diff options
Diffstat (limited to 'doc/rfc/rfc9368.txt')
-rw-r--r-- | doc/rfc/rfc9368.txt | 813 |
1 files changed, 813 insertions, 0 deletions
diff --git a/doc/rfc/rfc9368.txt b/doc/rfc/rfc9368.txt new file mode 100644 index 0000000..8ab47ba --- /dev/null +++ b/doc/rfc/rfc9368.txt @@ -0,0 +1,813 @@ + + + + +Internet Engineering Task Force (IETF) D. Schinazi +Request for Comments: 9368 Google LLC +Updates: 8999 E. Rescorla +Category: Standards Track Mozilla +ISSN: 2070-1721 May 2023 + + + Compatible Version Negotiation for QUIC + +Abstract + + QUIC does not provide a complete version negotiation mechanism but + instead only provides a way for the server to indicate that the + version the client chose is unacceptable. This document describes a + version negotiation mechanism that allows a client and server to + select a mutually supported version. Optionally, if the client's + chosen version and the negotiated version share a compatible first + flight format, the negotiation can take place without incurring an + extra round trip. This document updates RFC 8999. + +Status of This Memo + + This is an Internet Standards Track document. + + This document is a product of the Internet Engineering Task Force + (IETF). It represents the consensus of the IETF community. It has + received public review and has been approved for publication by the + Internet Engineering Steering Group (IESG). Further information on + Internet Standards is available in Section 2 of RFC 7841. + + Information about the current status of this document, any errata, + and how to provide feedback on it may be obtained at + https://www.rfc-editor.org/info/rfc9368. + +Copyright Notice + + Copyright (c) 2023 IETF Trust and the persons identified as the + document authors. All rights reserved. + + This document is subject to BCP 78 and the IETF Trust's Legal + Provisions Relating to IETF Documents + (https://trustee.ietf.org/license-info) in effect on the date of + publication of this document. Please review these documents + carefully, as they describe your rights and restrictions with respect + to this document. Code Components extracted from this document must + include Revised BSD License text as described in Section 4.e of the + Trust Legal Provisions and are provided without warranty as described + in the Revised BSD License. + +Table of Contents + + 1. Introduction + 1.1. Conventions + 1.2. Definitions + 2. Version Negotiation Mechanism + 2.1. Incompatible Version Negotiation + 2.2. Compatible Versions + 2.3. Compatible Version Negotiation + 2.4. Connections and Version Negotiation + 2.5. Client Choice of Original Version + 3. Version Information + 4. Version Downgrade Prevention + 5. Server Deployments of QUIC + 6. Application-Layer Protocol Considerations + 7. Considerations for Future Versions + 7.1. Interaction with Retry + 7.2. Interaction with TLS Resumption + 7.3. Interaction with 0-RTT + 8. Special Handling for QUIC Version 1 + 9. Security Considerations + 10. IANA Considerations + 10.1. QUIC Transport Parameter + 10.2. QUIC Transport Error Code + 11. References + 11.1. Normative References + 11.2. Informative References + Acknowledgments + Authors' Addresses + +1. Introduction + + The version-invariant properties of QUIC [QUIC-INVARIANTS] define a + Version Negotiation packet but do not specify how an endpoint reacts + when it receives one. QUIC version 1 [QUIC] allows the server to use + a Version Negotiation packet to indicate that the version the client + chose is unacceptable, but it doesn't allow the client to safely make + use of that information to create a new connection with a mutually + supported version. This document updates [QUIC-INVARIANTS] by + defining version negotiation mechanisms that leverage the Version + Negotiation packet. + + With proper safety mechanisms in place, the Version Negotiation + packet can be part of a mechanism to allow two QUIC implementations + to negotiate between two totally disjoint versions of QUIC. This + document specifies version negotiation using Version Negotiation + packets, which adds an extra round trip to connection establishment + if needed. + + It is beneficial to avoid additional round trips whenever possible, + especially given that most incremental versions are broadly similar + to the previous version. This specification also defines a simple + version negotiation mechanism which leverages similarities between + versions and can negotiate between "compatible" versions without + additional round trips. + +1.1. Conventions + + The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", + "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and + "OPTIONAL" in this document are to be interpreted as described in + BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all + capitals, as shown here. + +1.2. Definitions + + The document uses the following terms: + + * In the context of a given QUIC connection, the "first flight" of + packets refers to the set of packets the client creates and sends + to initiate the connection before it has heard back from the + server. + + * In the context of a given QUIC connection, the "client's Chosen + Version" is the QUIC version of the connection's first flight. + + * The "Original Version" is the QUIC version of the very first + packet the client sends to the server. If version negotiation + spans multiple connections (see Section 2.4), the Original Version + is equal to the client's Chosen Version of the first