QUIC connections. It SHOULD NOT send 282 NEW_CONNECTION_ID frames with new values. 284 A load balancer that sees a connection ID with config rotation bits 285 set to '11' MUST revert to 5-tuple routing. 287 3.3. Length Self-Description 289 Local hardware cryptographic offload devices may accelerate QUIC 290 servers by receiving keys from the QUIC implementation indexed to the 291 connection ID. However, on physical devices operating multiple QUIC 292 servers, it is impractical to efficiently lookup these keys if the 293 connection ID does not self-encode its own length. 295 Note that this is a function of particular server devices and is 296 irrelevant to load balancers. As such, load balancers MAY omit this 297 from their configuration. However, the remaining 6 bits in the first 298 octet of the Connection ID are reserved to express the length of the 299 following connection ID, not including the first octet. 301 A server not using this functionality SHOULD make the six bits appear 302 to be random. 304 3.4. Format 306 0 1 2 3 307 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 308 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 309 |C R| CID Len | 310 +-+-+-+-+-+-+-+-+ 312 Figure 1: First Octet Format 314 The first octet has the following fields: 316 CR: Config Rotation bits. 318 CID Len: Length Self-Description (if applicable). Encodes the length 319 of the Connection ID following the First Octet. 321 4. Routing Algorithms 323 In QUIC-LB, load balancers do not generate individual connection IDs 324 to servers. Instead, they communicate the parameters of an algorithm 325 to generate routable connection IDs. 327 The algorithms differ in the complexity of configuration at both load 328 balancer and server. Increasing complexity improves obfuscation of 329 the server mapping. 331 As clients sometimes generate the DCIDs in long headers, these might 332 not conform to the expectations of the routing algorithm. These are 333 called "non-compliant DCIDs": 335 * The DCID might not be long enough for the routing algorithm to 336 process. 338 * The extracted server mapping might not correspond to an active 339 server. 341 Load balancers MUST forward packets with long headers with non- 342 compliant DCIDs to an active server using an algorithm of its own 343 choosing. It need not coordinate this algorithm with the servers. 344 The algorithm SHOULD be deterministic over short time scales so that 345 related packets go to the same server. The design of this algorithm 346 SHOULD consider the version-invariant properties of QUIC described in 347 [QUIC-INVARIANTS] to maximize its robustness to future versions of 348 QUIC. For example, a non-compliant DCID might be converted to an 349 integer and divided by the number of servers, with the modulus used 350 to forward the packet. The number of servers is usually consistent 351 on the time scale of a QUIC connection handshake. See also 352 Section 9. 354 As a partial exception to the above, load balancers MAY drop packets 355 with long headers and non-compliant DCIDs if and only if it knows 356 that the encoded QUIC version does not allow a non-compliant DCID in 357 a packet with that signature. For example, a load balancer can 358 safely drop a QUIC version 1 Handshake packet with a non-compliant 359 DCIDs. The prohibition against dropping packets with long headers 360 remains for unknown QUIC versions. 362 Load balancers SHOULD drop packets with non-compliant DCIDs in a 363 short header. 365 A QUIC-LB configuration MAY significantly over-provision the server 366 ID space (i.e., provide far more codepoints than there are servers) 367 to increase the probability that a randomly generated Destination 368 Connection ID is non- compliant. 370 Load balancers MUST forward packets with compliant DCIDs to a server 371 in accordance with the chosen routing algorithm. 373 The load balancer MUST NOT make the routing behavior dependent on any 374 bits in the first octet of the QUIC packet header, except the first 375 bit, which indicates a long header. All other bits are QUIC version- 376 dependent and intermediaries would cannot build their design on 377 version-specific templates. 379 There are situations where a server pool might be operating two or 380 more routing algorithms or parameter sets simultaneously. The load 381 balancer uses the first two bits of the connection ID to multiplex 382 incoming DCIDs over these schemes. 384 This section describes three participants: the configuration agent, 385 the load balancer, and the server. 387 4.1. Plaintext CID Algorithm 389 The Plaintext CID Algorithm makes no attempt to obscure the mapping 390 of connections to servers, significantly increasing linkability. The 391 format is depicted in the figure below. 393 0 1 2 3 394 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 395 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 396 | First octet | Server ID (X=8..152) | 397 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 398 | Any (0..152-X) | 399 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 401 Figure 2: Plaintext CID Format 403 4.1.1. Configuration Agent Actions 405 The configuration agent selects a number of bytes of the server 406 connection ID to encode individual server IDs, called the "routing 407 bytes". The number of bytes MUST have enough entropy to have a 408 different code point for each server. 410 It also assigns a server ID to each server. 