| rfc9368.original | rfc9368.txt | |||
|---|---|---|---|---|
| QUIC D. Schinazi | Internet Engineering Task Force (IETF) D. Schinazi | |||
| Internet-Draft Google LLC | Request for Comments: 9368 Google LLC | |||
| Updates: 8999 (if approved) E. Rescorla | Updates: 8999 E. Rescorla | |||
| Intended status: Standards Track Mozilla | Category: Standards Track Mozilla | |||
| Expires: 22 June 2023 19 December 2022 | ISSN: 2070-1721 May 2023 | |||
| Compatible Version Negotiation for QUIC | Compatible Version Negotiation for QUIC | |||
| draft-ietf-quic-version-negotiation-14 | ||||
| Abstract | Abstract | |||
| QUIC does not provide a complete version negotiation mechanism but | QUIC does not provide a complete version negotiation mechanism but | |||
| instead only provides a way for the server to indicate that the | instead only provides a way for the server to indicate that the | |||
| version the client chose is unacceptable. This document describes a | version the client chose is unacceptable. This document describes a | |||
| version negotiation mechanism that allows a client and server to | version negotiation mechanism that allows a client and server to | |||
| select a mutually supported version. Optionally, if the client's | select a mutually supported version. Optionally, if the client's | |||
| chosen version and the negotiated version share a compatible first | chosen version and the negotiated version share a compatible first | |||
| flight format, the negotiation can take place without incurring an | flight format, the negotiation can take place without incurring an | |||
| extra round trip. This document updates RFC 8999. | extra round trip. This document updates RFC 8999. | |||
| About This Document | ||||
| This note is to be removed before publishing as an RFC. | ||||
| The latest revision of this draft can be found at | ||||
| https://quicwg.github.io/version-negotiation/draft-ietf-quic-version- | ||||
| negotiation.html. Status information for this document may be found | ||||
| at https://datatracker.ietf.org/doc/draft-ietf-quic-version- | ||||
| negotiation/. | ||||
| Discussion of this document takes place on the QUIC Working Group | ||||
| mailing list (mailto:quic@ietf.org), which is archived at | ||||
| https://mailarchive.ietf.org/arch/browse/quic/. Subscribe at | ||||
| https://www.ietf.org/mailman/listinfo/quic/. | ||||
| Source for this draft and an issue tracker can be found at | ||||
| https://github.com/quicwg/version-negotiation. | ||||
| Status of This Memo | Status of This Memo | |||
| This Internet-Draft is submitted in full conformance with the | This is an Internet Standards Track document. | |||
| provisions of BCP 78 and BCP 79. | ||||
| Internet-Drafts are working documents of the Internet Engineering | ||||
| Task Force (IETF). Note that other groups may also distribute | ||||
| working documents as Internet-Drafts. The list of current Internet- | ||||
| Drafts is at https://datatracker.ietf.org/drafts/current/. | ||||
| Internet-Drafts are draft documents valid for a maximum of six months | This document is a product of the Internet Engineering Task Force | |||
| and may be updated, replaced, or obsoleted by other documents at any | (IETF). It represents the consensus of the IETF community. It has | |||
| time. It is inappropriate to use Internet-Drafts as reference | received public review and has been approved for publication by the | |||
| material or to cite them other than as "work in progress." | Internet Engineering Steering Group (IESG). Further information on | |||
| Internet Standards is available in Section 2 of RFC 7841. | ||||
| This Internet-Draft will expire on 22 June 2023. | Information about the current status of this document, any errata, | |||
| and how to provide feedback on it may be obtained at | ||||
| https://www.rfc-editor.org/info/rfc9368. | ||||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2022 IETF Trust and the persons identified as the | Copyright (c) 2023 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents (https://trustee.ietf.org/ | Provisions Relating to IETF Documents | |||
| license-info) in effect on the date of publication of this document. | (https://trustee.ietf.org/license-info) in effect on the date of | |||
| Please review these documents carefully, as they describe your rights | publication of this document. Please review these documents | |||
| and restrictions with respect to this document. Code Components | carefully, as they describe your rights and restrictions with respect | |||
| extracted from this document must include Revised BSD License text as | to this document. Code Components extracted from this document must | |||
| described in Section 4.e of the Trust Legal Provisions and are | include Revised BSD License text as described in Section 4.e of the | |||
| provided without warranty as described in the Revised BSD License. | Trust Legal Provisions and are provided without warranty as described | |||
| in the Revised BSD License. | ||||
| Table of Contents | Table of Contents | |||
| 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 | 1. Introduction | |||
| 1.1. Conventions . . . . . . . . . . . . . . . . . . . . . . . 3 | 1.1. Conventions | |||
| 1.2. Definitions . . . . . . . . . . . . . . . . . . . . . . . 3 | 1.2. Definitions | |||
| 2. Version Negotiation Mechanism . . . . . . . . . . . . . . . . 4 | 2. Version Negotiation Mechanism | |||
| 2.1. Incompatible Version Negotiation . . . . . . . . . . . . 5 | 2.1. Incompatible Version Negotiation | |||
| 2.2. Compatible Versions . . . . . . . . . . . . . . . . . . . 5 | 2.2. Compatible Versions | |||
| 2.3. Compatible Version Negotiation . . . . . . . . . . . . . 6 | 2.3. Compatible Version Negotiation | |||
| 2.4. Connections and Version Negotiation . . . . . . . . . . . 8 | 2.4. Connections and Version Negotiation | |||
| 2.5. Client Choice of Original Version . . . . . . . . . . . . 8 | 2.5. Client Choice of Original Version | |||
| 3. Version Information . . . . . . . . . . . . . . . . . . . . . 9 | 3. Version Information | |||
| 4. Version Downgrade Prevention . . . . . . . . . . . . . . . . 10 | 4. Version Downgrade Prevention | |||
| 5. Server Deployments of QUIC . . . . . . . . . . . . . . . . . 12 | 5. Server Deployments of QUIC | |||
| 6. Application Layer Protocol Considerations . . . . . . . . . . 14 | 6. Application-Layer Protocol Considerations | |||
| 7. Considerations for Future Versions . . . . . . . . . . . . . 14 | 7. Considerations for Future Versions | |||
| 7.1. Interaction with Retry . . . . . . . . . . . . . . . . . 15 | 7.1. Interaction with Retry | |||
| 7.2. Interaction with TLS resumption . . . . . . . . . . . . . 15 | 7.2. Interaction with TLS Resumption | |||
| 7.3. Interaction with 0-RTT . . . . . . . . . . . . . . . . . 15 | 7.3. Interaction with 0-RTT | |||
| 8. Special Handling for QUIC Version 1 . . . . . . . . . . . . . 16 | 8. Special Handling for QUIC Version 1 | |||
| 9. Security Considerations . . . . . . . . . . . . . . . . . . . 16 | 9. Security Considerations | |||
| 10. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 16 | 10. IANA Considerations | |||
| 10.1. QUIC Transport Parameter . . . . . . . . . . . . . . . . 16 | 10.1. QUIC Transport Parameter | |||
| 10.2. QUIC Transport Error Code . . . . . . . . . . . . . . . 16 | 10.2. QUIC Transport Error Code | |||
| 11. References . . . . . . . . . . . . . . . . . . . . . . . . . 17 | 11. References | |||
| 11.1. Normative References . . . . . . . . . . . . . . . . . . 17 | 11.1. Normative References | |||
| 11.2. Informative References . . . . . . . . . . . . . . . . . 17 | 11.2. Informative References | |||
| Acknowledgments | ||||
| Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . 18 | Authors' Addresses | |||
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 18 | ||||
| 1. Introduction | 1. Introduction | |||
| The version-invariant properties of QUIC [QUIC-INVARIANTS] define a | The version-invariant properties of QUIC [QUIC-INVARIANTS] define a | |||
| Version Negotiation packet but do not specify how an endpoint reacts | Version Negotiation packet but do not specify how an endpoint reacts | |||
| when it receives one. QUIC version 1 [QUIC] allows the server to use | when it receives one. QUIC version 1 [QUIC] allows the server to use | |||
| a Version Negotiation packet to indicate that the version the client | a Version Negotiation packet to indicate that the version the client | |||
| chose is unacceptable, but doesn't allow the client to safely make | chose is unacceptable, but it doesn't allow the client to safely make | |||
| use of that information to create a new connection with a mutually | use of that information to create a new connection with a mutually | |||
| supported version. This document updates [QUIC-INVARIANTS] by | supported version. This document updates [QUIC-INVARIANTS] by | |||
| defining version negotiation mechanisms that leverage the Version | defining version negotiation mechanisms that leverage the Version | |||
| Negotiation packet. | Negotiation packet. | |||
| With proper safety mechanisms in place, the Version Negotiation | With proper safety mechanisms in place, the Version Negotiation | |||
| packet can be part of a mechanism to allow two QUIC implementations | packet can be part of a mechanism to allow two QUIC implementations | |||
| to negotiate between two totally disjoint versions of QUIC. This | to negotiate between two totally disjoint versions of QUIC. This | |||
| document specifies version negotiation using Version Negotiation | document specifies version negotiation using Version Negotiation | |||
| packets, which adds an extra round trip to connection establishment | packets, which adds an extra round trip to connection establishment | |||
| skipping to change at page 3, line 51 ¶ | skipping to change at line 123 ¶ | |||
