Re: [quicwg/base-drafts] Rewrite key update section (#3050)
ianswett <notifications@github.com> Fri, 27 September 2019 17:26 UTC
Return-Path: <noreply@github.com>
X-Original-To: quic-issues@ietfa.amsl.com
Delivered-To: quic-issues@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DCF68120A79 for <quic-issues@ietfa.amsl.com>; Fri, 27 Sep 2019 10:26:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.899
X-Spam-Level:
X-Spam-Status: No, score=-7.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, MAILING_LIST_MULTI=-1, RCVD_IN_DNSWL_HI=-5, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id k3FLitCjskww for <quic-issues@ietfa.amsl.com>; Fri, 27 Sep 2019 10:26:06 -0700 (PDT)
Received: from out-22.smtp.github.com (out-22.smtp.github.com [192.30.252.205]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 23B9C120A76 for <quic-issues@ietf.org>; Fri, 27 Sep 2019 10:26:06 -0700 (PDT)
Received: from github-lowworker-d31a065.va3-iad.github.net (github-lowworker-d31a065.va3-iad.github.net [10.48.17.70]) by smtp.github.com (Postfix) with ESMTP id 76390A1E72 for <quic-issues@ietf.org>; Fri, 27 Sep 2019 10:26:05 -0700 (PDT)
Date: Fri, 27 Sep 2019 10:26:05 -0700
From: ianswett <notifications@github.com>
Reply-To: quicwg/base-drafts <reply+AFTOJKYYUSA3CCE4WJZWKJF3TODL3EVBNHHB3CL6HQ@reply.github.com>
To: quicwg/base-drafts <base-drafts@noreply.github.com>
Cc: Subscribed <subscribed@noreply.github.com>
Message-ID: <quicwg/base-drafts/pull/3050/review/294411517@github.com>
In-Reply-To: <quicwg/base-drafts/pull/3050@github.com>
References: <quicwg/base-drafts/pull/3050@github.com>
Subject: Re: [quicwg/base-drafts] Rewrite key update section (#3050)
Mime-Version: 1.0
Content-Type: multipart/alternative; boundary="--==_mimepart_5d8e462d67354_13833faf9cecd96c2460db"; charset="UTF-8"
Content-Transfer-Encoding: 7bit
Precedence: list
X-GitHub-Sender: ianswett
X-GitHub-Recipient: quic-issues
X-GitHub-Reason: subscribed
X-Auto-Response-Suppress: All
X-GitHub-Recipient-Address: quic-issues@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic-issues/gGU1YbApj1lAJdZPS0ZHghFrH1k>
X-BeenThere: quic-issues@ietf.org
X-Mailman-Version: 2.1.29
List-Id: Notification list for GitHub issues related to the QUIC WG <quic-issues.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic-issues>, <mailto:quic-issues-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic-issues/>
List-Post: <mailto:quic-issues@ietf.org>
List-Help: <mailto:quic-issues-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic-issues>, <mailto:quic-issues-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 27 Sep 2019 17:26:10 -0000
ianswett commented on this pull request. This generally looks like an improvement, some suggestions. > +: Keys of packets other than the 1-RTT packets are never updated; their keys are + derived solely from the TLS handshake state. + +The endpoint that initiates a key update also updates the keys that it uses for +receiving packets. These keys will be needed to process packets the peer sends +after updating. + +An endpoint SHOULD retain old keys so that packets sent by its peer prior to +receiving the key update can be processed. Discarding old keys too early can +cause delayed packets to be discarded. Discarding packets will be interpreted +as packet loss by the peer and could adversely affect performance. + + +## Responding to a Key Update + +Once an endpoint has acknowledged a packet in the current key phase, a peer is I misread this a few times at first, so how about "A peer is permitted to initiate a key update after receiving an acknowledgement of a packet in the current key phase." Or you could remove this sentence entirely given there's a MUST NOT above. > +keys for receiving. + +If a packet is successfully processed using the next key and IV, then the peer +has initiated a key update. The endpoint MUST update its send keys to the +corresponding key phase in response, as described in {{key-update-initiate}}. +Sending keys MUST be updated before sending an acknowledgement for the packet +that was received with updated keys. By acknowledging the packet that triggered +the key update in a packet protected with the updated keys, the endpoint signals +that the key update is complete. + +An endpoint can defer sending the packet or acknowledgement according to its +normal packet sending behaviour; it is not necessary to immediately generate a +packet in response to a key update. The next packet sent by the endpoint will +use the updated keys. The next packet that contains an acknowledgement will +cause the key update to be completed. If an endpoint detects a second update +before it has sent any packets with updated keys or an acknowledgement for the It has to send an acknowledgement, so I think this can be more restrictive? ```suggestion before it has sent any packets with updated keys containing an acknowledgement for the ``` > +keys twice without awaiting confirmation. An endpoint MAY treat consecutive key +updates as a connection error of type KEY_UPDATE_ERROR. + +An endpoint that receives an acknowledgement that is carried in a packet +protected with old keys where any acknowledged packet was protected with newer +keys MAY treat that as a connection error of type KEY_UPDATE_ERROR. This +indicates that a peer has received and acknowledged a packet that initiates a +key update, but has not updated keys in response. + + +## Timing of Receive Key Generation {#receive-key-generation} + +Endpoints responding to an apparent key update MUST NOT generate a timing +side-channel signal that might indicate that the Key Phase bit was invalid (see +{{header-protect-analysis}}). Endpoints can use dummy packet protection keys in +place of discarded keys when key updates are not permitted; using dummy keys There's no way to indicate key updates are not permitted at all, correct? Maybe