Re: [quicwg/base-drafts] Forgery limits on packet protection (#3619)

Martin Thomson <> Wed, 06 May 2020 07:21 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 6F3373A0064 for <>; Wed, 6 May 2020 00:21:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -6.555
X-Spam-Status: No, score=-6.555 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_IMAGE_ONLY_20=1.546, HTML_MESSAGE=0.001, MAILING_LIST_MULTI=-1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id ZB2zBGm86qXA for <>; Wed, 6 May 2020 00:21:15 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 0F23E3A00AD for <>; Wed, 6 May 2020 00:21:15 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id 63840A0D07 for <>; Wed, 6 May 2020 00:21:14 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=pf2014; t=1588749674; bh=DQKhYXX72iQ2E+Y8iGS2ppP9w265lG9RhcrxOl5uTyg=; h=Date:From:Reply-To:To:Cc:In-Reply-To:References:Subject:List-ID: List-Archive:List-Post:List-Unsubscribe:From; b=YLBgmu6JfeOBDf02bgqgg3QMBNvd/xgUDPY8haT0gAByq2zoA+Kr90ZNchbI/iC4O 7hs6jkrGjxFruWJHnuKTRitCDaACvG6tOlJxIBzwMVkrZ5VH/MnuKi3Zyjukhexsm0 k5aNiKfdgi0yIvxgaVwQbUQeGcK/iZvEiqoVEWtg=
Date: Wed, 06 May 2020 00:21:14 -0700
From: Martin Thomson <>
Reply-To: quicwg/base-drafts <>
To: quicwg/base-drafts <>
Cc: Subscribed <>
Message-ID: <quicwg/base-drafts/issues/3619/>
In-Reply-To: <quicwg/base-drafts/issues/>
References: <quicwg/base-drafts/issues/>
Subject: Re: [quicwg/base-drafts] Forgery limits on packet protection (#3619)
Mime-Version: 1.0
Content-Type: multipart/alternative; boundary="--==_mimepart_5eb2656a53ddc_40c33fe0fb6cd95c118122f"; charset="UTF-8"
Content-Transfer-Encoding: 7bit
Precedence: list
X-GitHub-Sender: martinthomson
X-GitHub-Recipient: quic-issues
X-GitHub-Reason: subscribed
X-Auto-Response-Suppress: All
Archived-At: <>
X-Mailman-Version: 2.1.29
List-Id: Notification list for GitHub issues related to the QUIC WG <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 06 May 2020 07:21:17 -0000

I realize that I didn't respond to @anrossi.  That advice applies to the limits that TLS specifies already; this issue is primarily about responding to forgeries.

That said, 1G is pretty good advice.  However what we've seen from this analysis that 1G results in a lower safety margin than TLS aims for.  But it's close enough that if the AEAD is as good as the set we have here, you are probably OK.  However, this does depend a lot on the specific AEAD.  I'd be uncomfortable using so simple a guide in the general case.

You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub: