RE: Go Back to Single Packet Number Space

Nick Banks <> Wed, 01 August 2018 17:17 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 7544B130DF2 for <>; Wed, 1 Aug 2018 10:17:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -0.02
X-Spam-Status: No, score=-0.02 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=1.989, SPF_PASS=-0.001, T_DKIMWL_WL_HIGH=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id nFMcuI2gWo9q for <>; Wed, 1 Aug 2018 10:17:30 -0700 (PDT)
Received: from ( [IPv6:2a01:111:f400:fe4d::70e]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 18345129C6B for <>; Wed, 1 Aug 2018 10:17:30 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=VWs/mC8p8q6uVNDzSWaE99PvA8A4ZO6z+UCMk2scjso=; b=JWMiEzaFM5lox7xSXOivsF26GIN/EzoT8MLG9n6TreRMD4K0Jlc0pf/XuF1kCH6o9FsmhE5vUvBy8o+Nmgy3Kf+GJtcrZWA2KSHb6NklCgg4MBSVRzIZeDewkLmv7OHiQJoIj1s3w43dwX/YC8U0uq1Kx7U0p4mezB63ONmfoXw=
Received: from ( by ( with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1038.7; Wed, 1 Aug 2018 17:17:28 +0000
Received: from ([fe80::60b8:4702:aa5f:f00]) by ([fe80::60b8:4702:aa5f:f00%3]) with mapi id 15.20.1038.003; Wed, 1 Aug 2018 17:17:28 +0000
From: Nick Banks <>
To: Tommy Pauly <>, "" <>, Eric Rescorla <>, Kazuho Oku <>
CC: Dmitri Tikhonov <>, Martin Thomson <>, Patrick McManus <>
Subject: RE: Go Back to Single Packet Number Space
Thread-Topic: Go Back to Single Packet Number Space
Thread-Index: AdQkTBwat6Uz522HTCmlcfdQS0RX0wANbUcAAALJdwAAAvnmgAAAQ0HqABhGVQABLz4MnA==
Date: Wed, 01 Aug 2018 17:17:28 +0000
Message-ID: <>
References: <> <> <20180726030135.GA19322@ubuntu-dmitri> <> <>, <>
In-Reply-To: <>
Accept-Language: en-US
Content-Language: en-US
x-originating-ip: []
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1; DM5PR2101MB1013; 6:ELA4TSAaUcRt0OYIDIK4n82YBZqBjHu1TI3VzGYVh0srBq8awvpWYWMncsPcDmBhNIDmphvduvewk2mAPUsC3lzxUmirkwMx2TmgVC07VZwy7ogQia0ZTGgxY0PV3yC/2nFGRHlbI+9glF9+5lJJTjfnQ37OLHfgCYvvU7f8245LdDJmHS7TbsONSvL/y4pNdoP5ZaezgzGWSBJjdk7QgLFoq+bwZHZP1AL6HxqOrTHHoFs/SC9o54hZaH+LSKOTXCAp/axxbi4kpwRE4UnBp6vearzeRlh/JziRnXQk7rU5FFLCmnLUigw2SwNPb9Q/Qh0dnw5fkD7bdY1eFf5ULoQDEdB7ov/lBoph7KsCxw+43g3Pd7PTDH3T+v6gEpTWgjHuYa8mx915r8ydss38IrlRRD/AgG3cbr4xrjJximhZ5KyXZDqquIOyU6pGmcz9PW2uFweGONJDNBt02j7S9g==; 5:dD3YlM/NzJTtNux0aQd17QqLImnUssMUYCaUcHBzfbs0gtJYbv8H5vZnSllDqhKGs0vtysr9McYNJKFY/0Qxr684i1npSkVgENBHsg0QioBihsR0TH7U1zkXyoR+kbFJQ5kwCj3sTGBqlkcbfLsaMGALa4KI6mXQaxYgqNo81w8=; 7:ziQqCrhvUNttQLGlRwcQK2KBbyB+3+WbFWX9Oa6/tHer9PCElNMFe+xOOdjR+b5UxP5BfAhlqaftFdt71KWdqs18Il39yoRF1a6les27QZFz01fo1d3FSPte/YVk1nG6beGmf6s+QHYSktkh+fj7xvUoKK4zmr8OLdIYR6wYgS8JRHnqlgh22tYayAM3lZ092IXNXhxxTv5Eue9jmw6thcdrPqS9UxNNX6hnS9/JEOQE5l+aDIxDL1cTM9MiGzFG
x-ms-exchange-antispam-srfa-diagnostics: SOS;
x-ms-office365-filtering-correlation-id: a4d3c5ed-2474-4613-1fdc-08d5f7d2a86c
x-ms-office365-filtering-ht: Tenant
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(7020095)(4652040)(8989117)(4534165)(4627221)(201703031133081)(201702281549075)(8990107)(5600074)(711020)(4618075)(2017052603328)(7193020); SRVR:DM5PR2101MB1013;
x-ms-traffictypediagnostic: DM5PR2101MB1013:
authentication-results: spf=none (sender IP is );
x-microsoft-antispam-prvs: <>
x-exchange-antispam-report-test: UriScan:(28532068793085)(80524489315369)(158342451672863)(156600954879566)(166708455590820)(192374486261705)(189930954265078)(219752817060721)(31960201722614);
x-ms-exchange-senderadcheck: 1
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(8211001083)(6040522)(2401047)(5005006)(8121501046)(93006095)(93001095)(3231311)(944501410)(52105095)(2018427008)(10201501046)(3002001)(6055026)(149027)(150027)(6041310)(20161123558120)(20161123560045)(20161123564045)(201703131423095)(201702281528075)(20161123555045)(201703061421075)(201703061406153)(20161123562045)(6072148)(201708071742011)(7699016); SRVR:DM5PR2101MB1013; BCL:0; PCL:0; RULEID:; SRVR:DM5PR2101MB1013;
x-forefront-prvs: 0751474A44
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(376002)(136003)(366004)(396003)(39860400002)(346002)(189003)(199004)(33656002)(11346002)(2501003)(186003)(66066001)(486006)(476003)(8936002)(446003)(105586002)(2906002)(5660300001)(86362001)(86612001)(14444005)(575784001)(8676002)(106356001)(256004)(561944003)(6116002)(5250100002)(54906003)(3846002)(68736007)(74316002)(7736002)(2900100001)(478600001)(93886005)(10290500003)(81166006)(966005)(81156014)(53936002)(6436002)(14454004)(8990500004)(110136005)(229853002)(55016002)(54896002)(236005)(9686003)(6306002)(39060400002)(97736004)(25786009)(99286004)(7696005)(102836004)(316002)(10090500001)(22452003)(4326008)(606006)(6246003)(53546011)(76176011)(26005)(6506007); DIR:OUT; SFP:1102; SCL:1; SRVR:DM5PR2101MB1013;; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; MX:1; A:1;
received-spf: None ( does not designate permitted sender hosts)
x-microsoft-antispam-message-info: mUWVp9pydcYYym7yEQj1FnWh2p86ysNXJw4RK6z20V2faLfSbKrhM3mqsJJKU/MmhWhzdKy4z/VJ/1UQUujOidQVmqm1Nm8SYblAPnBk0S3EDafUNv99BAIcbBEoXOqVHWeNAMV/WSDSqYGxwQve4yIGNrEbSvWp7N1mJVbvJwGkoPxhQEqspRj6FhAR6W/PBUCQcpVHValNFrZL4y70/aw8YM+LQc6V15t5GtzANsKh7eAexJvp14p7/eMBn8np/SsY5Lv5zcKjSESOXbtbnq9ebxfCz5LzCAsrk65he4K4w4cY0ZFT4F//5aF1ANRucy1U1od6O7VmnvJH1tlmiQyRgnvBKw5SO5tFo6/Q9wo=
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: multipart/alternative; boundary="_000_DM5PR2101MB0901DF38B51EA5450B6D5F6FB32D0DM5PR2101MB0901_"
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-Network-Message-Id: a4d3c5ed-2474-4613-1fdc-08d5f7d2a86c
X-MS-Exchange-CrossTenant-originalarrivaltime: 01 Aug 2018 17:17:28.2394 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DM5PR2101MB1013
Archived-At: <>
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: Main mailing list of the IETF QUIC working group <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 01 Aug 2018 17:17:33 -0000

