IETF Logo Mail Archive

Re: KEYS_READY

David Schinazi <dschinazi.ietf@gmail.com> Fri, 01 March 2019 23:49 UTC

Return-Path: <dschinazi.ietf@gmail.com>
X-Original-To: quic@ietfa.amsl.com
Delivered-To: quic@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D0803130FF3 for <quic@ietfa.amsl.com>; Fri, 1 Mar 2019 15:49:38 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id yBUvhejc6apa for <quic@ietfa.amsl.com>; Fri, 1 Mar 2019 15:49:34 -0800 (PST)
Received: from mail-pg1-x536.google.com (mail-pg1-x536.google.com [IPv6:2607:f8b0:4864:20::536]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9A6ED131004 for <quic@ietf.org>; Fri, 1 Mar 2019 15:49:34 -0800 (PST)
Received: by mail-pg1-x536.google.com with SMTP id u9so12164263pgo.7 for <quic@ietf.org>; Fri, 01 Mar 2019 15:49:34 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=kYc4wk5gfaM9gKjdICryReTeCMYiZl8VskeoUd17Iv0=; b=BXKp3vfmVNcG2D+3uf2K4pgyWCo2t7phPKb3VkeIJ93sGTSh/e7ewpI+d7JSq7mYcE qRo6UluYDMx+QpF8iqlHHDZjtCiaT2wKUtzL0I6OKWlhcqiSP4I7T0nL8yhQRPVzKTOv KPseJoJjZzWGpff2IUQBKVzJVkL1o5fW3ql0iof68JOZ8GcnF+cJr9uSpLSUxh2HPI0i 4vrz8lPvXD69uIyCrt0UfLkBIgC93tQMOk57fjommO/EcngxL+hDdsX7Pe301W+Ag8hn 4hWOvFFi1I50li/zI3NNf0xLJu7FIqqqOmX8KRebkqHNQ5KMff4QB73BZmfDMV34Lck/ 7yQg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=kYc4wk5gfaM9gKjdICryReTeCMYiZl8VskeoUd17Iv0=; b=CRrc0ArzMR2nXw3cdp4FyHW2lWrOjKrl1Pjc2+1cEHie8zTbnkdBB/HnDGJTnrYT+c Pu3cmzc1b9DCkr8F/yOfk+ht3vIYANxwPMjBydFiS1cwnxCgARVyiaum/4+ANtuzjOUg PJVhYYkEYCTSP0gjPwASgYvY1ePi6WDa761kQN8gJSqqiCmIMtc4atYFAGIWdAfYPLIw dF7qvNeJH7Dm6Zo+kravuwhW6q1LHfwdhCHPHx8mkRhPFsSSzkkwDbnr+BMFfXvDVc5W 2dSwoJF2M8oXt2cdM3IOwyDQgPKDpSycE4t26OE4LtNYq23+KiT+k+/Xn29qV4PONVu/ jlow==
X-Gm-Message-State: APjAAAUWBmQJD2z/ycOEKM8kIQfzk2RTzysHIAEWors1wTB0d14ojc+m 3GVt6cRYfx98SRSV/taJKXcWmG7qwxzF75aMiQQ=
X-Google-Smtp-Source: APXvYqzEUC1aVJw5Z4aW8LujBDXNMuIwC3jkRTPbpHCJhacLeGgGCC0Bs81E4IA4naveQbIbGqQTKBNNDteLeOyVwO8=
X-Received: by 2002:a63:2c8b:: with SMTP id s133mr7458200pgs.448.1551484173687; Fri, 01 Mar 2019 15:49:33 -0800 (PST)
MIME-Version: 1.0
References: <1550022355.557617.1656828112.4DD1CEE6@webmail.messagingengine.com> <CANatvzy_juza_meGR_-KuBV9FA=F754mv54aawxMb8hYWxb1gA@mail.gmail.com> <CAN1APdcVYKWuapZ3XHxXa_nVACwkRD-xeF3ub-5ROttE7QVrmQ@mail.gmail.com> <CAOYVs2ooxAuwu_zr2XZ-y9UqUP5kTbjoFrckAOi40bF9vODGOg@mail.gmail.com> <CAKcm_gNk=jKrnXM4Ht4yF0RX25wtVifjxz0c1gay0uie7PMw6A@mail.gmail.com> <CANatvzxBYzEaDZ1Ftt=o1zT5zVcVTd1EwtGiJOC-mkrNUWzVAQ@mail.gmail.com> <CAN1APdfzepc9DE98UsWw=hB4dM38qKLxdAjpsYuddDBatcscDA@mail.gmail.com> <739AFC55-DD02-47AA-A29E-B9C34ED7D6F9@gmail.com> <CAN1APddWLdmRo+ZZDnmvrBEFQk4TTcS3UK_9AU4KqAeSkiBvJQ@mail.gmail.com> <375A63C5-7120-4688-8873-EEA90693332E@huitema.net> <CANatvzxoOFzpkcH_4VpQscpZq8ak0QL0D6REvyJVjE+ga97SVQ@mail.gmail.com> <1550111606.3717440.1657643080.033E200B@webmail.messagingengine.com> <ae018a6d-4c9a-acc7-4213-21d1670f9dad@huitema.net> <1550117510.928793.1657684264.41D049FA@webmail.messagingengine.com> <CACpbDcfbEcg70RwpFrCQ2X6WA0Dd7ygd=Q0w7iwKc-ZgZQbZ0w@mail.gmail.com> <1550120733.954579.1657700168.72A8F92A@webmail.messagingengine.com> <CAOYVs2qQJgGNhXJNjhE8L=wxBgq+3qs144WYXs0JoWNBrK_a6A@mail.gmail.com> <DB6PR10MB1766128EAD7248F02C1EAFA5AC670@DB6PR10MB1766.EURPRD10.PROD.OUTLOOK.COM> <DB6PR10MB176684E61A66BF01C66008F6AC670@DB6PR10MB1766.EURPRD10.PROD.OUTLOOK.COM> <CAPDSy+5MSST-Nkoi+oaRzSLDJCYqhUmKw1nP_p4fOyq7cfK17w@mail.gmail.com> <CAJ_4DfRKrYOyozbp4GmPNODnZ_sKTECXbMa5Vsuxa4zmubERHQ@mail.gmail.com> <MWHPR22MB0991FCD3ADA97790B238E491DA670@MWHPR22MB0991.namprd22.prod.outlook.com> <CAPDSy+4=YYyTe5=85X09e1kAB7TrmmNXK-2wnLZubfS1ekWRJA@mail.gmail.com> <f2e59f1c-b7d5-49ce-affc-7d16684a048a@www.fastmail.com> <CAPDSy+4sKR99Fwqt+08JevAmC7E4LUSohUrQgVc+5BA56CLEkQ@mail.gmail.com> <b4364dee-a429-45c5-8b56-b82269f1ab2e@www.fastmail.com> <CAPDSy+4idHMDpNya42K5fxRQ6tFUoOXz9bi8K2eU8u-xRiOB3g@mail.gmail.com> <045bbf5b-04e4-4f9f-886b-f7ff9254bdab@www.fastmail.com> <CAPDSy+4iTM1wYpr04fmqOULct5LrB4UnDiPz_K9vGSd3oB=4eg@mail.gmail.com> <CANatvzyoEJZBWhBEBLMcysv_GTEKHup02++RAj_XX+SztVQm1g@mail.gmail.com> <CAPDSy+4kFMhpyHrvcQhT+rwnwfraOb0eBs=eOQPTNGWWJV51Kg@mail.gmail.com> <7879ac68-5a8e-4b5e-a81f-03b851be8328@www.fastmail.com> <CACdeXi+dAPro=J7Nh9KbdQBYo3Ssup0r-x-WsppfEriJEWYwdg@mail.gmail.com> <b33833e0-d458-4683-b41c-a4b6c38f40f3@www.fastmail.com>
In-Reply-To: <b33833e0-d458-4683-b41c-a4b6c38f40f3@www.fastmail.com>
From: David Schinazi <dschinazi.ietf@gmail.com>
Date: Fri, 01 Mar 2019 15:49:22 -0800
Message-ID: <CAPDSy+5-fSw=fM=xsXAkmA1XHErFY0O7qy9ct0-w0M-F52NKKQ@mail.gmail.com>
Subject: Re: KEYS_READY
To: Martin Thomson <mt@lowentropy.net>
Cc: Nick Harper <nharper@google.com>, IETF QUIC WG <quic@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000000c1ff70583110f42"
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic/24QS4YlG5Db_ueuSSEvi4xUqCWA>
X-BeenThere: quic@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Main mailing list of the IETF QUIC working group <quic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic>, <mailto:quic-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic/>
List-Post: <mailto:quic@ietf.org>
List-Help: <mailto:quic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic>, <mailto:quic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 01 Mar 2019 23:49:51 -0000

