Re: [quicwg/base-drafts] Desirable behavior when it takes time to derive the traffic keys for the next PN space (#3821)
Jana Iyengar <notifications@github.com> Wed, 29 July 2020 02:27 UTC
Return-Path: <noreply@github.com>
X-Original-To: quic-issues@ietfa.amsl.com
Delivered-To: quic-issues@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8A6733A0EE3 for <quic-issues@ietfa.amsl.com>; Tue, 28 Jul 2020 19:27:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 1.899
X-Spam-Level: *
X-Spam-Status: No, score=1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, GB_SUMOF=5, HTML_MESSAGE=0.001, MAILING_LIST_MULTI=-1, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=github.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id k895kUOsbkGw for <quic-issues@ietfa.amsl.com>; Tue, 28 Jul 2020 19:27:46 -0700 (PDT)
Received: from out-21.smtp.github.com (out-21.smtp.github.com [192.30.252.204]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BDFF33A0E2D for <quic-issues@ietf.org>; Tue, 28 Jul 2020 19:27:45 -0700 (PDT)
Received: from github-lowworker-52827f8.ash1-iad.github.net (github-lowworker-52827f8.ash1-iad.github.net [10.56.108.24]) by smtp.github.com (Postfix) with ESMTP id F0347520E54 for <quic-issues@ietf.org>; Tue, 28 Jul 2020 19:27:44 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=github.com; s=pf2014; t=1595989664; bh=XRnQZR6CRddULT7gy93+xUGkXsUSlI19dwRrlhJ1/YQ=; h=Date:From:Reply-To:To:Cc:In-Reply-To:References:Subject:List-ID: List-Archive:List-Post:List-Unsubscribe:From; b=shFiHK3LbEgSXPDC85GQmfP9luqJL+4GNH3xmU9FwR+HYcUDkaluj8tdlAhwDm9uj qs2wfaYQDxXkj/lAm5kwqoaGG93FX020D4d4NKaTh/IImd71waApZ2L9jyQJBuvfuu RwEvMYf5v1IWkFgY/9Cp+jkmxqJjL+wqgszfdi3o=
Date: Tue, 28 Jul 2020 19:27:44 -0700
From: Jana Iyengar <notifications@github.com>
Reply-To: quicwg/base-drafts <reply+AFTOJKZXNRTRRK5U6NT7UUN5FS72BEVBNHHCNTMDWA@reply.github.com>
To: quicwg/base-drafts <base-drafts@noreply.github.com>
Cc: Subscribed <subscribed@noreply.github.com>
Message-ID: <quicwg/base-drafts/issues/3821/665393532@github.com>
In-Reply-To: <quicwg/base-drafts/issues/3821@github.com>
References: <quicwg/base-drafts/issues/3821@github.com>
Subject: Re: [quicwg/base-drafts] Desirable behavior when it takes time to derive the traffic keys for the next PN space (#3821)
Mime-Version: 1.0
Content-Type: multipart/alternative; boundary="--==_mimepart_5f20dea0e0b33_1c8516f814995c"; charset="UTF-8"
Content-Transfer-Encoding: 7bit
Precedence: list
X-GitHub-Sender: janaiyengar
X-GitHub-Recipient: quic-issues
X-GitHub-Reason: subscribed
X-Auto-Response-Suppress: All
X-GitHub-Recipient-Address: quic-issues@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic-issues/Pk6r79iKMXpqPHegzhgUqfsdszg>
X-BeenThere: quic-issues@ietf.org
X-Mailman-Version: 2.1.29
List-Id: Notification list for GitHub issues related to the QUIC WG <quic-issues.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic-issues>, <mailto:quic-issues-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic-issues/>
List-Post: <mailto:quic-issues@ietf.org>
List-Help: <mailto:quic-issues-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic-issues>, <mailto:quic-issues-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 29 Jul 2020 02:27:48 -0000
Posting the email I sent out to the list here, FTR. This got no pushback and support, FWIW. Note that this resolution makes this issue a design one, so I'm removing the editorial tag. ``` Problems: During the handshake, an endpoint can receive packets (carrying data or acknowledgements) that it cannot decrypt because the requisite keys are not yet available. This can happen because the crypto machinery at the endpoint is waiting for earlier packets to be received to yield the keys. Similarly, a client might not be able to read 1-RTT packets received from the server because it is waiting for certificate validation to complete. 1. The assumption in the TLS specification is that when an endpoint is busy doing something (certificate validation or key generation for instance), it won't be able to respond to received packets with acknowledgements (Section 4.1.4). Contrary to the assumption in the spec, Chrome and Firefox both process the certificate chain asynchronously, and therefore acks handshake packets immediately, even the ones that arrive after they have started verifying the certificate chain. But they buffer 1-RTT packets, and therefore the issue exists for 1-RTT packets. As a result, there's potential delay, sometimes significant, in responding to some packets during the handshake. There are two side effects of this. S1. First, this means that