Internet-Draft | QUIC Retry Offload | March 2022 |
Duke & Banks | Expires 29 September 2022 | [Page] |
- Workgroup:
- QUIC
- Internet-Draft:
- draft-duke-quic-retry-offload-00
- Published:
- Intended Status:
- Standards Track
- Expires:
QUIC Retry Offload
Abstract
QUIC uses Retry packets to reduce load on stressed servers, by forcing the client to prove ownership of its address before the server commits state. QUIC also has an anti-tampering mechanism to prevent the unauthorized injection of Retry packets into a connection. However, a server operator may want to offload production of Retry packets to an anti-Denial-of-Service agent or hardware accelerator. "Retry Offload" is a mechanism for coordination between a server and an external generator of Retry packets that can succeed despite the anti-tampering mechanism.¶
Note to Readers
Discussion of this document takes place on the QUIC Working Group mailing list (quic@ietf.org), which is archived at https://mailarchive.ietf.org/arch/browse/quic/.¶
Source for this draft and an issue tracker can be found at https://github.com/quicwg/load-balancers.¶
Status of This Memo
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.¶
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.¶
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."¶
This Internet-Draft will expire on 29 September 2022.¶
Copyright Notice
Copyright (c) 2022 IETF Trust and the persons identified as the document authors. All rights reserved.¶
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License.¶
1. Introduction
QUIC [RFC9000] servers send Retry packets to avoid prematurely allocating resources when under stress, such as during a Denial of Service (DoS) attack. Because both Initial packets and Retry packets have weak authentication properties, the Retry packet contains an encrypted token that helps the client and server to validate, via transport parameters, that an attacker did not inject or modify a packet of either type for this connection attempt.¶
However, a server under stress is less inclined to process incoming Initial packets and compute the Retry token in the first place. An analogous mechanism for TCP is syncookies [RFC4987]. As TCP has weaker authentication properties to QUIC, syncookie generation can often be offloaded to a hardware device, or to a anti-Denial-of-Service provider that is topologically far from the protected server. As such an offload would behave exactly like an attacker, QUIC's authentication methods make such a capability impossible.¶
This document seeks to enable offloading of Retry generation to QUIC via explicit coordination between servers and the hardware or provider offload, which this document refers to as a "Retry Offload." It has two different modes, to conform to two different use cases.¶
The no-shared-state mode has minimal coordination and does not require key sharing. While operationally easier to configure and manage, it places severe constraints on the operational profile of the offload. In particular, the offload must control all ingress to the server and fail closed.¶
The shared-state mode removes the operational constraints, but also requires more sophisticated key management.¶
Both modes specify a common format for encoding information in the Retry token, so that the server can correctly populate the relevant transport parameter fields.¶
1.1. Terminology
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119 [RFC2119].¶
In this document, these words will appear with that interpretation only when in ALL CAPS. Lower case uses of these words are not to be interpreted as carrying significance described in RFC 2119.¶
For brevity, "Connection ID" will often be abbreviated as "CID".¶
A "Retry Offload" is a hardware or software device that is conceptually separate from a QUIC server that terminates QUIC connections. This document assumes that the Retry Offload and the server have an administrative relationship that allows them to accept common configuation.¶
A "configuration agent" is some entity that determines the common configuration to be distributed to the servers and the Retry Offload.¶
This document uses "QUIC" to refer to the protocol in QUIC version 1 [RFC9000]. Retry offloads can be applied to other versions of QUIC that use Retry packets and have identical information requirements for Retry validation. However, note that source and destination connection IDs are the only relevant data fields that are invariant across QUIC versions [RFC8999].¶
2. Common Requirements
Regardless of mechanism, a Retry Offload has an active mode, where it is generating Retry packets, and an inactive mode, where it is not, based on its assessment of server load and the likelihood an attack is underway. The choice of mode MAY be made on a per-packet or per-connection basis, through a stochastic process or based on client address.¶
