Re: [quicwg/base-drafts] First octet changes (#2006)
Martin Thomson <notifications@github.com> Sun, 18 November 2018 22:59 UTC
Return-Path: <noreply@github.com>
X-Original-To: quic-issues@ietfa.amsl.com
Delivered-To: quic-issues@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BABDD128766 for <quic-issues@ietfa.amsl.com>; Sun, 18 Nov 2018 14:59:49 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -8.469
X-Spam-Level:
X-Spam-Status: No, score=-8.469 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.47, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, MAILING_LIST_MULTI=-1, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=github.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0vDVX_Ci3Abg for <quic-issues@ietfa.amsl.com>; Sun, 18 Nov 2018 14:59:48 -0800 (PST)
Received: from out-1.smtp.github.com (out-1.smtp.github.com [192.30.252.192]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 65E0412D4EB for <quic-issues@ietf.org>; Sun, 18 Nov 2018 14:59:47 -0800 (PST)
Date: Sun, 18 Nov 2018 14:59:46 -0800
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=github.com; s=pf2014; t=1542581986; bh=fHKKAYgiPb0FZKqAn/pa4Zv1XSKniW5oMkrvA64Fmco=; h=Date:From:Reply-To:To:Cc:In-Reply-To:References:Subject:List-ID: List-Archive:List-Post:List-Unsubscribe:From; b=CIljA2oJ1xLBfAO5bSZpokNhNJjpsaxP1w//RThiLjulUJW046h4WVfofd2xdo1i+ 7lMN6sLGsYGvKA2DohVFTAbCryZHa+7l07ZJG+vSzFQ2VEqfj8Z9yaalYvO5fBZsCM oC3ZKbhTh8w1CDCEf6tDSTEfhTHszEvbfUBvf494=
From: Martin Thomson <notifications@github.com>
Reply-To: quicwg/base-drafts <reply+0166e4ab224ab468cb82b620d6bed9ee4532aa47614cc49692cf000000011809b0e292a169ce16b57ba1@reply.github.com>
To: quicwg/base-drafts <base-drafts@noreply.github.com>
Cc: Subscribed <subscribed@noreply.github.com>
Message-ID: <quicwg/base-drafts/pull/2006/review/176013246@github.com>
In-Reply-To: <quicwg/base-drafts/pull/2006@github.com>
References: <quicwg/base-drafts/pull/2006@github.com>
Subject: Re: [quicwg/base-drafts] First octet changes (#2006)
Mime-Version: 1.0
Content-Type: multipart/alternative; boundary="--==_mimepart_5bf1eee243eac_4fbb3f8eabcd45b4240397"; charset="UTF-8"
Content-Transfer-Encoding: 7bit
Precedence: list
X-GitHub-Sender: martinthomson
X-GitHub-Recipient: quic-issues
X-GitHub-Reason: subscribed
X-Auto-Response-Suppress: All
X-GitHub-Recipient-Address: quic-issues@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic-issues/tzAwZ1MmrntyFgPXH3vLhJ5atWA>
X-BeenThere: quic-issues@ietf.org
X-Mailman-Version: 2.1.29
List-Id: Notification list for GitHub issues related to the QUIC WG <quic-issues.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic-issues>, <mailto:quic-issues-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic-issues/>
List-Post: <mailto:quic-issues@ietf.org>
List-Help: <mailto:quic-issues-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic-issues>, <mailto:quic-issues-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 18 Nov 2018 22:59:50 -0000
martinthomson commented on this pull request. Thanks for the feedback everyone. > @@ -771,10 +771,9 @@ used for QUIC packet protection is the AEAD that is negotiated for use with the TLS connection. For example, if TLS is using the TLS_AES_128_GCM_SHA256, the AEAD_AES_128_GCM function is used. -QUIC packets are protected prior to applying packet number protection -({{pn-encrypt}}). The unprotected packet number is part of the associated data -(A). When removing packet protection, an endpoint first removes the protection -from the packet number. +Packets are protected prior to applying header protection ({{header-protect}}). I considered this, but the fact is that we also protect the header, so payload is equally misleading, perhaps more so. > +with the remaining bytes. + +{{pseudo-hp}} shows a sample algorithm for applying header protection. Removing +protection only differs in the order in which the packet number length +(pn_length) is determined. + +~~~ +mask = header_protection(hp_key, sample) + +pn_length = (packet[0] & 0x03) + 1 +if packet[0] & 0x80 == 0x80: + # Long header: 4 bits masked + packet[0] ^= mask[0] & 0x0f +else: + # Short header: 5 bits masked + packet[0] ^= mask[0] & 0x1f We can't encrypt this value. > +protection only differs in the order in which the packet number length +(pn_length) is determined. + +~~~ +mask = header_protection(hp_key, sample) + +pn_length = (packet[0] & 0x03) + 1 +if packet[0] & 0x80 == 0x80: + # Long