< draft-ietf-quic-tls-21.txt   draft-ietf-quic-tls-22.txt >
QUIC M. Thomson, Ed. QUIC M. Thomson, Ed.
Internet-Draft Mozilla Internet-Draft Mozilla
Intended status: Standards Track S. Turner, Ed. Intended status: Standards Track S. Turner, Ed.
Expires: January 9, 2020 sn3rd Expires: January 10, 2020 sn3rd
July 08, 2019 July 09, 2019
Using TLS to Secure QUIC Using TLS to Secure QUIC
draft-ietf-quic-tls-21 draft-ietf-quic-tls-22
Abstract Abstract
This document describes how Transport Layer Security (TLS) is used to This document describes how Transport Layer Security (TLS) is used to
secure QUIC. secure QUIC.
Note to Readers Note to Readers
Discussion of this draft takes place on the QUIC working group Discussion of this draft takes place on the QUIC working group
mailing list (quic@ietf.org), which is archived at mailing list (quic@ietf.org), which is archived at
skipping to change at page 1, line 42 skipping to change at page 1, line 42
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/. Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on January 9, 2020. This Internet-Draft will expire on January 10, 2020.
Copyright Notice Copyright Notice
Copyright (c) 2019 IETF Trust and the persons identified as the Copyright (c) 2019 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of (https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 3, line 24 skipping to change at page 3, line 24
10. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 34 10. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 34
11. References . . . . . . . . . . . . . . . . . . . . . . . . . 34 11. References . . . . . . . . . . . . . . . . . . . . . . . . . 34
11.1. Normative References . . . . . . . . . . . . . . . . . . 34 11.1. Normative References . . . . . . . . . . . . . . . . . . 34
11.2. Informative References . . . . . . . . . . . . . . . . . 35 11.2. Informative References . . . . . . . . . . . . . . . . . 35
11.3. URIs . . . . . . . . . . . . . . . . . . . . . . . . . . 36 11.3. URIs . . . . . . . . . . . . . . . . . . . . . . . . . . 36
Appendix A. Sample Initial Packet Protection . . . . . . . . . . 36 Appendix A. Sample Initial Packet Protection . . . . . . . . . . 36
A.1. Keys . . . . . . . . . . . . . . . . . . . . . . . . . . 36 A.1. Keys . . . . . . . . . . . . . . . . . . . . . . . . . . 36
A.2. Client Initial . . . . . . . . . . . . . . . . . . . . . 37 A.2. Client Initial . . . . . . . . . . . . . . . . . . . . . 37
A.3. Server Initial . . . . . . . . . . . . . . . . . . . . . 39 A.3. Server Initial . . . . . . . . . . . . . . . . . . . . . 39
Appendix B. Change Log . . . . . . . . . . . . . . . . . . . . . 40 Appendix B. Change Log . . . . . . . . . . . . . . . . . . . . . 40
B.1. Since draft-ietf-quic-tls-20 . . . . . . . . . . . . . . 40 B.1. Since draft-ietf-quic-tls-21 . . . . . . . . . . . . . . 40
B.2. Since draft-ietf-quic-tls-18 . . . . . . . . . . . . . . 40 B.2. Since draft-ietf-quic-tls-20 . . . . . . . . . . . . . . 40
B.3. Since draft-ietf-quic-tls-17 . . . . . . . . . . . . . . 40 B.3. Since draft-ietf-quic-tls-18 . . . . . . . . . . . . . . 40
B.4. Since draft-ietf-quic-tls-14 . . . . . . . . . . . . . . 41 B.4. Since draft-ietf-quic-tls-17 . . . . . . . . . . . . . . 41
B.5. Since draft-ietf-quic-tls-13 . . . . . . . . . . . . . . 41 B.5. Since draft-ietf-quic-tls-14 . . . . . . . . . . . . . . 41
B.6. Since draft-ietf-quic-tls-12 . . . . . . . . . . . . . . 41 B.6. Since draft-ietf-quic-tls-13 . . . . . . . . . . . . . . 41