412 4.1.2. Load Balancer Actions 414 On each incoming packet, the load balancer extracts consecutive 415 octets, beginning with the second octet. These bytes represent the 416 server ID. 418 4.1.3. Server Actions 420 The server chooses a connection ID length. This MUST be at least one 421 byte longer than the routing bytes. 423 When a server needs a new connection ID, it encodes its assigned 424 server ID in consecutive octets beginning with the second. All other 425 bits in the connection ID, except for the first octet, MAY be set to 426 any other value. These other bits SHOULD appear random to observers. 428 4.2. Stream Cipher CID Algorithm 430 The Stream Cipher CID algorithm provides cryptographic protection at 431 the cost of additional per-packet processing at the load balancer to 432 decrypt every incoming connection ID. The CID format is depicted 433 below. 435 0 1 2 3 436 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 437 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 438 | First Octet | Nonce (X=64..128) | 439 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 440 | Encrypted Server ID (Y=8..152-X) | 441 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 442 | For server use (0..152-X-Y) | 443 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 445 Figure 3: Stream Cipher CID Format 447 4.2.1. Configuration Agent Actions 449 The configuration agent assigns a server ID to every server in its 450 pool, and determines a server ID length (in octets) sufficiently 451 large to encode all server IDs, including potential future servers. 453 The configuration agent also selects a nonce length and an 16-octet 454 AES-ECB key to use for connection ID decryption. The nonce length 455 MUST be at least 8 octets and no more than 16 octets. The nonce 456 length and server ID length MUST sum to 19 or fewer octets. 458 4.2.2. Load Balancer Actions 460 Upon receipt of a QUIC packet, the load balancer extracts as many of 461 the earliest octets from the destination connection ID as necessary 462 to match the nonce length. The server ID immediately follows. 464 The load balancer decrypts the nonce and the server ID using the 465 following three pass algorithm: 467 * Pass 1: The load balancer decrypts the server ID using 128-bit AES 468 Electronic Codebook (ECB) mode, much like QUIC header protection. 469 The encrypted nonce octets are zero-padded to 16 octets. AES-ECB 470 encrypts this encrypted nonce using its key to generate a mask 471 which it applies to the encrypted server id. This provides an 472 intermediate value of the server ID, referred to as server-id 473 intermediate. 475 server_id_intermediate = encrypted_server_id ^ AES-ECB(key, padded- 476 encrypted-nonce) 478 * Pass 2: The load balancer decrypts the nonce octets using 128-bit 479 AES ECB mode, using the server-id intermediate as "nonce" for this 480 pass. The server-id intermediate octets are zero-padded to 16 481 octets. AES-ECB encrypts this padded server-id intermediate using 482 its key to generate a mask which it applies to the encrypted 483 nonce. This provides the decrypted nonce value. 485 nonce = encrypted_nonce ^ AES-ECB(key, padded-server_id_intermediate) 487 * Pass 3: The load balancer decrypts the server ID using 128-bit AES 488 ECB mode. The nonce octets are zero-padded to 16 octets. AES-ECB 489 encrypts this nonce using its key to generate a mask which it 490 applies to the intermediate server id. This provides the 491 decrypted server ID. 493 server_id = server_id_intermediate ^ AES-ECB(key, padded-nonce) 495 For example, if the nonce length is 10 octets and the server ID 496 length is 2 octets, the connection ID can be as small as 13 octets. 497 The load balancer uses the the second through eleventh octets of the 498 connection ID for the nonce, zero-pads it to 16 octets, uses xors the 499 result with the twelfth and thirteenth octet. The result is padded 500 with 14 octets of zeros and encrypted to obtain a mask that is xored 501 with the nonce octets. Finally, the nonce octets are padded with six 502 octets of zeros, encrypted, and the first two octets xored with the 503 server ID octets to obtain the actual server ID. 505 This three-pass algorithm is a simplified version of the FFX 506 algorithm, with the property that each encrypted nonce value depends 507 on all server ID bits, and each encrypted server ID bit depends on 508 all nonce bits and all server ID bits. This mitigates attacks 509 against stream ciphers in which attackers simply flip encrypted 510 server-ID bits. 512 The output of the decryption is the server ID that the load balancer 513 uses for routing. 515 4.2.3. Server Actions 517 When generating a routable connection ID, the server writes arbitrary 518 bits into its nonce octets, and its provided server ID into the 519 server ID octets. Servers MAY opt to have a longer connection ID 520 beyond the nonce and server ID. The additional bits MAY encode 521 additional information, but SHOULD appear essentially random to 522 observers. 524 If the decrypted nonce bits increase monotonically, that guarantees 525 that nonces are not reused between connection IDs from the same 526 server. 528 The server encrypts the server ID using exactly the algorithm as 529 described in Section 4.2.2, performing the three passes in reverse 530 order. 532 4.3. Block Cipher CID Algorithm 534 The Block Cipher CID Algorithm, by using a full 16 octets of 535 plaintext and a 128-bit cipher, provides higher cryptographic 536 protection and detection of non-compliant connection IDs. However, 537 it also requires connection IDs of at least 17 octets, increasing 538 overhead of client-to-server packets. 