header: 4 bits masked + packet[0] ^= mask[0] & 0x0f +else: + # Short header: 5 bits masked + packet[0] ^= mask[0] & 0x1f + +# pn_offset is the start of the Packet Number field. +packet[pn_offset:pn_offset+pn_length] ^= mask[1:1+pn_length] We don't explain what `^` means either. > +Before a TLS ciphersuite can be used with QUIC, a header protection algorithm +MUST be specified for the AEAD used with that ciphersuite. This document +defines algorithms for AEAD_AES_128_GCM, AEAD_AES_128_CCM, AEAD_AES_256_GCM, +AEAD_AES_256_CCM (all AES AEADs are defined in {{!AEAD=RFC5116}}), and +AEAD_CHACHA20_POLY1305 {{!CHACHA=RFC8439}}. + + +### Header Protection Sample {#hp-sample} + +The header protection algorithm uses both the header protection key and a sample +of the ciphertext from the packet Payload field. + +The same number of bytes are always sampled, but an allowance needs to be made +for the endpoint removing protection, which will not know the length of the +Packet Number field. In sampling the packet ciphertext, the Packet Number field +is assumed to be 4 bytes long (its maximum possible encoded length), unless Please take this discussion to an issue. This will be lost here. > @@ -3271,15 +3257,35 @@ Header Form: : The most significant bit (0x80) of byte 0 (the first byte) is set to 1 for long headers. -Long Packet Type: +Fixed Bit: + +: The next bit (0x40) of byte 0 is set to 1. Packets containing a zero value + for this bit are not valid packets in this version. Not quite the same way. This can be detected using public information, so you don't need to run a constant-time decryption on that packet. > -: The fourth bit (0x10) of byte 0 is set to 1. +: The next two bits (those with a mask of 0x18) of byte 0 are reserved. These + bits are protected using header protection (see Section 5.4 of + {{QUIC-TLS}}). The value included prior to protection MUST be set to 0. An + endpoint MUST treat receipt of a packet that has a non-zero value for these + bits after removing protection as a connection error of type + PROTOCOL_VIOLATION. Right, and this is covered in the -tls doc: https://quicwg.org/base-drafts/draft-ietf-quic-tls.html#pn-encrypt-analysis > @@ -3677,7 +3666,7 @@ wishes to perform a stateless retry (see {{validate-handshake}}). 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+ -|1| 0x7e | +|1|1| 3 |ODCIL(4| Saving a byte is neither here nor there, but the two blocks of four unused bits was a problem. I agree, it's odd :) > -Third Bit: +: The next bit (0x40) of byte 0 is set to 1. Packets containing a zero value @DavidSchinazi, we're not doing this for you, but I'm glad you're happy. -- You are receiving this because you are subscribed to this thread. Reply to this email directly or view it on GitHub: https://github.com/quicwg/base-drafts/pull/2006#pullrequestreview-176013246
- Re: [quicwg/base-drafts] First octet changes (#20… MikkelFJ
- [quicwg/base-drafts] First octet changes (#2006) Martin Thomson
- Re: [quicwg/base-drafts] First octet changes (#20… Marten Seemann
- Re: [quicwg/base-drafts] First octet changes (#20… Marten Seemann
- Re: [quicwg/base-drafts] First octet changes (#20… Kazuho Oku
- Re: [quicwg/base-drafts] First octet changes (#20… Kazuho Oku
- Re: [quicwg/base-drafts] First octet changes (#20… Kazuho Oku
- Re: [quicwg/base-drafts] First octet changes (#20… Marten Seemann
- Re: [quicwg/base-drafts] First octet changes (#20… Kazuho Oku
- Re: [quicwg/base-drafts] First octet changes (#20… Kazuho Oku
- Re: [quicwg/base-drafts] First octet changes (#20… janaiyengar
- Re: [quicwg/base-drafts] First octet changes (#20… MikkelFJ
- Re: [quicwg/base-drafts] First octet changes (#20… Marten Seemann
- Re: [quicwg/base-drafts] First octet changes (#20… Marten Seemann
- Re: [quicwg/base-drafts] First octet changes (#20… MikkelFJ
- Re: [quicwg/base-drafts] First octet changes (#20… Marten Seemann
- Re: [quicwg/base-drafts] First octet changes (#20… MikkelFJ
- Re: [quicwg/base-drafts] First octet changes (#20… MikkelFJ
- Re: [quicwg/base-drafts] First octet changes (#20… Kazuho Oku
- Re: [quicwg/base-drafts] First octet changes (#20… Kazuho Oku
- Re: [quicwg/base-drafts] First octet changes (#20… ianswett
- Re: [quicwg/base-drafts] First octet changes (#20… MikkelFJ
- Re: [quicwg/base-drafts] First octet changes (#20… David Schinazi
- Re: [quicwg/base-drafts] First octet changes (#20… David Schinazi
- Re: [quicwg/base-drafts] First octet changes (#20… erickinnear