Sorry for the lack of immediate follow up here. I was on vacation. I’d like to summarize what I see as the current arguments against my proposal with my counters:

  1.  Multiple packet number spaces make it easier, theoretically, to reason about the security properties for the packets.
     *   I’d argue that the security properties should be reasoned in terms of the packet’s encryption level/epoch and leave packet number spaces out of it completely. In those terms, the only difference my design has is that an acknowledgement can also be sent in a higher encryption level.
  2.  Folks have an uneasiness (and see it as a hack) about allowing for ACK frames to be sent in greater than or equal encryption level.
     *   Personally, I don’t see this as a hack at all. To me, it seems reasonable and intuitive to always use the more secure mechanism to acknowledge the information you have received so far.
  3.  A single packet number space may pose problems with the client’s second flight (if the Handshake packet is lost).
     *   In the multiple packet space, if the client coalesces the Initial packet with the ACK frame with their Handshake packet with the CRYPTO frame, you have exactly the same issue. The server ends up with an RTO and retransmits.
  4.  There are issues related to the security analysis if Handshake packets are allowed to acknowledge 1-RTT packets.
     *   I’d like more explanation on exactly what the issue is here. Did previous analysis explicitly show that something like this would be a problem, or has there just not been any analysis for something like this? My understanding is that the Handshake keys give you trust enough to know you are talking with whoever you started the conversation with, but they aren’t authenticated to be who they claim they are yet. Why would that level of trust not be acceptable to acknowledge a received packet?

