Re: [quicwg/base-drafts] Early CONNECTION_CLOSE fixes (#3440)

Jana Iyengar <notifications@github.com> Wed, 04 March 2020 00:39 UTC

Return-Path: <noreply@github.com>
X-Original-To: quic-issues@ietfa.amsl.com
Delivered-To: quic-issues@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C1B733A096F for <quic-issues@ietfa.amsl.com>; Tue, 3 Mar 2020 16:39:01 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.1
X-Spam-Level:
X-Spam-Status: No, score=-3.1 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, MAILING_LIST_MULTI=-1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=github.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id O7sIJtMVbIJc for <quic-issues@ietfa.amsl.com>; Tue, 3 Mar 2020 16:38:58 -0800 (PST)
Received: from out-11.smtp.github.com (out-11.smtp.github.com [192.30.254.194]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 70D2C3A0967 for <quic-issues@ietf.org>; Tue, 3 Mar 2020 16:38:58 -0800 (PST)
Received: from github-lowworker-f144ac1.va3-iad.github.net (github-lowworker-f144ac1.va3-iad.github.net [10.48.16.59]) by smtp.github.com (Postfix) with ESMTP id 1505C261576 for <quic-issues@ietf.org>; Tue, 3 Mar 2020 16:38:57 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=github.com; s=pf2014; t=1583282337; bh=lM+wcv+xDJSOI82BBS8pkQdKixBgthyMaycIbKnEHgA=; h=Date:From:Reply-To:To:Cc:In-Reply-To:References:Subject:List-ID: List-Archive:List-Post:List-Unsubscribe:From; b=nHPmK0ND7WwFsOLM58x+BZ9vaX7+rQNLIfBcM6EHukwLoAW9aVUFQLoTMmwUsWFOT MzdmRyQBERi6jATVXxLwZL7uQKrrKWi3Z5MtIcz32AdPhXyhDs+kmq2WAlp9Z/MR+O ixdvDGvlm4kRynwAwD7mSsMFitYlp3DjZXBp2t9M=
Date: Tue, 03 Mar 2020 16:38:56 -0800
From: Jana Iyengar <notifications@github.com>
Reply-To: quicwg/base-drafts <reply+AFTOJK2ZZDHXMU34XA4TZCF4NLM2BEVBNHHCC4MTBY@reply.github.com>
To: quicwg/base-drafts <base-drafts@noreply.github.com>
Cc: Subscribed <subscribed@noreply.github.com>
Message-ID: <quicwg/base-drafts/pull/3440/review/368409255@github.com>
In-Reply-To: <quicwg/base-drafts/pull/3440@github.com>
References: <quicwg/base-drafts/pull/3440@github.com>
Subject: Re: [quicwg/base-drafts] Early CONNECTION_CLOSE fixes (#3440)
Mime-Version: 1.0
Content-Type: multipart/alternative; boundary="--==_mimepart_5e5ef8a0c3298_5a6d3fb5f1ecd95c139382"; charset="UTF-8"
Content-Transfer-Encoding: 7bit
Precedence: list
X-GitHub-Sender: janaiyengar
X-GitHub-Recipient: quic-issues
X-GitHub-Reason: subscribed
X-Auto-Response-Suppress: All
X-GitHub-Recipient-Address: quic-issues@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic-issues/H2oN6tIrvB_1G_fWPx6GormMdc0>
X-BeenThere: quic-issues@ietf.org
X-Mailman-Version: 2.1.29
List-Id: Notification list for GitHub issues related to the QUIC WG <quic-issues.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic-issues>, <mailto:quic-issues-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic-issues/>
List-Post: <mailto:quic-issues@ietf.org>
List-Help: <mailto:quic-issues-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic-issues>, <mailto:quic-issues-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 04 Mar 2020 00:39:02 -0000

janaiyengar commented on this pull request.

A few suggestions, but overall looks good!

> @@ -415,12 +415,18 @@ A QUIC client starts TLS by requesting TLS handshake bytes from TLS.  The client
 acquires handshake bytes before sending its first packet.  A QUIC server starts
 the process by providing TLS with the client's handshake bytes.
 
