QUIC: Extract more QUIC flow details #194

Merged
merged 23 commits into from
Apr 22, 2024


@jmuecke jmuecke commented Oct 26, 2023

We extend ipfixprobe's quic module by extracting the following additional QUIC meta information:

| Output field | Type | Description |
|---|---|---|
| QUIC_SNI | string | Decrypted server name |
| QUIC_USER_AGENT | string | Decrypted user agent |
| QUIC_VERSION | uint32 | QUIC version from first server long header packets |
| QUIC_CLIENT_VERSION | uint32 | QUIC version from first client long header packet |
| QUIC_TOKEN_LENGTH | uint64 | Token length from Initial and Retry packets |
| QUIC_OCCID | bytes | Source Connection ID from first client packet |
| QUIC_OSCID | bytes | Destination Connection ID from first client packet |
| QUIC_SCID | bytes | Source Connection ID from first server packet |
| QUIC_RETRY_SCID | bytes | Source Connection ID from Retry packet |
| QUIC_MULTIPLEXED | uint8 | > 0 if multiplexed (at least two different QUIC_OSCIDs or SNIs) |
| QUIC_ZERO_RTT | uint8 | Number of 0-RTT packets in flow. |
| QUIC_SERVER_PORT | uint16 | TODO Server Port determined by packet type and TLS message |
| QUIC_PACKETS | uint8* | QUIC long header packet type (v1 encoded), version negotiation, QUIC bit |
| QUIC_CH_PARSED | uint8 | >0 if TLS Client Hello parsed without errors |
| QUIC_TLS_EXT_TYPE | uint16* | TLS extensions in the TLS Client Hello |
| QUIC_TLS_EXT_LEN | uint16* | Length of each TLS extension |
| QUIC_TLS_EXT | string | Payload of all/application_layer_protocol_negotiation and quic_transport params TLS extension |

Additional improvements:

  • Previously ipfixprobe detected QUIC flows as UDP flows on port 443 that include a QUIC Initial packet. The new detection requires the transport protocol UDP, a minimum length for long header packets, a known QUIC version and a QUIC long header packet.
  • Previously ipfixprobe only parsed the first packet of a flow and tested against QUIC. We now test all packets in a flow against QUIC long header packet properties (see above).
  • Previously ipfixprobe only considered the first QUIC packet in the UDP payload. We now parse all coalesced packets with a long header.
  • We extract both versions in compatible version negotiation.
  • The retry token length is extracted from Retry packets.
  • We detect if the same 5/4-tuple is used by multiple different QUIC connections.

Limitations:

  • We are unable to detect client migration and subsequently added paths (Multipath QUIC).
  • We do not parse any short header packets.
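
The long header detection and coalesced-packet walk described in this pull request can be sketched as follows. This is an added C++ example, not code from ipfixprobe or from this PR; `LongHdr`, `read_varint`, `parse_coalesced` and `kSample` are hypothetical names, and it assumes QUIC v1 is the only "known" version.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

// Added illustration with hypothetical names (not ipfixprobe code); QUIC v1 layout, RFC 9000.
struct LongHdr { uint8_t type; uint32_t version; size_t dcid_len, scid_len; uint64_t token_len; };
// Decode an RFC 9000 variable-length integer at p[off]; false if truncated.
static bool read_varint(const uint8_t* p, size_t len, size_t& off, uint64_t& out) {
    size_t n = off < len ? size_t(1) << (p[off] >> 6) : 0;   // 1, 2, 4 or 8 bytes
    if (n == 0 || len - off < n) return false;
    out = p[off] & 0x3f;
    for (size_t i = 1; i < n; i++) out = (out << 8) | p[off + i];
    off += n;
    return true;
}

// Return every coalesced long header packet found in one UDP payload.
std::vector<LongHdr> parse_coalesced(const uint8_t* p, size_t len) {
    std::vector<LongHdr> pkts;
    size_t off = 0;
    while (len - off >= 7 && (p[off] & 0x80)) {       // minimum length, long header bit
        LongHdr h{};
        h.type = (p[off] >> 4) & 0x03;                // 0 Initial, 1 0-RTT, 2 Handshake, 3 Retry
        h.version = (uint32_t(p[off + 1]) << 24) | (p[off + 2] << 16) | (p[off + 3] << 8) | p[off + 4];
        if (h.version != 1) break;                    // "known version" check, v1 only here
        size_t cur = off + 5;
        h.dcid_len = p[cur++];
        if (h.dcid_len > 20 || len - cur < h.dcid_len + 1) break;
        cur += h.dcid_len;
        h.scid_len = p[cur++];
        if (h.scid_len > 20 || len - cur < h.scid_len) break;
        cur += h.scid_len;
        if (h.type == 3) {                            // Retry: no Length field, ends the datagram
            if (len - cur >= 16) { h.token_len = len - cur - 16; pkts.push_back(h); }
            break;                                    // token is what precedes the 16-byte tag
        }
        uint64_t rest = 0;                            // Length field: packet number + payload
        if (h.type == 0 && (!read_varint(p, len, cur, h.token_len) || len - cur < h.token_len)) break;
        cur += h.token_len;                           // stays 0 unless this is an Initial
        if (!read_varint(p, len, cur, rest) || len - cur < rest) break;
        pkts.push_back(h);
        off = cur + rest;                             // next coalesced packet starts here
    }
    return pkts;
}
// Constructed sample: Initial (8-byte DCID, 3-byte token) coalesced with a Handshake packet.
const std::vector<uint8_t> kSample = {0xC0, 0,0,0,1, 8, 1,2,3,4,5,6,7,8, 0, 3, 0xAA,0xBB,0xCC,
    0x40,0x04, 0,0,0,0, 0xE0, 0,0,0,1, 0, 0, 0x02, 0,0};
int main() { return parse_coalesced(kSample.data(), kSample.size()).size() == 2 ? 0 : 1; }
```

Every length read from the wire is checked against the remaining bytes before it is used, so a truncated or malformed datagram stops the walk instead of reading past the payload.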


@hynekkar hynekkar left a comment


Hi Jonas, Thank you very much for your effort! I have small comments on your contribution. Besides, I would like to ask you about code formatting according to the .clang-format file in the repository root. Any modern IDE should understand this code formatting.

jmuecke and others added 18 commits October 31, 2023 16:01
This includes the following improvements:
- Fix order of processing CID information
- Fix detection of QUIC sni
- Store DCID from first Initial and Retry packet for decryption, in case
  the connection does not begin with an Initial incl. the TLS client
  hello.
- Version negotiation: extract CID fields
- Scan for QUIC packets in the entire flow. Before we only checked the
  first packet. But this is problematic when an unknown QUIC version is
  used in the first packet.
- Add all known QUIC versions and respective salts (Adds Facebook
  versions, picoquic and QUICv2 salts)
- Add extraction of TLS extensions in Client Hello. This includes the
  extraction of the TLS extension type, length and payload.
- Increase QUIC token size.
- Update authors and date
- Update README
- Code cleanup, refactor get_API
We assume QUIC version 1 if we have no knowledge about the spoken QUIC
version.
@SiskaPavel SiskaPavel self-assigned this Mar 18, 2024
@SiskaPavel

Hello,
please apply changes from branch feature-quic-tud (commit c5297ff). After this the merge request will be ready for merge.

@SiskaPavel

Modify this if statement:

```
process/quic.cpp: In member function ‘void ipxp::QUICPlugin::set_client_hello_fields(ipxp::QUICParser*, ipxp::Flow&, ipxp::RecordExtQUIC*, const ipxp::Packet&, bool)’:
process/quic.cpp:265:33: warning: suggest parentheses around ‘&&’ within ‘||’ [-Wparentheses]
  265 |             || (!new_quic_flow) && (quic_data->retry_scid_length == dcid_len))
      |                ~~~~~~~~~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
```

@jmuecke

jmuecke commented Apr 16, 2024

I applied the commit and modified that condition to get rid of the compiler warning.

I also changed part of the retry code, to only act upon the first retry packet.

@jmuecke jmuecke marked this pull request as ready for review April 16, 2024 20:10
@SiskaPavel SiskaPavel merged commit d2b7d7d into CESNET:master Apr 22, 2024
2 of 4 checks passed