Re: [quicwg/base-drafts] Discard Initial keys as soon as possible (#2045)

ekr <notifications@github.com> Fri, 23 November 2018 19:34 UTC


ekr requested changes on this pull request.



> @@ -439,6 +456,13 @@ Either packet indicates that the Initial was received but not processed.
 Neither packet can be treated as an acknowledgment for the Initial, but they MAY
 be used to improve the RTT estimate.
 
+#### Discarding Initial State
+
+As described in Section 4.10 of {{QUIC-TLS}}, endpoints stop sending and
+receiving Initial packets once they start exchanging Handshake packets.  At this
+point, all loss recovery state for the Initial encryption level is also
+discarded.
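
Review bot: "all loss recovery state for the Initial encryption level" in the last sentence is not defined in this hunk, so a reader cannot tell which variables are kept per level and which are shared. Suggest listing what is dropped (for example the sent-packet records and any timers armed for Initial packets) and stating that state for the other encryption levels is left untouched. The trigger "once they start exchanging Handshake packets" is also looser than the rule in the Discarding Initial Keys text for {{QUIC-TLS}}, where the client acts on first sending a Handshake packet and the server on first successfully processing one; referring to that rule instead of restating it would keep the two from drifting apart.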

I'm not sure I understand what this means; it seems like there is one set of variables. Do you mean you reset all the variables to the initial values?

> @@ -1059,6 +1083,14 @@ A sender that does not use pacing SHOULD reset its congestion window to the
 minimum of the current congestion window and the initial congestion window.
 This recommendation is based on Section 4.1 of {{?RFC5681}}.
 
+## In-Flight Packet Accounting
+
+When keys for an encryption level are discarded (see {{QUIC-TLS}}), any packets
+sent with those keys are removed from the count of bytes in flight.  No loss
+events will occur for these packets.  Note that it is expected that keys are
+discarded after those packets would be declared lost, but Initial secrets are
+destroyed earlier.
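
Review bot: the final sentence ("Note that it is expected that keys are discarded after those packets would be declared lost, but Initial secrets are destroyed earlier.") states an exception without saying what follows from it. Suggest saying directly that Initial packets can still be outstanding when their keys are discarded, that their bytes are subtracted from bytes in flight at that moment, and that this removal is not treated as a loss by congestion control. "No loss events will occur for these packets" would also read better as a requirement on the sender than as a prediction.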

I'm not sure I understand this text.

> @@ -691,6 +692,24 @@ will be marked as lost before this, as they leave a gap in the sequence of
 packet numbers.
 
 
+## Discarding Initial Keys {#discard-initial}
+
+Packets protected with Initial secrets ({{initial-secrets}}) are not
+authenticated, meaning that an attacker could spoof packets with the intent to
+disrupt a connection.  To limit these attacks, Initial packet protection keys
+can be discarded more aggressively than other keys.
+
+The successful use of Handshake packets indicates that no more Initial packets
+need to be exchanged, as these keys can only be produced after receiving all
+CRYPTO frames from Initial packets.  Thus, a client MUST discard Initial keys
+when it first sends a Handshake packet and a server MUST discard Initial keys
+when it first successfully processes a Handshake packet.  Endpoints MUST NOT
+send Initial packets after this point.
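
Review bot: the last paragraph forbids sending Initial packets after the discard point but says nothing about Initial packets that arrive after it. Since the first paragraph motivates the change with spoofed Initial packets, the text should state that such packets are dropped without changing connection state. The wording also moves from "can be discarded more aggressively" to "MUST discard"; the two paragraphs should use one requirement level. The triggers are asymmetric (client on first send, server on first successful processing), and a sentence explaining why the client does not need to wait for anything further from the server would help.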

I thought the sense of the discussion in BKK was *not* to do this. It's a weird kind of implicit ACKing. This probably needs list and issue discussion, not just merging at this time.