| 1.2. Definitions | 1.2. Definitions | |||
| The document uses the following terms: | The document uses the following terms: | |||
| * In the context of a given QUIC connection, the "first flight" of | * In the context of a given QUIC connection, the "first flight" of | |||
| packets refers to the set of packets the client creates and sends | packets refers to the set of packets the client creates and sends | |||
| to initiate the connection before it has heard back from the | to initiate the connection before it has heard back from the | |||
| server. | server. | |||
| * In the context of a given QUIC connection, the "client's chosen | * In the context of a given QUIC connection, the "client's Chosen | |||
| version" is the QUIC version of the connection's first flight. | Version" is the QUIC version of the connection's first flight. | |||
| * The "original version" is the QUIC version of the very first | * The "Original Version" is the QUIC version of the very first | |||
| packet the client sends to the server. If version negotiation | packet the client sends to the server. If version negotiation | |||
| spans multiple connections (see Section 2.4), the original version | spans multiple connections (see Section 2.4), the Original Version | |||
| is equal to the client's chosen version of the first QUIC | is equal to the client's Chosen Version of the first QUIC | |||
| connection. | connection. | |||
| * The "negotiated version" is the QUIC version in use on the | * The "Negotiated Version" is the QUIC version in use on the | |||
| connection once the version negotiation process completes. | connection once the version negotiation process completes. | |||
| * The "Maximum Segment Lifetime" (MSL) represents the time a QUIC | * The "Maximum Segment Lifetime" (MSL) represents the time a QUIC | |||
| packet can exist in the network. Implementations can make this | packet can exist in the network. Implementations can make this | |||
| configurable, and a RECOMMENDED value is one minute. Note that | configurable, and a RECOMMENDED value is one minute. Note that | |||
| the term "segment" here originated in Section 3.4.1 of [TCP]. | the term "segment" here originated in Section 3.4.1 of [TCP]. | |||
| 2. Version Negotiation Mechanism | 2. Version Negotiation Mechanism | |||
| This document specifies two means of performing version negotiation: | This document specifies two means of performing version negotiation: | |||
| one "incompatible" which requires a round trip and is applicable to | 1) "incompatible", which requires a round trip and is applicable to | |||
| all versions, and one "compatible" that allows saving the round trip | all versions, and 2) "compatible", which allows saving the round trip | |||
| but only applies when the versions are compatible (see Section 2.2). | but only applies when the versions are compatible (see Section 2.2). | |||
| The client initiates a QUIC connection by choosing an original | The client initiates a QUIC connection by choosing an Original | |||
| version and sending a first flight of QUIC packets with a long header | Version and sending a first flight of QUIC packets with a long header | |||
| to the server [QUIC-INVARIANTS]. The client's first flight includes | to the server [QUIC-INVARIANTS]. The client's first flight includes | |||
| Version Information (see Section 3) which will be used to optionally | Version Information (see Section 3), which will be used to optionally | |||
| enable compatible version negotiation (see Section 2.3), and to | enable compatible version negotiation (see Section 2.3) and to | |||
| prevent version downgrade attacks (see Section 4). | prevent version downgrade attacks (see Section 4). | |||
| Upon receiving this first flight, the server verifies whether it | Upon receiving this first flight, the server verifies whether it | |||
| knows how to parse first flights from the original version. If it | knows how to parse first flights from the Chosen Version (which is | |||
| does not, then it starts incompatible version negotiation, see | also the Original Version in this case). If it does not, then it | |||
| Section 2.1, which causes the client to initiate a new connection | starts incompatible version negotiation (see Section 2.1), which | |||
| with a different version. For instance, if the client initiates a | causes the client to initiate a new connection with a different | |||
| connection with version A and the server starts incompatible version | version. For instance, if the client initiates a connection with | |||
| negotiation and the client then initiates a new connection with | version A that the server can't parse, the server starts incompatible | |||
| version B, we say that the first connection's client chosen version | version negotiation; then, when the client initiates a new connection | |||
| is A, the second connection's client chosen version is B, and the | with version B, we say that the first connection's client Chosen | |||
| original version for the entire sequence is A. | Version is A, the second connection's client Chosen Version is B, and | |||
| the Original Version for the entire sequence is A. | ||||
| If the server can parse the first flight, it can either establish the | If the server can parse the first flight, it can establish the | |||
| connection using the client's chosen version, or it MAY select any | connection using the client's Chosen Version, or it MAY select any | |||
| other compatible version, as described in Section 2.3. | other compatible version, as described in Section 2.3. | |||
| Note that it is possible for a server to have the ability to parse | Note that it is possible for a server to have the ability to parse | |||
| the first flight of a given version without fully supporting it, in | the first flight of a given version without fully supporting it, in | |||
| the sense that it implements enough of the version's specification to | the sense that it implements enough of the version's specification to | |||
| parse first flight packets but not enough to fully establish a | parse first flight packets but not enough to fully establish a | |||
| connection using that version. | connection using that version. | |||
| 2.1. Incompatible Version Negotiation | 2.1. Incompatible Version Negotiation | |||
| The server starts incompatible version negotiation by sending a | The server starts incompatible version negotiation by sending a | |||
| Version Negotiation packet. This packet SHALL include each entry | Version Negotiation packet. This packet SHALL include each entry | |||
| from the server's set of Offered Versions (see Section 5) in a | from the server's set of Offered Versions (see Section 5) in a | |||
| Supported Version field. The server MAY add reserved versions (as | Supported Version field. The server MAY add reserved versions (as | |||
| defined in Section 6.3 of [QUIC]) in Supported Version fields. | defined in Section 6.3 of [QUIC]) in Supported Version fields. | |||
| Clients will ignore a Version Negotiation packet if it contains the | Clients will ignore a Version Negotiation packet if it contains the | |||
| original version attempted by the client; see Section 4. The client | Original Version attempted by the client, as required by Section 4. | |||
| also ignores a Version Negotiation packet that contains incorrect | The client also ignores a Version Negotiation packet that contains | |||
| connection ID fields; see Section 6 of [QUIC-INVARIANTS]. | incorrect connection ID fields, as required by Section 6 of | |||
| [QUIC-INVARIANTS]. | ||||
| Upon receiving the Version Negotiation packet, the client SHALL | Upon receiving the Version Negotiation packet, the client SHALL | |||
| search for a version it supports in the list provided by the server. | search for a version it supports in the list provided by the server. | |||
| If it doesn't find one, it SHALL abort the connection attempt. | If it doesn't find one, it SHALL abort the connection attempt. | |||
| Otherwise, it SHALL select a mutually supported version and send a | Otherwise, it SHALL select a mutually supported version and send a | |||
| new first flight with that version - this version is now the | new first flight with that version -- this version is now the | |||
| negotiated version. | Negotiated Version. | |||
| The new first flight will allow the endpoints to establish a | The new first flight will allow the endpoints to establish a | |||
| connection using the negotiated version. The handshake of the | connection using the Negotiated Version. The handshake of the | |||
| negotiated version will exchange version information (see Section 3) | Negotiated Version will exchange Version Information (see Section 3) | |||
| required to ensure that version negotiation was genuine, i.e. that no | that is required to ensure that version negotiation was genuine, | |||
| attacker injected packets in order to influence the version | i.e., that no attacker injected packets in order to influence the | |||
| negotiation process, see Section 4. | version negotiation process (see Section 4). | |||
| Only servers can start incompatible version negotiation: clients MUST | Only servers can start incompatible version negotiation. Clients | |||
| NOT send Version Negotiation packets and servers MUST ignore all | MUST NOT send Version Negotiation packets and servers MUST ignore all | |||
| received Version Negotiation packets. | received Version Negotiation packets. | |||
| 2.2. Compatible Versions | 2.2. Compatible Versions | |||
| If A and B are two distinct versions of QUIC, A is said to be | If A and B are two distinct versions of QUIC, A is said to be | |||
| "compatible" with B if it is possible to take a first flight of | "compatible" with B if it is possible to take a first flight of | |||
| packets from version A and convert it into a first flight of packets | packets from version A and convert it into a first flight of packets | |||
| from version B. As an example, if versions A and B are absolutely | from version B. As an example, if versions A and B are absolutely | |||
| equal in their wire image and behavior during the handshake but | equal in their wire image and behavior during the handshake but | |||
| differ after the handshake, then A is compatible with B and B is | differ after the handshake, then A is compatible with B and B is | |||
| compatible with A. Note that the conversion of the first flight can | compatible with A. Note that the conversion of the first flight can | |||
| be lossy: some data such as QUIC version 1 0-RTT packets could be | be lossy; some data, such as QUIC version 1 0-RTT packets, could be | |||
| ignored during conversion and retransmitted later. | ignored during conversion and retransmitted later. | |||
| Version compatibility is not symmetric: it is possible for version A | Version compatibility is not symmetric. It is possible for version A | |||
| to be compatible with version B and for B not to be compatible with | to be compatible with version B and for version B not to be | |||
| A. This could happen for example if version B is a strict superset | compatible with version A. This could happen, for example, if | |||
| of version A: if version A includes the concept of streams and STREAM | version B is a strict superset of version A, i.e., if version A | |||
| frames, and version B includes the concept of streams and the | includes the concept of streams and STREAM frames and version B | |||
| hypothetical concept of tubes along with STREAM and TUBE frames, then | includes the concept of streams and the hypothetical concept of tubes | |||
| A would be compatible with B but B would not be compatible with A. | along with STREAM and TUBE frames, then A would be compatible with B, | |||
| but B would not be compatible with A. | ||||
| Note that version compatibility does not mean that every single | Note that version compatibility does not mean that every single | |||
| possible instance of a first flight will succeed in conversion to the | possible instance of a first flight will succeed in conversion to the | |||
| other version. A first flight using version A is said to be | other version. A first flight using version A is said to be | |||
| "compatible" with version B if two conditions are met: first that | "compatible" with version B if two conditions are met: (1) version A | |||
| version A is compatible with version B, and second that the | is compatible with version B and (2) the conversion of this first | |||
| conversion of this first flight to version B is well-defined. For | flight to version B is well defined. For example, if version B is | |||
| example, if version B is equal to A in all aspects except it | equal to version A in all aspects except it introduced a new frame in | |||
| introduced a new frame in its first flight that version A cannot | its first flight that version A cannot parse or even ignore, then | |||
| parse or even ignore, then B could still be compatible with A as | version B could still be compatible with version A, as conversions | |||
| conversions would succeed for connections where that frame is not | would succeed for connections where that frame is not used. In this | |||
| used. In this example, first flights using version B that carry this | example, first flights using version B that carry this new frame | |||
| new frame would not be compatible with version A. | would not be compatible with version A. | |||
| When a new version of QUIC is defined, it is assumed to not be | When a new version of QUIC is defined, it is assumed to not be | |||
| compatible with any other version unless otherwise specified. | compatible with any other version unless otherwise specified. | |||
| Similarly, no other version is compatible with the new version unless | Similarly, no other version is compatible with the new version unless | |||
| otherwise specified. Implementations MUST NOT assume compatibility | otherwise specified. Implementations MUST NOT assume compatibility | |||
| between versions unless explicitly specified. | between versions unless explicitly specified. | |||
| Note that both endpoints might disagree on whether two versions are | Note that both endpoints might disagree on whether two versions are | |||
| compatible or not. For example, two versions could have been defined | compatible or not. For example, two versions could have been defined | |||
| concurrently and then specified as compatible in a third document | concurrently and then specified as compatible in a third document | |||
| much later - in that scenario one endpoint might be aware of the | much later -- in that scenario, one endpoint might be aware of the | |||
| compatibility document while the other may not. | compatibility document, while the other may not. | |||
| 2.3. Compatible Version Negotiation | 2.3. Compatible Version Negotiation | |||
| When the server can parse the client's first flight using the | When the server can parse the client's first flight using the | |||
| client's chosen version, it can extract the client's Version | client's Chosen Version, it can extract the client's Version | |||
| Information structure (see Section 3). This contains the list of | Information structure (see Section 3). This contains the list of | |||
| versions that the client knows its first flight is compatible with. | versions that the client knows its first flight is compatible with. | |||
| In order to perform compatible version negotiation, the server MUST | In order to perform compatible version negotiation, the server MUST | |||
| select one of these versions that (1) it supports and (2) it knows | select one of these versions that it (1) supports and (2) knows the | |||
| the client's chosen version to be compatible with. This selected | client's Chosen Version is compatible with. This selected version is | |||
| version is now the negotiated version. After selecting it, the | now the Negotiated Version. After selecting it, the server attempts | |||
| server attempts to convert the client's first flight into that | to convert the client's first flight into that version and replies to | |||
| version, and replies to the client as if it had received the | the client as if it had received the converted first flight. | |||
| converted first flight. | ||||
| If those formats are identical, as in cases where the negotiated | If those formats are identical, as in cases where the Negotiated | |||
| version is the same as the client's chosen version, then this will be | Version is the same as the client's Chosen Version, then this will be | |||
| the identity transform. If the first flight is correctly formatted, | the identity transformation. If the first flight is correctly | |||
| then this conversion process cannot fail by definition of the first | formatted, then this conversion process cannot fail by definition of | |||
| flight being compatible; if the server is unable to convert the first | the first flight being compatible; if the server is unable to convert | |||
| flight, it MUST abort the handshake. | the first flight, it MUST abort the handshake. | |||
| If a document specifies that a QUIC version is compatible with | If a document specifies that a QUIC version is compatible with | |||
| another, that document MUST specify the mechanism by which clients | another, that document MUST specify the mechanism by which clients | |||
| are made aware of the negotiated version. An example of such a | are made aware of the Negotiated Version. An example of such a | |||
| mechanism is to have the client determine the server's negotiated | mechanism is to have the client determine the server's Negotiated | |||
| version by examining the QUIC long header Version field. Note that, | Version by examining the QUIC long header Version field. Note that, | |||
| in this example mechanism, it is possible for the server to initially | in this example mechanism, it is possible for the server to initially | |||
| send packets with the client's chosen version before switching to the | send packets with the client's Chosen Version before switching to the | |||
| negotiated version (this can happen when the client's Version | Negotiated Version (this can happen when the client's Version | |||
| Information structure spans multiple packets; in that case the server | Information structure spans multiple packets; in that case, the | |||
| might acknowledge the first packet in the client's chosen version and | server might acknowledge the first packet in the client's Chosen | |||
| later switch to a different negotiated version). Mutually compatible | Version and later switch to a different Negotiated Version). | |||
| versions SHOULD use the same mechanism. | Mutually compatible versions SHOULD use the same mechanism. | |||
| Note that, after the first flight is converted to the negotiated | Note that, after the first flight is converted to the Negotiated | |||
| version, the handshake completes in the negotiated version. If the | Version, the handshake completes in the Negotiated Version. If the | |||
| negotiated version has requirements that apply during the handshake, | Negotiated Version has requirements that apply during the handshake, | |||
| those requirements apply to the entire handshake, including the | those requirements apply to the entire handshake, including the | |||
| converted first flight. In particular, if the negotiated version | converted first flight. In particular, if the Negotiated Version | |||
| mandates that endpoints perform validations on handshake packets, | mandates that endpoints perform validations on Handshake packets, | |||