-At any time, the TLS stack at an endpoint will have a current sending encryption
-level and receiving encryption level. Each encryption level is associated with a
-different flow of bytes, which is reliably transmitted to the peer in CRYPTO
-frames. When TLS provides handshake bytes to be sent, they are appended to the
-current flow and any packet that includes the CRYPTO frame is protected using
-keys from the corresponding encryption level.
+At any time, the TLS stack at an endpoint will have a current sending
+encryption level and receiving encryption level. Encryption levels correspond
+roughly to packet number spaces and determine the packet type and keys that are
+used for protecting data.
+
+Each encryption level is associated with a different flow of bytes, which is
+reliably transmitted to the peer in CRYPTO frames. When TLS provides handshake
+bytes to be sent, they are appended to the current flow and any packet that

```suggestion
bytes to be sent, they are appended to the current flow. Any packet that
```

> +encryption level and receiving encryption level. Encryption levels correspond
+roughly to packet number spaces and determine the packet type and keys that are
+used for protecting data.

```suggestion
encryption level and receiving encryption level. Encryption levels determine
the packet type and keys that are used for protecting data.
```

(moved this below to be more precise.)

> +0-RTT, Handshake, and 1-RTT packets. CRYPTO frames are carried in just three of
+these levels, omitting the 0-RTT level.

```suggestion
0-RTT, Handshake, and 1-RTT packets. CRYPTO frames are carried in just three of
these levels, omitting the 0-RTT level. These four levels correspond to three packet
number spaces: Initial and Handshake encrypted packets use their own separate
spaces, and 0-RTT and 1-RTT encrypted packets use one other space. 
```

> @@ -1364,12 +1364,11 @@ by the frames that are typically contained in those packets. So, for instance
 the first packet is of type Initial, with packet number 0, and contains a CRYPTO
 frame carrying the ClientHello.
 
-Note that multiple QUIC packets -- even of different encryption levels -- may be
+Note that multiple QUIC packets -- even of different packet types -- can be

Take-it-or-leave-it suggestion: It seems useful to say here that different encryption levels can be coalesced. Perhaps retain this old text here?

>  coalesced into a single UDP datagram (see {{packet-coalesce}}), and so this
 handshake may consist of as few as 4 UDP datagrams, or any number more. For
-instance, the server's first flight contains packets from the Initial encryption
-level (obfuscation), the Handshake level, and "0.5-RTT data" from the server at
-the 1-RTT encryption level.
+instance, the server's first flight contains Initial packets (obfuscation),

```suggestion
instance, the server's first flight contains Initial packets,
```

>  coalesced into a single UDP datagram (see {{packet-coalesce}}), and so this
 handshake may consist of as few as 4 UDP datagrams, or any number more. For
-instance, the server's first flight contains packets from the Initial encryption
-level (obfuscation), the Handshake level, and "0.5-RTT data" from the server at
-the 1-RTT encryption level.
+instance, the server's first flight contains Initial packets (obfuscation),
+Handshake packets, and "0.5-RTT data" in packets with a short header.

```suggestion
Handshake packets, and "0.5-RTT data" in 1-RTT packets with a short header.
```

> +An CONNECTION_CLOSE of type 0x1d MUST be replaced by a CONNECTION_CLOSE of type
+0x1c when sending the frame in Initial packets. Otherwise, information about
+the application state might be revealed. Endpoints MUST clear the value of the
+Reason Phrase field and SHOULD use the APPLICATION_ERROR code when converting
+to a CONNECTION_CLOSE of type 0x1c.

```suggestion
Sending a CONNECTION_CLOSE of type 0x1d in an Initial packet might reveal application
state to third parties. To avoid this leakage, a CONNECTION_CLOSE of type 0x1d MUST
be replaced by a CONNECTION_CLOSE of type 0x1c when sending the frame in Initial
packets. Endpoints MUST clear the value of the Reason Phrase field and SHOULD use
the APPLICATION_ERROR code when converting to a CONNECTION_CLOSE of type 0x1c.
```

>  
-A client will always know whether the server has Handshake keys (see
-{{discard-initial}}), but it is possible that a server does not know whether the
-client has Handshake keys.  Under these circumstances, a server SHOULD send a
-CONNECTION_CLOSE frame in both Handshake and Initial packets to ensure that at
-least one of them is processable by the client.  Similarly, a peer might be
-unable to read 1-RTT packets, so an endpoint SHOULD send CONNECTION_CLOSE in
-Handshake and 1-RTT packets prior to confirming the handshake.  These packets
-can be coalesced into a single UDP datagram; see {{packet-coalesce}}.
+CONNECTION_CLOSE frames sent in multiple packets can be coalesced into a single

```suggestion
CONNECTION_CLOSE frames sent in multiple packets types can be coalesced into a single
```

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/quicwg/base-drafts/pull/3440#pullrequestreview-368409255