Add STREAM Transport Protocol

[emschwartz]

Still need to add each of the frame specs but I figured I'd get the discussion started here.

What do you think? What needs more explanation?

[sharafian]

Looks really good overall, but I had a few questions

[sharafian]

You say entity here and party in other places. I think we should try to be consistent with one or the other, unless there's a difference in the two terms that I'm missing

[emschwartz]

Updated to remove "party"

[sharafian]

nitpick: you capitalize Server in the previous bullet but not here

[sharafian]

You reference send and receive limits here, but I don't think it's obvious to a new reader what those mean

[sharafian]

could you add a couple sentences here on what the data streams provide in terms of ordering, chunking, etc.?

[sharafian]

maybe add something saying that implementations SHOULD start the limits at 0 until the party says otherwise to prevent accidental transferring? Also what would be the purpose of a data limit? Just to prevent flooding?

[emschwartz]

Added e486b50#diff-58f381369b35d5dd3708619716745006R58

[sharafian]

What does the packet sequence do exactly, and are there any ways it could get out of sync?

[sharafian]

There's an Authenticated Encryption section above; this seems like a duplicate

[emschwartz]

Removed that duplicate description line

[sharafian]

I think it's better to length prefix the frames array than use 0x00 as a delimiter. Then if we want to extend the protocol later we wouldn't have a permanent 0 byte delimiter as support for previous versions

[emschwartz]

Actually I tried this an ran into the problem that length-prefixing the padding potentially changes the amount of padding you need. I think it's possible to have a situation where it is impossible to fill the packet exactly while putting the correct length prefix. I think this is why QUIC implemented the padding this way as well.

Then if we want to extend the protocol later we wouldn't have a permanent 0 byte delimiter as support for previous versions

What do you mean by this? It's easy to add new frames to the protocol because they'll just be ignored by old versions. I think that's a better way to extend the protocol than modifying the packet header.

[sharafian]

These numbers don't seem to match what's written in the file above

[sharafian]

maybe it's fine, but it seems slightly strange to have this use the sum of all streamMoney frames. You need to keep a running total on the side and then execute the streamMoney logic after all other frames are parsed, rather than being able to apply each frame's effect as you go through them

If we used something like percents or put the sum of all shares into each of the streammoney frames, then you could apply each frame without having to execute money frames at the end.

[adrianhopebailie]

If we used something like percents

What if the sum of all streamMoney frame percentages adds up to more than or less than 100%? If you have a total (the prepare amount) and want to partition it among multiple shares (streamMoney frames) but atomically apply this (i.e. reject the packet if sum of shares != total) then you can't avoid delayed execution of the money frames.

[sharafian]

There's no real need to apply it atomically; if the sender makes an error and gives out more than 100% of shares then the last frames just wouldn't be applied to their streams.

[adrianhopebailie]

What if it's < 100% where does the remaining money go?
How does the sender get notified which frames were applied and which weren't?

[michielbdejong]

Can you add a frame type to query the balance of the virtual accounting relationship between sender and receiver?

Overall the protocol looks very ingenious, impressive! I do think a downside of adding this to the RFCs repo is that, although you already implemented the reference implementation, maybe the Quilt project doesn't currently have the bandwidth to implement all of this, so that would require some planning maybe. Will discuss with @adrianhopebailie and @sappenin next week!

[michielbdejong]

Please explain the relation to LT as well.

|-----------------|
|  LT  |  STREAM  |
|-----------------|
|     ILPv4       |
|-----------------|
|   ledger layer  |
|-----------------|

[michielbdejong]

If you start from a situation where ILPv4 is ubiquitous, then ILPv4 accounting relationships will be everywhere, and it's useful to explain why you would still want to set up an end-to-end piggy-backed protocol on top of a semi-circle ILP path. I discussed this with @BobWay yesterday, and one great application of the semi-circle family-of-protocols (psk, psk2, psk2-draft2, PayStream, and STREAM) is when for instance you scan a barcode (with for instance an ILP address and a public key) on a vending machine: yes, there is an accounting relationship between you and that vending machine, but:

1. the relationship is short-lived
2. there is an air-gapped line-of-sight communication channel in the physical world, and converting that to a data connection (like in Add Bluetooth Payment Protocol Draft #186) can be avoided by using a semi-circle payment as a sort of "vpn over ilp"

So then this statement is incorrect; client and server do not need to use a data connection during the setup! :)

As we discussed, you might still use a semi-circle protocol like STREAM to reduce latency, but by saying in the first step that STREAM requires a communication channel, aren't you removing one of its greatest unique selling points?

