IETF Logo Mail Archive

Re: [quicwg/base-drafts] [Version Ossification] Alternative version and Initial Salt should be part of NEW_TOKEN (#3111)

Kazuho Oku <notifications@github.com> Tue, 22 October 2019 03:00 UTC

Return-Path: <noreply@github.com>
X-Original-To: quic-issues@ietfa.amsl.com
Delivered-To: quic-issues@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 89427120B22 for <quic-issues@ietfa.amsl.com>; Mon, 21 Oct 2019 20:00:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.74
X-Spam-Level:
X-Spam-Status: No, score=-7.74 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, HTML_OBFUSCATE_05_10=0.26, MAILING_LIST_MULTI=-1, RCVD_IN_DNSWL_HI=-5, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=github.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id W41F7RYG40ni for <quic-issues@ietfa.amsl.com>; Mon, 21 Oct 2019 20:00:41 -0700 (PDT)
Received: from out-7.smtp.github.com (out-7.smtp.github.com [192.30.252.198]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E5F82120B19 for <quic-issues@ietf.org>; Mon, 21 Oct 2019 20:00:40 -0700 (PDT)
Received: from github-lowworker-25680bd.va3-iad.github.net (github-lowworker-25680bd.va3-iad.github.net [10.48.17.61]) by smtp.github.com (Postfix) with ESMTP id 3F2E42C20DD for <quic-issues@ietf.org>; Mon, 21 Oct 2019 20:00:40 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=github.com; s=pf2014; t=1571713240; bh=0y6UrlcO23b8Fo8cGHvvcWtrxBs8w2xkHGMMNlgDSG0=; h=Date:From:Reply-To:To:Cc:In-Reply-To:References:Subject:List-ID: List-Archive:List-Post:List-Unsubscribe:From; b=yp/OtXij3NB90vCfAhglhgaucs3IEksRYL0MVAehGFu0J5EoHh+4Brjg49HQ6/7NJ y6kljyoid78hjc/ig0FyUmYyibd1ZWs4rGE1MRM11Lw4oK8dVx5zqGnSEQFeeux7Bf RBfMvF+Ucb7Kl2oPrLt+2odEb7G8f3MRiHRtLwT0=
Date: Mon, 21 Oct 2019 20:00:40 -0700
From: Kazuho Oku <notifications@github.com>
Reply-To: quicwg/base-drafts <reply+AFTOJK5HEALSYK6Q7Z5RCMV3XORVREVBNHHB4UHVOQ@reply.github.com>
To: quicwg/base-drafts <base-drafts@noreply.github.com>
Cc: Subscribed <subscribed@noreply.github.com>
Message-ID: <quicwg/base-drafts/issues/3111/544787363@github.com>
In-Reply-To: <quicwg/base-drafts/issues/3111@github.com>
References: <quicwg/base-drafts/issues/3111@github.com>
Subject: Re: [quicwg/base-drafts] [Version Ossification] Alternative version and Initial Salt should be part of NEW_TOKEN (#3111)
Mime-Version: 1.0
Content-Type: multipart/alternative; boundary="--==_mimepart_5dae70d830639_52f23fc890ecd96448144"; charset="UTF-8"
Content-Transfer-Encoding: 7bit
Precedence: list
X-GitHub-Sender: kazuho
X-GitHub-Recipient: quic-issues
X-GitHub-Reason: subscribed
X-Auto-Response-Suppress: All
X-GitHub-Recipient-Address: quic-issues@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic-issues/TqqH_DGyljNuUAKCfOeFu7RGfv0>
X-BeenThere: quic-issues@ietf.org
X-Mailman-Version: 2.1.29
List-Id: Notification list for GitHub issues related to the QUIC WG <quic-issues.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic-issues>, <mailto:quic-issues-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic-issues/>
List-Post: <mailto:quic-issues@ietf.org>
List-Help: <mailto:quic-issues-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic-issues>, <mailto:quic-issues-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 22 Oct 2019 03:00:46 -0000

@ianswett 
> To clarify what you're getting from this that isn't achieved in TPs is that here you're guaranteed that when the client comes back with the version and salt, they'll also specify the Token. But if these were in transport params, then the client might decide not to send the subsequently transmitted token with the version and salt or the corresponding token might not get delivered in time?

That's correct.

Unless we require the token and the alternative salt to be used together, the only source that we could use to determine the initial salt would be the version number field. That means that there can be at most 2<sup>32</sup> salts, therefore we'd see a birthday problem once we handle 2<sup>16</sup> connections. That's more than enough for ossification, but not as a way to encrypt Initial packets.

If we bundle the token and the alternative salt, and require them to be used together, then the value space of the alternative salt becomes 2<sup>128</sup> that can be unique to each connection.

Note also that being possible to deduct the alternative salt from the NEW_TOKEN tokens simplifies the deployment, because servers dealing with NEW_TOKEN tokens are expected to have a way to deduce other information from the token. The complexity becomes to just adding one more information (which is the alternative salt) to that set of information, whereas we'd be required to retain a map (or define a way to a map) that lists the alternative version numbers and salts, if we do not require the token and the alternative salt to be used together.

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/quicwg/base-drafts/issues/3111#issuecomment-544787363

v2.23.0 | Report a Bug | By Email