Re: [quicwg/base-drafts] Rules for discarding old keys (#1636)

Martin Thomson <notifications@github.com> Wed, 08 August 2018 02:03 UTC

Return-Path: <noreply@github.com>
X-Original-To: quic-issues@ietfa.amsl.com
Delivered-To: quic-issues@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3404B127332 for <quic-issues@ietfa.amsl.com>; Tue, 7 Aug 2018 19:03:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -8.01
X-Spam-Level:
X-Spam-Status: No, score=-8.01 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, MAILING_LIST_MULTI=-1, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, T_DKIMWL_WL_HIGH=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=github.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id n4Tw4e4QXGnw for <quic-issues@ietfa.amsl.com>; Tue, 7 Aug 2018 19:03:26 -0700 (PDT)
Received: from out-3.smtp.github.com (out-3.smtp.github.com [192.30.252.194]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6B5B7130DFA for <quic-issues@ietf.org>; Tue, 7 Aug 2018 19:03:26 -0700 (PDT)
Date: Tue, 07 Aug 2018 19:03:25 -0700
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=github.com; s=pf2014; t=1533693805; bh=krYGsnrcgSQ/J3rkfUOeNPupPg5BrRL+7xT4004Rbf8=; h=Date:From:Reply-To:To:Cc:In-Reply-To:References:Subject:List-ID: List-Archive:List-Post:List-Unsubscribe:From; b=mWiRFV/P80Ozhz1lvHquXfzO57Y1HCsruR2/rdaY36wPQIPQ4NOcjGXQSQ2tbAB+F QWtMK0ssB5MCZlm49rI8TGYjOLi/0XA8EEKFt57YWp3MBFtn+BY4E8kmoBDwW/KUoG xYHmDvx3Ygrb/RVUykvOIOnoFWn67maqsGCFqO98=
From: Martin Thomson <notifications@github.com>
Reply-To: quicwg/base-drafts <reply+0166e4ab7f95b756a57808b425a3b261123db0f7383df6c392cf000000011782116d92a169ce14c102a5@reply.github.com>
To: quicwg/base-drafts <base-drafts@noreply.github.com>
Cc: Subscribed <subscribed@noreply.github.com>
Message-ID: <quicwg/base-drafts/pull/1636/review/144245278@github.com>
In-Reply-To: <quicwg/base-drafts/pull/1636@github.com>
References: <quicwg/base-drafts/pull/1636@github.com>
Subject: Re: [quicwg/base-drafts] Rules for discarding old keys (#1636)
Mime-Version: 1.0
Content-Type: multipart/alternative; boundary="--==_mimepart_5b6a4f6db1505_1a273f87212d45b423959d"; charset="UTF-8"
Content-Transfer-Encoding: 7bit
Precedence: list
X-GitHub-Sender: martinthomson
X-GitHub-Recipient: quic-issues
X-GitHub-Reason: subscribed
X-Auto-Response-Suppress: All
X-GitHub-Recipient-Address: quic-issues@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic-issues/vRgQqj9uCORWGWNiCyisbgOOyKo>
X-BeenThere: quic-issues@ietf.org
X-Mailman-Version: 2.1.27
List-Id: Notification list for GitHub issues related to the QUIC WG <quic-issues.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic-issues>, <mailto:quic-issues-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic-issues/>
List-Post: <mailto:quic-issues@ietf.org>
List-Help: <mailto:quic-issues-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic-issues>, <mailto:quic-issues-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 08 Aug 2018 02:03:28 -0000

martinthomson commented on this pull request.



> +defined in {{QUIC-RECOVERY}}.  Retaining keys for this interval allows packets
+containing CRYPTO or ACK frames at that encryption level to be sent if packets
+are determined to be lost or new packets require acknowledgment.  While this
+timer is running, an endpoint MUST use the most recent packet protection keys
+for all packets, except to protect packets containing CRYPTO and ACK frames for
+the older encryption level.  These packets MAY also include PADDING frames.
+
+Once this timer expires, an endpoint MUST NOT either accept or generate new
+packets using those packet protection keys.  An endpoint can discard packet
+protection keys for that encryption level.
+
+An endpoint can update keys multiple times (see {{key-update}}) while this timer
+runs.  In that case, packets protected with the newest packet protection keys
+and packets sent two updates prior will appear to use the same keys.  After the
+handshake is complete, endpoints only need to maintain the two latest sets of
+packet protection keys and MAY discard older keys.

The mitigation is a structural one - we don't say "don't update too often", instead it's more or less impossible to update that often (peers could update more often if they synchronized their efforts, but the floor is half an RTT).  I'll reword with these comments in mind though.

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/quicwg/base-drafts/pull/1636#discussion_r208436580