Say a client discovers an HTTP server using an A record and so connects over HTTP/1.1 or HTTP/2, even if it supports HTTP/3 (leaving optimistic attempts to use HTTP/3 aside for this example).
If that server advertises availability of HTTP/3, can the client act on this information?
According to the draft as written, the client cannot. However, if the client supports SVCB (technically, the HTTPS record), it might reasonably assume that the server would not advertise HTTP/3 without also having provided some means of discovering it. As framed, the server might have offered some other way of discovering this incompatible protocol, so the client cannot assume that the option to use HTTP/3 was the result of an attack that suppressed the SVCB record. The client therefore cannot treat this as a potential attack. That's not great. It would be good if they could at least act.
@bemasc suggests:
I think this draft should probably either name the scope or be specific to SVCB, to avoid cases where the scope is ambiguous. Naming the scope, and providing a scope identifier meaning "IP and port number", would often be sufficient for secure QUIC upgrade without SVCB, at the cost of some conceptual complexity.
I think that this reasonable. There are a few options:
-
Limit this to just SVCB. That's simple and understandable, but it means that we can't use the mechanism for new things. QUIC version negotiation has already been identified as something that might benefit from this. And having to define a new mechanism for authentication of a new scheme is suboptimal.
-
Have the client advertise what it believes the scope to be. I included this for completeness, but I think that this doesn't help at all. This requires that the server act, and the model here depends on client action.
-
Have the server advertise a single scope of applicability. The problem with this is that it makes it hard to know what the right scope is. The server has to choose. You could base this on information that the client provides, but I think that biases the outcome in ways that might be exploited by attacks. I don't think that this is viable either.
-
Have the server advertise multiple scopes of applicability. There is two ways to spell this: as a set of scopes (IP+port, SVCB, QUIC-VN) or by recognizing that the goal is to define the union of sets and that most of the sets are subsets of others.
So I think that I agree with Ben here. It sounds like a single identifier would be good. We could define just two values for the moment: IP+port and SVCB. In this case, the first is understood to be a subset of the other so we don't need to define IP+port||SVCB as a separate codepoint. We could recommend that every new scope defined include identifiers for all possible sets, either by being a superset or subset of other scopes or defining identifiers that combine the new scope with every other identifier.
The problem with that approach is that introducing a new scope at the server causes old clients to lose protection, because they don't understand the old scopes. So we need to go back to a set (or list).
I tend to think that the number of scopes will be low, so I'm inclined to use a bitfield for this (16 bits seems like it is enough) so that we don't have to grapple with the complications that come with list parsing. The minimum size is the same as opaque<1..255>
, but it doesn't increase in size, so it is easier to process.