Re: [quicwg/base-drafts] token-based greasing / initial packet protection (#3166)

Mike Bishop <> Tue, 29 October 2019 19:02 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id AE644120B60 for <>; Tue, 29 Oct 2019 12:02:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -8
X-Spam-Status: No, score=-8 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, MAILING_LIST_MULTI=-1, RCVD_IN_DNSWL_HI=-5, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 3ElXCkvHWn1u for <>; Tue, 29 Oct 2019 12:02:24 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 170CA120A36 for <>; Tue, 29 Oct 2019 12:02:24 -0700 (PDT)
Date: Tue, 29 Oct 2019 12:02:22 -0700
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=pf2014; t=1572375742; bh=r5djvtaJOLErUwGNumY/V8V+v4XjedejJ8lMwBYwtJc=; h=Date:From:Reply-To:To:Cc:In-Reply-To:References:Subject:List-ID: List-Archive:List-Post:List-Unsubscribe:From; b=Dae0XS0rquW41o3XHCwWmC+4kiOEMZ8YNgI/lMWSEFCh7RxxuMKuodfjWmJnerR0Q LOPxUsmqH6DNVahhAjoH3N8GLngKEh9kWlTbX+U5AwJUWlffgX2Ah2hgqXhereZ42m lOwxY+HU1+w1QvJ82F6+R9/xZMD1HYz2SsmdQFbY=
From: Mike Bishop <>
Reply-To: quicwg/base-drafts <>
To: quicwg/base-drafts <>
Cc: Subscribed <>
Message-ID: <quicwg/base-drafts/pull/3166/review/>
In-Reply-To: <quicwg/base-drafts/pull/>
References: <quicwg/base-drafts/pull/>
Subject: Re: [quicwg/base-drafts] token-based greasing / initial packet protection (#3166)
Mime-Version: 1.0
Content-Type: multipart/alternative; boundary="--==_mimepart_5db88cbe7765d_606d3fd0f0acd9642985e7"; charset="UTF-8"
Content-Transfer-Encoding: 7bit
Precedence: list
X-GitHub-Sender: MikeBishop
X-GitHub-Recipient: quic-issues
X-GitHub-Reason: subscribed
X-Auto-Response-Suppress: All
Archived-At: <>
X-Mailman-Version: 2.1.29
List-Id: Notification list for GitHub issues related to the QUIC WG <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 29 Oct 2019 19:02:32 -0000

MikeBishop commented on this pull request.

This direction is starting to sound reasonable.

> +The token MUST include or associated with the alternative version number with
+which it can be used.

At a minimum, "be associated with."  But better, I think, to say that the token MUST permit the server to recover the base version number associated with the obfuscated version, the salt, and the mask.  Exactly how the server arranges that is an implementation detail.

> +  0-RTT, and Retry packets. This XOR is applied after the packets are encrypted
+  and before they are decrypted.
+* Alternative initial salt; a 16-byte binary blob that is to be used in place of
+  the initial salt defined in section 5.2 of {{QUIC-TLS}}.
+A server advertises these values using a NEW_TOKEN frame {{frame-new-token}}.
+The token MUST include or associated with the alternative version number with
+which it can be used.
+Typically, a server would pre-allocate a set of unused version numbers as the
+alternative version numbers, associating each of those version numbers with a
+packet type modifier chosen at random.  Then, when issuing a token using a
+NEW_TOKEN frame, the server generates the alternative initial salt by calling a
+pseudo-random function, embeds that initial salt into the token which is then
+encrypted, and sends a NEW_TOKEN frame that comprises of the generated token and

encrypted, and sends a NEW_TOKEN frame that contains the generated token and

> @@ -3940,6 +4007,19 @@ described in {{QUIC-TLS}}.  This protection does not provide confidentiality or
 integrity against on-path attackers, but provides some level of protection
 against off-path attackers.
+Additionally, the token is accompanied by a checksum.  This is because when a

I second the question here; the checksum doesn't appear to serve a purpose not already covered here.

You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub: