draft-ietf-quic-invariants-latest.txt   draft-ietf-quic-invariants-auth48.txt 
Internet Engineering Task Force (IETF) M. Thomson Internet Engineering Task Force (IETF) M. Thomson
Request for Comments: 8999 Mozilla Request for Comments: 8999 Mozilla
Category: Standards Track May 2021 Category: Standards Track April 2021
ISSN: 2070-1721 ISSN: 2070-1721
Version-Independent Properties of QUIC Version-Independent Properties of QUIC
Abstract Abstract
This document defines the properties of the QUIC transport protocol This document defines the properties of the QUIC transport protocol
that are common to all versions of the protocol. that are common to all versions of the protocol.
Status of This Memo Status of This Memo
skipping to change at page 2, line 7 skipping to change at line 45
(https://trustee.ietf.org/license-info) in effect on the date of (https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License. described in the Simplified BSD License.
Table of Contents Table of Contents
1. An Extremely Abstract Description of QUIC . . . . . . . . . . 2 1. An Extremely Abstract Description of QUIC
2. Fixed Properties of All QUIC Versions . . . . . . . . . . . . 2 2. Fixed Properties of All QUIC Versions
3. Conventions and Definitions . . . . . . . . . . . . . . . . . 3 3. Conventions and Definitions
4. Notational Conventions . . . . . . . . . . . . . . . . . . . 3 4. Notational Conventions
5. QUIC Packets . . . . . . . . . . . . . . . . . . . . . . . . 4 5. QUIC Packets
5.1. Long Header . . . . . . . . . . . . . . . . . . . . . . . 4 5.1. Long Header
5.2. Short Header . . . . . . . . . . . . . . . . . . . . . . 5 5.2. Short Header
5.3. Connection ID . . . . . . . . . . . . . . . . . . . . . . 6 5.3. Connection ID
5.4. Version . . . . . . . . . . . . . . . . . . . . . . . . . 6 5.4. Version
6. Version Negotiation . . . . . . . . . . . . . . . . . . . . . 6 6. Version Negotiation
7. Security and Privacy Considerations . . . . . . . . . . . . . 8 7. Security and Privacy Considerations
8. References . . . . . . . . . . . . . . . . . . . . . . . . . 8 8. IANA Considerations
8.1. Normative References . . . . . . . . . . . . . . . . . . 8 9. References
8.2. Informative References . . . . . . . . . . . . . . . . . 8 9.1. Normative References
Appendix A. Incorrect Assumptions . . . . . . . . . . . . . . . 9 9.2. Informative References
Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 10 Appendix A. Incorrect Assumptions
Author's Address
1. An Extremely Abstract Description of QUIC 1. An Extremely Abstract Description of QUIC
QUIC is a connection-oriented protocol between two endpoints. Those QUIC is a connection-oriented protocol between two endpoints. Those
endpoints exchange UDP datagrams. These UDP datagrams contain QUIC endpoints exchange UDP datagrams. These UDP datagrams contain QUIC
packets. QUIC endpoints use QUIC packets to establish a QUIC packets. QUIC endpoints use QUIC packets to establish a QUIC
connection, which is shared protocol state between those endpoints. connection, which is shared protocol state between those endpoints.
2. Fixed Properties of All QUIC Versions 2. Fixed Properties of All QUIC Versions
In addition to providing secure, multiplexed transport, QUIC In addition to providing secure, multiplexed transport, QUIC
[QUIC-TRANSPORT] allows for the option to negotiate a version. This [QUIC-TRANSPORT] allows for the option to negotiate a version. This
allows the protocol to change over time in response to new allows the protocol to change over time in response to new
requirements. Many characteristics of the protocol could change requirements. Many characteristics of the protocol could change
between versions. between versions.
This document describes the subset of QUIC that is intended to remain This document describes the subset of QUIC that is intended to remain
stable as new versions are developed and deployed. All of these stable as new versions are developed and deployed. The functionality
invariants are independent of the IP version. of all of these invariants is independent of the IP version.
The primary goal of this document is to ensure that it is possible to The primary goal of this document is to ensure that it is possible to
deploy new versions of QUIC. By documenting the properties that deploy new versions of QUIC. By documenting the properties that
cannot change, this document aims to preserve the ability for QUIC cannot change, this document aims to preserve the ability for QUIC
endpoints to negotiate changes to any other aspect of the protocol. endpoints to negotiate changes to any other aspect of the protocol.
As a consequence, this also guarantees a minimal amount of As a consequence, this also guarantees a minimal amount of
information that is made available to entities other than endpoints. information that is made available to entities other than endpoints.
Unless specifically prohibited in this document, any aspect of the Unless specifically prohibited in this document, any aspect of the
protocol can change between different versions. protocol can change between different versions.
Appendix A contains a non-exhaustive list of some incorrect Appendix A contains a non-exhaustive list of some incorrect
assumptions that might be made based on knowledge of QUIC version 1; assumptions that might be made based on knowledge of QUIC version 1;
these do not apply to every version of QUIC. these do not apply to every version of QUIC.
3. Conventions and Definitions 3. Conventions and Definitions
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in BCP "OPTIONAL" in this document are to be interpreted as described in
14 [RFC2119] [RFC8174] when, and only when, they appear in all BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all
capitals, as shown here. capitals, as shown here.
This document defines requirements on future QUIC versions, even This document defines requirements on future QUIC versions, even
where normative language is not used. where normative language is not used.
This document uses terms and notational conventions from This document uses terms and notational conventions from
[QUIC-TRANSPORT]. [QUIC-TRANSPORT].
4. Notational Conventions 4. Notational Conventions
skipping to change at page 3, line 43 skipping to change at line 129
fixed value, optionality, or repetitions. Individual fields use the fixed value, optionality, or repetitions. Individual fields use the
following notational conventions, with all lengths in bits: following notational conventions, with all lengths in bits:
x (A): Indicates that x is A bits long x (A): Indicates that x is A bits long
x (A..B): Indicates that x can be any length from A to B; A can be x (A..B): Indicates that x can be any length from A to B; A can be
omitted to indicate a minimum of zero bits, and B can be omitted omitted to indicate a minimum of zero bits, and B can be omitted
to indicate no set upper limit; values in this format always end to indicate no set upper limit; values in this format always end
on a byte boundary on a byte boundary
x (L) = C: Indicates that x has a fixed value of C; the length of x x (L) = C: Indicates that x, with a length described by L, has a
is described by L, which can use any of the length forms above fixed value of C
x (L) ...: Indicates that x is repeated zero or more times and that x (L) ...: Indicates that x is repeated zero or more times (and that
each instance has a length of L each instance is length L)
This document uses network byte order (that is, big endian) values. This document uses network byte order (that is, big endian) values.
Fields are placed starting from the high-order bits of each byte. Fields are placed starting from the high-order bits of each byte.
Figure 1 shows an example structure: Figure 1 shows an example structure:
Example Structure { Example Structure {
One-bit Field (1), One-bit Field (1),
7-bit Field with Fixed Value (7) = 61, 7-bit Field with Fixed Value (7) = 61,
Arbitrary-Length Field (..), Arbitrary-Length Field (..),
Variable-Length Field (8..24), Variable-Length Field (8..24),
Repeated Field (8) ..., Repeated Field (8) ...,
} }
Figure 1: Example Format Figure 1: Example Format
5. QUIC Packets 5. QUIC Packets
QUIC endpoints exchange UDP datagrams that contain one or more QUIC QUIC endpoints exchange UDP datagrams that contain one or more QUIC
packets. This section describes the invariant characteristics of a packets. This section describes the invariant characteristics of a
QUIC packet. A version of QUIC could permit multiple QUIC packets in QUIC packet. A version of QUIC could permit multiple QUIC packets in
a single UDP datagram, but the invariant properties only describe the a single UDP datagram, but the invariant properties only describe the
first packet in a datagram. first packet in a datagram.
QUIC defines two types of packet headers: long and short. Packets QUIC defines two types of packet headers: long and short. Packets
skipping to change at page 4, line 50 skipping to change at line 185
Header Form (1) = 1, Header Form (1) = 1,
Version-Specific Bits (7), Version-Specific Bits (7),
Version (32), Version (32),
Destination Connection ID Length (8), Destination Connection ID Length (8),
Destination Connection ID (0..2040), Destination Connection ID (0..2040),
Source Connection ID Length (8), Source Connection ID Length (8),
Source Connection ID (0..2040), Source Connection ID (0..2040),
Version-Specific Data (..), Version-Specific Data (..),
} }
Figure 2: QUIC Long Header Figure 2: QUIC Long Header
A QUIC packet with a long header has the high bit of the first byte A QUIC packet with a long header has the high bit of the first byte
set to 1. All other bits in that byte are version specific. set to 1. All other bits in that byte are version specific.
The next four bytes include a 32-bit Version field. Versions are The next four bytes include a 32-bit Version field. Versions are
described in Section 5.4. described in Section 5.4.
The next byte contains the length in bytes of the Destination The next byte contains the length in bytes of the Destination
Connection ID field that follows it. This length is encoded as an Connection ID field that follows it. This length is encoded as an
8-bit unsigned integer. The Destination Connection ID field follows 8-bit unsigned integer. The Destination Connection ID field follows
skipping to change at page 5, line 42 skipping to change at line 224
Version-Specific Data (..), Version-Specific Data (..),
} }
Figure 3: QUIC Short Header Figure 3: QUIC Short Header
A QUIC packet with a short header has the high bit of the first byte A QUIC packet with a short header has the high bit of the first byte
set to 0. set to 0.
A QUIC packet with a short header includes a Destination Connection A QUIC packet with a short header includes a Destination Connection
ID immediately following the first byte. The short header does not ID immediately following the first byte. The short header does not
include the Destination Connection ID Length, Source Connection ID include the Connection ID Lengths, Source Connection ID, or Version
Length, Source Connection ID, or Version fields. The length of the fields. The length of the Destination Connection ID is not encoded
Destination Connection ID is not encoded in packets with a short in packets with a short header and is not constrained by this
header and is not constrained by this specification. specification.
The remainder of the packet has version-specific semantics. The remainder of the packet has version-specific semantics.
5.3. Connection ID 5.3. Connection ID
A connection ID is an opaque field of arbitrary length. A connection ID is an opaque field of arbitrary length.
The primary function of a connection ID is to ensure that changes in The primary function of a connection ID is to ensure that changes in
addressing at lower protocol layers (UDP, IP, and below) do not cause addressing at lower protocol layers (UDP, IP, and below) do not cause
packets for a QUIC connection to be delivered to the wrong QUIC packets for a QUIC connection to be delivered to the wrong QUIC
skipping to change at page 7, line 16 skipping to change at line 284
Header Form (1) = 1, Header Form (1) = 1,
Unused (7), Unused (7),
Version (32) = 0, Version (32) = 0,
Destination Connection ID Length (8), Destination Connection ID Length (8),
Destination Connection ID (0..2040), Destination Connection ID (0..2040),
Source Connection ID Length (8), Source Connection ID Length (8),
Source Connection ID (0..2040), Source Connection ID (0..2040),
Supported Version (32) ..., Supported Version (32) ...,
} }
Figure 4: Version Negotiation Packet Figure 4: Version Negotiation Packet
Only the most significant bit of the first byte of a Version Only the most significant bit of the first byte of a Version
Negotiation packet has any defined value. The remaining 7 bits, Negotiation packet has any defined value. The remaining 7 bits,
labeled "Unused", can be set to any value when sending and MUST be labeled "Unused", can be set to any value when sending and MUST be
ignored on receipt. ignored on receipt.
After the Source Connection ID field, the Version Negotiation packet After the Source Connection ID field, the Version Negotiation packet
contains a list of Supported Version fields, each identifying a contains a list of Supported Version fields, each identifying a
version that the endpoint sending the packet supports. A Version version that the endpoint sending the packet supports. A Version
Negotiation packet contains no other fields. An endpoint MUST ignore Negotiation packet contains no other fields. An endpoint MUST ignore
a packet that contains no Supported Version fields or contains a a packet that contains no Supported Version fields or contains a
truncated Supported Version value. truncated Supported Version value.
Version Negotiation packets do not use integrity or confidentiality Version Negotiation packets do not use integrity or confidentiality
protection. Specific QUIC versions might include protocol elements protection. Specific QUIC versions might include protocol elements
that allow endpoints to detect modification or corruption in the set that allow endpoints to detect modification or corruption in the set
of supported versions. of supported versions.
An endpoint MUST include the value from the Source Connection ID An endpoint MUST include the value from the Source Connection ID
field of the packet it receives in the Destination Connection ID field of the packet it receives in the Destination Connection ID
field. The value for the Source Connection ID field MUST be copied field. The value for the Source Connection ID MUST be copied from
from the Destination Connection ID field of the received packet, the Destination Connection ID of the received packet, which is
which is initially randomly selected by a client. Echoing both initially randomly selected by a client. Echoing both connection IDs
connection IDs gives clients some assurance that the server received gives clients some assurance that the server received the packet and
the packet and that the Version Negotiation packet was not generated that the Version Negotiation packet was not generated by an attacker
by an attacker that is unable to observe packets. that is unable to observe packets.
An endpoint that receives a Version Negotiation packet might change An endpoint that receives a Version Negotiation packet might change
the version that it decides to use for subsequent packets. The the version that it decides to use for subsequent packets. The
conditions under which an endpoint changes its QUIC version will conditions under which an endpoint changes its QUIC version will
depend on the version of QUIC that it chooses. depend on the version of QUIC that it chooses.
See [QUIC-TRANSPORT] for a more thorough description of how an See [QUIC-TRANSPORT] for a more thorough description of how an
endpoint that supports QUIC version 1 generates and consumes a endpoint that supports QUIC version 1 generates and consumes a
Version Negotiation packet. Version Negotiation packet.
skipping to change at page 8, line 27 skipping to change at line 343
means that reliably extracting information from a flow based on means that reliably extracting information from a flow based on
version-specific traits requires that middleboxes retain state for version-specific traits requires that middleboxes retain state for
every connection ID they see. every connection ID they see.
The Version Negotiation packet described in this document is not The Version Negotiation packet described in this document is not
integrity protected; it only has modest protection against insertion integrity protected; it only has modest protection against insertion
by attackers. An endpoint MUST authenticate the semantic content of by attackers. An endpoint MUST authenticate the semantic content of
a Version Negotiation packet if it attempts a different QUIC version a Version Negotiation packet if it attempts a different QUIC version
as a result. as a result.
8. References 8. IANA Considerations
8.1. Normative References This document has no IANA actions.
9. References
9.1. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997, DOI 10.17487/RFC2119, March 1997,
<https://www.rfc-editor.org/info/rfc2119>. <https://www.rfc-editor.org/info/rfc2119>.
[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
May 2017, <https://www.rfc-editor.org/info/rfc8174>. May 2017, <https://www.rfc-editor.org/info/rfc8174>.
8.2. Informative References 9.2. Informative References
[QUIC-TLS] [QUIC-TLS] Thomson, M., Ed. and S. Turner, Ed., "Using TLS to Secure
Thomson, M., Ed. and S. Turner, Ed., "Using Transport QUIC", RFC 9001, DOI 10.17487/RFC9001, April 2021,
Layer Security (TLS) to Secure QUIC", RFC 9001,
DOI 10.17487/RFC9001, May 2021,
<https://www.rfc-editor.org/info/rfc9001>. <https://www.rfc-editor.org/info/rfc9001>.
[QUIC-TRANSPORT] [QUIC-TRANSPORT]
Iyengar, J., Ed. and M. Thomson, Ed., "QUIC: A UDP-Based Iyengar, J., Ed. and M. Thomson, Ed., "QUIC: A UDP-Based
Multiplexed and Secure Transport", RFC 9000, Multiplexed and Secure Transport", RFC 9000,
DOI 10.17487/RFC9000, May 2021, DOI 10.17487/RFC9000, April 2021,
<https://www.rfc-editor.org/info/rfc9000>. <https://www.rfc-editor.org/info/rfc9000>.