an endpoint that runs a PTO timer and retransmits data for 0-RTT and 1-RTT packets while the handshake is still in progress might be doing this quite unnecessarily. The peer may well have received this data and have queued it, waiting to be able to decrypt it. S2. Second, acks for these packets that are buffered and then later decrypted and read can be sent much later than when the packets were received at the peer, causing the ack_delay to potentially be much higher than the advertised max_ack_delay. The endpoint ignores ack_delay larger than max_ack_delay, and this inflates the smoothed_rtt and rtt_variance, potentially inflating the PTO significantly (which can cause handshakes to fail if the endpoint employs a "handshake timeout" period). Proposed Solutions: S1. To solve the first problem, we already have a condition in the recovery draft to _not_ arm the PTO on 1-RTT data until the handshake is complete (Section 6.2.1). This is not quite adequate, since it still allows a client to arm a PTO timer on 1-RTT data on sending a CFIN and 1-RTT data, before ensuring that the server has received the CFIN. The proposed solution here is to change this condition from "handshake complete" to "handshake confirmed". Meaning that an endpoint only arms a PTO timer on 0-RTT or 1-RTT data when it knows that the peer has the keys necessary to read and write in 1-RTT, and can therefore respond with an ACK. We think this holds up, but we'd like to get this under everyone's eyes, to ensure that the discussion isn't missing subtle deadlock issues. S2. To solve the second problem, the proposal is to use ack_delay as reported by the endpoint that buffers the data appropriately. ack_delay is the amount of the time the information (regardless of that being the packet itself or the acknowledgement) being buffered intentionally. For this, we need the following: - endpoints MUST report an ack_delay that is the sum of the controlled delay (i.e. the duration of the data and the ack being buffered) - endpoints ignore max_ack_delay for acknowledgements of packets that were sent prior to handshake confirmation. Those are the ones that might have been buffered at the peer until keys were ready. In addition, we explicitly recommend endpoints that asynchronously process handshake messages to buffer 1-RTT packets, instead of dropping them, as dropping packets has significant impact on congestion control. Note that this matches what those implementations already do. ``` -- You are receiving this because you are subscribed to this thread. Reply to this email directly or view it on GitHub: https://github.com/quicwg/base-drafts/issues/3821#issuecomment-665393532
- [quicwg/base-drafts] Desirable behavior when it t… Kazuho Oku
- Re: [quicwg/base-drafts] Desirable behavior when … Martin Thomson
- Re: [quicwg/base-drafts] Desirable behavior when … Kazuho Oku
- Re: [quicwg/base-drafts] Desirable behavior when … Kazuho Oku
- Re: [quicwg/base-drafts] Desirable behavior when … ianswett
- Re: [quicwg/base-drafts] Desirable behavior when … Kazuho Oku
- Re: [quicwg/base-drafts] Desirable behavior when … ianswett
- Re: [quicwg/base-drafts] Desirable behavior when … Kazuho Oku
- Re: [quicwg/base-drafts] Desirable behavior when … Jana Iyengar
- Re: [quicwg/base-drafts] Desirable behavior when … Kazuho Oku
- Re: [quicwg/base-drafts] Desirable behavior when … Jana Iyengar
- Re: [quicwg/base-drafts] Desirable behavior when … Kazuho Oku
- Re: [quicwg/base-drafts] Desirable behavior when … Martin Thomson
- Re: [quicwg/base-drafts] Desirable behavior when … Kazuho Oku
- Re: [quicwg/base-drafts] Desirable behavior when … Kazuho Oku
- Re: [quicwg/base-drafts] Desirable behavior when … Martin Thomson
- Re: [quicwg/base-drafts] Desirable behavior when … Jana Iyengar
- Re: [quicwg/base-drafts] Desirable behavior when … Jana Iyengar
- Re: [quicwg/base-drafts] Desirable behavior when … Jana Iyengar
- Re: [quicwg/base-drafts] Desirable behavior when … Jana Iyengar
- Re: [quicwg/base-drafts] Desirable behavior when … ianswett
- Re: [quicwg/base-drafts] Desirable behavior when … ianswett
- Re: [quicwg/base-drafts] Desirable behavior when … Jana Iyengar
- Re: [quicwg/base-drafts] Desirable behavior when … Kazuho Oku
- Re: [quicwg/base-drafts] Desirable behavior when … Kazuho Oku
- Re: [quicwg/base-drafts] Desirable behavior when … ianswett
- Re: [quicwg/base-drafts] Desirable behavior when … ianswett
- Re: [quicwg/base-drafts] Desirable behavior when … ianswett
- Re: [quicwg/base-drafts] Desirable behavior when … Martin Thomson
- Re: [quicwg/base-drafts] Desirable behavior when … Jana Iyengar