- Re: [quicwg/base-drafts] First octet changes (#20… MikkelFJ
- Re: [quicwg/base-drafts] First octet changes (#20… David Schinazi
- Re: [quicwg/base-drafts] First octet changes (#20… David Schinazi
- Re: [quicwg/base-drafts] First octet changes (#20… David Schinazi
- Re: [quicwg/base-drafts] First octet changes (#20… David Schinazi
- Re: [quicwg/base-drafts] First octet changes (#20… MikkelFJ
- Re: [quicwg/base-drafts] First octet changes (#20… David Schinazi
- Re: [quicwg/base-drafts] First octet changes (#20… David Schinazi
- Re: [quicwg/base-drafts] First octet changes (#20… Kazuho Oku
- Re: [quicwg/base-drafts] First octet changes (#20… Dmitri Tikhonov
- Re: [quicwg/base-drafts] First octet changes (#20… Kazuho Oku
- Re: [quicwg/base-drafts] First octet changes (#20… David Schinazi
- Re: [quicwg/base-drafts] First octet changes (#20… Christian Huitema
- Re: [quicwg/base-drafts] First octet changes (#20… MikkelFJ
- Re: [quicwg/base-drafts] First octet changes (#20… Martin Thomson
- Re: [quicwg/base-drafts] First octet changes (#20… Dirkjan Ochtman
- Re: [quicwg/base-drafts] First octet changes (#20… Kazuho Oku
- Re: [quicwg/base-drafts] First octet changes (#20… Martin Thomson
- Re: [quicwg/base-drafts] First octet changes (#20… Marten Seemann
- Re: [quicwg/base-drafts] First octet changes (#20… Marten Seemann
- Re: [quicwg/base-drafts] First octet changes (#20… Christian Huitema
- Re: [quicwg/base-drafts] First octet changes (#20… Kazuho Oku
- Re: [quicwg/base-drafts] First octet changes (#20… Martin Thomson
- Re: [quicwg/base-drafts] First octet changes (#20… Martin Thomson
- Re: [quicwg/base-drafts] First octet changes (#20… Martin Thomson
- Re: [quicwg/base-drafts] First octet changes (#20… MikkelFJ
- Re: [quicwg/base-drafts] First octet changes (#20… Martin Thomson
- Re: [quicwg/base-drafts] First byte changes (#200… Kazuho Oku
- Re: [quicwg/base-drafts] First byte changes (#200… Martin Thomson
- Re: [quicwg/base-drafts] First byte changes (#200… Kazuho Oku
- Re: [quicwg/base-drafts] First byte changes (#200… Martin Thomson
- Re: [quicwg/base-drafts] First byte changes (#200… Kazuho Oku
- Re: [quicwg/base-drafts] First byte changes (#200… Igor Lubashev
- Re: [quicwg/base-drafts] First byte changes (#200… ianswett
- Re: [quicwg/base-drafts] First byte changes (#200… Christian Huitema
- Re: [quicwg/base-drafts] First byte changes (#200… Igor Lubashev
- Re: [quicwg/base-drafts] First byte changes (#200… Mike Bishop
- Re: [quicwg/base-drafts] First byte changes (#200… MikkelFJ
- Re: [quicwg/base-drafts] First byte changes (#200… David Schinazi
- Re: [quicwg/base-drafts] First byte changes (#200… David Schinazi
- Re: [quicwg/base-drafts] First byte changes (#200… Dmitri Tikhonov
- Re: [quicwg/base-drafts] First byte changes (#200… Igor Lubashev
- Re: [quicwg/base-drafts] First byte changes (#200… Marten Seemann
- Re: [quicwg/base-drafts] First byte changes (#200… Martin Thomson
- Re: [quicwg/base-drafts] First byte changes (#200… Igor Lubashev
- Re: [quicwg/base-drafts] First byte changes (#200… Kazuho Oku
- Re: [quicwg/base-drafts] First byte changes (#200… Igor Lubashev
- Re: [quicwg/base-drafts] First byte changes (#200… Kazuho Oku
- Re: [quicwg/base-drafts] First byte changes (#200… Alexandre Ferrieux
- Re: [quicwg/base-drafts] First byte changes (#200… Igor Lubashev
- Re: [quicwg/base-drafts] First byte changes (#200… Kazuho Oku
- Re: [quicwg/base-drafts] First byte changes (#200… Igor Lubashev
- Re: [quicwg/base-drafts] First byte changes (#200… Martin Thomson
- Re: [quicwg/base-drafts] First byte changes (#200… Igor Lubashev
- Re: [quicwg/base-drafts] First byte changes (#200… Martin Thomson
- Re: [quicwg/base-drafts] First byte changes (#200… Igor Lubashev
- Re: [quicwg/base-drafts] First byte changes (#200… Martin Thomson
- Re: [quicwg/base-drafts] First byte changes (#200… Igor Lubashev
- Re: [quicwg/base-drafts] First byte changes (#200… janaiyengar
- Re: [quicwg/base-drafts] First byte changes (#200… Kazuho Oku
- Re: [quicwg/base-drafts] First byte changes (#200… MikkelFJ
- Re: [quicwg/base-drafts] First byte changes (#200… janaiyengar
- Re: [quicwg/base-drafts] First byte changes (#200… Igor Lubashev
- Re: [quicwg/base-drafts] First byte changes (#200… Christian Huitema
- Re: [quicwg/base-drafts] First byte changes (#200… Martin Thomson
- Re: [quicwg/base-drafts] First byte changes (#200… Martin Thomson