540 0 1 2 3 541 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 542 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 543 | First octet | Encrypted server ID (X=8..128) | 544 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 545 | Encrypted bits for server use (128-X) | 546 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 547 | Unencrypted bits for server use (0..24) | 548 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 550 Figure 4: Block Cipher CID Format 552 4.3.1. Configuration Agent Actions 554 The configuration agent assigns a server ID to every server in its 555 pool, and determines a server ID length (in octets) sufficiently 556 large to encode all server IDs, including potential future servers. 557 The server ID will start in the second octet of the decrypted 558 connection ID and occupy continuous octets beyond that. 560 They server ID length MUST be no more than 16 octets and SHOULD sum 561 to no more than 12 octets, to provide servers adequate space to 562 encode their own opaque data. 564 The configuration agent also selects an 16-octet AES-ECB key to use 565 for connection ID decryption. 567 4.3.2. Load Balancer Actions 569 Upon receipt of a QUIC packet, the load balancer reads the first 570 octet to obtain the config rotation bits. It then decrypts the 571 subsequent 16 octets using AES-ECB decryption and the chosen key. 573 The decrypted plaintext contains the server id and opaque server data 574 in that order. The load balancer uses the server ID octets for 575 routing. 577 4.3.3. Server Actions 579 When generating a routable connection ID, the server MUST choose a 580 connection ID length between 17 and 20 octets. The server writes its 581 provided server ID into the server ID octets and arbitrary bits into 582 the remaining bits. These arbitrary bits MAY encode additional 583 information. Bits in the eighteenth, nineteenth, and twentieth 584 octets SHOULD appear essentially random to observers. The first 585 octet is reserved as described in Section 3. 587 The server then encrypts the second through seventeenth octets using 588 the 128-bit AES-ECB cipher. 590 5. ICMP Processing 592 For protocols where 4-tuple load balancing is sufficient, it is 593 straightforward to deliver ICMP packets from the network to the 594 correct server, by reading the IP and transport-layer headers to 595 obtain the 4-tuple. When routing is based on connection ID, further 596 measures are required, as most QUIC packets that trigger ICMP 597 responses will only contain a client-generated connection ID that 598 contains no routing information. 600 To solve this problem, load balancers MAY maintain a mapping of 601 Client IP and port to server ID based on recently observed packets. 603 Alternatively, servers MAY implement the technique described in 604 Section 14.4.1 of [QUIC-TRANSPORT] to increase the likelihood a 605 Source Connection ID is included in ICMP responses to Path Maximum 606 Transmission Unit (PMTU) probes. Load balancers MAY parse the echoed 607 packet to extract the Source Connection ID, if it contains a QUIC 608 long header, and extract the Server ID as if it were in a Destination 609 CID. 611 6. Retry Service 613 When a server is under load, QUICv1 allows it to defer storage of 614 connection state until the client proves it can receive packets at 615 its advertised IP address. Through the use of a Retry packet, a 616 token in subsequent client Initial packets, and the 617 original_destination_connection_id transport parameter, servers 618 verify address ownership and clients verify that there is no "man in 619 the middle" generating Retry packets. 621 As a trusted Retry Service is literally a "man in the middle," the 622 service must communicate the original_destination_connection_id back 623 to the server so that it can pass client verification. It also must 624 either verify the address itself (with the server trusting this 625 verification) or make sure there is common context for the server to 626 verify the address using a service-generated token. 628 The service must also communicate the source connection ID of the 629 Retry packet to the server so that it can include it in a transport 630 parameter for client verification. 632 There are two different mechanisms to allow offload of DoS mitigation 633 to a trusted network service. One requires no shared state; the 634 server need only be configured to trust a retry service, though this 635 imposes other operational constraints. The other requires shared 636 key, but has no such constraints. 638 Retry services MUST forward all QUIC packets that are not of type 639 Initial or 0-RTT. Other packets types might involve changed IP 640 addresses or connection IDs, so it is not practical for Retry 641 Services to identify such packets as valid or invalid. 643 6.1. Common Requirements 645 Regardless of mechanism, a retry service has an active mode, where it 646 is generating Retry packets, and an inactive mode, where it is not, 647 based on its assessment of server load and the likelihood an attack 648 is underway. The choice of mode MAY be made on a per-packet or per- 649 connection basis, through a stochastic process or based on client 650 address. 652 A retry service MUST forward all packets for a QUIC version it does 653 not understand. Note that if servers support versions the retry 654 service does not, this may increase load on the servers. However, 655 dropping these packets would introduce chokepoints to block 656 deployment of new QUIC versions. Note that future versions of QUIC 657 might not have Retry packets, require different information in Retry, 658 or use different packet type indicators. 