IETF Logo Mail Archive

Re: [quicwg/base-drafts] Move stateless reset token to the end (#842)

ianswett <notifications@github.com> Wed, 11 October 2017 00:27 UTC

Return-Path: <bounces+848413-a050-quic-issues=ietf.org@sgmail.github.com>
X-Original-To: quic-issues@ietfa.amsl.com
Delivered-To: quic-issues@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 611001346EE for <quic-issues@ietfa.amsl.com>; Tue, 10 Oct 2017 17:27:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.799
X-Spam-Level:
X-Spam-Status: No, score=-4.799 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H2=-2.8, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=github.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wQkEoAwzjcnk for <quic-issues@ietfa.amsl.com>; Tue, 10 Oct 2017 17:27:49 -0700 (PDT)
Received: from o5.sgmail.github.com (o5.sgmail.github.com [192.254.113.10]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5CF36134613 for <quic-issues@ietf.org>; Tue, 10 Oct 2017 17:26:54 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d=github.com; h=from:reply-to:to:cc:in-reply-to:references:subject:mime-version:content-type:content-transfer-encoding:list-id:list-archive:list-post:list-unsubscribe; s=s20150108; bh=sB19u7eqEHs6hGbFcvyzNgK18Ak=; b=D8LMgjzuw7i73fKN QJSULYpFOAO33xdAeW+0KvrgQRPY4dCFd8c6LQWokGS7wlVdvf40Dlnxg7POYfNH dmevJEnEUozlPG100dCDjmZ2j+9ykILkb7IZv+mVw0BEgdApyELqT/erdwHSqMmm 88wSOawTDY5fMAYktbf5/g5NM28=
Received: by filter0944p1mdw1.sendgrid.net with SMTP id filter0944p1mdw1-9767-59DD654D-17 2017-10-11 00:26:53.396250089 +0000 UTC
Received: from github-smtp2b-ext-cp1-prd.iad.github.net (github-smtp2b-ext-cp1-prd.iad.github.net [192.30.253.17]) by ismtpd0004p1iad1.sendgrid.net (SG) with ESMTP id Z2iC1mGLTwqydjgl7Trg_w for <quic-issues@ietf.org>; Wed, 11 Oct 2017 00:26:53.287 +0000 (UTC)
Date: Wed, 11 Oct 2017 00:26:53 +0000
From: ianswett <notifications@github.com>
Reply-To: quicwg/base-drafts <reply+0166e4ab59713dca2d7a13ebc2d390d19c8a22a2789b360b92cf0000000115f5274d92a169ce0fb8c6e7@reply.github.com>
To: quicwg/base-drafts <base-drafts@noreply.github.com>
Cc: Subscribed <subscribed@noreply.github.com>
Message-ID: <quicwg/base-drafts/pull/842/review/68464290@github.com>
In-Reply-To: <quicwg/base-drafts/pull/842@github.com>
References: <quicwg/base-drafts/pull/842@github.com>
Subject: Re: [quicwg/base-drafts] Move stateless reset token to the end (#842)
Mime-Version: 1.0
Content-Type: multipart/alternative; boundary="--==_mimepart_59dd654d28320_5f653fb5b2f12f28475e2"; charset="UTF-8"
Content-Transfer-Encoding: 7bit
Precedence: list
X-GitHub-Sender: ianswett
X-GitHub-Recipient: quic-issues
X-GitHub-Reason: subscribed
X-Auto-Response-Suppress: All
X-GitHub-Recipient-Address: quic-issues@ietf.org
X-SG-EID: l64QuQ2uJCcEyUykJbxN122A6QRmEpucztpreh3Pak0c9bV0vf/UDvsO23DWrO3c11pt90jyI4k/hq sXRyzTLl4YZJakVEcPX1vKEoCupd5K6iTetxbn1QR1N5Sl2PHIYOZ7XMa66GToXU+bRhaJXT20lqCc vpep5BBD92HxTyyTGLTxpgelRUZfVuwtl6X6s72hWfNEii3tluB/595qag==
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic-issues/xBuPFyuXfLpQW6YQr1SL-OEjlFY>
X-BeenThere: quic-issues@ietf.org
X-Mailman-Version: 2.1.22
List-Id: Notification list for GitHub issues related to the QUIC WG <quic-issues.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic-issues>, <mailto:quic-issues-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic-issues/>
List-Post: <mailto:quic-issues@ietf.org>
List-Help: <mailto:quic-issues-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic-issues>, <mailto:quic-issues-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 11 Oct 2017 00:27:52 -0000

