Implement DAP-13 - Githubissues

branlwyd commented 1 month ago

DAP-13: https://www.ietf.org/archive/id/draft-ietf-ppm-dap-13.html

From DAP-09, this will require (roughly):

[x] Poll collection jobs with GET instead of POST. (DAP-10, PR)
[x] Upload reports with POST rather than PUT. (DAP-10, PR)
[x] Remove support for multi-collection of batches, removing max_batch_query_count & the leader-selected by_batch_id query. (DAP-11, PR, [1])
[x] Remove support for Poplar1. (without multi-collection of batches, Poplar1 is not so useful; #3480)
[x] Remove per-task HPKE configurations. (DAP-12, PR)
[x] Rename "query type" to "batch mode", "fixed-size" to "leader-selected". (DAP-12, PR)
[x] Remove max_batch_size. (DAP-12, PR)
[ ] Asynchronous aggregation. (DAP-12, PR, Issue)
[ ] Update collection-related messages to match aggregation messages. (DAP-12, PR)
[x] Replay protection changes. (DAP-12, PR, [2])
[x] Re-number PrepareError values. (DAP-12, PR)
[x] Update to VDAF-13. (DAP-13, PR, [3])
[x] Update to draft-ietf-ppm-dap-taskprov-01. (Spec)
[x] Rename "prepare error" to "report error". (DAP-13, PR)
[x] Rename "upload extension" to "report extension". (DAP-13, PR)
[x] Implement task start time, switch from task end time to task duration. (DAP-13, PR)
[x] Verify that we always reject reports outside of the task's validity window. (DAP-13, PR)
[x] Update embedded messages in Query, BatchSelector, PartialBatchSelector to include length prefix. (DAP-13, PR)
[x] Implement public report extensions. (DAP-13, PR)
[x] Bump version tag. (DAP-13, PR)

[1] Do not remove the part_batch_selector field, as it is restored in a later change. [2] This may not require changes, but we should validate that Janus implements the specified behavior. [3] This depends on a release of libprio-rs implementing VDAF-13 being available.

branlwyd commented 1 week ago

Replay protection changes

For this portion of the work, I think no changes are needed:

Janus implements leader-side replay checking by only ever including a given report into a single aggregation job. This is stricter than required by DAP, which requires removing/not including reports already marked when generating aggregation jobs, but does not require the report to be marked until aggregation is complete.
Janus implements helper-side replay checking by checking/marking replay for a report at time of aggregate initialization (by way of writing a scrubbed client report). This is stricter than required by DAP, which only requires that the check must occur before completing the aggregation job.

N.B. there are a few places where we MUST check replay of a report, where Janus does not do so because we implement the check at an earlier point in the protocol. I don't think we should make functional changes to Janus; we might consider an editorial change to DAP to say something like "Report replay MUST be resolved if it has not already been resolved."

branlwyd commented 6 days ago

Verify that we always reject reports outside of the task's validity window

I verified that we will always reject reports that are outside of the task's valid time window (i.e. task_start to task_end, inclusive).

branlwyd commented 4 days ago

I removed the (optional) indication of unknown extension types by the Leader, filing https://github.com/divviup/janus/issues/3505 instead.

branlwyd commented 2 days ago

I filed #3510 to add support for Prio3MultihotCountVec; it's not required for a compliant DAP-13 implementation, but there is little reason (other than prioritization) not to support it.

divviup / janus

Implement DAP-13 #3436