Re: [quicwg/base-drafts] token-based greasing / initial packet protection (#3166)

Mike Bishop <> Tue, 05 November 2019 15:28 UTC

MikeBishop commented on this pull request.

> +which is comprised of:
+* Version number; a 32-bit unsigned number that is to be presented on wire in
+  place of the version number specified in this document.  This value MUST NOT
+  be a reserved version ({{versions}}).
+* Packet type modifier; a two-bit value that obfuscates the Long Packet Type of
+  a long header packet ({{long-header}}).  The long packet type bits of a long
+  header packet is encoded as an bit-wise exclusive or (XOR) of the packet type
+  modifier and the type numbers defined in {{long-packet-types}}.
+* Initial salt; a 16-byte binary blob that is to be used in place of the initial
+  salt defined in section 5.2 of {{QUIC-TLS}}.
+A server advertises these seeds using a NEW_TOKEN frame {{frame-new-token}}.
+The token MUST permit the server to recover these seeds.  This property can be
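
Review bot: The first bullet constrains the alternate version number only by "MUST NOT be a reserved version"; nothing in these lines keeps it from equalling the version number specified in this document or another version the server accepts, in which case the server could not tell an alias from a real version on receipt. Consider stating that requirement next to the reserved-version rule. Two smaller points: in the second bullet, "bits of a long header packet is encoded as an bit-wise" should read "bits of a long header packet are encoded as a bitwise", and a blank line before "A server advertises these seeds" would keep that sentence from being folded into the last list item.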

That's true as well, but the processing flow is:

- Server recognizes version alias, which permits it to find the token field
- Server is able to obtain the Initial salt using the combination of version and token (whether it needs both is implementation-dependent)
- Server uses salt to decrypt Initial packet contents

I suggested the "permit ... to recover" language to remove the implication that the token *contains* the salt, but a server could certainly send the same version alias to different clients with different salts if the token enables the mapping.
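
The processing flow described above, as an added example that is not part of the pull request or of any QUIC implementation. It assumes a hypothetical design in which the server derives the salt and packet type modifier from an HMAC over the version alias and an opaque token; `SERVER_KEY`, `ACTIVE_ALIASES` and all function names are illustrative, and the connection ID is a constructed sample.

```python
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)  # hypothetical long-lived server secret
ACTIVE_ALIASES = set()                # version aliases this server has handed out

def is_reserved(version):
    # Versions of the form 0x?a?a?a?a are reserved in the QUIC drafts.
    return (version & 0x0F0F0F0F) == 0x0A0A0A0A

def new_alias():
    # Pick a 32-bit alias that is neither zero nor a reserved version.
    while True:
        v = secrets.randbits(32)
        if v != 0 and not is_reserved(v):
            ACTIVE_ALIASES.add(v)
            return v

def _seeds(alias, token):
    # Assumed derivation: salt and modifier come from (alias, token) under the
    # server key, so the token permits recovery without containing the salt.
    d = hmac.new(SERVER_KEY, alias.to_bytes(4, "big") + token, hashlib.sha256).digest()
    return d[:16], d[16] & 0x03       # 16-byte salt, two-bit type modifier

def issue(alias):
    # Server side of NEW_TOKEN: a fresh token gives each client its own salt,
    # even when several clients share one version alias.
    token = secrets.token_bytes(16)
    salt, modifier = _seeds(alias, token)
    return token, salt, modifier

def recover(wire_version, wire_type_bits, token, dcid):
    # Step 1: recognise the alias, which tells the server how to find the token.
    if wire_version not in ACTIVE_ALIASES:
        return None
    # Step 2: version + token -> salt (and the modifier to undo the type XOR).
    salt, modifier = _seeds(wire_version, token)
    packet_type = wire_type_bits ^ modifier
    # Step 3: HKDF-Extract(salt, DCID) is HMAC-SHA256 keyed with the salt.
    # A forged token yields a salt under which the Initial fails to decrypt.
    initial_secret = hmac.new(salt, dcid, hashlib.sha256).digest()
    return packet_type, salt, initial_secret
```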