ianswett commented on this pull request.

A few small suggestions.

> @@ -1595,11 +1601,12 @@ CONNECTION_CLOSE or APPLICATION_CLOSE frame if it has sufficient state to do so.
 #### Detecting a Stateless Reset
 
 A client detects a potential stateless reset when a packet with a short header
-cannot be decrypted.  The client then performs a constant-time comparison of the
-16 octets that follow the Connection ID with the Stateless Reset Token provided
-by the server in its transport parameters.  If this comparison is successful,
-the connection MUST be terminated immediately.  Otherwise, the packet can be
-discarded.
+either cannot be decrypted or is marked as a potential duplicate.  The client

nit: I'd go with "is marked as a duplicate packet."

> @@ -1595,11 +1601,12 @@ CONNECTION_CLOSE or APPLICATION_CLOSE frame if it has sufficient state to do so.
 #### Detecting a Stateless Reset
 
 A client detects a potential stateless reset when a packet with a short header
-cannot be decrypted.  The client then performs a constant-time comparison of the
-16 octets that follow the Connection ID with the Stateless Reset Token provided
-by the server in its transport parameters.  If this comparison is successful,
-the connection MUST be terminated immediately.  Otherwise, the packet can be
-discarded.
+either cannot be decrypted or is marked as a potential duplicate.  The client
+then performs a constant-time comparison of the last 16 octets of the packet

Is it necessary to mention it's constant time?

> @@ -1595,11 +1601,12 @@ CONNECTION_CLOSE or APPLICATION_CLOSE frame if it has sufficient state to do so.
 #### Detecting a Stateless Reset
 
 A client detects a potential stateless reset when a packet with a short header
-cannot be decrypted.  The client then performs a constant-time comparison of the
-16 octets that follow the Connection ID with the Stateless Reset Token provided
-by the server in its transport parameters.  If this comparison is successful,
-the connection MUST be terminated immediately.  Otherwise, the packet can be
-discarded.
+either cannot be decrypted or is marked as a potential duplicate.  The client
+then performs a constant-time comparison of the last 16 octets of the packet
+with the Stateless Reset Token provided by the server in its transport
+parameters.  If this comparison is successful, the client MUST discard all

Instead of successful, how about "If they are identical" ?

> @@ -1595,11 +1601,12 @@ CONNECTION_CLOSE or APPLICATION_CLOSE frame if it has sufficient state to do so.
 #### Detecting a Stateless Reset
 
 A client detects a potential stateless reset when a packet with a short header
-cannot be decrypted.  The client then performs a constant-time comparison of the
-16 octets that follow the Connection ID with the Stateless Reset Token provided
-by the server in its transport parameters.  If this comparison is successful,
-the connection MUST be terminated immediately.  Otherwise, the packet can be
-discarded.
+either cannot be decrypted or is marked as a potential duplicate.  The client
+then performs a constant-time comparison of the last 16 octets of the packet
+with the Stateless Reset Token provided by the server in its transport
+parameters.  If this comparison is successful, the client MUST discard all
+connection state and not send any further packets on this connection. If the
+comparison is unsuccessful, the packet can be discarded.

is unsuccessful => fails?

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/quicwg/base-drafts/pull/842#pullrequestreview-68464290

v2.35.0 | Report a Bug | By Email | System Status