[RFC5116] McGrew, D., "An Interface and Algorithms for Authenticated [RFC5116] McGrew, D., "An Interface and Algorithms for Authenticated
Encryption", RFC 5116, DOI 10.17487/RFC5116, January 2008, Encryption", RFC 5116, DOI 10.17487/RFC5116, January 2008,
<https://www.rfc-editor.org/info/rfc5116>. <https://www.rfc-editor.org/info/rfc5116>.
Appendix A. Incorrect Assumptions Appendix A. Incorrect Assumptions
There are several traits of QUIC version 1 [QUIC-TRANSPORT] that are There are several traits of QUIC version 1 [QUIC-TRANSPORT] that are
not protected from observation but are nonetheless considered to be not protected from observation but are nonetheless considered to be
changeable when a new version is deployed. changeable when a new version is deployed.
This section lists a sampling of incorrect assumptions that might be This section lists a sampling of incorrect assumptions that might be
made about QUIC based on knowledge of QUIC version 1. Some of these made about QUIC based on knowledge of QUIC version 1. Some of these
statements are not even true for QUIC version 1. This is not an statements are not even true for QUIC version 1. This is not an
exhaustive list; it is intended to be illustrative only. exhaustive list; it is intended to be illustrative only.
*Any and all of the following statements can be false for a given *Any and all of the following statements can be false for a given
QUIC version:* QUIC version:*
o QUIC uses TLS [QUIC-TLS] and some TLS messages are visible on the * QUIC uses TLS [QUIC-TLS], and some TLS messages are visible on the
wire. wire.
o QUIC long headers are only exchanged during connection * QUIC long headers are only exchanged during connection
establishment. establishment.
o Every flow on a given 5-tuple will include a connection * Every flow on a given 5-tuple will include a connection
establishment phase. establishment phase.
o The first packets exchanged on a flow use the long header. * The first packets exchanged on a flow use the long header.
o The last packet before a long period of quiescence might be * The last packet before a long period of quiescence might be
assumed to contain only an acknowledgment. assumed to contain only an acknowledgment.
o QUIC uses an Authenticated Encryption with Associated Data (AEAD) * QUIC uses an Authenticated Encryption with Associated Data (AEAD)
function (AEAD_AES_128_GCM; see [RFC5116]) to protect the packets function (AEAD_AES_128_GCM; see [RFC5116]) to protect the packets
it exchanges during connection establishment. it exchanges during connection establishment.
o QUIC packet numbers are encrypted and appear as the first * QUIC packet numbers are encrypted and appear as the first
encrypted bytes. encrypted bytes.
o QUIC packet numbers increase by one for every packet sent. * QUIC packet numbers increase by one for every packet sent.
o QUIC has a minimum size for the first handshake packet sent by a * QUIC has a minimum size for the first handshake packet sent by a
client. client.
o QUIC stipulates that a client speak first. * QUIC stipulates that a client speak first.
o QUIC packets always have the second bit of the first byte (0x40) * QUIC packets always have the second bit of the first byte (0x40)
set. set.
o A QUIC Version Negotiation packet is only sent by a server. * A QUIC Version Negotiation packet is only sent by a server.
o A QUIC connection ID changes infrequently. * A QUIC connection ID changes infrequently.
o QUIC endpoints change the version they speak if they are sent a * QUIC endpoints change the version they speak if they are sent a
Version Negotiation packet. Version Negotiation packet.
o The Version field in a QUIC long header is the same in both * The Version field in a QUIC long header is the same in both
directions. directions.
o A QUIC packet with a particular value in the Version field means * A QUIC packet with a particular value in the Version field means
that the corresponding version of QUIC is in use. that the corresponding version of QUIC is in use.
o Only one connection at a time is established between any pair of * Only one connection at a time is established between any pair of
QUIC endpoints. QUIC endpoints.
Author's Address Author's Address
Martin Thomson Martin Thomson
Mozilla Mozilla
Email: mt@lowentropy.net Email: mt@lowentropy.net
 End of changes. 33 change blocks. 
63 lines changed or deleted 66 lines changed or added

This html diff was produced by rfcdiff 1.44jr. The latest version is available from http://tools.ietf.org/tools/rfcdiff/