QUIC + connection. + + * The "Negotiated Version" is the QUIC version in use on the + connection once the version negotiation process completes. + + * The "Maximum Segment Lifetime" (MSL) represents the time a QUIC + packet can exist in the network. Implementations can make this + configurable, and a RECOMMENDED value is one minute. Note that + the term "segment" here originated in Section 3.4.1 of [TCP]. + +2. Version Negotiation Mechanism + + This document specifies two means of performing version negotiation: + 1) "incompatible", which requires a round trip and is applicable to + all versions, and 2) "compatible", which allows saving the round trip + but only applies when the versions are compatible (see Section 2.2). + + The client initiates a QUIC connection by choosing an Original + Version and sending a first flight of QUIC packets with a long header + to the server [QUIC-INVARIANTS]. The client's first flight includes + Version Information (see Section 3), which will be used to optionally + enable compatible version negotiation (see Section 2.3) and to + prevent version downgrade attacks (see Section 4). + + Upon receiving this first flight, the server verifies whether it + knows how to parse first flights from the Chosen Version (which is + also the Original Version in this case). If it does not, then it + starts incompatible version negotiation (see Section 2.1), which + causes the client to initiate a new connection with a different + version. For instance, if the client initiates a connection with + version A that the server can't parse, the server starts incompatible + version negotiation; then, when the client initiates a new connection + with version B, we say that the first connection's client Chosen + Version is A, the second connection's client Chosen Version is B, and + the Original Version for the entire sequence is A. + + If the server can parse the first flight, it can establish the + connection using the client's Chosen Version, or it MAY select any + other compatible version, as described in Section 2.3. + + Note that it is possible for a server to have the ability to parse + the first flight of a given version without fully supporting it, in + the sense that it implements enough of the version's specification to + parse first flight packets but not enough to fully establish a + connection using that version. + +2.1. Incompatible Version Negotiation + + The server starts incompatible version negotiation by sending a + Version Negotiation packet. This packet SHALL include each entry + from the server's set of Offered Versions (see Section 5) in a + Supported Version field. The server MAY add reserved versions (as + defined in Section 6.3 of [QUIC]) in Supported Version fields. + + Clients will ignore a Version Negotiation packet if it contains the + Original Version attempted by the client, as required by Section 4. + The client also ignores a Version Negotiation packet that contains + incorrect connection ID fields, as required by Section 6 of + [QUIC-INVARIANTS]. + + Upon receiving the Version Negotiation packet, the client SHALL + search for a version it supports in the list provided by the server. + If it doesn't find one, it SHALL abort the connection attempt. + Otherwise, it SHALL select a mutually supported version and send a + new first flight with that version -- this version is now the + Negotiated Version. + + The new first flight will allow the endpoints to establish a + connection using the Negotiated Version. The handshake of the + Negotiated Version will exchange Version Information (see Section 3) + that is required to ensure that version negotiation was genuine, + i.e., that no attacker injected packets in order to influence the + version negotiation process (see Section 4). + + Only servers can start incompatible version negotiation. Clients + MUST NOT send Version Negotiation packets and servers MUST ignore all + received Version Negotiation packets. + +2.2. Compatible Versions + + If A and B are two distinct versions of QUIC, A is said to be + "compatible" with B if it is possible to take a first flight of + packets from version A and convert it into a first flight of packets + from version B. As an example, if versions A and B are absolutely + equal in their wire image and behavior during the handshake but + differ after the handshake, then A is compatible with B and B is + compatible with A. Note that the conversion of the first flight can + be lossy; some data, such as QUIC version 1 0-RTT packets, could be + ignored during conversion and retransmitted later. + + Version compatibility is not symmetric. It is possible for version A + to be compatible with version B and for version B not to be + compatible with version A. This could happen, for example, if + version B is a strict superset of version A, i.e., if version A + includes the concept of streams and STREAM frames and version B + includes the concept of streams and the hypothetical concept of tubes + along with STREAM and TUBE frames, then A would be compatible with B, + but B would not be compatible with A. + + Note that version compatibility does not mean that every single + possible instance of a first flight will succeed in conversion to the + other version. A first flight using version A is said to be + "compatible" with version B if two conditions are met: (1) version A + is compatible with version B and (2) the conversion of this first + flight to version B is well defined. For