Re: [quicwg/base-drafts] Preventing KEY_PHASE bit from being used as a tool to correlate CIDs (#1322)

Martin Thomson <notifications@github.com> Tue, 01 May 2018 05:17 UTC

Return-Path: <noreply@github.com>
X-Original-To: quic-issues@ietfa.amsl.com
Delivered-To: quic-issues@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 58EDF12E881 for <quic-issues@ietfa.amsl.com>; Mon, 30 Apr 2018 22:17:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.009
X-Spam-Level:
X-Spam-Status: No, score=-3.009 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, MAILING_LIST_MULTI=-1, SPF_PASS=-0.001, T_DKIMWL_WL_HIGH=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=github.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id X65Bc-z3NLql for <quic-issues@ietfa.amsl.com>; Mon, 30 Apr 2018 22:17:55 -0700 (PDT)
Received: from out-10.smtp.github.com (out-10.smtp.github.com [192.30.254.193]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5C2CF12E896 for <quic-issues@ietf.org>; Mon, 30 Apr 2018 22:17:55 -0700 (PDT)
Date: Mon, 30 Apr 2018 22:17:54 -0700
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=github.com; s=pf2014; t=1525151874; bh=TtP4oqxj0TF5osJK/e82DIgZ8NN4+A1WLX0oIweCA2s=; h=Date:From:Reply-To:To:Cc:In-Reply-To:References:Subject:List-ID: List-Archive:List-Post:List-Unsubscribe:From; b=PTE/VErWtk2QobzuPM452l3OKKLl+iSChEZDR4VXDfoRz51yw30CkVChQOHsMa384 AoucskJt0Ib2r/Bd/SvuhOrXkn01haX5EG3Dyj9G7o0xVzzvuZoRcnJ7pjfJlEpcZ1 ifYZLq2d2FiPyIbv3diVo5AFAYVwiw+8TqDmfqio=
From: Martin Thomson <notifications@github.com>
Reply-To: quicwg/base-drafts <reply+0166e4ab7af8d1c9983db0e4e41411cc1e08d6dae537c3b692cf0000000116ffba8292a169ce12e69628@reply.github.com>
To: quicwg/base-drafts <base-drafts@noreply.github.com>
Cc: Subscribed <subscribed@noreply.github.com>
Message-ID: <quicwg/base-drafts/issues/1322/385601496@github.com>
In-Reply-To: <quicwg/base-drafts/issues/1322@github.com>
References: <quicwg/base-drafts/issues/1322@github.com>
Subject: Re: [quicwg/base-drafts] Preventing KEY_PHASE bit from being used as a tool to correlate CIDs (#1322)
Mime-Version: 1.0
Content-Type: multipart/alternative; boundary="--==_mimepart_5ae7f882c8aee_48663fd73e5eef8497876"; charset="UTF-8"
Content-Transfer-Encoding: 7bit
Precedence: list
X-GitHub-Sender: martinthomson
X-GitHub-Recipient: quic-issues
X-GitHub-Reason: subscribed
X-Auto-Response-Suppress: All
X-GitHub-Recipient-Address: quic-issues@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic-issues/kUKhpifqBwoiZaUaEw4Glf8PTvo>
X-BeenThere: quic-issues@ietf.org
X-Mailman-Version: 2.1.22
List-Id: Notification list for GitHub issues related to the QUIC WG <quic-issues.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic-issues>, <mailto:quic-issues-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic-issues/>
List-Post: <mailto:quic-issues@ietf.org>
List-Help: <mailto:quic-issues-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic-issues>, <mailto:quic-issues-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 01 May 2018 05:17:57 -0000

Key updates require reciprocation.  Using a new connection ID would be the same.  So no change there.

One advantage of coupling NEW_CONNECTION_ID to key updates is that it means that there is a single mechanism that supports migration (and multipath) and key update.  You can't support one without also enabling the other.

One thing I've been concerned about with key update is that no one will implement it.  NSS only very recently grew that capability in TLS 1.3; it's a small feature, but one that took ages to implement because there wasn't much incentive to build it.  We still don't have the DTLS variant because it messes with our timers in ways that are hard to reason about.

I agree that simultaneous migration would be a mistake.  Better to drive rollovers based on packet counts as @kazuho suggests.  Though I think that we can probably ignore the 2<sup>62</sup> limit and throw connections away if they ever get to that point.

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/quicwg/base-drafts/issues/1322#issuecomment-385601496