Network Working Group                                      M. Kuehlewind
Internet-Draft                                               B. Trammell
Intended status: Informational                                ETH Zurich
Expires: January 3, April 25, 2019                                   July 02,                                 October 22, 2018

              Applicability of the QUIC Transport Protocol


   This document discusses the applicability of the QUIC transport
   protocol, focusing on caveats impacting application protocol
   development and deployment over QUIC.  Its intended audience is
   designers of application protocol mappings to QUIC, and implementors
   of these application protocols.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on January 3, April 25, 2019.

Copyright Notice

   Copyright (c) 2018 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   ( in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
     1.1.  Notational Conventions  . . . . . . . . . . . . . . . . .   3
   2.  The Necessity of Fallback . . . . . . . . . . . . . . . . . .   3
   3.  Zero RTT  . . . . . . . . . . . . . . . . . . . . . . . . . .   3   4
     3.1.  Thinking in Zero RTT  . . . . . . . . . . . . . . . . . .   4
     3.2.  Here There Be Dragons . . . . . . . . . . . . . . . . . .   4
     3.3.  Session resumption versus Keep-alive  . . . . . . . . . .   4
   4.  Use of Streams  . . . . . . . . . . . . . . . . . . . . . . .   4   6
     4.1.  Stream versus Flow Multiplexing . . . . . . . . . . . . .   5   6
     4.2.  Packetization and latency . . . . . . . . . . . . . . . .   6   7
     4.3.  Prioritization  . . . . . . . . . . . . . . . . . . . . .   6   7
   5.  Port Selection  . . . . . . . . . . . . . . . . . . . . . . .   8
   6.  Graceful connection closure . . . . . . . . . . . . . . . . .   6
   6.   8
   7.  Information exposure and the Connection ID  . . . . . . . . .   7
     6.1.   8
     7.1.  Server-Generated Connection ID  . . . . . . . . . . . . .   7
     6.2.   9
     7.2.  Mitigating Timing Linkability with Connection ID
           Migration . . . . . . . . . . . . . . . . . . . . . . . .   9
     7.3.  Using Server Retry for Redirection  . . . . . . . . . . .   8
   7.   9
   8.  Use of Versions and Cryptographic Handshake . . . . . . . . .   8
   8.  10
   9.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .   8
   9.  10
   10. Security Considerations . . . . . . . . . . . . . . . . . . .   8
   10.  10
   11. Contributors  . . . . . . . . . . . . . . . . . . . . . . . .   9
   11.  10
   12. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . .   9
   12.  11
   13. References  . . . . . . . . . . . . . . . . . . . . . . . . .   9
     12.1.  11
     13.1.  Normative References . . . . . . . . . . . . . . . . . .   9
     12.2.  11
     13.2.  Informative References . . . . . . . . . . . . . . . . .   9  11
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .  10  13

1.  Introduction

   QUIC [QUIC] is a new transport protocol currently under development
   in the IETF quic working group, focusing on support of semantics as
   needed for HTTP/2 [QUIC-HTTP] such as stream-multiplexing to avoid
   head-of-line blocking.  Based on current deployment practices, QUIC
   is encapsulated in UDP.  The version of QUIC that is currently under
   development will integrate TLS 1.3 [TLS13] to encrypt all payload
   data and most control information.

   This document provides guidance for application developers that want
   to use the QUIC protocol without implementing it on their own.  This
   includes general guidance for application use of HTTP/2 over QUIC as
   well as the use of other application layer protocols over QUIC.  For
   specific guidance on how to integrate HTTP/2 with QUIC, see

   In the following sections we discuss specific caveats to QUIC's
   applicability, and issues that application developers must consider
   when using QUIC as a transport for their application.

1.1.  Notational Conventions

   The words "MUST", "MUST NOT", "SHOULD", and "MAY" are used in this
   document.  It's not shouting; when these words are capitalized, they
   have a special meaning as defined in [RFC2119].