example, if version B is + equal to version A in all aspects except it introduced a new frame in + its first flight that version A cannot parse or even ignore, then + version B could still be compatible with version A, as conversions + would succeed for connections where that frame is not used. In this + example, first flights using version B that carry this new frame + would not be compatible with version A. + + When a new version of QUIC is defined, it is assumed to not be + compatible with any other version unless otherwise specified. + Similarly, no other version is compatible with the new version unless + otherwise specified. Implementations MUST NOT assume compatibility + between versions unless explicitly specified. + + Note that both endpoints might disagree on whether two versions are + compatible or not. For example, two versions could have been defined + concurrently and then specified as compatible in a third document + much later -- in that scenario, one endpoint might be aware of the + compatibility document, while the other may not. + +2.3. Compatible Version Negotiation + + When the server can parse the client's first flight using the + client's Chosen Version, it can extract the client's Version + Information structure (see Section 3). This contains the list of + versions that the client knows its first flight is compatible with. + + In order to perform compatible version negotiation, the server MUST + select one of these versions that it (1) supports and (2) knows the + client's Chosen Version is compatible with. This selected version is + now the Negotiated Version. After selecting it, the server attempts + to convert the client's first flight into that version and replies to + the client as if it had received the converted first flight. + + If those formats are identical, as in cases where the Negotiated + Version is the same as the client's Chosen Version, then this will be + the identity transformation. If the first flight is correctly + formatted, then this conversion process cannot fail by definition of + the first flight being compatible; if the server is unable to convert + the first flight, it MUST abort the handshake. + + If a document specifies that a QUIC version is compatible with + another, that document MUST specify the mechanism by which clients + are made aware of the Negotiated Version. An example of such a + mechanism is to have the client determine the server's Negotiated + Version by examining the QUIC long header Version field. Note that, + in this example mechanism, it is possible for the server to initially + send packets with the client's Chosen Version before switching to the + Negotiated Version (this can happen when the client's Version + Information structure spans multiple packets; in that case, the + server might acknowledge the first packet in the client's Chosen + Version and later switch to a different Negotiated Version). + Mutually compatible versions SHOULD use the same mechanism. + + Note that, after the first flight is converted to the Negotiated + Version, the handshake completes in the Negotiated Version. If the + Negotiated Version has requirements that apply during the handshake, + those requirements apply to the entire handshake, including the + converted first flight. In particular, if the Negotiated Version + mandates that endpoints perform validations on Handshake packets, + endpoints MUST also perform such validations on the converted first + flight. For instance, if the Negotiated Version requires that the + 5-tuple remain stable for the entire handshake (as QUIC version 1 + does), then both endpoints need to validate the 5-tuple of all + packets received during the handshake, including the converted first + flight. + + Note also that the client can disable compatible version negotiation + by only including the Chosen Version in the Available Versions field + of the Version Information (see Section 3). + + If the server does not find a compatible version (including the + client's Chosen Version), it will perform incompatible version + negotiation instead (see Section 2.1). + + Note that it is possible to have incompatible version negotiation + followed by compatible version negotiation. For instance, if version + A is compatible with version B and version C is compatible with + version D, the following scenario could occur: + + Client Server + + Chosen = A, Available Versions = (A, B) -------------> + <------------------------ Version Negotiation = (D, C) + + Chosen = C, Available Versions = (C, D) -------------> + <------------- Chosen = D, Available Versions = (D, C) + + Figure 1: Combined Negotiation Example + + In this example, the client selected C from the server's Version + Negotiation packet, but the server preferred D and then selected it + from the client's offer. + +2.4. Connections and Version Negotiation + + QUIC connections are shared state between a client and a server + [QUIC-INVARIANTS]. The compatible version negotiation mechanism + defined in this document (see Section 2.3) is performed as part of a + single QUIC connection; that is, the packets with the client's Chosen + Version are part of the same connection as the packets with the + Negotiated Version. + + In comparison, the incompatible version negotiation mechanism, which + leverages QUIC Version Negotiation packets (see Section 2.1), + conceptually operates across two QUIC connections, i.e., the + connection attempt prior to receiving