To summarize my claimed pros for a single packet number space:

  1.  There is less state (memory) to manage on both the sender and receiver side.
  2.  There is less logic required for building packets to acknowledge all the currently received packets.
     *   I don’t believe an implementation would need to support sending coalesced packets to have an efficient handshake.
  3.  Cross encryption level loss recovery is easier to reason about and implement.
  4.  A single set of packet numbers is easier to reason about and debug.
  5.  Saves bytes on the wire.
     *   1 ACK frame for the server’s first flight.
     *   1 long header packet and ACK frame for the client’s second flight.

In general, I still believe the single packet number space far superior to the multiple packet space design. I feel it has a lot of tangible benefits over the multiple packet space design.

- Nick

Sent from Mail<> for Windows 10

From: <> on behalf of Tommy Pauly <>
Sent: Thursday, July 26, 2018 9:09:24 AM
To: Nick Banks
Cc: Dmitri Tikhonov;; Martin Thomson
Subject: Re: Go Back to Single Packet Number Space

First off, I'd like to +1 to the points Kazuho made, as I think he did a very good job of expressing the concern I have.

To elaborate on the point about separation of spaces making things easier to reason about:

While the table below does indicate that there are 4 different encryption levels/sets of keys, there can and should be a connection between the 0-RTT and 1-RTT spaces.

| Packet Type     | Encryption Level | PN Space  |
| Initial         | Initial secrets  | Initial   |
| 0-RTT Protected | 0-RTT            | 0/1-RTT   |
| Handshake       | Handshake        | Handshake |
| Retry           | N/A              | N/A       |
| Short Header    | 1-RTT            | 0/1-RTT   |

Effectively, there are three different levels of trust at play, which determine the type of frame content that may be sent:
- For Initial packets, there is no established trust at all
- For Handshake packets, there is only the established trust that the peers are the same ones that performed the Initial exchange; at this point it is safe to perform authentication
- For both 0-RTT and 1-RTT packets, there is the trust that the peers have completed an authenticated handshake; only here is it safe to send application data

These three levels of trust are not specific to TLS, but a common feature of security handshakes.

Separated packet number spaces allows an implementation to very discretely separate its handling of frames and retransmissions between the three levels of trust. The architecture that this promotes is one that (I hope) is less likely to have bugs in which frames that must only be sent in higher levels of trust are sent in lower levels.


On Jul 25, 2018, at 9:37 PM, Nick Banks <<>> wrote:

Since there are four encryption levels, the fact that there are only three packet spaces only makes things more confusing IMO.. If your argument is that matching them together makes things easier, then I’d think there should be four packet spaces. I think having all this duplication and separation just adds unnecessary complexity.

Sent from my Windows 10 device
[HxS - 15254 - 16.0.10325.20083]

From:<> <<>> on behalf of Tommy Pauly <<>>
Sent: Wednesday, July 25, 2018 9:26:49 PM
To: Dmitri Tikhonov
Cc: Martin Thomson; Nick Banks; QUIC WG
Subject: Re: Go Back to Single Packet Number Space

As another implementer, I also prefer having the split packet spaces. The point isn't necessarily that it's good to have the triple spaces, but rather that it's nice to have the packet number spaces correspond tightly with the packet types and protection. The logic for handling a space can be treated more uniformly in that way, although it does involve potentially more memory to store the state.


> On Jul 25, 2018, at 8:01 PM, Dmitri Tikhonov <<>> wrote:
> On Thu, Jul 26, 2018 at 11:41:48AM +1000, Martin Thomson wrote:
>> The feedback I've heard is that the simplification is subjective.
>> Others have said that a single space would complicate their
>> implementation considerably more.
> EKR is one of the "others" [1] -- are there other implementers who
> prefer the triple packet space?
>  - Dmitri.
> 1.;;sdata=fstGdvwnKKfApVKVQZFuJYdWAZkXCafUsEH0t1YtH8U%3D&amp;reserved=0<>