660 6.2. No-Shared-State Retry Service 662 The no-shared-state retry service requires no coordination, except 663 that the server must be configured to accept this service and know 664 which QUIC versions the retry service supports. The scheme uses the 665 first bit of the token to distinguish between tokens from Retry 666 packets (codepoint '0') and tokens from NEW_TOKEN frames (codepoint 667 '1'). 669 6.2.1. Configuration Agent Actions 671 The configuration agent distributes a list of QUIC versions to be 672 served by the Retry Service. 674 6.2.2. Service Requirements 676 A no-shared-state retry service MUST be present on all paths from 677 potential clients to the server. These paths MUST fail to pass QUIC 678 traffic should the service fail for any reason. That is, if the 679 service is not operational, the server MUST NOT be exposed to client 680 traffic. Otherwise, servers that have already disabled their Retry 681 capability would be vulnerable to attack. 683 The path between service and server MUST be free of any potential 684 attackers. Note that this and other requirements above severely 685 restrict the operational conditions in which a no-shared-state retry 686 service can safely operate. 688 Retry tokens generated by the service MUST have the format below. 690 0 1 2 3 691 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 692 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 693 |0| ODCIL (7) | RSCIL (8) | 694 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 695 | Original Destination Connection ID (0..160) | 696 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 697 | ... | 698 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 699 | Retry Source Connection ID (0..160) | 700 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 701 | ... | 702 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 703 | Opaque Data (variable) | 704 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 706 Figure 5: Format of non-shared-state retry service tokens 708 The first bit of retry tokens generated by the service MUST be zero. 709 The token has the following additional fields: 711 ODCIL: The length of the original destination connection ID from the 712 triggering Initial packet. This is in cleartext to be readable for 713 the server, but authenticated later in the token. 715 RSCIL: The retry source connection ID length. 717 Original Destination Connection ID: This also in cleartext and 718 authenticated later. 720 Retry Source Connection ID: This also in cleartext and authenticated 721 later. 723 Opaque Data: This data MUST contain encrypted information that allows 724 the retry service to validate the client's IP address, in accordance 725 with the QUIC specification. It MUST also provide a 726 cryptographically secure means to validate the integrity of the 727 entire token. 729 Upon receipt of an Initial packet with a token that begins with '0', 730 the retry service MUST validate the token in accordance with the QUIC 731 specification. 733 In active mode, the service MUST issue Retry packets for all Client 734 initial packets that contain no token, or a token that has the first 735 bit set to '1'. It MUST NOT forward the packet to the server. The 736 service MUST validate all tokens with the first bit set to '0'. If 737 successful, the service MUST forward the packet with the token 738 intact. If unsuccessful, it MUST drop the packet. The Retry Service 739 MAY send an Initial Packet containing a CONNECTION_CLOSE frame with 740 the INVALID_TOKEN error code when dropping the packet. 742 Note that this scheme has a performance drawback. When the retry 743 service is in active mode, clients with a token from a NEW_TOKEN 744 frame will suffer a 1-RTT penalty even though it has proof of address 745 with its token. 747 In inactive mode, the service MUST forward all packets that have no 748 token or a token with the first bit set to '1'. It MUST validate all 749 tokens with the first bit set to '0'. If successful, the service 750 MUST forward the packet with the token intact. If unsuccessful, it 751 MUST either drop the packet or forward it with the token removed. 752 The latter requires decryption and re-encryption of the entire 753 Initial packet to avoid authentication failure. Forwarding the 754 packet causes the server to respond without the 755 original_destination_connection_id transport parameter, which 756 preserves the normal QUIC signal to the client that there is an 757 unauthorized man in the middle. 759 6.2.3. Server Requirements 761 A server behind a non-shared-state retry service MUST NOT send Retry 762 packets for a QUIC version the retry service understands. It MAY 763 send Retry for QUIC versions the Retry Service does not understand. 765 Tokens sent in NEW_TOKEN frames MUST have the first bit be set to 766 '1'. 768 If a server receives an Initial Packet with the first bit set to '1', 769 it could be from a server-generated NEW_TOKEN frame and should be 770 processed in accordance with the QUIC specification. If a server 771 receives an Initial Packet with the first bit to '0', it is a Retry 772 token and the server MUST NOT attempt to validate it. Instead, it 773 MUST assume the address is validated and MUST extract the Original 774 Destination Connection ID and Retry Source Connection ID, assuming 775 the format described in Section 6.2.2. 