2.  The Necessity of Fallback

   QUIC uses UDP as a substrate for userspace implementation and port
   numbers for NAT and middlebox traversal.  While there is no evidence
   of widespread, systematic disadvantage of UDP traffic compared to TCP
   in the Internet [Edeline16], somewhere between three [Trammell16] and
   five [Swett16] percent of networks simply block UDP traffic.  All
   applications running on top of QUIC must therefore either be prepared
   to accept connectivity failure on such networks, or be engineered to
   fall back to some other transport protocol.  This fallback SHOULD
   provide TLS 1.3 or equivalent cryptographic protection, if available,
   in order to keep fallback from being exploited as a downgrade attack.
   In the case of HTTP, this fallback is TLS 1.3 over TCP.

   These applications must operate, perhaps with impaired functionality,
   in the absence of features provided by QUIC not present in the
   fallback protocol.  For fallback to TLS over TCP, the most obvious
   difference is that TCP does not provide stream multiplexing and
   therefore stream multiplexing would need to be implemented in the
   application layer if needed.  Further, TCP without the TCP Fast Open
   extension does not support 0-RTT session resumption.  TCP Fast Open
   can be requested by the connection initiator but might no be
   supported by the far end or could be blocked on the network path.
   Note that there is some evidence of middleboxes blocking SYN data
   even if TFO was successfully negotiated (see [PaaschNanog]).

   Any fallback mechanism is likely to impose a degradation of
   performance; however, fallback MUST not silently violate the
   application's expectation of confidentiality or integrity of its
   payload data.

   Moreover, while encryption (in this case TLS) is inseparably
   integrated with QUIC, TLS negotiation over TCP can be blocked.  In
   case it is RECOMMENDED to abort the connection, allowing the
   application to present a suitable prompt to the user that secure
   communication is unavailable.

3.  Zero RTT

   QUIC provides for 0-RTT connection establishment (see section 3.2 of
   [QUIC]). establishment.  This presents
   opportunities and challenges for applications using QUIC.

3.1.  Thinking in Zero RTT

   A transport protocol that provides 0-RTT connection establishment to
   recently contacted servers is qualitatively different than one that
   does not from the point of view of the application using it.
   Relative trade-offs between the cost of closing and reopening a
   connection and trying to keep it open are different; see Section 3.3.

   Applications must be slightly rethought in order to make best use of
   0-RTT resumption.  Most importantly, application operations must be
   divided into idempotent and non-idempotent operations, as only
   idempotent operations may appear in 0-RTT packets.  This implies that
   the interface between the application and transport layer exposes
   idempotence either explicitly or implicitly.

3.2.  Here There Be Dragons

   Retransmission or (malicious) replay of data contained in 0-RTT
   resumption packets could cause the server side to receive two copies
   of the same data.  This is further described in [HTTP-RETRY].  Data
   sent during 0-RTT resumption also cannot benefit from perfect forward
   secrecy (PFS).

   Data in the first flight sent by the client in a connection
   established with 0-RTT MUST be idempotent (as specified in section
   2.1 in [QUIC-TLS]).  Applications MUST be designed, and their data
   MUST be framed, such that multiple reception of idempotent data is
   recognized as such by the receiverApplications that cannot treat data
   that may appear in a 0-RTT connection establishment as idempotent
   MUST NOT use 0-RTT establishment.  For this reason the QUIC transport
   SHOULD provide an interface for the application to indicate if 0-RTT
   support is in general desired or a way to indicate whether data is
   idempotent, and/or whether PFS is a hard requirement for the

3.3.  Session resumption versus Keep-alive

   [EDITOR'S NOTE: see]

4.  Use of Streams

   QUIC's stream multiplexing feature allows applications to run
   multiple streams over a single connection, without head-of-line
   blocking between streams, associated at a point

   Because QUIC is encapsulated in time UDP, applications using QUIC must
   deal with a single
   five-tuple.  Stream data is carried within Frames, where one (UDP)
   packet short idle timeouts.  Deployed stateful middleboxes will
   generally establish state for UDP flows on the wire can carry one of multiple stream frames.

   Stream first packet state,
   and keep state for much shorter idle periods than for TCP.  According
   to a 2010 study ([Hatonen10]), UDP applications can assume that any
   NAT binding or other state entry will be independently open and closed, gracefully expired after just thirty
   seconds of inactivity.

   A QUIC application has three strategies to deal with this issue:

   o  Ignore it, if the application-layer protocol consists only of
      interactions with no or by error.
   If a critical stream for very short idle periods.

   o  Ensure there are no long idle periods.

   o  Resume the application session after a long idle period, using 0-RTT
      resumption when appropriate.

   The first strategy is closed, the application
   can generate respective error messages on the application layer easiest, but it only applies to
   inform certain

   Either the other end server or the client in a QUIC application can send PING
   frames as keep-alives, to prevent the connection and any on-path
   state from timing out.  Recommendations for the use of keep-alives
   are application specific, mainly depending on the latency
   requirements and message frequency of the application.  In this case,
   the application mapping must specify whether the client or server is
   responsible for keeping the application alive.  Note that sending
   PING frames more frequently than every 30 seconds over long idle
   periods may result in a too much unproductive traffic and power usage
   for some situations.

   Alternatively, the client (but not the server) can use session
   resumption instead of sending keepalive traffic.  In this case, a
   client that wants to send data to a server over a connection idle
   longer than the server's idle timeout (available from the
   idle_timeout transport parameter) can simply reconnect.  When
   possible, this reconnection can use 0-RTT session resumption,
   reducing the latency involved with restarting the connection.  This
   of course only applies in cases in which 0-RTT data is safe, when the
   client is the restarting peer, and when the data to be sent is

   The tradeoffs between resumption and keepalive need to be evaluated
   on a per-application basis.  However, in general applications should
   use keepalives only in circumstances where continued communication is
   highly likely; [QUIC-HTTP], for instance, recommends using PING
   frames for keepalive only when a request is outstanding.

4.  Use of Streams

   QUIC's stream multiplexing feature allows applications to run
   multiple streams over a single connection, without head-of-line
   blocking between streams, associated at a point in time with a single
   five-tuple.  Stream data is carried within Frames, where one (UDP)
   packet on the wire can carry one of multiple stream frames.

   Stream can be independently open and closed, gracefully or by error.
   If a critical stream for the application is closed, the application
   can generate respective error messages on the application layer to
   inform the other end or the higher layer and eventually indicate quic QUIC
   to reset the connection.  QUIC, however, does not need to know which
   streams are critical, and does not provide an interface to
   exceptional handling of any stream.  There are special streams in
   QUIC that are used for control on the QUIC connection, however, these
   streams are not exposed to the application.

   Mapping of application data to streams is application-specific and
   described for HTTP/s in [QUIC-HTTP].  In general data that can be
   processed independently, and therefore would suffer from head of line
   blocking, if forced to be received in order, should be transmitted
   over different streams.  If there is a logical grouping of those data
   chunks or messages, stream can be reused, or a new stream can be
   opened for each chunk/message.  If a QUIC receiver has maximum
   allowed concurrent streams open and the sender on the other end
   indicates that more streams are needed, it doesn't automatically lead
   to an increase of the maximum number of streams by the receiver.
   Therefore it can be valuable to expose maximum number of allowed,
   currently open and currently used streams to the application to make
   the mapping of data to streams dependent on this information.

   Further, streams have a maximum number of bytes that can be sent on
   one stream.  This number is high enough (2^64) that this will usually
   not be reached with current applications.  Applications that send
   chunks of data over a very long period of time (such as days, months,
   or years), should rather utilize the 0-RTT session resumption ability
   provided by QUIC, than trying to maintain one connection open.

4.1.  Stream versus Flow Multiplexing

   Streams are meaningful only to the application; since stream
   information is carried inside QUIC's encryption boundary, no
   information about the stream(s) whose frames are carried by a given
   packet is visible to the network.  Therefore stream multiplexing is
   not intended to be used for differentiating streams in terms of
   network treatment.  Application traffic requiring different network
   treatment SHOULD therefore be carried over different five-tuples
   (i.e.  multiple QUIC connections).  Given QUIC's ability to send
   application data in the first RTT of a connection (if a previous
   connection to the same host has been successfully established to
   provide the respective credentials), the cost for of establishing another
   connection are is extremely low.