A configuration agent MUST distribute a list of QUIC versions the Retry Offload supports. It MAY also distribute either an "Allow-List" or a "Deny-List" of other QUIC versions. It MUST NOT distribute both an Allow-List and a Deny-List.¶
The Allow-List or Deny-List MUST NOT include any versions included for Retry Offload support.¶
The Configuration Agent MUST provide a means for the entity that controls the Retry Offload to report its supported version(s) to the configuration Agent. If the entity has not reported this information, it MUST NOT activate the Retry Offload and the configuration agent MUST NOT distribute configuration that activates it.¶
The configuration agent MAY delete versions from the final supported version list if policy does not require the Retry Offload to operate on those versions.¶
The configuration Agent MUST provide a means for the entities that control servers behind the Retry Offload to report either an Allow-List or a Deny-List.¶
If all entities supply Allow-Lists, the consolidated list MUST be the union of these sets. If all entities supply Deny-Lists, the consolidated list MUST be the intersection of these sets.¶
If entities provide a mixture of Allow-Lists and Deny-Lists, the consolidated list MUST be a Deny-List that is the intersection of all provided Deny-Lists and the inverses of all Allow-Lists.¶
If no entities that control servers have reported Allow-Lists or Deny-Lists, the default is a Deny-List with the null set (i.e., all unsupported versions will be admitted). This preserves the future extensibilty of QUIC.¶
A Retry Offload MUST forward all packets for a QUIC version it does not support that are not on a Deny-List or absent from an Allow-List. Note that if servers support versions the Retry Offload does not, this may increase load on the servers.¶
Note that future versions of QUIC might not have Retry packets, require different information in Retry, or use different packet type indicators.¶
2.1. Considerations for Non-Initial Packets
Initial Packets are especially effective at consuming server resources because they cause the server to create connection state. Even when mitigating this load with Retry Packets, the act of validating an Initial Token and sending a Retry Packet is more expensive than the response to a non-Initial packet with an unknown Connection ID: simply dropping it and/or sending a Stateless Reset.¶
Nevertheless, a Retry Offload in Active Mode might desire to shield servers from non-Initial packets that do not correspond to a previously admitted Initial Packet. This has a number of considerations.¶
- If a Retry Offload maintains no per-flow state, it cannot distinguish between valid and invalid non-Initial packets and MUST forward all non-Initial Packets to the server.¶
- For QUIC versions the Retry Offload does not support and are present on the Allow-List (or absent from the Deny-List), the Retry Offload cannot distinguish Initial Packets from other long headers and therefore MUST admit all long headers.¶
- If a Retry Offload keeps per-flow state, it can identify 4-tuples that have been previously approved, admit non-Initial packets from those flows, and drop all others. However, dropping short headers will effectively break Address Migration and NAT Rebinding when in Active Mode, as post-migration packets will arrive with a previously unknown 4-tuple. This policy will also break connection attempts using any new QUIC versions that begin connections with a short header.¶
- If a Retry Offload is integrated with a QUIC-LB routable load balancer [I-D.ietf-quic-load-balancers], it can verify that the Destination Connection ID is routable, and only admit non-Initial packets with routable DCIDs. As the Connection ID encoding is invariant across QUIC versions, the Retry Offload can do this for all short headers.¶
Nothing in this section prevents Retry Offloads from making basic syntax correctness checks on packets with QUIC versions that it understands (e.g., enforcing the Initial Packet datagram size minimum in version 1).¶
6. IANA Considerations
There are no IANA requirements.¶
7. References
7.1. Normative References
- [RFC8446]
- Rescorla, E., "The Transport Layer Security (TLS) Protocol Version 1.3", RFC 8446, DOI 10.17487/RFC8446, , <https://www.rfc-editor.org/info/rfc8446>.
- [RFC9000]
- Iyengar, J., Ed. and M. Thomson, Ed., "QUIC: A UDP-Based Multiplexed and Secure Transport", RFC 9000, DOI 10.17487/RFC9000, , <https://www.rfc-editor.org/info/rfc9000>.
- [TIME_T]
- "Open Group Standard: Vol. 1: Base Definitions, Issue 7", IEEE Std 1003.1 , , <http://pubs.opengroup.org/onlinepubs/9699919799/basedefs/V1_chap04.html#tag_04_16>.