| endpoints MUST also perform such validations on the converted first | endpoints MUST also perform such validations on the converted first | |||
| flight. For instance, if the negotiated version requires that the | flight. For instance, if the Negotiated Version requires that the | |||
| 5-tuple remain stable for the entire handshake (as QUIC version 1 | 5-tuple remain stable for the entire handshake (as QUIC version 1 | |||
| does), then both endpoints need to validate the 5-tuple of all | does), then both endpoints need to validate the 5-tuple of all | |||
| handshake packets, including the converted first flight. | packets received during the handshake, including the converted first | |||
| flight. | ||||
| Note also that the client can disable compatible version negotiation | Note also that the client can disable compatible version negotiation | |||
| by only including the Chosen Version in the Available Versions field | by only including the Chosen Version in the Available Versions field | |||
| of the Version Information; see Section 3. | of the Version Information (see Section 3). | |||
| If the server does not find a compatible version (including the | If the server does not find a compatible version (including the | |||
| client's chosen version), it will perform incompatible version | client's Chosen Version), it will perform incompatible version | |||
| negotiation instead, see Section 2.1. | negotiation instead (see Section 2.1). | |||
| Note that it is possible to have incompatible version negotiation | Note that it is possible to have incompatible version negotiation | |||
| followed by compatible version negotiation. For instance, if version | followed by compatible version negotiation. For instance, if version | |||
| A is compatible with B and C is compatible with D, the following | A is compatible with version B and version C is compatible with | |||
| scenario could occur: | version D, the following scenario could occur: | |||
| Client Server | Client Server | |||
| Chosen = A, Available Versions = (A, B) -------------> | Chosen = A, Available Versions = (A, B) -------------> | |||
| <------------------------ Version Negotiation = (D, C) | <------------------------ Version Negotiation = (D, C) | |||
| Chosen = C, Available Versions = (C, D) -------------> | Chosen = C, Available Versions = (C, D) -------------> | |||
| <------------- Chosen = D, Available Versions = (D, C) | <------------- Chosen = D, Available Versions = (D, C) | |||
| Figure 1: Combined Negotiation Example | Figure 1: Combined Negotiation Example | |||
| In this example, the client selected C from the server's Version | In this example, the client selected C from the server's Version | |||
| Negotiation packet, but the server preferred D and then selected it | Negotiation packet, but the server preferred D and then selected it | |||
| from the client's offer. | from the client's offer. | |||
| 2.4. Connections and Version Negotiation | 2.4. Connections and Version Negotiation | |||
| QUIC connections are shared state between a client and a server | QUIC connections are shared state between a client and a server | |||
| [QUIC-INVARIANTS]. The compatible version negotiation mechanism | [QUIC-INVARIANTS]. The compatible version negotiation mechanism | |||
| defined in this document (see Section 2.3) is performed as part of a | defined in this document (see Section 2.3) is performed as part of a | |||
| single QUIC connection; that is, the packets with the client's chosen | single QUIC connection; that is, the packets with the client's Chosen | |||
| version are part of the same connection as the packets with the | Version are part of the same connection as the packets with the | |||
| negotiated version. | Negotiated Version. | |||
| In comparison, the incompatible version negotiation mechanism, which | In comparison, the incompatible version negotiation mechanism, which | |||
| leverages QUIC Version Negotiation packets (see Section 2.1) | leverages QUIC Version Negotiation packets (see Section 2.1), | |||
| conceptually operates across two QUIC connections: the connection | conceptually operates across two QUIC connections, i.e., the | |||
| attempt prior to receiving the Version Negotiation packet is distinct | connection attempt prior to receiving the Version Negotiation packet | |||
| from the connection with the incompatible version that follows. | is distinct from the connection with the incompatible version that | |||
| follows. | ||||
| Note that this separation across two connections is conceptual: it | Note that this separation across two connections is conceptual, i.e., | |||
| applies to normative requirements on QUIC connections, but does not | it applies to normative requirements on QUIC connections, but it does | |||
| require implementations to internally use two distinct connection | not require implementations to internally use two distinct connection | |||
| objects. | objects. | |||
| 2.5. Client Choice of Original Version | 2.5. Client Choice of Original Version | |||
| When the client picks its original version, it will try to avoid | When the client picks its Original Version, it SHOULD try to avoid | |||
| incompatible version negotiation to save a round trip. Therefore, | incompatible version negotiation to save a round trip. Therefore, | |||
| the client SHOULD pick an original version to maximize the combined | the client SHOULD pick an Original Version to maximize the combined | |||
| probability that both: | probability that both: | |||
| * The server knows how to parse first flights from the original | * the server knows how to parse first flights from the Original | |||
| version. | Version and | |||
| * The original version is compatible with the client's preferred | * the Original Version is compatible with the client's preferred | |||
| version. | version. | |||
| Without additional information, this could mean selecting the oldest | Without additional information, this could mean selecting the oldest | |||
| version that the client supports, while advertising newer compatible | version that the client supports while advertising newer compatible | |||
| versions in the client's first flight. | versions in the client's first flight. | |||
| 3. Version Information | 3. Version Information | |||
| During the handshake, endpoints will exchange Version Information, | During the handshake, endpoints will exchange Version Information, | |||
| which consists of a chosen version and a list of available versions. | which consists of a Chosen Version and a list of Available Versions. | |||
| Any version of QUIC that supports this mechanism MUST provide a | Any version of QUIC that supports this mechanism MUST provide a | |||
| mechanism to exchange Version Information in both directions during | mechanism to exchange Version Information in both directions during | |||
| the handshake, such that this data is authenticated. | the handshake, such that this data is authenticated. | |||
| In QUIC version 1, the Version Information is transmitted using a new | In QUIC version 1, the Version Information is transmitted using a new | |||
| "version_information" transport parameter; see Section 7.4 of [QUIC]. | version_information transport parameter (see Section 7.4 of [QUIC]). | |||
| The contents of Version Information are shown below (using the | The contents of Version Information are shown below (using the | |||
| notation from the "Notational Conventions" section of [QUIC]): | notation from Section 1.3 of [QUIC]): | |||
| Version Information { | Version Information { | |||
| Chosen Version (32), | Chosen Version (32), | |||
| Available Versions (32) ..., | Available Versions (32) ..., | |||
| } | } | |||
| Figure 2: Version Information Format | Figure 2: Version Information Format | |||
| The content of each field is described below: | The content of each field is described below: | |||
| Chosen Version: The version that the sender has chosen to use for | Chosen Version: The version that the sender has chosen to use for | |||
| this connection. In most cases, this field will be equal to the | this connection. In most cases, this field will be equal to the | |||
| value of the Version field in the long header that carries this | value of the Version field in the long header that carries this | |||
| data; however future versions or extensions can choose to set | data; however, future versions or extensions can choose to set | |||
| different values in the long header Version field. | different values in the long header Version field. | |||
| The contents of the Available Versions field depends on whether it is | The contents of the Available Versions field depend on whether it is | |||
| sent by the client or by the server. | sent by the client or by the server. | |||
| Client-Sent Available Versions: When sent by a client, the Available | Client-Sent Available Versions: When sent by a client, the Available | |||
| Versions field lists all the versions that this first flight is | Versions field lists all the versions that this first flight is | |||
| compatible with, ordered by descending preference. Note that the | compatible with, ordered by descending preference. Note that the | |||
| version in the Chosen Version field MUST be included in this list | version in the Chosen Version field MUST be included in this list | |||
| to allow the client to communicate the chosen version's | to allow the client to communicate the Chosen Version's | |||
| preference. Note that this preference is only advisory, servers | preference. Note that this preference is only advisory; servers | |||
| MAY choose to use their own preference instead. | MAY choose to use their own preference instead. | |||
| Server-Sent Available Versions: When sent by a server, the Available | Server-Sent Available Versions: When sent by a server, the Available | |||