say "not yet permitted" to be slightly clearer that it's too early/fast, and key updates are not an optional feature. > +has initiated a key update. The endpoint MUST update its send keys to the +corresponding key phase in response, as described in {{key-update-initiate}}. +Sending keys MUST be updated before sending an acknowledgement for the packet +that was received with updated keys. By acknowledging the packet that triggered +the key update in a packet protected with the updated keys, the endpoint signals +that the key update is complete. + +An endpoint can defer sending the packet or acknowledgement according to its +normal packet sending behaviour; it is not necessary to immediately generate a +packet in response to a key update. The next packet sent by the endpoint will +use the updated keys. The next packet that contains an acknowledgement will +cause the key update to be completed. If an endpoint detects a second update +before it has sent any packets with updated keys or an acknowledgement for the +packet that initiated the key update, it indicates that its peer has updated +keys twice without awaiting confirmation. An endpoint MAY treat consecutive key +updates as a connection error of type KEY_UPDATE_ERROR. I'll note that this means every time there is a key update, there is a small window of time where a peer can reset the connection unless the receiver successfully decrypts the incoming packet before sending the connection close. Maybe what you're intending is that the receiver detects a second update and is processed, but I wasn't sure. > +keys. + +Packets with higher packet numbers MUST be protected with either the same or +newer packet protection keys than packets with lower packet numbers. An +endpoint that successfully removes protection with old keys when newer keys were +used for packets with lower packet numbers MUST treat this as a connection error +of type KEY_UPDATE_ERROR. + + +## Receiving with Different Keys {#old-keys-recv} + +For receiving packets during a key update, packets protected with older keys +might arrive if they were delayed by the network. Retaining old packet +protection keys allows these packets to be successfully processed. + +As packet protected with keys from the next key phase use the same Key Phase ```suggestion As packets protected with keys from the next key phase use the same Key Phase ``` > +channel that might reveal which keys were used to remove packet protection. + +Alternatively, endpoints can retain only two sets of packet protection keys, +swapping previous for next after enough time has passed to allow for reordering +in the network. In this case, the Key Phase bit alone can be used to select +keys. + +An endpoint SHOULD allow a period between one and two times the Probe Timeout +(PTO; see {{QUIC-RECOVERY}}) after a key update before it creates the next set +of packet protection keys. These MAY replace the previous keys at that time. +With the caveat that PTO is a subjective measure - that is, a peer could have a +different view of the RTT - this time is expected to be long enough that any +reordered packets would be declared lost by a peer even if they were +acknowledged and short enough to allow for subsequent key updates. + +Endpoints SHOULD allow for the possibility that a peer is not able to handle a I'm confused by the one to two times PTO vs three times PTO here. I prefer this second paragraph that states you need to way 3*PTO after key update is complete, minus the fact I'm unclear what "a peer is not able to handle a key update during this period" means? -- You are receiving this because you are subscribed to this thread. Reply to this email directly or view it on GitHub: https://github.com/quicwg/base-drafts/pull/3050#pullrequestreview-294411517
- [quicwg/base-drafts] Rewrite key update section (… Martin Thomson
- Re: [quicwg/base-drafts] Rewrite key update secti… Martin Thomson
- Re: [quicwg/base-drafts] Rewrite key update secti… Kazuho Oku
- Re: [quicwg/base-drafts] Rewrite key update secti… Martin Thomson
- Re: [quicwg/base-drafts] Rewrite key update secti… Kazuho Oku
- Re: [quicwg/base-drafts] Rewrite key update secti… David Schinazi
- Re: [quicwg/base-drafts] Rewrite key update secti… Martin Thomson
- Re: [quicwg/base-drafts] Rewrite key update secti… Martin Thomson
- Re: [quicwg/base-drafts] Rewrite key update secti… Martin Thomson
- Re: [quicwg/base-drafts] Rewrite key update secti… David Schinazi
- Re: [quicwg/base-drafts] Rewrite key update secti… David Schinazi
- Re: [quicwg/base-drafts] Rewrite key update secti… ianswett
- Re: [quicwg/base-drafts] Rewrite key update secti… ekr
- Re: [quicwg/base-drafts] Rewrite key update secti… Martin Thomson
- Re: [quicwg/base-drafts] Rewrite key update secti… ianswett
- Re: [quicwg/base-drafts] Rewrite key update secti… Martin Thomson
- Re: [quicwg/base-drafts] Rewrite key update secti… Martin Thomson
- Re: [quicwg/base-drafts] Rewrite key update secti… David Schinazi
- Re: [quicwg/base-drafts] Rewrite key update secti… Martin Thomson
- Re: [quicwg/base-drafts] Rewrite key update secti… Martin Thomson
- Re: [quicwg/base-drafts] Rewrite key update secti… David Schinazi
- Re: [quicwg/base-drafts] Rewrite key update secti… Martin Thomson
- Re: [quicwg/base-drafts] Rewrite key update secti… Martin Thomson
- Re: [quicwg/base-drafts] Rewrite key update secti… Jana Iyengar
- Re: [quicwg/base-drafts] Rewrite key update secti… Martin Thomson
- Re: [quicwg/base-drafts] Rewrite key update secti… Kazuho Oku
- Re: [quicwg/base-drafts] Rewrite key update secti… Kazuho Oku
- Re: [quicwg/base-drafts] Rewrite key update secti… Martin Thomson
- Re: [quicwg/base-drafts] Rewrite key update secti… Martin Thomson
- Re: [quicwg/base-drafts] Rewrite key update secti… Kazuho Oku
- Re: [quicwg/base-drafts] Rewrite key update secti… Martin Thomson