7.2. Informative References
- [I-D.ietf-quic-load-balancers]
- Duke, M., Banks, N., and C. Huitema, "QUIC-LB: Generating Routable QUIC Connection IDs", Work in Progress, Internet-Draft, draft-ietf-quic-load-balancers-12, , <https://www.ietf.org/archive/id/draft-ietf-quic-load-balancers-12.txt>.
- [RFC2119]
- Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, , <https://www.rfc-editor.org/info/rfc2119>.
- [RFC4106]
- Viega, J. and D. McGrew, "The Use of Galois/Counter Mode (GCM) in IPsec Encapsulating Security Payload (ESP)", RFC 4106, DOI 10.17487/RFC4106, , <https://www.rfc-editor.org/info/rfc4106>.
- [RFC4987]
- Eddy, W., "TCP SYN Flooding Attacks and Common Mitigations", RFC 4987, DOI 10.17487/RFC4987, , <https://www.rfc-editor.org/info/rfc4987>.
- [RFC6020]
- Bjorklund, M., Ed., "YANG - A Data Modeling Language for the Network Configuration Protocol (NETCONF)", RFC 6020, DOI 10.17487/RFC6020, , <https://www.rfc-editor.org/info/rfc6020>.
- [RFC7696]
- Housley, R., "Guidelines for Cryptographic Algorithm Agility and Selecting Mandatory-to-Implement Algorithms", BCP 201, RFC 7696, DOI 10.17487/RFC7696, , <https://www.rfc-editor.org/info/rfc7696>.
- [RFC8340]
- Bjorklund, M. and L. Berger, Ed., "YANG Tree Diagrams", BCP 215, RFC 8340, DOI 10.17487/RFC8340, , <https://www.rfc-editor.org/info/rfc8340>.
- [RFC8999]
- Thomson, M., "Version-Independent Properties of QUIC", RFC 8999, DOI 10.17487/RFC8999, , <https://www.rfc-editor.org/info/rfc8999>.
- [RFC9001]
- Thomson, M., Ed. and S. Turner, Ed., "Using TLS to Secure QUIC", RFC 9001, DOI 10.17487/RFC9001, , <https://www.rfc-editor.org/info/rfc9001>.
Appendix A. Retry Offload YANG Model
These YANG models conform to [RFC6020] and express a complete Retry Offload configuration.¶
module ietf-retry-offload { yang-version "1.1"; namespace "urn:ietf:params:xml:ns:yang:ietf-quic-lb"; prefix "quic-lb"; import ietf-yang-types { prefix yang; reference "RFC 6991: Common YANG Data Types."; } import ietf-inet-types { prefix inet; reference "RFC 6991: Common YANG Data Types."; } organization "IETF QUIC Working Group"; contact "WG Web: <http://datatracker.ietf.org/wg/quic> WG List: <quic@ietf.org> Authors: Martin Duke (martin.h.duke at gmail dot com) Nick Banks (nibanks at microsoft dot com) Christian Huitema (huitema at huitema.net)"; description "This module enables the explicit cooperation of QUIC servers with offloads that generate Retry packets on their behalf. Copyright (c) 2022 IETF Trust and the persons identified as authors of the code. All rights reserved. Redistribution and use in source and binary forms, with or without modification, is permitted pursuant to, and subject to the license terms contained in, the Simplified BSD License set forth in Section 4.c of the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info). This version of this YANG module is part of RFC XXXX (https://www.rfc-editor.org/info/rfcXXXX); see the RFC itself for full legal notices. The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL', 'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED', 'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document are to be interpreted as described in BCP 14 (RFC 2119) (RFC 8174) when, and only when, they appear in all capitals, as shown here."; revision "2022-02-11" { description "Initial version"; reference "RFC XXXX, QUIC Retry Offloads"; } container retry-offload-config { description "Configuration of Retry Offload. If supported-versions is empty, there is no Retry Offload. If token-keys is empty, it uses the non-shared-state offload. If present, it uses shared-state tokens."; leaf-list supported-versions { type uint32; description "QUIC versions that the Retry Offload supports. If