[emschwartz]

So then this statement is incorrect; client and server do not need to use a data connection during the setup! :)

Sure, they need a private communication channel where they are sure that no one is eavesdropping. We could add a note that those properties don't need to come from authenticated encryption, but I think in most cases that would just be something like HTTPS (whether the data is sent in the body or headers).

by saying in the first step that STREAM requires a communication channel, aren't you removing one of its greatest unique selling points?

No, I don't see how it would be. Even if you need to communicate a single message on startup, it makes a big difference to avoid an extra delay for every packet. In many cases that message may not even require an extra roundtrip because it can be sent alongside other application data that you'd be sending anyway. Also, I think we may end up implementing Diffie-Hellman over ILP/STREAM so that you only need to start with a public key and ILP address (that you could get from some kind of public lookup), but I don't think we need to do that right now.

[michielbdejong]

Your said elsewhere that "it seems crazy to require a connection over the internet", so then why are you against highlighting that as an advantage here?

[sharafian]

As I see it the main advantage is that the connection over the internet isn't a part of the protocol flow. Usually you have access to the internet, but because STREAM doesn't need a special purpose channel you can just piggyback the initial setup on top of some communication you were already doing (i.e. in the response headers for an API call, or communicated through a laser)

[emschwartz]

Can you add a frame type to query the balance of the virtual accounting relationship between sender and receiver?

I don't think that's a good idea for the following reasons:

• As @sharafian pointed out when we were discussing removing getBalance from the Ledger Plugin Interface, having a static view of the balance does not help if it's changing constantly over time (for example when streaming some content) according to some more complex function
• I think it would be unused by many if not most applications you could build on this. For example, if I'm sending you money and set my limit to 1000 because that's the maximum I'm willing to pay, knowing what you think my balance is will not change what I'm willing to pay
• Since STREAM includes a data channel, any applications or protocols that do want to be able to query the static balance or rate function can easily add that to their protocol

[dappelt]

The term "send maximum" is confusing given that it sends "greater than or equal to 1000". Should be rather called send minimum.

[emschwartz]

That's a mistake. It should be the maximum. I'll update it to get rid of the greater than part

[dappelt]

... they SHOULD ... -> ... the receiver SHOULD ...

[sentientwaffle]

Why is channel in quotes here but not in the Data Stream definition? What's the difference?

[adrianhopebailie]

Awesome stuff. Great idea to leverage QUIC.

[adrianhopebailie]

If we use ASN.1's SEQUENCE OF (which you have) then I believe the length (i.e. count of frames) is part of the OER encoding. Why do you need to length prefix that?

[emschwartz]

It is technically part of the OER format but I'm not currently length-prefixing that array (I know, it's not the right way to do it). The reason I'm not is related to the padding issue described in #417 (comment).

[adrianhopebailie]

Should be frames SEQUENCE OF StreamFrame?

[adrianhopebailie]

Why not simply define a padding frame that is always ignored?

[emschwartz]

There are really two questions here:

1. Is the padding frame just a single zero byte (0x00, like Padding in QUIC) or a proper frame that has a length prefix for the contents?
2. Can padding come between other frames (see Padding between frames quicwg/base-drafts#158) or does it have to come at the end?

The problem I ran into with length-prefixing the padding is that OER length prefixes are themselves variable length. You need to know how much padding there is to know how long the length prefix is, but the length of the length prefix affects how much padding you need. I'm not completely sure but I think there is a possible edge case where it's impossible to get the right amount of padding because of that.

