Re: [quicwg/base-drafts] Flow control for post-handshake CRYPTO messages (#1834)

David Benjamin <> Thu, 25 October 2018 23:32 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 345A712D7F8 for <>; Thu, 25 Oct 2018 16:32:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -8.469
X-Spam-Status: No, score=-8.469 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.47, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, MAILING_LIST_MULTI=-1, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id unYca3WZWHiT for <>; Thu, 25 Oct 2018 16:32:32 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 4507E126DBF for <>; Thu, 25 Oct 2018 16:32:32 -0700 (PDT)
Date: Thu, 25 Oct 2018 16:32:31 -0700
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=pf2014; t=1540510351; bh=Sjryn1KlUS/ObyccSDnGDQanUe/rRZaDgSu7mCOXx70=; h=Date:From:Reply-To:To:Cc:In-Reply-To:References:Subject:List-ID: List-Archive:List-Post:List-Unsubscribe:From; b=FwlQq/5PKknWoB+XZ+tAux1Y+uht/X5yz5ZMKO1+FvycAywq9FJ+2ER3reu5M3gUs 1ttMfV0GYSAJBdwthuCVndo5vY0fWdYDAnVwFMsBKWXA00VBC/NFRmWeWNZgObNgNj px2H1IFF+ISEsg7tsOehDDEzqdsqBpHuRfJ9KNQM=
From: David Benjamin <>
Reply-To: quicwg/base-drafts <>
To: quicwg/base-drafts <>
Cc: Subscribed <>
Message-ID: <quicwg/base-drafts/issues/1834/>
In-Reply-To: <quicwg/base-drafts/issues/>
References: <quicwg/base-drafts/issues/>
Subject: Re: [quicwg/base-drafts] Flow control for post-handshake CRYPTO messages (#1834)
Mime-Version: 1.0
Content-Type: multipart/alternative; boundary="--==_mimepart_5bd2528f60d1c_30a53fb7b5ad45c4242051f"; charset="UTF-8"
Content-Transfer-Encoding: 7bit
Precedence: list
X-GitHub-Sender: davidben
X-GitHub-Recipient: quic-issues
X-GitHub-Reason: subscribed
X-Auto-Response-Suppress: All
Archived-At: <>
X-Mailman-Version: 2.1.29
List-Id: Notification list for GitHub issues related to the QUIC WG <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 25 Oct 2018 23:32:34 -0000

Right, this issue originally came up as we were thinking through key availability vs key install times. The problem is, as you note, it's weird to allow sending data you cannot read ACKs for. (Conversely, it's weird, perhaps fatally so, to allow receiving data you cannot send ACKs for.) Though it's not the only scenario. The other side may send a burst of tickets.

> I'm very much inclined to leave this "unfixed", but to leave a warning that sending large post-handshake messages risks connection failure.

The point is that's not a sufficient warning. This is either a problem or a nitpick depending on the solution.

Sending an overly large message, in general, risks connection failure. TLS stacks bound the size there based on some ad-hoc analysis that no sane NewSessionTicket (or other message) will ever exceed such-and-such bytes based on what goes in it. TLS stacks typically buffer up a message before processing, so it makes sense that the TLS stack is responsible for buffering it.

But that's distinct from sending *many* post-handshake messages. TLS over QUIC must also account for that due to the lack of flow control. TLS over TCP does not have this problem because TCP provides flow control. If I try to send a million 100-byte TLS messages over TCP, I'll quickly run into TCP's flow control.

QUIC, however, doesn't have such flow control for CRYPTO frames. Instead it relies on a limit from the crypto protocol:

Although the TLS stack natively bounds *a single message* rather than *total data*, it is easy to compute a total limit during the handshake because there are only a fixed handful of messages. Thus the advice there works.... *except* for post-handshake messages. Thus the issue.

Realistically, it's probably fine to handwaive and say:
* The bound is not total data ever sent at the encryption level, but amount of data ahead of the read position.
* Pick some ad-hoc limit for post-handshake stuff, enough to fit a bunch of NSTs.
* Yeah, don't send too many NSTs in a row. You can send a bunch of them over the lifetime of the connection, but space them out a bit so you're sure the receiver isn't waiting on the first byte, having buffered the rest up.
* Probably you won't end up in a situation where the first NST packet keeps getting lost and as you queue up more and more NSTs over the lifetime of the connection. That would be strange.

You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub: