Re: [quicwg/base-drafts] Rules for discarding old keys (#1636)
Mike Bishop <notifications@github.com> Tue, 07 August 2018 20:50 UTC
Return-Path: <noreply@github.com>
X-Original-To: quic-issues@ietfa.amsl.com
Delivered-To: quic-issues@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4DB121310D4 for <quic-issues@ietfa.amsl.com>; Tue, 7 Aug 2018 13:50:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -8.009
X-Spam-Level:
X-Spam-Status: No, score=-8.009 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, MAILING_LIST_MULTI=-1, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, T_DKIMWL_WL_HIGH=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=github.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VSiXIy_nAyXs for <quic-issues@ietfa.amsl.com>; Tue, 7 Aug 2018 13:50:38 -0700 (PDT)
Received: from out-5.smtp.github.com (out-5.smtp.github.com [192.30.252.196]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CA3E51310D2 for <quic-issues@ietf.org>; Tue, 7 Aug 2018 13:50:37 -0700 (PDT)
Date: Tue, 07 Aug 2018 13:50:36 -0700
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=github.com; s=pf2014; t=1533675037; bh=FOtOfwoeN7oMUZZ9gA2G12WZbNILk8/cyeb9VCPx1rA=; h=Date:From:Reply-To:To:Cc:In-Reply-To:References:Subject:List-ID: List-Archive:List-Post:List-Unsubscribe:From; b=kjWtE6+S7fXkOKD8x1IMNm43rRgpJbzfVJGE5Sz0sszWo4Eas5s9og+zso327NFmG PqvX0I++FwzPVHOzQTmaAaHTJRk5JSvaz2lEJYkrjoEnkKOEQwkkAxgyl8LcwnImOl JpitPo+EXTjRC0YbbgFb+1uLlJqLPu/80U7GKTXc=
From: Mike Bishop <notifications@github.com>
Reply-To: quicwg/base-drafts <reply+0166e4abb68499edb2408b335b3690aff72d58736ec6ec4692cf000000011781c81c92a169ce14c102a5@reply.github.com>
To: quicwg/base-drafts <base-drafts@noreply.github.com>
Cc: Subscribed <subscribed@noreply.github.com>
Message-ID: <quicwg/base-drafts/pull/1636/review/144174218@github.com>
In-Reply-To: <quicwg/base-drafts/pull/1636@github.com>
References: <quicwg/base-drafts/pull/1636@github.com>
Subject: Re: [quicwg/base-drafts] Rules for discarding old keys (#1636)
Mime-Version: 1.0
Content-Type: multipart/alternative; boundary="--==_mimepart_5b6a061cea76f_1d3d3fbd052be62816819c"; charset="UTF-8"
Content-Transfer-Encoding: 7bit
Precedence: list
X-GitHub-Sender: MikeBishop
X-GitHub-Recipient: quic-issues
X-GitHub-Reason: subscribed
X-Auto-Response-Suppress: All
X-GitHub-Recipient-Address: quic-issues@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic-issues/n29GKCQMoRwCZjW13lTt2Lx2DU0>
X-BeenThere: quic-issues@ietf.org
X-Mailman-Version: 2.1.27
List-Id: Notification list for GitHub issues related to the QUIC WG <quic-issues.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic-issues>, <mailto:quic-issues-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic-issues/>
List-Post: <mailto:quic-issues@ietf.org>
List-Help: <mailto:quic-issues-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic-issues>, <mailto:quic-issues-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 07 Aug 2018 20:50:40 -0000
MikeBishop commented on this pull request. Good content, but some structural feedback. > @@ -619,6 +619,55 @@ The alert level of all TLS alerts is "fatal"; a TLS stack MUST NOT generate alerts at the "warning" level. +## Discarding Unused Keys + +After QUIC moves to a new encryption level, packet protection keys for previous +encryption levels can be discarded. This occurs several times during the +handshake, as well as when keys are updated (see {{key-update}}). + +QUIC endpoints MUST retain keys until they are no longer needed. If packets +from a lower encryption level contain CRYPTO frames, frames that retransmit that +data MUST be sent at the same encryption level. Similarly, an endpoint +generates acknowledgements for packets at the same encryption level as the +packet being acknowledged. Thus, it is possible that keys for a lower +encryption level are needed for a short time after keys for a newer encryption +level are available. + +An endpoint can only discard keys for a given encryption level only after it has Pick an only, but only one. > +handshake, as well as when keys are updated (see {{key-update}}). + +QUIC endpoints MUST retain keys until they are no longer needed. If packets +from a lower encryption level contain CRYPTO frames, frames that retransmit that +data MUST be sent at the same encryption level. Similarly, an endpoint +generates acknowledgements for packets at the same encryption level as the +packet being acknowledged. Thus, it is possible that keys for a lower +encryption level are needed for a short time after keys for a newer encryption +level are available. + +An endpoint can only discard keys for a given encryption level only after it has +both received and acknowledged all CRYPTO frames for that encryption level and +when it has had all CRYPTO frames for that encryption level acknowledged by its +peer. However, this does not guarantee that no further packets will need to be +received or sent at that encryption level because a peer might not have received +all the acknowledgements necessary to reach the same state. This paragraph seems duplicative of the preceding one. Can they be consolidated? Or if they are substantially different, the difference highlighted? > +from a lower encryption level contain CRYPTO frames, frames that retransmit that +data MUST be sent at the same encryption level. Similarly, an endpoint +generates acknowledgements for packets at the same encryption level as the +packet being acknowledged. Thus, it is possible that keys for a lower +encryption level are needed for a short time after keys for a newer encryption +level are available. + +An endpoint can only discard keys for a given encryption level only after it has +both received and acknowledged all CRYPTO frames for that encryption level and +when it has had all CRYPTO frames for that encryption level acknowledged by its +peer. However, this does not guarantee that no further packets will need to be +received or sent at that encryption level because a peer might not have received +all the acknowledgements necessary to reach the same state. + +After all CRYPTO frames for a given encryption level have been either sent or +received and the corresponding acknowledgments have been received or sent, an Given that each encryption level other than 0-RTT includes CRYPTO frames in both directions, I'd question the use of "either" here -- after all outgoing CRYPTO frames have been sent and all expected CRYPTO frames have been received, and the corresponding acknowledgements have also been sent and received. > +when it has had all CRYPTO frames for that encryption level acknowledged by its +peer. However, this does not guarantee that no further packets will need to be +received or sent at that encryption level because a peer might not have received +all the acknowledgements necessary to reach the same state. + +After all CRYPTO frames for a given encryption level have been either sent or +received and the corresponding acknowledgments have been received or sent, an +endpoint starts a timer. To limit the effect of packet loss around a change in +keys, endpoints MUST retain packet protection keys for that encryption level for +at least three times the current Retramsmission Timeout (RTO) interval as +defined in {{QUIC-RECOVERY}}. Retaining keys for this interval allows packets +containing CRYPTO or ACK frames at that encryption level to be sent if packets +are determined to be lost or new packets require acknowledgment. While this +timer is running, an endpoint MUST use the most recent packet protection keys +for all packets, except to protect packets containing CRYPTO and ACK frames for +the older encryption level. These packets MAY also include PADDING frames. Talking about the "most recent packet protection keys" feels a little jarring here, since you're actually talking about encryption levels in this section. This doesn't flow as clearly if you mix in key updates at the same time. Perhaps "New data MUST be sent at the highest currently-available encryption level, but ACK frames and retransmissions of CRYPTO frames from prior encryption levels continue to be sent at that encryption level." > +defined in {{QUIC-RECOVERY}}. Retaining keys for this interval allows packets +containing CRYPTO or ACK frames at that encryption level to be sent if packets +are determined to be lost or new packets require acknowledgment. While this +timer is running, an endpoint MUST use the most recent packet protection keys +for all packets, except to protect packets containing CRYPTO and ACK frames for +the older encryption level. These packets MAY also include PADDING frames. + +Once this timer expires, an endpoint MUST NOT either accept or generate new +packets using those packet protection keys. An endpoint can discard packet +protection keys for that encryption level. + +An endpoint can update keys multiple times (see {{key-update}}) while this timer +runs. In that case, packets protected with the newest packet protection keys +and packets sent two updates prior will appear to use the same keys. After the +handshake is complete, endpoints only need to maintain the two latest sets of +packet protection keys and MAY discard older keys. Make the transition to discussing key updates more explicit, if you need to do it in this section. Maybe, "Key updates in the 1-RTT encryption level do not require that keys from other encryption levels have already been discarded." I'd be inclined to move the rest of the key update discussion to that section and leave it with that statement. Wherever that discussion lands, it feels like these two paragraphs need to merge. Something like "Frequent key updates could create confusion about which generation of 1-RTT keys were used to protect the packet. To mitigate this, key updates can be performed only once per RTT. This means...." -- You are receiving this because you are subscribed to this thread. Reply to this email directly or view it on GitHub: https://github.com/quicwg/base-drafts/pull/1636#pullrequestreview-144174218
- [quicwg/base-drafts] Rules for discarding old key… Martin Thomson
- Re: [quicwg/base-drafts] Rules for discarding old… Mike Bishop
- Re: [quicwg/base-drafts] Rules for discarding old… Martin Thomson
- Re: [quicwg/base-drafts] Rules for discarding old… Martin Thomson
- Re: [quicwg/base-drafts] Rules for discarding old… Martin Thomson
- Re: [quicwg/base-drafts] Rules for discarding old… Mike Bishop
- Re: [quicwg/base-drafts] Rules for discarding old… Martin Thomson
- Re: [quicwg/base-drafts] Rules for discarding old… Martin Thomson