| Versions field lists all the Fully-Deployed Versions of this | Versions field lists all the Fully Deployed Versions of this | |||
| server deployment, see Section 5. The ordering of the versions in | server deployment (see Section 5). The ordering of the versions | |||
| this field does not carry any semantics. Note that the version in | in this field does not carry any semantics. Note that the version | |||
| the Chosen Version field is not necessarily included in this list, | in the Chosen Version field is not necessarily included in this | |||
| because the server operator could be in the process of removing | list, because the server operator could be in the process of | |||
| support for this version. For the same reason, the Available | removing support for this version. For the same reason, the | |||
| Versions field MAY be empty. | Available Versions field MAY be empty. | |||
| Clients and servers MAY both include versions following the pattern | Clients and servers MAY both include versions following the pattern | |||
| 0x?a?a?a?a in their Available Versions list. Those versions are | 0x?a?a?a?a in their Available Versions list. Those versions are | |||
| reserved to exercise version negotiation (see the Versions section of | reserved to exercise version negotiation (see Section 15 of [QUIC]) | |||
| [QUIC]), and will never be selected when choosing a version to use. | and will never be selected when choosing a version to use. | |||
| 4. Version Downgrade Prevention | 4. Version Downgrade Prevention | |||
| A version downgrade is an attack where a malicious entity manages to | A version downgrade is an attack where a malicious entity manages to | |||
| make the QUIC endpoints negotiate a QUIC version different from the | make the QUIC endpoints negotiate a QUIC version different from the | |||
| one they would have negotiated in the absence of the attack. The | one they would have negotiated in the absence of the attack. The | |||
| mechanism described in this document is designed to prevent downgrade | mechanism described in this document is designed to prevent downgrade | |||
| attacks. | attacks. | |||
| Clients MUST ignore any received Version Negotiation packets that | Clients MUST ignore any received Version Negotiation packets that | |||
| contain the original version. A client that makes a connection | contain the Original Version. A client that makes a connection | |||
| attempt based on information received from a Version Negotiation | attempt based on information received from a Version Negotiation | |||
| packet MUST ignore any Version Negotiation packets it receives in | packet MUST ignore any Version Negotiation packets it receives in | |||
| response to that connection attempt. | response to that connection attempt. | |||
| Both endpoints MUST parse their peer's Version Information during the | Both endpoints MUST parse their peer's Version Information during the | |||
| handshake. If that leads to a parsing failure (for example, if it is | handshake. If that leads to a parsing failure (for example, if it is | |||
| too short or if its length is not divisible by four), then the | too short or if its length is not divisible by four), then the | |||
| endpoint MUST close the connection; if the connection was using QUIC | endpoint MUST close the connection; if the connection was using QUIC | |||
| version 1, that connection closure MUST use a transport error of type | version 1, that connection closure MUST use a transport error of type | |||
| TRANSPORT_PARAMETER_ERROR. If an endpoint receives a Chosen Version | TRANSPORT_PARAMETER_ERROR. If an endpoint receives a Chosen Version | |||
| equal to zero, or any Available Version equal to zero, it MUST treat | equal to zero, or any Available Version equal to zero, it MUST treat | |||
| it as a parsing failure. If a server receives a Version Information | it as a parsing failure. If a server receives Version Information | |||
| where the Chosen Version is not included in Available Versions, it | where the Chosen Version is not included in Available Versions, it | |||
| MUST treat it as a parsing failure. | MUST treat it as a parsing failure. | |||
| Every QUIC version that supports version negotiation MUST define a | Every QUIC version that supports version negotiation MUST define a | |||
| method for closing the connection with a version negotiation error. | method for closing the connection with a version negotiation error. | |||
| For QUIC version 1, version negotiation errors are signaled using a | For QUIC version 1, version negotiation errors are signaled using a | |||
| transport error of type VERSION_NEGOTIATION_ERROR; see Section 10.2. | transport error of type VERSION_NEGOTIATION_ERROR (see Section 10.2). | |||
| When a server receives a client's first flight, the server will first | When a server receives a client's first flight, the server will first | |||
| establish which QUIC version is in use for this connection in order | establish which QUIC version is in use for this connection in order | |||
| to properly parse the first flight. For example, the server | to properly parse the first flight. This may involve examining data | |||
| determines that QUIC version 1 is in use by observing that the | that is not part of the handshake transcript, such as parts of the | |||
| Version field of the first Long Header packet it receives is set to | packet header. When the server then processes the client's Version | |||
| 0x00000001. When the server then processes the client's Version | ||||
| Information, the server MUST validate that the client's Chosen | Information, the server MUST validate that the client's Chosen | |||
| Version matches the version in use for the connection. If the two | Version matches the version in use for the connection. If the two | |||
| differ, the server MUST close the connection with a version | differ, the server MUST close the connection with a version | |||
| negotiation error. For example, if a server receives the client's | negotiation error. | |||
| Version Information over QUIC version 1 (as indicated by the Version | ||||
| field of the Long Header packets that carried the transport | ||||
| parameters) and the client's Chosen Version is not set to 0x00000001, | ||||
| the server will close the connection with a version negotiation | ||||
| error. | ||||
| If a client receives a Version Information where the server's Chosen | In the specific case of QUIC version 1, the server determines that | |||
| version 1 is in use by observing that the Version field of the first | ||||
| Long Header packet it receives is set to 0x00000001. Subsequently, | ||||
| if the server receives the client's Version Information over QUIC | ||||
| version 1 (as indicated by the Version field of the Long Header | ||||
| packets that carried the transport parameters) and the client's | ||||
| Chosen Version is not set to 0x00000001, the server MUST close the | ||||
| connection with a version negotiation error. | ||||
| Servers MAY complete the handshake even if the Version Information is | ||||
| missing. Clients MUST NOT complete the handshake if they are | ||||
| reacting to a Version Negotiation packet and the Version Information | ||||
| is missing, but MAY do so otherwise. | ||||
| If a client receives Version Information where the server's Chosen | ||||
| Version was not sent by the client as part of its Available Versions, | Version was not sent by the client as part of its Available Versions, | |||
| the client MUST close the connection with a version negotiation | the client MUST close the connection with a version negotiation | |||
| error. | error. If a client has reacted to a Version Negotiation packet and | |||
| the server's Version Information was missing, the client MUST close | ||||
| If the Version Information was missing, the endpoints MAY complete | the connection with a version negotiation error. | |||
| the handshake. However, if a client has reacted to a Version | ||||
| Negotiation packet and the Version Information was missing, the | ||||
| client MUST close the connection with a version negotiation error. | ||||
| If the client received and acted on a Version Negotiation packet, the | If the client received and acted on a Version Negotiation packet, the | |||
| client MUST validate the server's Available Versions field. The | client MUST validate the server's Available Versions field. The | |||
| Available Versions field is validated by confirming that the client | Available Versions field is validated by confirming that the client | |||
| would have attempted the same version with knowledge of the versions | would have attempted the same version with knowledge of the versions | |||
| the server supports. That is, the client would have selected the | the server supports. That is, the client would have selected the | |||
| same version if it received a Version Negotiation packet that listed | same version if it received a Version Negotiation packet that listed | |||
| the versions in the server's Available Versions field, plus the | the versions in the server's Available Versions field, plus the | |||
| negotiated version. If the client would have selected a different | Negotiated Version. If the client would have selected a different | |||
| version, the client MUST close the connection with a version | version, the client MUST close the connection with a version | |||
| negotiation error. In particular, if the client reacted to a Version | negotiation error. In particular, if the client reacted to a Version | |||
| Negotiation packet and the server's Available Versions field is | Negotiation packet and the server's Available Versions field is | |||
| empty, the client MUST close the connection with a version | empty, the client MUST close the connection with a version | |||