B.7. Since draft-ietf-quic-tls-11 . . . . . . . . . . . . . . 42 B.7. Since draft-ietf-quic-tls-12 . . . . . . . . . . . . . . 41
B.8. Since draft-ietf-quic-tls-10 . . . . . . . . . . . . . . 42 B.8. Since draft-ietf-quic-tls-11 . . . . . . . . . . . . . . 42
B.9. Since draft-ietf-quic-tls-09 . . . . . . . . . . . . . . 42 B.9. Since draft-ietf-quic-tls-10 . . . . . . . . . . . . . . 42
B.10. Since draft-ietf-quic-tls-08 . . . . . . . . . . . . . . 42 B.10. Since draft-ietf-quic-tls-09 . . . . . . . . . . . . . . 42
B.11. Since draft-ietf-quic-tls-07 . . . . . . . . . . . . . . 42 B.11. Since draft-ietf-quic-tls-08 . . . . . . . . . . . . . . 42
B.12. Since draft-ietf-quic-tls-05 . . . . . . . . . . . . . . 42 B.12. Since draft-ietf-quic-tls-07 . . . . . . . . . . . . . . 42
B.13. Since draft-ietf-quic-tls-04 . . . . . . . . . . . . . . 42 B.13. Since draft-ietf-quic-tls-05 . . . . . . . . . . . . . . 42
B.14. Since draft-ietf-quic-tls-03 . . . . . . . . . . . . . . 42 B.14. Since draft-ietf-quic-tls-04 . . . . . . . . . . . . . . 42
B.15. Since draft-ietf-quic-tls-02 . . . . . . . . . . . . . . 42 B.15. Since draft-ietf-quic-tls-03 . . . . . . . . . . . . . . 42
B.16. Since draft-ietf-quic-tls-01 . . . . . . . . . . . . . . 42 B.16. Since draft-ietf-quic-tls-02 . . . . . . . . . . . . . . 42
B.17. Since draft-ietf-quic-tls-00 . . . . . . . . . . . . . . 43 B.17. Since draft-ietf-quic-tls-01 . . . . . . . . . . . . . . 43
B.18. Since draft-thomson-quic-tls-01 . . . . . . . . . . . . . 43 B.18. Since draft-ietf-quic-tls-00 . . . . . . . . . . . . . . 43
Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . 43 B.19. Since draft-thomson-quic-tls-01 . . . . . . . . . . . . . 43
Contributors . . . . . . . . . . . . . . . . . . . . . . . . . . 43 Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . 44
Contributors . . . . . . . . . . . . . . . . . . . . . . . . . . 44
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 44 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 44
1. Introduction 1. Introduction
This document describes how QUIC [QUIC-TRANSPORT] is secured using This document describes how QUIC [QUIC-TRANSPORT] is secured using
TLS [TLS13]. TLS [TLS13].
TLS 1.3 provides critical latency improvements for connection TLS 1.3 provides critical latency improvements for connection
establishment over previous versions. Absent packet loss, most new establishment over previous versions. Absent packet loss, most new
connections can be established and secured within a single round connections can be established and secured within a single round
skipping to change at page 34, line 37 skipping to change at page 34, line 37
[AES] "Advanced encryption standard (AES)", National Institute [AES] "Advanced encryption standard (AES)", National Institute
of Standards and Technology report, of Standards and Technology report,
DOI 10.6028/nist.fips.197, November 2001. DOI 10.6028/nist.fips.197, November 2001.
[CHACHA] Nir, Y. and A. Langley, "ChaCha20 and Poly1305 for IETF [CHACHA] Nir, Y. and A. Langley, "ChaCha20 and Poly1305 for IETF
Protocols", RFC 8439, DOI 10.17487/RFC8439, June 2018, Protocols", RFC 8439, DOI 10.17487/RFC8439, June 2018,
<https://www.rfc-editor.org/info/rfc8439>. <https://www.rfc-editor.org/info/rfc8439>.
[QUIC-RECOVERY] [QUIC-RECOVERY]
Iyengar, J., Ed. and I. Swett, Ed., "QUIC Loss Detection Iyengar, J., Ed. and I. Swett, Ed., "QUIC Loss Detection
and Congestion Control", draft-ietf-quic-recovery-21 (work and Congestion Control", draft-ietf-quic-recovery-22 (work
in progress), July 2019. in progress), July 2019.