777 6.3. Shared-State Retry Service 779 A shared-state retry service uses a shared key, so that the server 780 can decode the service's retry tokens. It does not require that all 781 traffic pass through the Retry service, so servers MAY send Retry 782 packets in response to Initial packets that don't include a valid 783 token. 785 Both server and service must have access to Universal time, though 786 tight synchronization is not necessary. 788 All tokens, generated by either the server or retry service, MUST use 789 the following format. This format is the cleartext version. On the 790 wire, these fields are encrypted using an AES-ECB cipher and the 791 token key. If the token is not a multiple of 16 octets, the last 792 block is padded with zeroes. 794 0 1 2 3 795 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 796 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 797 | ODCIL | RSCIL | 798 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 799 | Original Destination Connection ID (0..160) | 800 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 801 | ... | 802 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 803 | Retry Source Connection ID (0..160) | 804 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 805 | ... | 806 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 807 | | 808 + + 809 | | 810 + Client IP Address (128) + 811 | | 812 + + 813 | | 814 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 815 | | 816 + + 817 | | 818 + + 819 | date-time (160) | 820 + + 821 | | 822 + + 823 | | 824 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 825 | Opaque Data (optional) | 826 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 828 Figure 6: Cleartext format of shared-state retry tokens 830 The tokens have the following fields: 832 ODCIL: The original destination connection ID length. Tokens in 833 NEW_TOKEN frames MUST set this field to zero. 835 RSCIL: The retry source connection ID length. Tokens in NEW_TOKEN 836 frames MUST set this field to zero. 838 Original Destination Connection ID: The server or Retry Service 839 copies this from the field in the client Initial packet. 841 Retry Source Connection ID: The server or Retry service copies this 842 from the Source Connection ID of the Retry packet. 844 Client IP Address: The source IP address from the triggering Initial 845 packet. The client IP address is 16 octets. If an IPv4 address, the 846 last 12 octets are zeroes. 848 date-time: The date-time string is a total of 20 octets and encodes 849 the time the token was generated. The format of date-time is 850 described in Section 5.6 of [RFC3339]. This ASCII field MUST use the 851 "Z" character for time-offset. 853 Opaque Data: The server may use this field to encode additional 854 information, such as congestion window, RTT, or MTU. Opaque data 855 SHOULD also allow servers to distinguish between retry tokens (which 856 trigger use of the original_destination_connection_id transport 857 parameter) and NEW_TOKEN frame tokens. 859 6.3.1. Configuration Agent Actions 861 The configuration agent generates and distributes a "token key." 863 6.3.2. Service Requirements 865 When in active mode, the service MUST generate Retry tokens with the 866 format described above when it receives a client Initial packet with 867 no token. 869 In active mode, the service SHOULD decrypt incoming tokens. The 870 service SHOULD drop packets with an IP address that does not match, 871 and SHOULD forward packets that do, regardless of the other fields. 873 In inactive mode, the service SHOULD forward all packets to the 874 server so that the server can issue an up-to-date token to the 875 client. 877 6.3.3. Server Requirements 879 The server MUST validate all tokens that arrive in Initial packets, 880 as they may have bypassed the Retry service. It SHOULD use the date- 881 time field to apply its expiration limits for tokens. This need not 882 be synchronized with the retry service. However, servers MAY allow 883 retry tokens marked as being a few seconds in the future, due to 884 possible clock synchronization issues. 886 After decrypting the token, the server uses the corresponding fields 887 to populate the original_destination_connection_id transport 888 parameter, with a length equal to ODCIL, and the 889 retry_source_connection_id transport parameter, with length equal to 890 RSCIL. 892 As discussed in [QUIC-TRANSPORT], a server MUST NOT send a Retry 893 packet in response to an Initial packet that contains a retry token. 895 7. Configuration Requirements 897 QUIC-LB requires common configuration to synchronize understanding of 898 encodings and guarantee explicit consent of the server. 900 The load balancer and server MUST agree on a routing algorithm and 901 the relevant parameters for that algorithm. 903 For Plaintext CID Routing, this consists of the Server ID and the 904 routing bytes. The Server ID is unique to each server, and the 905 routing bytes are global. 907 For Stream Cipher CID Routing, this consists of the Server ID, Server 908 ID Length, Key, and Nonce Length. The Server ID is unique to each 909 server, but the others MUST be global. The authentication token MUST 910 be distributed out of band for this algorithm to operate. 912 For Block Cipher CID Routing, this consists of the Server ID, Server 913 ID Length, Key, and Zero-Padding Length. The Server ID is unique to 914 each server, but the others MUST be global. 