If you don't length-prefix the padding, you definitely want to mandate that padding should come at the end, because checking individual bytes is very slow. I ran into this when adding padding to the implementation and at first the padded packets made the tests run thousands of times slower than the tests for unpadded packets. I thought it might be encryption related at first, but it turned out that it was just the speed of checking the value of each byte to see if it was zero (there were >30k of them).

[adrianhopebailie]

If we used something like percents

What if the sum of all streamMoney frame percentages adds up to more than or less than 100%? If you have a total (the prepare amount) and want to partition it among multiple shares (streamMoney frames) but atomically apply this (i.e. reject the packet if sum of shares != total) then you can't avoid delayed execution of the money frames.

[dappelt]

Given that STREAM Connections can be long-lived, did you consider the implications for the encryption key? A given key should only be used to encrypt a limited number of messages.

That number is large, but it might become relevant for long-lived connections. Quote from the NIST publication on AES-GCM:

The total number of invocations of the authenticated encryption function shall not exceed 2^32, including all IV lengths and all instances of the authenticated encryption function with the given key.

[emschwartz]

Good point. Do you think it's better to drop the connection or add a frame that allows you to change the shared secret? I originally thought about adding a shared secret to the ConnectionNewAddress frame but opted against it.

[dappelt]

Let's break down the pros and cons of both options.

The options are: After the total number of encrypted messages exceeds some threshold, 1) the connection should either be dropped or 2) the encryption key needs to be renewed.

1) Dropping the connection
+ simple to implement
- higher-level protocols have to assume that the connection might be dropped and have to reestablish

2) Renewing the key
+ no connection interruption due to exhausting the key/nonces
- More complex. Requires a new frame type or an existing frame needs to be extended to communicate the new key
- Duplicates Logic. Key establishment is explicitly not part of PSK but assumed to be done over a separate, secure communication channel. If we add a way to exchange keys within the protocol, we are essentially duplicating the key establishing logic.
- Potentially Insecure. Depending on how it is implemented, it might be insecure. For example, a man-in-the-middle could just count how many messages went over a connection and when it is about time to renew the key, he would drop all packets, thus preventing client and server to exchange a new key. Once the max. number of invocations for AES-GCM is reached, client/server have no other (secure) option as to drop the connection. Otherwise, the man-in-the-middle can decrypt packets and learn the new encryption key.

The last point makes me realize that as a last resort the connection NEEDS to be dropped. Renewing the key within the protocol is just a convenience feature. So I definitely recommend to go with 1) for now.

[rhuairahrighairidh]

Nice work. Slightly hard to see how all the pieces fit together without a good understanding of QUIC, but I assume that can be taken as required reading.

[dora-gt]

I could not understand what multiplexed means at a glance. Giving some examples may help.

• What cannot be achieved WITHOUT multiplexed transport?
• What can be achieved WITH multiplexed transport?

[dora-gt]

Do the two entities include Server?
I could not make it clear that...

• Two entities mean sender/receiver AND server
• Two entities mean sender AND receiver, and do not contain server

[dora-gt]

Also, I could not understand what initiates means here because Setup section explains the initiation, doesn't it?

In the section, it seems that we don't use ILP packet for the initiation.

It may be hard to explain the structure and the procedure without some diagrams.

[dora-gt]

Before the Relation, I strongly recommend to explain what multiplexed or STREAM means essentially. What we can do with STREAM. Up to here, I could not imagine what it is exactly.

• Sending money to multiple addresses using a single connection?
• Sending not only money transfer data but also data that is not concerned with the money transfer, and these are bidirectional?

Basically, readers want a big and essential picture first of all.

[emschwartz]

I simplified the protocol further, fleshed out the descriptions more, and incorporated feedback from the first round of review. Let me know if you have any comments or questions!