the Version Negotiation packet + is distinct from the connection with the incompatible version that + follows. + + Note that this separation across two connections is conceptual, i.e., + it applies to normative requirements on QUIC connections, but it does + not require implementations to internally use two distinct connection + objects. + +2.5. Client Choice of Original Version + + When the client picks its Original Version, it SHOULD try to avoid + incompatible version negotiation to save a round trip. Therefore, + the client SHOULD pick an Original Version to maximize the combined + probability that both: + + * the server knows how to parse first flights from the Original + Version and + + * the Original Version is compatible with the client's preferred + version. + + Without additional information, this could mean selecting the oldest + version that the client supports while advertising newer compatible + versions in the client's first flight. + +3. Version Information + + During the handshake, endpoints will exchange Version Information, + which consists of a Chosen Version and a list of Available Versions. + Any version of QUIC that supports this mechanism MUST provide a + mechanism to exchange Version Information in both directions during + the handshake, such that this data is authenticated. + + In QUIC version 1, the Version Information is transmitted using a new + version_information transport parameter (see Section 7.4 of [QUIC]). + The contents of Version Information are shown below (using the + notation from Section 1.3 of [QUIC]): + + Version Information { + Chosen Version (32), + Available Versions (32) ..., + } + + Figure 2: Version Information Format + + The content of each field is described below: + + Chosen Version: The version that the sender has chosen to use for + this connection. In most cases, this field will be equal to the + value of the Version field in the long header that carries this + data; however, future versions or extensions can choose to set + different values in the long header Version field. + + The contents of the Available Versions field depend on whether it is + sent by the client or by the server. + + Client-Sent Available Versions: When sent by a client, the Available + Versions field lists all the versions that this first flight is + compatible with, ordered by descending preference. Note that the + version in the Chosen Version field MUST be included in this list + to allow the client to communicate the Chosen Version's + preference. Note that this preference is only advisory; servers + MAY choose to use their own preference instead. + Server-Sent Available Versions: When sent by a server, the Available + Versions field lists all the Fully Deployed Versions of this + server deployment (see Section 5). The ordering of the versions + in this field does not carry any semantics. Note that the version + in the Chosen Version field is not necessarily included in this + list, because the server operator could be in the process of + removing support for this version. For the same reason, the + Available Versions field MAY be empty. + + Clients and servers MAY both include versions following the pattern + 0x?a?a?a?a in their Available Versions list. Those versions are + reserved to exercise version negotiation (see Section 15 of [QUIC]) + and will never be selected when choosing a version to use. + +4. Version Downgrade Prevention + + A version downgrade is an attack where a malicious entity manages to + make the QUIC endpoints negotiate a QUIC version different from the + one they would have negotiated in the absence of the attack. The + mechanism described in this document is designed to prevent downgrade + attacks. + + Clients MUST ignore any received Version Negotiation packets that + contain the Original Version. A client that makes a connection + attempt based on information received from a Version Negotiation + packet MUST ignore any Version Negotiation packets it receives in + response to that connection attempt. + + Both endpoints MUST parse their peer's Version Information during the + handshake. If that leads to a parsing failure (for example, if it is + too short or if its length is not divisible by four), then the + endpoint MUST close the connection; if the connection was using QUIC + version 1, that connection closure MUST use a transport error of type + TRANSPORT_PARAMETER_ERROR. If an endpoint receives a Chosen Version + equal to zero, or any Available Version equal to zero, it MUST treat + it as a parsing failure. If a server receives Version Information + where the Chosen Version is not included in Available Versions, it + MUST treat it as a parsing failure. + + Every QUIC version that supports version negotiation MUST define a + method for closing the connection with a version negotiation error. + For QUIC version 1, version negotiation errors are signaled using a + transport error of type VERSION_NEGOTIATION_ERROR (see Section 10.2). + + When a server receives a client's first flight, the server will first + establish which QUIC version is in use for this connection in order + to properly parse the first flight. This may involve examining data + that is not part of the handshake transcript, such as parts of the + packet header. When the server then processes the client's Version + Information, the server MUST validate that the client's Chosen + Version matches the version in use for the connection. If the two + differ, the