916 A full QUIC-LB configuration MUST also specify the information 917 content of the first CID octet and the presence and mode of any Retry 918 Service. 920 The following pseudocode describes the data items necessary to store 921 a full QUIC-LB configuration at the server. It is meant to describe 922 the conceptual range and not specify the presentation of such 923 configuration in an internet packet. The comments signify the range 924 of acceptable values where applicable. 926 uint2 config_rotation_bits; 927 boolean first_octet_encodes_cid_length; 928 enum { none, non_shared_state, shared_state } retry_service; 929 select (retry_service) { 930 case none: null; 931 case non_shared_state: uint32 list_of_quic_versions[]; 932 case shared_state: uint8 key[16]; 933 } retry_service_config; 934 enum { none, plaintext, stream_cipher, block_cipher } 935 routing_algorithm; 936 select (routing_algorithm) { 937 case none: null; 938 case plaintext: struct { 939 uint8 server_id_length; /* 1..19 */ 940 uint8 server_id[server_id_length]; 941 } plaintext_config; 942 case stream_cipher: struct { 943 uint8 nonce_length; /* 8..16 */ 944 uint8 server_id_length; /* 1..(19 - nonce_length) */ 945 uint8 server_id[server_id_length]; 946 uint8 key[16]; 947 } stream_cipher_config; 948 case block_cipher: struct { 949 uint8 server_id_length; 950 uint8 server_id[server_id_length]; 951 uint8 key[16]; 952 } block_cipher_config; 953 } routing_algorithm_config; 955 8. Additional Use Cases 957 This section discusses considerations for some deployment scenarios 958 not implied by the specification above. 960 8.1. Load balancer chains 962 Some network architectures may have multiple tiers of low-state load 963 balancers, where a first tier of devices makes a routing decision to 964 the next tier, and so on until packets reach the server. Although 965 QUIC-LB is not explicitly designed for this use case, it is possible 966 to support it. 968 If each load balancer is assigned a range of server IDs that is a 969 subset of the range of IDs assigned to devices that are closer to the 970 client, then the first devices to process an incoming packet can 971 extract the server ID and then map it to the correct forwrading 972 address. Note that this solution is extensible to arbitrarily large 973 numbers of load-balancing tiers, as the maximum server ID space is 974 quite large. 976 8.2. Moving connections between servers 978 Some deployments may transparently move a connection from one server 979 to another. The means of transferring connection state between 980 servers is out of scope of this document. 982 To support a handover, a server involved in the transition could 983 issue CIDs that map to the new server via a NEW_CONNECTION_ID frame, 984 and retire CIDs associated with the new server using the "Retire 985 Prior To" field in that frame. 987 Alternately, if the old server is going offline, the load balancer 988 could simply map its server ID to the new server's address. 990 9. Version Invariance of QUIC-LB 992 Retry Services are inherently dependent on the format (and existence) 993 of Retry Packets in each version of QUIC, and so Retry Service 994 configuration explicitly includes the supported QUIC versions. 996 The server ID encodings, and requirements for their handling, are 997 designed to be QUIC version independent (see [QUIC-INVARIANTS]). A 998 QUIC-LB load balancer will generally not require changes as servers 999 deploy new versions of QUIC. However, there are several unlikely 1000 future design decisions that could impact the operation of QUIC-LB. 1002 The maximum Connection ID length could be below the minimum necessary 1003 for one or more encoding algorithms. 1005 Section 4 provides guidance about how load balancers should handle 1006 non-compliant DCIDs. This guidance, and the implementation of an 1007 algorithm to handle these DCIDs, rests on some assumptions: 1009 * Incoming short headers do not contain DCIDs that are client- 1010 generated. 1012 * The use of client-generated incoming DCIDs does not persist beyond 1013 a few round trips in the connection. 1015 * While the client is using DCIDs it generated, some exposed fields 1016 (IP address, UDP port, client-generated destination Connection ID) 1017 remain constant for all packets sent on the same connection. 1019 While this document does not update the commitments in 1020 [QUIC-INVARIANTS], the additional assumptions are minimal and 1021 narrowly scoped, and provide a likely set of constants that load 1022 balancers can use with minimal risk of version- dependence. 1024 If these assumptions are invalid, this specification is likely to 1025 lead to loss of packets that contain non-compliant DCIDs, and in 1026 extreme cases connection failure. 1028 10. Security Considerations 1030 QUIC-LB is intended to prevent linkability. Attacks would therefore 1031 attempt to subvert this purpose. 1033 Note that the Plaintext CID algorithm makes no attempt to obscure the 1034 server mapping, and therefore does not address these concerns. It 1035 exists to allow consistent CID encoding for compatibility across a 1036 network infrastructure, which makes QUIC robust to NAT rebinding. 1037 Servers that are running the Plaintext CID algorithm SHOULD only use 1038 it to generate new CIDs for the Server Initial Packet and SHOULD NOT 1039 send CIDs in QUIC NEW_CONNECTION_ID frames, except that it sends one 1040 new Connection ID in the event of config rotation Section 3.1. Doing 1041 so might falsely suggest to the client that said CIDs were generated 1042 in a secure fashion. 1044 A linkability attack would find some means of determining that two 1045 connection IDs route to the same server. As described above, there 1046 is no scheme that strictly prevents linkability for all traffic 1047 patterns, and therefore efforts to frustrate any analysis of server 1048 ID encoding have diminishing returns. 1050 10.1. Attackers not between the load balancer and server 1052 Any attacker might open a connection to the server infrastructure and 1053 aggressively simulate migration to obtain a large sample of IDs that 1054 map to the same server. It could then apply analytical techniques to 1055 try to obtain the server encoding. 1057 The Stream and Block Cipher CID algorithms provide robust protection 1058 against any sort of linkage. The Plaintext CID algorithm makes no 1059 attempt to protect this encoding. 1061 Were this analysis to obtain the server encoding, then on-path 1062 observers might apply this analysis to correlating different client 1063 IP addresses. 1065 10.2. Attackers between the load balancer and server 1067 Attackers in this privileged position are intrinsically able to map 1068 two connection IDs to the same server. The QUIC-LB algorithms do 1069 prevent the linkage of two connection IDs to the same individual 1070 connection if servers make reasonable selections when generating new 1071 IDs for that connection. 1073 10.3. Multiple Configuration IDs 1075 During the period in which there are multiple deployed configuration 1076 IDs (see Section 3.1), there is a slight increase in linkability. 1077 The server space is effectively divided into segments with CIDs that 1078 have different config rotation bits. Entities that manage servers 1079 SHOULD strive to minimize these periods by quickly deploying new 1080 configurations across the server pool. 1082 10.4. Limited configuration scope 1084 A simple deployment of QUIC-LB in a cloud provider might use the same 1085 global QUIC-LB configuration across all its load balancers that route 1086 to customer servers. An attacker could then simply become a 1087 customer, obtain the configuration, and then extract server IDs of 1088 other customers' connections at will. 1090 To avoid this, the configuration agent SHOULD issue QUIC-LB 1091 configurations to mutually distrustful servers that have different 1092 keys for encryption algorithms. The load balancers can distinguish 1093 these configurations by external IP address, or by assigning 1094 different values to the config rotation bits (Section 3.1). Note 1095 that either solution has a privacy impact; see Section 10.3. 1097 These techniques are not necessary for the plaintext algorithm, as it 1098 does not attempt to conceal the server ID. 1100 10.5. Stateless Reset Oracle 1102 Section 21.9 of [QUIC-TRANSPORT] discusses the Stateless Reset Oracle 1103 attack. For a server deployment to be vulnerable, an attacking 1104 client must be able to cause two packets with the same Destination 1105 CID to arrive at two different servers that share the same 1106 cryptographic context for Stateless Reset tokens. As QUIC-LB 1107 requires deterministic routing of DCIDs over the life of a 1108 connection, it is a sufficient means of avoiding an Oracle without 1109 additional measures. 1111 11. IANA Considerations 1113 There are no IANA requirements. 1115 12. References 1117 12.1. Normative References 1119 [QUIC-INVARIANTS] 1120 Thomson, M., Ed., "Version-Independent Properties of 1121 QUIC", Work in Progress, Internet-Draft, draft-ietf-quic- 1122 invariants, 1123 . 1125 [QUIC-TRANSPORT] 1126 Iyengar, J., Ed. and M. Thomson, Ed., "QUIC: A UDP-Based 1127 Multiplexed and Secure Transport", Work in Progress, 1128 Internet-Draft, draft-ietf-quic-transport, 1129 . 1131 [RFC3339] Klyne, G. and C. Newman, "Date and Time on the Internet: 1132 Timestamps", RFC 3339, DOI 10.17487/RFC3339, July 2002, 1133 . 1135 12.2. Informative References 1137 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 1138 Requirement Levels", BCP 14, RFC 2119, 1139 DOI 10.17487/RFC2119, March 1997, 1140 . 1142 Appendix A. Load Balancer Test Vectors 1144 Because any connection ID encoding in this specification includes 1145 many bits for server use without affecting extraction of the server 1146 ID, there are many possible connection IDs for any given set of 1147 parameters. However, every connection ID should result in a unique 1148 server ID. The following connection IDs can be used to verify that a 1149 load balancer implementation extracts the correct server ID. 1151 A.1. Plaintext Connection ID Algorithm 1153 TBD 1155 A.2. Stream Cipher Connection ID Algorithm 1157 cr_bits 0x0 length_self_encoding: y nonce_len 10 sid_len 1 key 1158 9c46142f1597511357cf437841721d4b 1160 cid 0b05be7bf896ed26cb4cc59a sid ab cid 0b43909398577dd7df1597d4 sid 1161 37 cid 0bf85fa27034785803747464 sid 0e cid 0bc630c588fdecbfbdb62e61 1162 sid 44 cid 0b8788901684f5d4e4dc6aeb sid 83 1164 cr_bits 0x0 length_self_encoding: n nonce_len 9 sid_len 2 key 1165 434ae6fbf36aca0773a6a75f10e3f747 1167 cid 08644a29067622f363d4c83e sid 846a cid 234b2899f9b213a70abfe193 1168 sid 4417 cid 3ff4ef53bbaad327c1e18fa5 sid 7554 cid 1169 08a0eaf4cc08f184e6cf7743 sid b78a cid 3fb2f5cf1b3e08bf97709c42 sid 1170 ed7e 1172 cr_bits 0x0 length_self_encoding: y nonce_len 12 sid_len 3 key 1173 02e895bf84f6a80c3c7156da88a96755 1175 cid 0f7405813570b8f9a6a10564d7b92834 sid 49023c cid 1176 0f3bb656319c6af210239dcaef77d3b9 sid b0a8ce cid 1177 0f3ae6d54ee97fc6907b5e2d60436caf sid 21f035 cid 1178 0f4774918a6576c88f85829306f6450f sid 9e46ea