[adrianhopebailie]

This is fantastic! Some editorial suggestions and a few questions but nothing to block publishing

[adrianhopebailie]

s/another another/another/

[adrianhopebailie]

s/choice streams/choice of streams/

[adrianhopebailie]

Define half-open streams

[adrianhopebailie]

Define half-open connections

[adrianhopebailie]

• The encryption algorithm that will be used to encrypt the ILP packet data (optional -- assumed to be AES-256-GCM)

[emschwartz]

I don't think it's necessary to put that. Right now version 1 doesn't let you use other ciphers. A version 1.1 or 2 could, in which case you might need to communicate that. But this spec really just defines v1

[adrianhopebailie]

Sure, I was just being consistent with the first bullet (STREAM version)

[adrianhopebailie]

specify encoding of the string (UTF-8 I think if you're using Nodejs defaults)

[emschwartz]

Since it's all plain ascii characters, the string is the same in ASCII and UTF8

[adrianhopebailie]

True. Although, I think specifying the encoding is still worth doing because crypto algorithms are generally defined with either numbers or octet streams as input not strings. Specifying the encoding just explicitly tells the reader how to go from the string to the desired octets.

[adrianhopebailie]

Since we recommend closing connections after 2^32 packets have been sent couldn't this be fixed length?

[emschwartz]

True. I don't feel that strongly about this but VarUInts are shorter until you're in the tens of millions, which I doubt we're going to get to very frequently.

[adrianhopebailie]

Yeh, I think if you made this UInt32 it would still be less efficient than VarUInt for the majority of packets.

[adrianhopebailie]

Is this not UInt64 to save space?

[emschwartz]

Yeah, and to be more consistent with the rest of the fields in this protocol. I could be convinced if someone feels strongly that it should be a UInt64

[adrianhopebailie]

My only thought was that this will always correspond to an amount in an ILP packet but I think you are right that saving bytes should be the priority.

[sharafian]

Some questions regarding the explanations, but overall LGTM

[sharafian]

Endpoint makes me think of an HTTP endpoint, so I keep having to do a double take. The fact that we're using this for paid APIs which one may describe as a "paid endpoint" could make it more confusing too.

[emschwartz]

I used that term in this rewrite just because that was what QUIC used. Before I was using "entity" or "party" which seem too vague. I hear you on the potential confusion though.

[dora-gt]

I think Endpoint is a really good word because it makes me imagine something except for connectors that lie in the middle, the very end of the stream which means sender or receiver even if it sometimes recalls us HTTP endpoint.

To make it better, I propose modifying

• Endpoint - The client or server end of a connection
  to
• Endpoint - The client or server end of a connection, which can be terminal sender or receiver of money and data.

[sharafian]

What's the default maximum stream ID?

[emschwartz]

In the implementation it's 20 (so it'll let the other side open 10 streams).

One thing QUIC has that I didn't include here is an initial parameter negotiation. I thought it seemed unnecessary to have another data format for communicating these, but we could suggest (or mandate) that the first packet include frames to indicate the max stream ID and the max connection data.

[sharafian]

Given that the receiver's units can never be trusted nor relied upon, we should explain why the exchange rate is important to keep track of.

[sharafian]

what happens if the ConnectionNewAddress frame is dropped or is otherwise rejected? Also, can ConnectionNewAddress be sent in a response packet or only a prepare?

[emschwartz]

If you are actually going to do a switch-over you probably want to keep listening on both for a couple seconds or so (so that you get packets that might have been in flight before you switched). If you want to know for sure that the frame was received, you need to put it in a Prepare.

[sharafian]

Doesn't the authenticated encryption make it impossible for an attacker to pull this attack off? This paragraph makes it sound like that attack is possible under the current protocol.

[emschwartz]

Authenticated encryption means you know if you're not talking to the right party. However, the point of this attack is to create a legitimate connection to you and then tell you I've changed my address to that of the victim so that you bombard the new address with data. The mitigation for this is that if you get an address change you probably shouldn't send more than one packet before getting a valid (authenticated) message back from the new address.

[emschwartz]

That isn't in the ILP address, those values are in the encryption envelope in the ILP packet data

[sharafian]

is it 2^31 in order to give a bigger safety margin, or did you mean to write 2^32-1?

[emschwartz]

Both sides are encrypting messages with the same key, so unless they keep track of how many packets they've gotten from the other side they should only send 2^31 messages each

We discussed the loopback protocol and concluded not to pursue it for now

[traviscrist]

Minor typo resopnse

[adrianhopebailie]

Ship it!