Re: [quicwg/base-drafts] Why does stateless reset have to be checked after MAC failure (#2152)

Martin Thomson <> Mon, 26 August 2019 11:30 UTC


I imagine this to be much simpler than you suggest.  An endpoint that sends packets using a given set of connection IDs puts all the associated stateless reset tokens into a structure.  Then along with decrypting packets, it iterates through that structure and performs a constant time comparison with each.  That's something that won't have weird cache usage patterns, other than the usual cost of getting these values into the cache if they fall out.  The number of active values shouldn't be a secret, which is most of what that tells you.

The result of this will be two Boolean values: whether the AEAD was OK and whether the stateless reset was triggered.  An authentic packet will be the logical OR of those two values.  Anything else is dropped.  After that point, you have crossed into packets being "good", so the time you take to process the packet is less of a concern.

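The receive path Martin describes, as an added example that is not part of the original thread or of any QUIC implementation: every datagram goes through both the AEAD check and a constant-time comparison against every stateless reset token the endpoint currently holds, and only then is the outcome decided. The AEAD is a stand-in built from HMAC-SHA256 (keystream plus tag) so the block runs offline; a real endpoint uses the AEAD negotiated by TLS. The packet layout (one header byte, 12-byte nonce, ciphertext, 16-byte tag) and the `Endpoint` class are assumptions made for the example; the one QUIC-specific detail kept is that the candidate token is the last 16 bytes of the datagram.

```python
"""Receive-path decision: run AEAD decryption and the stateless reset check
on every datagram, then combine the two Booleans. Example code only.
Assumed layout: 1 header byte | 12-byte nonce | ciphertext | 16-byte tag.
The AEAD below is a stand-in (HMAC-SHA256 keystream + HMAC tag), not the
AEAD a QUIC endpoint would negotiate through TLS."""
import hashlib
import hmac

TOKEN_LEN = 16   # stateless reset token length in QUIC
TAG_LEN = 16
NONCE_LEN = 12


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"),
                        hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _subkeys(key: bytes):
    return (hashlib.sha256(key + b"enc").digest(),
            hashlib.sha256(key + b"mac").digest())


def aead_seal(key: bytes, nonce: bytes, aad: bytes, plaintext: bytes) -> bytes:
    enc_key, mac_key = _subkeys(key)
    ks = _keystream(enc_key, nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(mac_key, aad + nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    return ct + tag


def aead_open(key: bytes, nonce: bytes, aad: bytes, data: bytes):
    """Return (ok, plaintext); ok is False on any MAC failure."""
    enc_key, mac_key = _subkeys(key)
    if len(data) < TAG_LEN:
        return False, b""
    ct, tag = data[:-TAG_LEN], data[-TAG_LEN:]
    expected = hmac.new(mac_key, aad + nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    ok = hmac.compare_digest(tag, expected)
    pt = bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))
    return ok, (pt if ok else b"")


class Endpoint:
    """Hypothetical endpoint holding one packet key and the reset tokens
    associated with every connection ID it currently sends with."""

    def __init__(self, key: bytes, reset_tokens):
        self.key = key
        self.reset_tokens = [bytes(t) for t in reset_tokens]

    def build_packet(self, header: bytes, nonce: bytes, payload: bytes) -> bytes:
        return header + nonce + aead_seal(self.key, nonce, header, payload)

    def receive(self, datagram: bytes):
        """Return ('packet', plaintext), ('reset', None) or ('drop', None)."""
        if len(datagram) < 1 + NONCE_LEN + TAG_LEN:
            return ("drop", None)
        header = datagram[:1]
        nonce = datagram[1:1 + NONCE_LEN]
        body = datagram[1 + NONCE_LEN:]

        # Boolean 1: did the AEAD accept the packet?
        aead_ok, plaintext = aead_open(self.key, nonce, header, body)

        # Boolean 2: do the last 16 bytes match any active reset token?
        # Compare against every token, never short-circuit, constant time each.
        candidate = datagram[-TOKEN_LEN:]
        reset_hit = False
        for token in self.reset_tokens:
            reset_hit |= hmac.compare_digest(token, candidate)

        # Authentic iff (aead_ok OR reset_hit); anything else is dropped.
        # Past this point the datagram is known-good, so branching is fine.
        if not (aead_ok or reset_hit):
            return ("drop", None)
        if aead_ok:
            return ("packet", plaintext)
        return ("reset", None)


if __name__ == "__main__":
    # Constructed sample data.
    ep = Endpoint(b"k" * 32, [bytes([i]) * TOKEN_LEN for i in (1, 2, 3)])
    good = ep.build_packet(b"\x40", bytes(NONCE_LEN), b"hello")
    reset = bytes(range(30)) + bytes([2]) * TOKEN_LEN
    print(ep.receive(good), ep.receive(reset), ep.receive(bytes(range(40))))
```

Note that the loop keeps going after a match; whether any token matched is revealed only by what happens next, which is fine because, as the post says, the number of active tokens is not a secret and a matching datagram is authentic.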