4.2.  Packetization and latency


   QUIC provides an interface that provides multiple streams to the
   application; however, the application usually doesn't have cannot control how the data
   transmitted over one stream is mapped into frame and frames or how those frames
   are bundled into packets.  By default default, QUIC will try to maximally
   pack packets with one or more stream data frames to minimize
   bandwidth consumption and computational costs with one or multiple same data frames. (see section 8 of
   [QUIC]).  If there is not enough data available to send fill a packet,
   QUIC may even wait for a short time,
   trading of latency and to optimize bandwidth efficiency. efficiency
   instead of latency.  This time might delay can either be pre-configured or can the
   dynamically adjusted based on the observed sending pattern of the
   application.  If the application requires low latency, with only
   small chunks of data to send, it may be valuable to indicate to QUIC
   that all data should be send out immediately.  Or  Alternatively, if the
   application expects to use a certain specific sending pattern is know by the
   application, pattern, it might can also
   provide valuable guidance a suggested delay to QUIC for how long
   it should wait to wait before bundle frame
   frames into a packet.

4.3.  Prioritization

   Stream prioritization is not exposed to either the network, nor to network or the
   receiver.  Prioritization can be realized is managed by the sender sender, and the QUIC
   transport should provide an interface for applications to prioritize
   streams [QUIC].  Further applications can implement their own
   prioritization scheme on top of QUIC: (an application) an application protocol that
   runs on top of QUIC can define explicit messages for signaling
   priority, such as those defined for HTTP/2; it can define rules that
   allow an endpoint to determine priority based on context; or it can
   provide a higher level interface and leave the determination to the
   application on top.

   Priority handling of retransmissions can be implemented by the sender
   in the transport layer.  [QUIC] recommends to retransmit lost data
   before new data, unless indicated differently by the application.
   Currently, QUIC only provides fully reliable stream transmission, and
   as such
   which means that prioritization of retransmissions likely will be beneficial
   in most cases, as by filling in gaps that get filled up and thereby free freeing up the flow control. control
   window.  For not fully partially reliable streams or unreliable streams, priority
   scheduling of retransmissions over data of higher-priority streams
   might not be desired.  In this
   case desirable.  For such streams, QUIC could also either provide
   an explicit interface to control prioritization, or derive the
   prioritization decision from the reliability level of the stream.

5.  Port Selection

   As QUIC is a general purpose transport protocol, there are no
   requirements that servers use a particular UDP port for QUIC in
   general.  Instead, the same port number is used as would be used for
   the same application over TCP.  In the case of HTTP the expectation
   is that port 443 is used, which has already been registered for "http
   protocol over TLS/SSL".  However, [QUIC-HTTP] also specifies the use
   of Alt-Svc for HTTP/QUIC discovery which allows the server to use and
   announce a different port number.

   In general, port numbers serves two purposes: "first, they provide a
   demultiplexing identifier to differentiate transport sessions between
   the same pair of endpoints, and second, they may also identify the
   application protocol and associated service to which processes
   connect" [RFC6335].  Note that the assumption that an application can
   be identified in the network based on the port number is less true
   today, due to encapsulation, mechanisms for dynamic port assignments
   as well as NATs.

   However, whenever a non-standard port is used which does not enable
   easy mapping to a registered service name, this can lead to blocking
   by network elements such as firewalls that rely on the port number as
   a first order of filtering.

6.  Graceful connection closure

   [EDITOR'S NOTE: give some guidance here about the steps an
   application should take; however this is still work in progress]


7.  Information exposure and the Connection ID

   QUIC exposes some information to the network in the unencrypted part
   of the header, either before the encryption context is established,
   because the information is intended to be used by the network.  QUIC
   has a long header that is used during connection establishment and
   for other control processes, and a short header that may be used for
   data transmission in an established connection.  While the long
   header is fixed and always exposes some information, information (such as the version and
   Connection IDs), the short header only exposes the packet number by default and may optionally expose a
   connection ID.