[QUIC-TRANSPORT] [QUIC-TRANSPORT]
Iyengar, J., Ed. and M. Thomson, Ed., "QUIC: A UDP-Based Iyengar, J., Ed. and M. Thomson, Ed., "QUIC: A UDP-Based
Multiplexed and Secure Transport", draft-ietf-quic- Multiplexed and Secure Transport", draft-ietf-quic-
transport-21 (work in progress), July 2019. transport-22 (work in progress), July 2019.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997, DOI 10.17487/RFC2119, March 1997,
<https://www.rfc-editor.org/info/rfc2119>. <https://www.rfc-editor.org/info/rfc2119>.
[RFC7301] Friedl, S., Popov, A., Langley, A., and E. Stephan, [RFC7301] Friedl, S., Popov, A., Langley, A., and E. Stephan,
"Transport Layer Security (TLS) Application-Layer Protocol "Transport Layer Security (TLS) Application-Layer Protocol
Negotiation Extension", RFC 7301, DOI 10.17487/RFC7301, Negotiation Extension", RFC 7301, DOI 10.17487/RFC7301,
July 2014, <https://www.rfc-editor.org/info/rfc7301>. July 2014, <https://www.rfc-editor.org/info/rfc7301>.
skipping to change at page 35, line 40 skipping to change at page 35, line 40
Luykx, A. and K. Paterson, "Limits on Authenticated Luykx, A. and K. Paterson, "Limits on Authenticated
Encryption Use in TLS", March 2016, Encryption Use in TLS", March 2016,
<http://www.isg.rhul.ac.uk/~kp/TLS-AEbounds.pdf>. <http://www.isg.rhul.ac.uk/~kp/TLS-AEbounds.pdf>.
[IMC] Katz, J. and Y. Lindell, "Introduction to Modern [IMC] Katz, J. and Y. Lindell, "Introduction to Modern
Cryptography, Second Edition", ISBN 978-1466570269, Cryptography, Second Edition", ISBN 978-1466570269,
November 2014. November 2014.
[QUIC-HTTP] [QUIC-HTTP]
Bishop, M., Ed., "Hypertext Transfer Protocol (HTTP) over Bishop, M., Ed., "Hypertext Transfer Protocol (HTTP) over
QUIC", draft-ietf-quic-http-21 (work in progress), July QUIC", draft-ietf-quic-http-22 (work in progress), July
2019. 2019.
[RFC2818] Rescorla, E., "HTTP Over TLS", RFC 2818, [RFC2818] Rescorla, E., "HTTP Over TLS", RFC 2818,
DOI 10.17487/RFC2818, May 2000, DOI 10.17487/RFC2818, May 2000,
<https://www.rfc-editor.org/info/rfc2818>. <https://www.rfc-editor.org/info/rfc2818>.
[RFC5280] Cooper, D., Santesson, S., Farrell, S., Boeyen, S., [RFC5280] Cooper, D., Santesson, S., Farrell, S., Boeyen, S.,
Housley, R., and W. Polk, "Internet X.509 Public Key Housley, R., and W. Polk, "Internet X.509 Public Key
Infrastructure Certificate and Certificate Revocation List Infrastructure Certificate and Certificate Revocation List
(CRL) Profile", RFC 5280, DOI 10.17487/RFC5280, May 2008, (CRL) Profile", RFC 5280, DOI 10.17487/RFC5280, May 2008,
skipping to change at page 40, line 31 skipping to change at page 40, line 31
cdbe264bd65f2b076760c69beef23aa7 14c9a174d69034c09a2863e1e1863508 cdbe264bd65f2b076760c69beef23aa7 14c9a174d69034c09a2863e1e1863508
8d4afdeab9 8d4afdeab9
Appendix B. Change Log Appendix B. Change Log
*RFC Editor's Note:* Please remove this section prior to *RFC Editor's Note:* Please remove this section prior to
publication of a final version of this document. publication of a final version of this document.
Issue and pull request numbers are listed with a leading octothorp. Issue and pull request numbers are listed with a leading octothorp.
B.1. Since draft-ietf-quic-tls-20 B.1. Since draft-ietf-quic-tls-21
o No changes
B.2. Since draft-ietf-quic-tls-20
o Mandate the use of the QUIC transport parameters extension (#2528, o Mandate the use of the QUIC transport parameters extension (#2528,
#2560) #2560)
o Define handshake completion and confirmation; define clearer rules o Define handshake completion and confirmation; define clearer rules
when it encryption keys should be discarded (#2214, #2267, #2673) when it encryption keys should be discarded (#2214, #2267, #2673)
B.2. Since draft-ietf-quic-tls-18 B.3. Since draft-ietf-quic-tls-18
o Increased the set of permissible frames in 0-RTT (#2344, #2355) o Increased the set of permissible frames in 0-RTT (#2344, #2355)
o Transport parameter extension is mandatory (#2528, #2560) o Transport parameter extension is mandatory (#2528, #2560)
B.3. Since draft-ietf-quic-tls-17 B.4. Since draft-ietf-quic-tls-17
o Endpoints discard initial keys as soon as handshake keys are o Endpoints discard initial keys as soon as handshake keys are
available (#1951, #2045) available (#1951, #2045)
o Use of ALPN or equivalent is mandatory (#2263, #2284) o Use of ALPN or equivalent is mandatory (#2263, #2284)
B.4. Since draft-ietf-quic-tls-14 B.5. Since draft-ietf-quic-tls-14
o Update the salt used for Initial secrets (#1970) o Update the salt used for Initial secrets (#1970)
o Clarify that TLS_AES_128_CCM_8_SHA256 isn't supported (#2019) o Clarify that TLS_AES_128_CCM_8_SHA256 isn't supported (#2019)
o Change header protection o Change header protection
* Sample from a fixed offset (#1575, #2030) * Sample from a fixed offset (#1575, #2030)
* Cover part of the first byte, including the key phase (#1322, * Cover part of the first byte, including the key phase (#1322,
skipping to change at page 41, line 28 skipping to change at page 41, line 35
o TLS provides an AEAD and KDF function (#2046) o TLS provides an AEAD and KDF function (#2046)
* Clarify that the TLS KDF is used with TLS (#1997) * Clarify that the TLS KDF is used with TLS (#1997)
* Change the labels for calculation of QUIC keys (#1845, #1971, * Change the labels for calculation of QUIC keys (#1845, #1971,
#1991) #1991)
o Initial keys are discarded once Handshake are avaialble (#1951, o Initial keys are discarded once Handshake are avaialble (#1951,
#2045) #2045)
B.5. Since draft-ietf-quic-tls-13 B.6. Since draft-ietf-quic-tls-13
o Updated to TLS 1.3 final (#1660) o Updated to TLS 1.3 final (#1660)
B.6. Since draft-ietf-quic-tls-12 B.7. Since draft-ietf-quic-tls-12
o Changes to integration of the TLS handshake (#829, #1018, #1094, o Changes to integration of the TLS handshake (#829, #1018, #1094,
#1165, #1190, #1233, #1242, #1252, #1450) #1165, #1190, #1233, #1242, #1252, #1450)
* The cryptographic handshake uses CRYPTO frames, not stream 0 * The cryptographic handshake uses CRYPTO frames, not stream 0
* QUIC packet protection is used in place of TLS record * QUIC packet protection is used in place of TLS record
protection protection
* Separate QUIC packet number spaces are used for the handshake * Separate QUIC packet number spaces are used for the handshake
skipping to change at page 41, line 45 skipping to change at page 42, line 4
#1165, #1190, #1233, #1242, #1252, #1450) #1165, #1190, #1233, #1242, #1252, #1450)
* The cryptographic handshake uses CRYPTO frames, not stream 0 * The cryptographic handshake uses CRYPTO frames, not stream 0
* QUIC packet protection is used in place of TLS record * QUIC packet protection is used in place of TLS record
protection protection
* Separate QUIC packet number spaces are used for the handshake * Separate QUIC packet number spaces are used for the handshake
* Changed Retry to be independent of the cryptographic handshake * Changed Retry to be independent of the cryptographic handshake
* Limit the use of HelloRetryRequest to address TLS needs (like * Limit the use of HelloRetryRequest to address TLS needs (like
key shares) key shares)
o Changed codepoint of TLS extension (#1395, #1402) o Changed codepoint of TLS extension (#1395, #1402)
B.7. Since draft-ietf-quic-tls-11 B.8. Since draft-ietf-quic-tls-11
o Encrypted packet numbers. o Encrypted packet numbers.