server MUST close the connection with a version + negotiation error. + + In the specific case of QUIC version 1, the server determines that + version 1 is in use by observing that the Version field of the first + Long Header packet it receives is set to 0x00000001. Subsequently, + if the server receives the client's Version Information over QUIC + version 1 (as indicated by the Version field of the Long Header + packets that carried the transport parameters) and the client's + Chosen Version is not set to 0x00000001, the server MUST close the + connection with a version negotiation error. + + Servers MAY complete the handshake even if the Version Information is + missing. Clients MUST NOT complete the handshake if they are + reacting to a Version Negotiation packet and the Version Information + is missing, but MAY do so otherwise. + + If a client receives Version Information where the server's Chosen + Version was not sent by the client as part of its Available Versions, + the client MUST close the connection with a version negotiation + error. If a client has reacted to a Version Negotiation packet and + the server's Version Information was missing, the client MUST close + the connection with a version negotiation error. + + If the client received and acted on a Version Negotiation packet, the + client MUST validate the server's Available Versions field. The + Available Versions field is validated by confirming that the client + would have attempted the same version with knowledge of the versions + the server supports. That is, the client would have selected the + same version if it received a Version Negotiation packet that listed + the versions in the server's Available Versions field, plus the + Negotiated Version. If the client would have selected a different + version, the client MUST close the connection with a version + negotiation error. In particular, if the client reacted to a Version + Negotiation packet and the server's Available Versions field is + empty, the client MUST close the connection with a version + negotiation error. These connection closures prevent an attacker + from being able to use forged Version Negotiation packets to force a + version downgrade. + + As an example, let's assume a client supports hypothetical QUIC + versions 10, 12, and 14 with a preference for higher versions. The + client initiates a connection attempt with version 12. Let's explore + two independent example scenarios: + + * In the first scenario, the server supports versions 10, 13, and + 14, but only 13 and 14 are Fully Deployed (see Section 5). The + server sends a Version Negotiation packet with versions 10, 13, + and 14. This triggers an incompatible version negotiation, and + the client initiates a new connection with version 14. Then, the + server's Available Versions field contains 13 and 14. In that + scenario, the client would have also picked 14 if it had received + a Version Negotiation packet with versions 13 and 14; therefore, + the handshake succeeds using Negotiated Version 14. + + * In the second scenario, the server supports versions 10, 13, and + 14, and they are all Fully Deployed. However, the attacker forges + a Version Negotiation packet with versions 10 and 13. This + triggers an incompatible version negotiation, and the client + initiates a new connection with version 10. Then, the server's + Available Versions field contains 10, 13, and 14. In that + scenario, the client would have picked 14 instead of 10 if it had + received a Version Negotiation packet with versions 10, 13, and + 14; therefore, the client aborts the handshake with a version + negotiation error. + + This validation of Available Versions is not sufficient to prevent + downgrade. Downgrade prevention also depends on the client ignoring + Version Negotiation packets that contain the Original Version (see + Section 2.1). + + After the process of version negotiation described in this document + completes, the version in use for the connection is the version that + the server sent in the Chosen Version field of its Version + Information. That remains true even if other versions were used in + the Version field of long headers at any point in the lifetime of the + connection. In particular, since the client can be made aware of the + Negotiated Version by the QUIC long header version during compatible + version negotiation (see Section 2.3), clients MUST validate that the + server's Chosen Version is equal to the Negotiated Version; if they + do not match, the client MUST close the connection with a version + negotiation error. This prevents an attacker's ability to influence + version negotiation by forging the long header Version field. + +5. Server Deployments of QUIC + + While this document mainly discusses a single QUIC server, it is + common for deployments of QUIC servers to include a fleet of multiple + server instances. Therefore, we define the following terms: + + Acceptable Versions: This is the set of versions supported by a + given server instance. More specifically, these are the versions + that a given server instance will use if a client sends a first + flight using them. + Offered Versions: This is the set of versions that a given server + instance will send in a Version Negotiation packet if it receives + a first flight from an unknown version. This set will most often + be equal to the Acceptable Versions set, except during short + transitions while versions are added or