   Given that exposing this information may make it possible to
   associate multiple addresses with at most only a single client during rebinding,
   which has privacy implications, an application may indicate to not
   support exposure of certain information after the handshake.
   Specifically, an application that has additional information that the
   client is not behind a NAT and the server is not behind a load
   balancer, and therefore it is unlikely that the addresses will be re-
   bound, may indicate to the transport that is wishes to not expose a
   Connection ID.


7.1.  Server-Generated Connection ID

   QUIC supports a server-generated Connection ID, transmitted to the
   client during connection establishment: see establishment (see Section 5.7 6.1 of [QUIC]. [QUIC]).
   Servers behind load balancers should may need to propose a Connection ID
   during the handshake, encoding the identity of the server or
   information about its load balancing pool, in order to support
   stateless load balancing.  Once the server generates a Connection ID
   that encodes its identity, every CDN load balancer would be able to
   forward the
   packets to that server without needing information about every
   specific flow it is forwarding. the packets to that server without retaining connection

   Server-generated Connection connection IDs must not encode should seek to obscure any encoding,
   of routing identities or any information other
   that that needed to route packets to the appropriate backend
   server(s): typically information.  Exposing the identity server
   mapping would allow linkage of multiple IP addresses to the same host
   if the backend server also supports migration.  Furthermore, this opens an
   attack vector on specific servers or pool pools.

   The best way to obscure an encoding is to appear random to observers,
   which is most rigorously achieved with encryption.

7.2.  Mitigating Timing Linkability with Connection ID Migration

   While sufficiently robust connection ID generation schemes will
   mitigate linkability issues, they do not provide full protection.
   Analysis of
   servers, if the data-center's load balancing system keeps "local"
   state lifetimes of all flows itself.  Care must be exercised to ensure that six-tuples (source and destination
   addresses as well as the
   information encoded in migrated CID) may expose these links anyway.

   In the Connection ID limit where connection migration in a server pool is not sufficient rare, it
   is trivial for an observer to
   identify unique end users.  Note that by encoding routing information associate two connection IDs.
   Conversely, in the Connection ID, load balancers open up a new attack vector that
   allows bad actors to direct traffic at a specific backend opposite limit where every server or
   pool.  It handles multiple
   simultaneous migrations, even an exposed server mapping may be
   insufficient information.

   The most efficient mitigation for these attacks is therefore recommended that Server-Generated Connection
   ID includes operational,
   either by using a cryptographic MAC load balancing architecture that loads more flows
   onto a single server-side address, by coordinating the load balancer pool server is
   able timing of
   migrations to identify and discard packets featuring an invalid MAC.

6.2. attempt to increase the number of simultaneous
   migrations at a given time, or through other means.

7.3.  Using Server Retry for Redirection

   QUIC provides a Server Retry packet that can be sent by a server in
   response to the Client Initial packet.  The server may choose a new
   Connection ID in that packet and the client will retry by sending
   another Client Initial packet with the server-selected connection Connection ID.
   This mechanism can be used to redirect a connection to a different
   server, e.g. due to performance reasons or when servers in a server
   pool are upgraded gradually, and therefore may support different
   versions of QUIC.  In this case, it is assumed that all servers
   belonging to a certain pool are served in cooperation with load
   balancers that forward the traffic based on the connection Connection ID.  A
   server can chose choose the connection Connection ID in the Server Retry packet such
   that the load balancer will redirect the next Client Initial packet
   to a different server in that pool.


8.  Use of Versions and Cryptographic Handshake

   Versioning in QUIC may change the protocol's behavior completely,
   except for the meaning of a few header fields that have been declared
   to be fixed.  As such invariant [QUIC-INVARIANTS].  A version of QUIC with a higher
   version number
   does will not necessarily provide a better service, but
   might simply provide a very different service, so feature set.  As such, an
   application needs to be able to select which versions of QUIC it
   wants to use.