B.8. Since draft-ietf-quic-tls-10 B.9. Since draft-ietf-quic-tls-10
o No significant changes. o No significant changes.
B.9. Since draft-ietf-quic-tls-09 B.10. Since draft-ietf-quic-tls-09
o Cleaned up key schedule and updated the salt used for handshake o Cleaned up key schedule and updated the salt used for handshake
packet protection (#1077) packet protection (#1077)
B.10. Since draft-ietf-quic-tls-08 B.11. Since draft-ietf-quic-tls-08
o Specify value for max_early_data_size to enable 0-RTT (#942) o Specify value for max_early_data_size to enable 0-RTT (#942)
o Update key derivation function (#1003, #1004) o Update key derivation function (#1003, #1004)
B.11. Since draft-ietf-quic-tls-07 B.12. Since draft-ietf-quic-tls-07
o Handshake errors can be reported with CONNECTION_CLOSE (#608, o Handshake errors can be reported with CONNECTION_CLOSE (#608,
#891) #891)
B.12. Since draft-ietf-quic-tls-05 B.13. Since draft-ietf-quic-tls-05
No significant changes. No significant changes.
B.13. Since draft-ietf-quic-tls-04 B.14. Since draft-ietf-quic-tls-04
o Update labels used in HKDF-Expand-Label to match TLS 1.3 (#642) o Update labels used in HKDF-Expand-Label to match TLS 1.3 (#642)
B.14. Since draft-ietf-quic-tls-03 B.15. Since draft-ietf-quic-tls-03
No significant changes. No significant changes.
B.15. Since draft-ietf-quic-tls-02 B.16. Since draft-ietf-quic-tls-02
o Updates to match changes in transport draft o Updates to match changes in transport draft
B.16. Since draft-ietf-quic-tls-01 B.17. Since draft-ietf-quic-tls-01
o Use TLS alerts to signal TLS errors (#272, #374) o Use TLS alerts to signal TLS errors (#272, #374)
o Require ClientHello to fit in a single packet (#338) o Require ClientHello to fit in a single packet (#338)
o The second client handshake flight is now sent in the clear (#262, o The second client handshake flight is now sent in the clear (#262,
#337) #337)
o The QUIC header is included as AEAD Associated Data (#226, #243, o The QUIC header is included as AEAD Associated Data (#226, #243,
#302) #302)
skipping to change at page 43, line 21 skipping to change at page 43, line 30
o Require at least TLS 1.3 (#138) o Require at least TLS 1.3 (#138)
o Define transport parameters as a TLS extension (#122) o Define transport parameters as a TLS extension (#122)
o Define handling for protected packets before the handshake o Define handling for protected packets before the handshake
completes (#39) completes (#39)
o Decouple QUIC version and ALPN (#12) o Decouple QUIC version and ALPN (#12)
B.17. Since draft-ietf-quic-tls-00 B.18. Since draft-ietf-quic-tls-00
o Changed bit used to signal key phase o Changed bit used to signal key phase
o Updated key phase markings during the handshake o Updated key phase markings during the handshake
o Added TLS interface requirements section o Added TLS interface requirements section
o Moved to use of TLS exporters for key derivation o Moved to use of TLS exporters for key derivation
o Moved TLS error code definitions into this document o Moved TLS error code definitions into this document
B.18. Since draft-thomson-quic-tls-01 B.19. Since draft-thomson-quic-tls-01
o Adopted as base for draft-ietf-quic-tls o Adopted as base for draft-ietf-quic-tls
o Updated authors/editors list o Updated authors/editors list
o Added status note o Added status note
Acknowledgments Acknowledgments
This document has benefited from input from Dragana Damjanovic, This document has benefited from input from Dragana Damjanovic,
 End of changes. 26 change blocks. 
46 lines changed or deleted 50 lines changed or added

This html diff was produced by rfcdiff 1.47. The latest version is available from http://tools.ietf.org/tools/rfcdiff/