removed (see below). + Fully Deployed Versions: This is the set of QUIC versions that is + supported and negotiated by every single QUIC server instance in + this deployment. If a deployment only contains a single server + instance, then this set is equal to the Offered Versions set, + except during short transitions while versions are added or + removed (see below). + + If a deployment contains multiple server instances, software updates + may not happen at exactly the same time on all server instances. + Because of this, a client might receive a Version Negotiation packet + from a server instance that has already been updated, and the + client's resulting connection attempt might reach a different server + instance which hasn't been updated yet. + + However, even when there is only a single server instance, it is + still possible to receive a stale Version Negotiation packet if the + server performs its software update while the Version Negotiation + packet is in flight. + + This could cause the version downgrade prevention mechanism described + in Section 4 to falsely detect a downgrade attack. To avoid that, + server operators SHOULD perform a three-step process when they wish + to add or remove support for a version, as described below. + + When adding support for a new version: + + * The first step is to progressively add support for the new version + to all server instances. This step updates the Acceptable + Versions but not the Offered Versions nor the Fully Deployed + Versions. Once all server instances have been updated, operators + wait for at least one MSL to allow any in-flight Version + Negotiation packets to arrive. + + * Then, the second step is to progressively add the new version to + Offered Versions on all server instances. Once complete, + operators wait for at least another MSL. + + * Finally, the third step is to progressively add the new version to + Fully Deployed Versions on all server instances. + + When removing support for a version: + + * The first step is to progressively remove the version from Fully + Deployed Versions on all server instances. Once it has been + removed on all server instances, operators wait for at least one + MSL to allow any in-flight Version Negotiation packets to arrive. + + * Then, the second step is to progressively remove the version from + Offered Versions on all server instances. Once complete, + operators wait for at least another MSL. + + * Finally, the third step is to progressively remove support for the + version from all server instances. That step updates the + Acceptable Versions. + + Note that, during the update window, connections are vulnerable to + downgrade attacks for Acceptable Versions that are not Fully + Deployed. This is because a client cannot distinguish such a + downgrade attack from legitimate exchanges with both updated and non- + updated server instances. + +6. Application-Layer Protocol Considerations + + When a client creates a QUIC connection, its goal is to use an + application-layer protocol. Therefore, when considering which + versions are compatible, clients will only consider versions that + support one of the intended application-layer protocols. If the + client's first flight advertises multiple Application-Layer Protocol + Negotiation (ALPN) [ALPN] tokens and multiple compatible versions, it + is possible for some application-layer protocols to not be able to + run over some of the offered compatible versions. It is the server's + responsibility to only select an ALPN token that can run over the + compatible QUIC version that it selects. + + A given ALPN token MUST NOT be used with a new QUIC version that is + different from the version for which the ALPN token was originally + defined, unless all the following requirements are met: + + * The new QUIC version supports the transport features required by + the application protocol. + + * The new QUIC version supports ALPN. + + * The version of QUIC for which the ALPN token was originally + defined is compatible with the new QUIC version. + + When incompatible version negotiation is in use, the second + connection that is created in response to the received Version + Negotiation packet MUST restart its application-layer protocol + negotiation process without taking into account the Original Version. + +7. Considerations for Future Versions + + In order to facilitate the deployment of future versions of QUIC, + designers of future versions SHOULD attempt to design their new + version such that commonly deployed versions are compatible with it. + + QUIC version 1 defines multiple features which are not documented in + the QUIC invariants. Since, at the time of writing, QUIC version 1 + is widely deployed, this section discusses considerations for future + versions to help with compatibility with QUIC version 1. + +7.1. Interaction with Retry + + QUIC version 1 features Retry packets, which the server can send to + validate the client's IP address before parsing the client's first + flight. A server that sends a Retry packet can do so before parsing + the client's first flight. Therefore, a server that sends a Retry + packet might not have processed the client's Version Information + before doing so. + + If a future document wishes to define compatibility between two + versions that support Retry, that document MUST specify how version + negotiation (both compatible and incompatible) interacts with Retry + during a handshake that requires