| negotiation error. These connection closures prevent an attacker | negotiation error. These connection closures prevent an attacker | |||
| from being able to use forged Version Negotiation packets to force a | from being able to use forged Version Negotiation packets to force a | |||
| version downgrade. | version downgrade. | |||
| As an example, let's assume a client supports hypothetical QUIC | As an example, let's assume a client supports hypothetical QUIC | |||
| versions 10, 12, and 14 with a preference for higher versions. The | versions 10, 12, and 14 with a preference for higher versions. The | |||
| client initiates a connection attempt with version 12. Let's explore | client initiates a connection attempt with version 12. Let's explore | |||
| two independent example scenarios: | two independent example scenarios: | |||
| * In the first scenario, the server supports versions 10, 13, and 14 | * In the first scenario, the server supports versions 10, 13, and | |||
| but only 13 and 14 are Fully-Deployed (see Section 5). The server | 14, but only 13 and 14 are Fully Deployed (see Section 5). The | |||
| sends a Version Negotiation packet with versions 10, 13, and 14. | server sends a Version Negotiation packet with versions 10, 13, | |||
| This triggers an incompatible version negotiation and the client | and 14. This triggers an incompatible version negotiation, and | |||
| initiates a new connection with version 14. Then the server's | the client initiates a new connection with version 14. Then, the | |||
| Available Versions field contains 13 and 14. In that scenario, | server's Available Versions field contains 13 and 14. In that | |||
| the client would have also picked 14 if it had received a Version | scenario, the client would have also picked 14 if it had received | |||
| Negotiation packet with versions 13 and 14, therefore the | a Version Negotiation packet with versions 13 and 14; therefore, | |||
| handshake succeeds using negotiated version 14. | the handshake succeeds using Negotiated Version 14. | |||
| * In the second scenario, the server supports versions 10, 13, and | * In the second scenario, the server supports versions 10, 13, and | |||
| 14 and they are all Fully-Deployed. However, the attacker forges | 14, and they are all Fully Deployed. However, the attacker forges | |||
| a Version Negotiation packet with versions 10 and 13. This | a Version Negotiation packet with versions 10 and 13. This | |||
| triggers an incompatible version negotiation and the client | triggers an incompatible version negotiation, and the client | |||
| initiates a new connection with version 10. Then the server's | initiates a new connection with version 10. Then, the server's | |||
| Available Versions field contains 10, 13 and 14. In that | Available Versions field contains 10, 13, and 14. In that | |||
| scenario, the client would have picked 14 instead of 10 if it had | scenario, the client would have picked 14 instead of 10 if it had | |||
| received a Version Negotiation packet with versions 10, 13 and 14, | received a Version Negotiation packet with versions 10, 13, and | |||
| therefore the client aborts the handshake with a version | 14; therefore, the client aborts the handshake with a version | |||
| negotiation error. | negotiation error. | |||
| This validation of Available Versions is not sufficient to prevent | This validation of Available Versions is not sufficient to prevent | |||
| downgrade. Downgrade prevention also depends on the client ignoring | downgrade. Downgrade prevention also depends on the client ignoring | |||
| Version Negotiation packets that contain the original version; see | Version Negotiation packets that contain the Original Version (see | |||
| Section 2.1. | Section 2.1). | |||
| After the process of version negotiation in this document completes, | After the process of version negotiation described in this document | |||
| the version in use for the connection is the version that the server | completes, the version in use for the connection is the version that | |||
| sent in the Chosen Version field of its Version Information. That | the server sent in the Chosen Version field of its Version | |||
| remains true even if other versions were used in the Version field of | Information. That remains true even if other versions were used in | |||
| long headers at any point in the lifetime of the connection. In | the Version field of long headers at any point in the lifetime of the | |||
| particular, since during compatible version negotiation the client is | connection. In particular, since the client can be made aware of the | |||
| made aware of the negotiated version by the QUIC long header version | Negotiated Version by the QUIC long header version during compatible | |||
| (see Section 2.3), clients MUST validate that the server's Chosen | version negotiation (see Section 2.3), clients MUST validate that the | |||
| Version is equal to the negotiated version; if they do not match, the | server's Chosen Version is equal to the Negotiated Version; if they | |||
| client MUST close the connection with a version negotiation error. | do not match, the client MUST close the connection with a version | |||
| This prevents an attacker's ability to influence version negotiation | negotiation error. This prevents an attacker's ability to influence | |||
| by forging the Version long header field. | version negotiation by forging the long header Version field. | |||
| 5. Server Deployments of QUIC | 5. Server Deployments of QUIC | |||
| While this document mainly discusses a single QUIC server, it is | While this document mainly discusses a single QUIC server, it is | |||
| common for deployments of QUIC servers to include a fleet of multiple | common for deployments of QUIC servers to include a fleet of multiple | |||
| server instances. We therefore define the following terms: | server instances. Therefore, we define the following terms: | |||
| Acceptable Versions: This is the set of versions supported by a | Acceptable Versions: This is the set of versions supported by a | |||
| given server instance. More specifically, these are the versions | given server instance. More specifically, these are the versions | |||
| that a given server instance will use if a client sends a first | that a given server instance will use if a client sends a first | |||
| flight using them. | flight using them. | |||
| Offered Versions: This is the set of versions that a given server | Offered Versions: This is the set of versions that a given server | |||
| instance will send in a Version Negotiation packet if it receives | instance will send in a Version Negotiation packet if it receives | |||
| a first flight from an unknown version. This set will most often | a first flight from an unknown version. This set will most often | |||
| be equal to the Acceptable Versions set, except during short | be equal to the Acceptable Versions set, except during short | |||
| transitions while versions are added or removed (see below). | transitions while versions are added or removed (see below). | |||
| Fully Deployed Versions: This is the set of QUIC versions that is | ||||
| Fully-Deployed Versions: This is the set of QUIC versions that is | ||||
| supported and negotiated by every single QUIC server instance in | supported and negotiated by every single QUIC server instance in | |||
| this deployment. If a deployment only contains a single server | this deployment. If a deployment only contains a single server | |||
| instance, then this set is equal to the Offered Versions set, | instance, then this set is equal to the Offered Versions set, | |||
| except during short transitions while versions are added or | except during short transitions while versions are added or | |||
| removed (see below). | removed (see below). | |||
| If a deployment contains multiple server instances, software updates | If a deployment contains multiple server instances, software updates | |||
| may not happen at exactly the same time on all server instances. | may not happen at exactly the same time on all server instances. | |||
| Because of this, a client might receive a Version Negotiation packet | Because of this, a client might receive a Version Negotiation packet | |||
| from a server instance that has already been updated and the client's | from a server instance that has already been updated, and the | |||
| resulting connection attempt might reach a different server instance | client's resulting connection attempt might reach a different server | |||
| which hasn't been updated yet. | instance which hasn't been updated yet. | |||
| However, even when there is only a single server instance, it is | However, even when there is only a single server instance, it is | |||
| still possible to receive a stale Version Negotiation packet if the | still possible to receive a stale Version Negotiation packet if the | |||
| server performs its software update while the Version Negotiation | server performs its software update while the Version Negotiation | |||
| packet is in flight. | packet is in flight. | |||
| This could cause the version downgrade prevention mechanism described | This could cause the version downgrade prevention mechanism described | |||
| in Section 4 to falsely detect a downgrade attack. To avoid that, | in Section 4 to falsely detect a downgrade attack. To avoid that, | |||
| server operators SHOULD perform a three-step process when they wish | server operators SHOULD perform a three-step process when they wish | |||
| to add or remove support for a version: | to add or remove support for a version, as described below. | |||
| When adding support for a new version: | When adding support for a new version: | |||
| * The first step is to progressively add support for the new version | * The first step is to progressively add support for the new version | |||
| to all server instances. This step updates the Acceptable | to all server instances. This step updates the Acceptable | |||
| Versions but not the Offered Versions nor the Fully-Deployed | Versions but not the Offered Versions nor the Fully Deployed | |||
| Versions. Once all server instances have been updated, operators | Versions. Once all server instances have been updated, operators | |||
| wait for at least one MSL to allow any in-flight Version | wait for at least one MSL to allow any in-flight Version | |||
| Negotiation packets to arrive. | Negotiation packets to arrive. | |||
| * Then, the second step is to progressively add the new version to | * Then, the second step is to progressively add the new version to | |||
| Offered Versions on all server instances. Once complete, | Offered Versions on all server instances. Once complete, | |||
| operators wait for at least another MSL. | operators wait for at least another MSL. | |||
| * Finally, the third step is to progressively add the new version to | * Finally, the third step is to progressively add the new version to | |||
| Fully-Deployed Versions on all server instances. | Fully Deployed Versions on all server instances. | |||
| When removing support for a version: | When removing support for a version: | |||
| * The first step is to progressively remove the version from Fully- | * The first step is to progressively remove the version from Fully | |||
| Deployed Versions on all server instances. Once it has been | Deployed Versions on all server instances. Once it has been | |||
| removed on all server instances, operators wait for at least one | removed on all server instances, operators wait for at least one | |||
| MSL to allow any in-flight Version Negotiation packets to arrive. | MSL to allow any in-flight Version Negotiation packets to arrive. | |||
| * Then, the second step is to progressively remove the version from | * Then, the second step is to progressively remove the version from | |||
| Offered Versions on all server instances. Once complete, | Offered Versions on all server instances. Once complete, | |||
| operators wait for at least another MSL. | operators wait for at least another MSL. | |||
| * Finally, the third step is to progressively remove support for the | * Finally, the third step is to progressively remove support for the | |||
| version from all server instances. That step updates the | version from all server instances. That step updates the | |||
| Acceptable Versions. | Acceptable Versions. | |||
| Note that, during the update window, connections are vulnerable to | Note that, during the update window, connections are vulnerable to | |||
| downgrade attacks for partially-deployed versions. This is because a | downgrade attacks for Acceptable Versions that are not Fully | |||
| client cannot distinguish such a downgrade attack from legitimate | Deployed. This is because a client cannot distinguish such a | |||
| exchanges with both updated and non-updated server instances. | downgrade attack from legitimate exchanges with both updated and non- | |||
| updated server instances. | ||||
| 6. Application Layer Protocol Considerations | 6. Application-Layer Protocol Considerations | |||
| When a client creates a QUIC connection, its goal is to use an | When a client creates a QUIC connection, its goal is to use an | |||
| application layer protocol. Therefore, when considering which | application-layer protocol. Therefore, when considering which | |||
| versions are compatible, clients will only consider versions that | versions are compatible, clients will only consider versions that | |||
| support one of the intended application layer protocols. If the | support one of the intended application-layer protocols. If the | |||
| client's first flight advertises multiple Application Layer Protocol | client's first flight advertises multiple Application-Layer Protocol | |||
| Negotiation (ALPN) [ALPN] tokens and multiple compatible versions, it | Negotiation (ALPN) [ALPN] tokens and multiple compatible versions, it | |||
| is possible for some application layer protocols to not be able to | is possible for some application-layer protocols to not be able to | |||
| run over some of the offered compatible versions. It is the server's | run over some of the offered compatible versions. It is the server's | |||
| responsibility to only select an ALPN token that can run over the | responsibility to only select an ALPN token that can run over the | |||
| compatible QUIC version that it selects. | compatible QUIC version that it selects. | |||
| A given ALPN token MUST NOT be used with a new QUIC version different | A given ALPN token MUST NOT be used with a new QUIC version that is | |||
| from the version for which the ALPN token was originally defined, | different from the version for which the ALPN token was originally | |||
| unless all the following requirements are met: | defined, unless all the following requirements are met: | |||
| * The new QUIC version supports the transport features required by | * The new QUIC version supports the transport features required by | |||
| the application protocol. | the application protocol. | |||
| * The new QUIC version supports ALPN. | * The new QUIC version supports ALPN. | |||
| * The version of QUIC for which the ALPN token was originally | * The version of QUIC for which the ALPN token was originally | |||
| defined is compatible with the new QUIC version. | defined is compatible with the new QUIC version. | |||
| When incompatible version negotiation is in use, the second | When incompatible version negotiation is in use, the second | |||
| connection which is created in response to the received version | connection that is created in response to the received Version | |||
| negotiation packet MUST restart its application layer protocol | Negotiation packet MUST restart its application-layer protocol | |||
| negotiation process without taking into account the original version. | negotiation process without taking into account the Original Version. | |||
| 7. Considerations for Future Versions | 7. Considerations for Future Versions | |||
| In order to facilitate the deployment of future versions of QUIC, | In order to facilitate the deployment of future versions of QUIC, | |||
| designers of future versions SHOULD attempt to design their new | designers of future versions SHOULD attempt to design their new | |||
| version such that commonly deployed versions are compatible with it. | version such that commonly deployed versions are compatible with it. | |||
| QUIC version 1 defines multiple features which are not documented in | QUIC version 1 defines multiple features which are not documented in | |||
| the QUIC invariants. Since, at the time of writing, QUIC version 1 | the QUIC invariants. Since, at the time of writing, QUIC version 1 | |||
| is widely deployed, this section discusses considerations for future | is widely deployed, this section discusses considerations for future | |||
| versions to help with compatibility with QUIC version 1. | versions to help with compatibility with QUIC version 1. | |||
| 7.1. Interaction with Retry | 7.1. Interaction with Retry | |||
| QUIC version 1 features Retry packets, which the server can send to | QUIC version 1 features Retry packets, which the server can send to | |||
| validate the client's IP address before parsing the client's first | validate the client's IP address before parsing the client's first | |||
| flight. A server that sends a Retry packet can do so before parsing | flight. A server that sends a Retry packet can do so before parsing | |||
| the client's first flight. A server that sends a Retry packet | the client's first flight. Therefore, a server that sends a Retry | |||
| therefore might not have processed the client's Version Information | packet might not have processed the client's Version Information | |||
| before doing so. | before doing so. | |||
| If a future document wishes to define compatibility between two | If a future document wishes to define compatibility between two | |||
| versions that support retry, that document MUST specify how version | versions that support Retry, that document MUST specify how version | |||
| negotiation (both compatible and incompatible) interacts with retry | negotiation (both compatible and incompatible) interacts with Retry | |||
| during a handshake that requires both. For example, that could be | during a handshake that requires both. For example, that could be | |||
| accomplished by having the server first send a Retry packet in the | accomplished by having the server first send a Retry packet in the | |||
| original version thereby validating the client's IP address before | Original Version, thereby validating the client's IP address before | |||
| attempting compatible version negotiation. If both versions support | attempting compatible version negotiation. If both versions support | |||
| authenticating Retry packets, the compatibility definition needs to | authenticating Retry packets, the compatibility definition needs to | |||
| define how to authenticate the Retry in the negotiated version | define how to authenticate the Retry in the Negotiated Version | |||
| handshake even though the Retry itself was sent using the client's | handshake even though the Retry itself was sent using the client's | |||
| chosen version. | Chosen Version. | |||
| 7.2. Interaction with TLS resumption | 7.2. Interaction with TLS Resumption | |||
| QUIC version 1 uses TLS 1.3, which supports session resumption by | QUIC version 1 uses TLS 1.3, which supports session resumption by | |||
| sending session tickets in one connection that can be used in a later | sending session tickets in one connection that can be used in a later | |||
| connection; see Section 2.2 of [TLS]. New versions that also use TLS | connection (see Section 2.2 of [TLS]). New versions that also use | |||
| 1.3 SHOULD mandate that their session tickets are tightly scoped to | TLS 1.3 SHOULD mandate that their session tickets are tightly scoped | |||
| one version of QUIC; i.e., require that clients not use them across | to one version of QUIC, i.e., require that clients not use them | |||
| multiple version and that servers validate this client requirement. | across multiple version and that servers validate this client | |||
| This helps mitigate cross-protocol attacks. | requirement. This helps mitigate cross-protocol attacks. | |||
| 7.3. Interaction with 0-RTT | 7.3. Interaction with 0-RTT | |||
| QUIC version 1 allows sending data from the client to the server | QUIC version 1 allows sending data from the client to the server | |||
| during the handshake, by using 0-RTT packets. If a future document | during the handshake by using 0-RTT packets. If a future document | |||
| wishes to define compatibility between two versions that support | wishes to define compatibility between two versions that support | |||
| 0-RTT, that document MUST address the scenario where there are 0-RTT | 0-RTT, that document MUST address the scenario where there are 0-RTT | |||
| packets in the client's first flight. For example, this could be | packets in the client's first flight. For example, this could be | |||
| accomplished by defining which transformations are applied to 0-RTT | accomplished by defining which transformations are applied to 0-RTT | |||
| packets. That document could specify that compatible version | packets. That document could specify that compatible version | |||
| negotiation causes 0-RTT data to be rejected by the server. | negotiation causes 0-RTT data to be rejected by the server. | |||
| 8. Special Handling for QUIC Version 1 | 8. Special Handling for QUIC Version 1 | |||
| Because QUIC version 1 was the only IETF Standards Track version of | Because QUIC version 1 was the only QUIC version that was published | |||
| QUIC published before this document, it is handled specially as | on the IETF Standards Track before this document, it is handled | |||
| follows: if a client is starting a QUIC version 1 connection in | specially as follows: if a client is starting a QUIC version 1 | |||
| response to a received Version Negotiation packet, and the | connection in response to a received Version Negotiation packet and | |||
| version_information transport parameter is missing from the server's | the version_information transport parameter is missing from the | |||
| transport parameters, then the client SHALL proceed as if the | server's transport parameters, then the client SHALL proceed as if | |||
| server's transport parameters contained a version_information | the server's transport parameters contained a version_information | |||
| transport parameter with a Chosen Version set to 0x00000001 and an | transport parameter with a Chosen Version set to 0x00000001 and an | |||
| Available Version list containing exactly one version set to | Available Version list containing exactly one version set to | |||
| 0x00000001. This allows version negotiation to work with servers | 0x00000001. This allows version negotiation to work with servers | |||
| that only support QUIC version 1. Note that implementations which | that only support QUIC version 1. Note that implementations that | |||
| wish to use version negotiation to negotiate versions other than QUIC | wish to use version negotiation to negotiate versions other than QUIC | |||
| version 1 will need to implement the version negotiation mechanism | version 1 MUST implement the version negotiation mechanism defined in | |||
| defined in this document. | this document. | |||
| 9. Security Considerations | 9. Security Considerations | |||
| The security of this version negotiation mechanism relies on the | The security of this version negotiation mechanism relies on the | |||
| authenticity of the Version Information exchanged during the | authenticity of the Version Information exchanged during the | |||
| handshake. In QUIC version 1, transport parameters are authenticated | handshake. In QUIC version 1, transport parameters are | |||
| ensuring the security of this mechanism. Negotiation between | authenticated, ensuring the security of this mechanism. Negotiation | |||
| compatible versions will have the security of the weakest common | between compatible versions will have the security of the weakest | |||
| version. | common version. | |||
| The requirement that versions not be assumed compatible mitigates the | The requirement that versions not be assumed compatible mitigates the | |||
| possibility of cross-protocol attacks, but more analysis is still | possibility of cross-protocol attacks, but more analysis is still | |||
| needed here. That analysis is out of scope for this document. | needed here. That analysis is out of scope for this document. | |||
| 10. IANA Considerations | 10. IANA Considerations | |||
| 10.1. QUIC Transport Parameter | 10.1. QUIC Transport Parameter | |||
| IANA has registered the following value in the "QUIC Transport | IANA has registered the following value in the "QUIC Transport | |||
| Parameters" registry maintained at <https://www.iana.org/assignments/ | Parameters" registry maintained at <https://www.iana.org/assignments/ | |||
| quic>. | quic>. | |||
| Value: 0x11 | Value: 0x11 | |||
| Parameter Name: version_information | Parameter Name: version_information | |||
| Status: permanent | Status: permanent | |||
| Specification: This document | Specification: RFC 9368 | |||
| 10.2. QUIC Transport Error Code | 10.2. QUIC Transport Error Code | |||
| IANA has registered the following value in the "QUIC Transport Error | IANA has registered the following value in the "QUIC Transport Error | |||
| Codes" registry maintained at <https://www.iana.org/assignments/ | Codes" registry maintained at <https://www.iana.org/assignments/ | |||
| quic>. | quic>. | |||
| Value: 0x11 | Value: 0x11 | |||
| Code: VERSION_NEGOTIATION_ERROR | Code: VERSION_NEGOTIATION_ERROR | |||
| Description: Error negotiating version | Description: Error negotiating version | |||
| Status: permanent | Status: permanent | |||
| Specification: This document | Specification: RFC 9368 | |||
| 11. References | 11. References | |||
| 11.1. Normative References | 11.1. Normative References | |||
| [ALPN] Friedl, S., Popov, A., Langley, A., and E. Stephan, | [ALPN] Friedl, S., Popov, A., Langley, A., and E. Stephan, | |||
| "Transport Layer Security (TLS) Application-Layer Protocol | "Transport Layer Security (TLS) Application-Layer Protocol | |||
| Negotiation Extension", RFC 7301, DOI 10.17487/RFC7301, | Negotiation Extension", RFC 7301, DOI 10.17487/RFC7301, | |||
| July 2014, <https://www.rfc-editor.org/rfc/rfc7301>. | July 2014, <https://www.rfc-editor.org/info/rfc7301>. | |||
| [QUIC] Iyengar, J., Ed. and M. Thomson, Ed., "QUIC: A UDP-Based | [QUIC] Iyengar, J., Ed. and M. Thomson, Ed., "QUIC: A UDP-Based | |||
| Multiplexed and Secure Transport", RFC 9000, | Multiplexed and Secure Transport", RFC 9000, | |||
| DOI 10.17487/RFC9000, May 2021, | DOI 10.17487/RFC9000, May 2021, | |||
| <https://www.rfc-editor.org/rfc/rfc9000>. | <https://www.rfc-editor.org/info/rfc9000>. | |||
| [QUIC-INVARIANTS] | [QUIC-INVARIANTS] | |||
| Thomson, M., "Version-Independent Properties of QUIC", | Thomson, M., "Version-Independent Properties of QUIC", | |||
| RFC 8999, DOI 10.17487/RFC8999, May 2021, | RFC 8999, DOI 10.17487/RFC8999, May 2021, | |||
| <https://www.rfc-editor.org/rfc/rfc8999>. | <https://www.rfc-editor.org/info/rfc8999>. | |||
| [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | |||
| Requirement Levels", BCP 14, RFC 2119, | Requirement Levels", BCP 14, RFC 2119, | |||
| DOI 10.17487/RFC2119, March 1997, | DOI 10.17487/RFC2119, March 1997, | |||
| <https://www.rfc-editor.org/rfc/rfc2119>. | <https://www.rfc-editor.org/info/rfc2119>. | |||
| [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC | [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC | |||
| 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, | 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, | |||
| May 2017, <https://www.rfc-editor.org/rfc/rfc8174>. | May 2017, <https://www.rfc-editor.org/info/rfc8174>. | |||
| [TLS] Rescorla, E., "The Transport Layer Security (TLS) Protocol | [TLS] Rescorla, E., "The Transport Layer Security (TLS) Protocol | |||
| Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018, | Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018, | |||
| <https://www.rfc-editor.org/rfc/rfc8446>. | <https://www.rfc-editor.org/info/rfc8446>. | |||
| 11.2. Informative References | 11.2. Informative References | |||
| [TCP] Eddy, W., Ed., "Transmission Control Protocol (TCP)", | [TCP] Eddy, W., Ed., "Transmission Control Protocol (TCP)", | |||
| STD 7, RFC 9293, DOI 10.17487/RFC9293, August 2022, | STD 7, RFC 9293, DOI 10.17487/RFC9293, August 2022, | |||
| <https://www.rfc-editor.org/rfc/rfc9293>. | <https://www.rfc-editor.org/info/rfc9293>. | |||
| Acknowledgments | Acknowledgments | |||
| The authors would like to thank Nick Banks, Mike Bishop, Martin Duke, | The authors would like to thank Nick Banks, Mike Bishop, Martin Duke, | |||
| Ryan Hamilton, Roberto Peon, Anthony Rossi, and Martin Thomson for | Ryan Hamilton, Roberto Peon, Anthony Rossi, and Martin Thomson for | |||
| their input and contributions. | their input and contributions. | |||
| Authors' Addresses | Authors' Addresses | |||
| David Schinazi | David Schinazi | |||
| End of changes. 104 change blocks. | ||||
| 304 lines changed or deleted | 291 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. | ||||