   A new version could use an encryption scheme other than TLS 1.3 or
   higher.  [QUIC] specifies requirements for the cryptographic
   handshake as currently realized by TLS 1.3 and described in a
   separate specification [QUIC-TLS].  This split is performed to enable
   light-weight versioning with different cryptographic handshakes.


9.  IANA Considerations

   This document has no actions for IANA.


10.  Security Considerations

   See the security considerations in [QUIC] and [QUIC-TLS]; the
   security considerations for the underlying transport protocol are
   relevant for applications using QUIC, as well.

   Application developers should note that any fallback they use when
   QUIC cannot be used due to network blocking of UDP SHOULD guarantee
   the same security properties as QUIC; if this is not possible, the
   connection SHOULD fail to allow the application to explicitly handle
   fallback to a less-secure alternative.  See Section 2.


11.  Contributors

   Igor Lubashev contributed text to Section 6 7 on server-selected
   Connection IDs.


12.  Acknowledgments

   This work is partially supported by the European Commission under
   Horizon 2020 grant agreement no. 688421 Measurement and Architecture
   for a Middleboxed Internet (MAMI), and by the Swiss State Secretariat
   for Education, Research, and Innovation under contract no. 15.0268.
   This support does not imply endorsement.


13.  References


13.1.  Normative References

   [QUIC]     Iyengar, J. and M. Thomson, "QUIC: A UDP-Based Multiplexed
              and Secure Transport", draft-ietf-quic-transport-13 draft-ietf-quic-transport-15 (work
              in progress), June October 2018.

              Thomson, M., "Version-Independent Properties of QUIC",
              draft-ietf-quic-invariants-03 (work in progress), October

              Thomson, M. and S. Turner, "Using Transport Layer Security
              (TLS) to Secure QUIC", draft-ietf-quic-tls-13 draft-ietf-quic-tls-15 (work in
              progress), June October 2018.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/
              RFC2119, 10.17487/RFC2119, March 1997, <

   [RFC6335]  Cotton, M., Eggert, L., Touch, J., Westerlund, M., and S.
              Cheshire, "Internet Assigned Numbers Authority (IANA)
              Procedures for the Management of the Service Name and
              Transport Protocol Port Number Registry", BCP 165,
              RFC 6335, DOI 10.17487/RFC6335, August 2011,

   [TLS13]    Thomson, M. and S. Turner, "Using Transport Layer Security
              (TLS) to Secure QUIC", draft-ietf-quic-tls-13 draft-ietf-quic-tls-15 (work in
              progress), June October 2018.


13.2.  Informative References

              Edeline, K., Kuehlewind, M., Trammell, B., Aben, E., and
              B. Donnet, "Using UDP for Internet Transport Evolution
              (arXiv preprint 1612.07816)", December 2016,

              Hatonen, S., Nyrhinen, A., Eggert, L., Strowes, S.,
              Sarolahti, P., and M. Kojo, "An experimental study of home
              gateway characteristics (Proc. ACM IMC 2010)", October

              Nottingham, M., "Retrying HTTP Requests", draft-
              nottingham-httpbis-retry-01 (work in progress), February

              Nottingham, M., "Retrying HTTP Requests", draft-
              nottingham-httpbis-retry-01 (work in progress), February

              Paasch, C., "Network Support for TCP Fast Open (NANOG 67
              presentation)", June 2016,

              Bishop, M., "Hypertext Transfer Protocol (HTTP) over
              QUIC", draft-ietf-quic-http-13 draft-ietf-quic-http-15 (work in progress), June October

   [Swett16]  Swett, I., "QUIC Deployment Experience at Google (IETF96
              QUIC BoF presentation)", July 2016,

              Trammell, B. and M. Kuehlewind, "Internet Path
              Transparency Measurements using RIPE Atlas (RIPE72 MAT
              presentation)", May 2016, <

Authors' Addresses

   Mirja Kuehlewind
   ETH Zurich
   Gloriastrasse 35
   8092 Zurich


   Brian Trammell
   ETH Zurich
   Gloriastrasse 35
   8092 Zurich