both. For example, that could be + accomplished by having the server first send a Retry packet in the + Original Version, thereby validating the client's IP address before + attempting compatible version negotiation. If both versions support + authenticating Retry packets, the compatibility definition needs to + define how to authenticate the Retry in the Negotiated Version + handshake even though the Retry itself was sent using the client's + Chosen Version. + +7.2. Interaction with TLS Resumption + + QUIC version 1 uses TLS 1.3, which supports session resumption by + sending session tickets in one connection that can be used in a later + connection (see Section 2.2 of [TLS]). New versions that also use + TLS 1.3 SHOULD mandate that their session tickets are tightly scoped + to one version of QUIC, i.e., require that clients not use them + across multiple version and that servers validate this client + requirement. This helps mitigate cross-protocol attacks. + +7.3. Interaction with 0-RTT + + QUIC version 1 allows sending data from the client to the server + during the handshake by using 0-RTT packets. If a future document + wishes to define compatibility between two versions that support + 0-RTT, that document MUST address the scenario where there are 0-RTT + packets in the client's first flight. For example, this could be + accomplished by defining which transformations are applied to 0-RTT + packets. That document could specify that compatible version + negotiation causes 0-RTT data to be rejected by the server. + +8. Special Handling for QUIC Version 1 + + Because QUIC version 1 was the only QUIC version that was published + on the IETF Standards Track before this document, it is handled + specially as follows: if a client is starting a QUIC version 1 + connection in response to a received Version Negotiation packet and + the version_information transport parameter is missing from the + server's transport parameters, then the client SHALL proceed as if + the server's transport parameters contained a version_information + transport parameter with a Chosen Version set to 0x00000001 and an + Available Version list containing exactly one version set to + 0x00000001. This allows version negotiation to work with servers + that only support QUIC version 1. Note that implementations that + wish to use version negotiation to negotiate versions other than QUIC + version 1 MUST implement the version negotiation mechanism defined in + this document. + +9. Security Considerations + + The security of this version negotiation mechanism relies on the + authenticity of the Version Information exchanged during the + handshake. In QUIC version 1, transport parameters are + authenticated, ensuring the security of this mechanism. Negotiation + between compatible versions will have the security of the weakest + common version. + + The requirement that versions not be assumed compatible mitigates the + possibility of cross-protocol attacks, but more analysis is still + needed here. That analysis is out of scope for this document. + +10. IANA Considerations + +10.1. QUIC Transport Parameter + + IANA has registered the following value in the "QUIC Transport + Parameters" registry maintained at <https://www.iana.org/assignments/ + quic>. + + Value: 0x11 + Parameter Name: version_information + Status: permanent + Specification: RFC 9368 + +10.2. QUIC Transport Error Code + + IANA has registered the following value in the "QUIC Transport Error + Codes" registry maintained at <https://www.iana.org/assignments/ + quic>. + + Value: 0x11 + Code: VERSION_NEGOTIATION_ERROR + Description: Error negotiating version + Status: permanent + Specification: RFC 9368 + +11. References + +11.1. Normative References + + [ALPN] Friedl, S., Popov, A., Langley, A., and E. Stephan, + "Transport Layer Security (TLS) Application-Layer Protocol + Negotiation Extension", RFC 7301, DOI 10.17487/RFC7301, + July 2014, <https://www.rfc-editor.org/info/rfc7301>. + + [QUIC] Iyengar, J., Ed. and M. Thomson, Ed., "QUIC: A UDP-Based + Multiplexed and Secure Transport", RFC 9000, + DOI 10.17487/RFC9000, May 2021, + <https://www.rfc-editor.org/info/rfc9000>. + + [QUIC-INVARIANTS] + Thomson, M., "Version-Independent Properties of QUIC", + RFC 8999, DOI 10.17487/RFC8999, May 2021, + <https://www.rfc-editor.org/info/rfc8999>. + + [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate + Requirement Levels", BCP 14, RFC 2119, + DOI 10.17487/RFC2119, March 1997, + <https://www.rfc-editor.org/info/rfc2119>. + + [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC + 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, + May 2017, <https://www.rfc-editor.org/info/rfc8174>. + + [TLS] Rescorla, E., "The Transport Layer Security (TLS) Protocol + Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018, + <https://www.rfc-editor.org/info/rfc8446>. + +11.2. Informative References + + [TCP] Eddy, W., Ed., "Transmission Control Protocol (TCP)", + STD 7, RFC 9293, DOI 10.17487/RFC9293, August 2022, + <https://www.rfc-editor.org/info/rfc9293>. + +Acknowledgments + + The authors would like to thank Nick Banks, Mike Bishop, Martin Duke, + Ryan Hamilton, Roberto Peon, Anthony Rossi, and Martin Thomson for + their input and contributions. + +Authors' Addresses + + David Schinazi + Google LLC + 1600 Amphitheatre Parkway + Mountain View, CA 94043 + United States of America + Email: dschinazi.ietf@gmail.com + + + Eric Rescorla + Mozilla + Email: ekr@rtfm.com |