empty, there is no Retry Offload."; } leaf unsupported-version-default { type enumeration { enum allow { description "Unsupported versions admitted by default"; } enum deny { description "Unsupported versions denied by default"; } } default allow; description "Are unsupported versions not in version-exceptions allowed or denied?"; } leaf-list version-exceptions { type uint32; description "Exceptions to the default-deny or default-allow rule."; } list token-keys { key "key-sequence-number"; description "list of active keys, for key rotation purposes. Existence implies shared-state format"; leaf key-sequence-number { type uint8 { range "0..127"; } mandatory true; description "Identifies the key used to encrypt the token"; } leaf token-key { type retry-offload-key; mandatory true; description "16-byte key to encrypt the token"; } leaf token-iv { type yang:hex-string { length 23; } mandatory true; description "8-byte IV to encrypt the token, encoded in 23 bytes"; } } } }¶
A.1. Tree Diagram
This summary of the YANG models uses the notation in [RFC8340].¶
module: retry-offload-config +--rw retry-offload-config +--rw supported-versions* uint32 +--rw unsupported-version-default? enumeration +--rw version-exceptions* uint32 +--rw token-keys* [key-sequence-number] +--rw key-sequence-number uint8 +--rw token-key quic-lb-key +--rw token-iv yang:hex-string ## Shared State Retry Token Test Vectors In this case, the shared-state retry token is issued by Retry Offload, so the opaque data of shared-state retry token body would be null ({{shared-state-retry}}).¶
Configuration: key_seq 0x00 encrypt_key 0x30313233343536373839303132333435 AEAD_IV 0x313233343536373839303132¶
Shared-State Retry Offload Token Body: ODCIL 0x12 RSCIL 0x10 port 0x1a0a original_destination_connection_id 0x0c3817b544ca1c94313bba41757547eec937 retry_source_connection_id 0x0301e770d24b3b13070dd5c2a9264307 timestamp 0x0000000060c7bf4d¶
Shared-State Retry Offload Token: unique_token_number 0x59ef316b70575e793e1a8782 key_sequence 0x00 encrypted_shared_state_retry_offload_token_body 0x7d38b274aa4427c7a1557c3fa666945931defc65da387a83855196a7cb73caac1e28e5346fd76868de94f8b62294 AEAD_ICV 0xf91174fdd711543a32d5e959867f9c22¶
AEAD related parameters: client_ip_addr 127.0.0.1 client_port 6666 AEAD_nonce 0x68dd025f45616941072ab6b0 AEAD_associated_data 0x7f00000100000000000000000000000059ef316b70575e793e1a878200 ~~~¶
Appendix B. Acknowledgments
Christian Huitema, Ling Tao Nju, and William Zeng Ke all provided useful input to this document.¶
Appendix C. Change Log
-
RFC Editor's Note: Please remove this section prior to publication of a final version of this document.¶
C.2. since draft-ietf-quic-load-balancers-11
- Fixed mistakes in test vectors¶
C.9. since draft-ietf-quic-load-balancers-04
- Rearranged the shared-state retry token to simplify token processing¶
- More compact timestamp in shared-state retry token¶
- Revised server requirements for shared-state retries¶
- Eliminated zero padding from the test vectors¶
- Added server use bytes to the test vectors¶
- Additional compliant DCID criteria¶
C.11. since-draft-ietf-quic-load-balancers-02
- Replaced stream cipher algorithm with three-pass version¶
- Updated Retry format to encode info for required TPs¶
- Added discussion of version invariance¶
- Cleaned up text about config rotation¶
- Added Reset Oracle and limited configuration considerations¶
- Allow dropped long-header packets for known QUIC versions¶
C.13. since-draft-ietf-quic-load-balancers-00
- Removed in-band protocol from the document¶
C.14. Since draft-duke-quic-load-balancers-06
- Switch to IETF WG draft.¶
C.16. Since draft-duke-quic-load-balancers-04
- Added standard for Retry Offloads¶