cid 1179 0f7467db6ca1eb4c185e642b0c9f8f44 sid c33db0 1181 cr_bits 0x0 length_self_encoding: n nonce_len 11 sid_len 4 key 1182 ccb612da03f5dc205faf9b0b1d5429cb 1184 cid 0c4b23e27639aef72f861ad2dce39d96 sid 125fdba1 cid 1185 063ed9a173d22be11818b77a3bd5ec37 sid 0f3f82bc cid 1186 1a14e39b0f6ca6a3a48f6fdd2083fa09 sid 05950af2 cid 1187 36cb4df5a7776edb21ec87c35c24e988 sid 3cb80d59 cid 1188 05749809112a91327fef4b3152335298 sid 4746cb79 1189 cr_bits 0x0 length_self_encoding: y nonce_len 8 sid_len 5 key 1190 625696d413ea1a352401afce6eec2432 1192 cid 0d2a7b43eeaac8b36fce2c14ac96 sid 4b00da143a cid 1193 0ddd6cdb6685e75b91f4a1bb0dde sid f9aa795663 cid 1194 0d870ea4d173d29484e41ea4a189 sid e430dcfb3f cid 1195 0df12abe175241b5ab035d23910f sid 8bc66a2596 cid 1196 0d390df5de76903ca94b2e9daa49 sid 7637d0c172 1198 A.3. Block Cipher Connection ID Algorithm 1200 Like the previous section, the text below lists a set of load 1201 balancer configuration and 5 CIDs generated with that configuration. 1203 cr_bits 0x0 length_self_encoding: y sid_len 1 zp_len 11 key 1204 8c24cb9b9c3289b4ee63c3f3d7f93a9a 1206 cid: 1378e44f874642624fa69e7b4aec15a2a678b8b5 sid: 48 1207 cid: 13772c82fe8ce6a00813f76a211b730eb4b20363 sid: 66 1208 cid: 135ccf507b1c209457f80df0217b9a1df439c4b2 sid: 30 1209 cid: 13898459900426c073c66b1001c867f9098a7aab sid: fe 1210 cid: 1397a18da00bf912f20049d9f0a007444f8b6699 sid: 30 1212 cr_bits 0x0 length_self_encoding: n sid_len 2 zp_len 10 key 1213 cc7ec42794664a8428250c12a7fb16fa 1215 cid: 0cb28bfc1f65c3de14752bc0fc734ef824ce8f78 sid: 33fa 1216 cid: 2345e9fc7a7be55b4ba1ff6ffa04f3f5f8c67009 sid: ee47 1217 cid: 0d32102be441600f608c95841fd40ce978aa7a02 sid: 0c8b 1218 cid: 2e6bfc53c91c275019cd809200fa8e23836565ab sid: feca 1219 cid: 29b87a902ed129c26f7e4e918a68703dc71a6e0a sid: 8941 1221 cr_bits 0x1 length_self_encoding: y sid_len 3 zp_len 9 key 1222 42e657946b96b7052ab8e6eeb863ee24 1224 cid: 53c48f7884d73fd9016f63e50453bfd9bcfc637d sid: b46b68 1225 cid: 53f45532f6a4f0e1757fa15c35f9a2ab0fcce621 sid: 2147b4 1226 cid: 5361fd4bbcee881a637210f4fffc02134772cc76 sid: e4bf4b 1227 cid: 53881ffde14e613ef151e50ba875769d6392809b sid: c2afee 1228 cid: 53ad0d60204d88343492334e6c4c4be88d4a3add sid: ae0331 1230 cr_bits 0x0 length_self_encoding: n sid_len 4 zp_len 8 key 1231 ee2dc6a3359a94b0043ca0c82715ce71 1232 cid: 058b9da37f436868cca3cef40c7f98001797c611 sid: eaf846c7 1233 cid: 1259fc97439adaf87f61250afea059e5ddf66e44 sid: 4cc5e84a 1234 cid: 202f424376f234d5f014f41cebc38de2619c6c71 sid: f94ff800 1235 cid: 146ac3e4bbb750d3bfb617ef4b0cb51a1cae5868 sid: c2071b1b 1236 cid: 36dfe886538af7eb16a196935b3705c9d741479f sid: 26359dbb 1238 cr_bits 0x2 length_self_encoding: y sid_len 5 zp_len 7 key 1239 700837da8834840afe7720186ec610c9 1241 cid: 931ef3cc07e2eaf08d4c1902cd564d907cc3377c sid: 759b1d419a 1242 cid: 9398c3d0203ab15f1dfeb5aa8f81e52888c32008 sid: 77cc0d3310 1243 cid: 93f4ba09ab08a9ef997db4fa37a97dbf2b4c5481 sid: f7db9dce32 1244 cid: 93744f4bedf95e04dd6607592ecf775825403093 sid: e264d714d2 1245 cid: 93256308e3d349f8839dec840b0a90c7e7a1fc20 sid: 618b07791f 1247 Appendix B. Acknowledgments 1249 Appendix C. Change Log 1251 *RFC Editor's Note:* Please remove this section prior to 1252 publication of a final version of this document. 1254 C.1. since-draft-ietf-quic-load-balancers-03 1256 * Improved Config Rotation text 1258 * Added stream cipher test vectors 1260 * Deleted the Obfuscated CID algorithm 1262 C.2. since-draft-ietf-quic-load-balancers-02 1264 * Replaced stream cipher algorithm with three-pass version 1266 * Updated Retry format to encode info for required TPs 1268 * Added discussion of version invariance 1270 * Cleaned up text about config rotation 1272 * Added Reset Oracle and limited configuration considerations 1274 * Allow dropped long-header packets for known QUIC versions 1276 C.3. since-draft-ietf-quic-load-balancers-01 1278 * Test vectors for load balancer decoding 1279 * Deleted remnants of in-band protocol 1281 * Light edit of Retry Services section 1283 * Discussed load balancer chains 1285 C.4. since-draft-ietf-quic-load-balancers-00 1287 * Removed in-band protocol from the document 1289 C.5. Since draft-duke-quic-load-balancers-06 1291 * Switch to IETF WG draft. 1293 C.6. Since draft-duke-quic-load-balancers-05 1295 * Editorial changes 1297 * Made load balancer behavior independent of QUIC version 1299 * Got rid of token in stream cipher encoding, because server might 1300 not have it 1302 * Defined "non-compliant DCID" and specified rules for handling 1303 them. 1305 * Added psuedocode for config schema 1307 C.7. Since draft-duke-quic-load-balancers-04 1309 * Added standard for retry services 1311 C.8. Since draft-duke-quic-load-balancers-03 1313 * Renamed Plaintext CID algorithm as Obfuscated CID 1315 * Added new Plaintext CID algorithm 1317 * Updated to allow 20B CIDs 1319 * Added self-encoding of CID length 1321 C.9. Since draft-duke-quic-load-balancers-02 1323 * Added Config Rotation 1325 * Added failover mode 1326 * Tweaks to existing CID algorithms 1328 * Added Block Cipher CID algorithm 1330 * Reformatted QUIC-LB packets 1332 C.10. Since draft-duke-quic-load-balancers-01 1334 * Complete rewrite 1336 * Supports multiple security levels 1338 * Lightweight messages 1340 C.11. Since draft-duke-quic-load-balancers-00 1342 * Converted to markdown 1344 * Added variable length connection IDs 1346 Authors' Addresses 1348 Martin Duke 1349 F5 Networks, Inc. 1351 Email: martin.h.duke@gmail.com 1353 Nick Banks 1354 Microsoft 1356 Email: nibanks@microsoft.com