QUIC: Extract more QUIC flow details

[jmuecke]

We extend ipfixprobe's quic module by extracting the following additional QUIC meta information:

Output field	Type	Description
QUIC_SNI	string	Decrypted server name
QUIC_USER_AGENT	string	Decrypted user agent
QUIC_VERSION	uint32	QUIC version from first server long header packets
QUIC_CLIENT_VERSION	uint32	QUIC version from first client long header packet
QUIC_TOKEN_LENGTH	uint64	Token length from Initial and Retry packets
QUIC_OCCID	bytes	Source Connection ID from first client packet
QUIC_OSCID	bytes	Destination Connection ID from first client packet
QUIC_SCID	bytes	Source Connection ID from first server packet
QUIC_RETRY_SCID	bytes	Source Connection ID from Retry packet
QUIC_MULTIPLEXED	uint8	> 0 if multiplexed (at least two different QUIC_OSCIDs or SNIs)
QUIC_ZERO_RTT	uint8	Number of 0-RTT packets in flow.
QUIC_SERVER_PORT	uint16	TODO Server Port determined by packet type and TLS message
QUIC_PACKETS	uint8*	QUIC long header packet type (v1 encoded), version negotiation, QUIC bit
QUIC_CH_PARSED	uint8	>0 if TLS Client Hello parsed without errors
QUIC_TLS_EXT_TYPE	uint16*	TLS extensions in the TLS Client Hello
QUIC_TLS_EXT_LEN	uint16*	Length of each TLS extension
QUIC_TLS_EXT	string	Payload of all/application_layer_protocol_negotiation and quic_transport params TLS extension

Additional improvements:

• Previously ipfixprobe detected QUIC flows as UDP flows on port 443 that include a QUIC Initial packet. The new detection is requires the transport protocol UDP, a minimum length for long header packets, a known QUIC version and a QUIC long header packet.
• Previously ipfixprobe only parsed the first packet of a flow and tested against QUIC. We now test all packets in a flow against QUIC long header packet properties (see above).
• Previously ipfixprobe only considered the first QUIC packet in the UDP payload. We now parse all coalesced packets with a long header.
• We extract both versions in compatible version negotiation.
• The retry token length is extracted from Retry packets.
• We detect if the same 5/4-tuple is used by multiple different QUIC connections.

Limitations:

• We are unable to detect client migration and subsequently added paths (Multipath QUIC).
• We do not parse any short header packets.

[SiskaPavel]

Hello, please apply changes from branch feature-quic-tud (commit c5297ff). After this the merge request will be ready for merge.

[SiskaPavel]

Modify this if statement:

process/quic.cpp: In member function ‘void ipxp::QUICPlugin::set_client_hello_fields(ipxp::QUICParser*, ipxp::Flow&, ipxp::RecordExtQUIC*, const ipxp::Packet&, bool)’:
process/quic.cpp:265:33: warning: suggest parentheses around ‘&&’ within ‘||’ [-Wparentheses]
  265 |             || (!new_quic_flow) && (quic_data->retry_scid_length == dcid_len))
      |                ~~~~~~~~~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

[jmuecke]

I applied the commit and modified that condition to get rid of the compiler warning.

I also changed part or the retry code, to only act upon the first retry packet.