Thanks Martin and Nick.

I agree that my proposal needs a lot of work to get the wording right, but
I think the difference between that and MT's is when you send the frame:
- MT's model is to send it when you're not expecting to receive anything
anymore
- my model is to send it when you know you won't be sending anymore

I believe letting the sender decide is easier to reason about and will help
down the road, even if it has the downside of keeping the handshake keys
around for an extra RTT on the server.

David

On Thu, Feb 28, 2019 at 10:15 PM Martin Thomson <mt@lowentropy.net> wrote:

> I see.  That's not clear.  It might have helped to explain that in the
> email announcing the proposal, because the PR contains errors that are
> quite confusing.  The PR never really defines what "done with keys" means
> either.
>
> If that is the only difference then we can talk about the implications of
> driving state based on ACK frames, which we've not done in the past.
> Leaving the ugly exception for Initial aside, I suspect that this is much
> harder to implement, because you have to track where data was first sent in
> order to send the frame at the right time.  That's easy enough for CRYPTO
> frames, which are basically all you have during the handshake, but in order
> to implement it for key updates you need visibility into which packets are
> still outstanding.  That requires a new type of access to the loss recovery
> module.
>
> I see quite a few omissions and mistakes in the PR.  For instance, this
> doesn't address the concerns about retransmissions of the frame across key
> updates.  It also shows the server sending the frame in Handshake packets
> before it could have received ACKs.  Hence my confusion.
>
> On Fri, Mar 1, 2019, at 16:21, Nick Harper wrote:
> > There is one difference between the RETIRE_KEYS and KEYS_ACTIVE PRs
> > (besides the name of the new frame):
> >
> > With RETIRE_KEYS, the client doesn't send it until the Client Finished
> > has been ACKed. With KEYS_ACTIVE, the client MUST send it in its first
> > 1-RTT packet, while the server MUST NOT process that 1-RTT packet until
> > it has received the Client Finished.
> >
> > Even though they do basically the same thing, I think it's much easier
> > to understand the logic in the RETIRE_KEYS PR. The logic for
> > RETIRE_KEYS is "I send RETIRE_KEYS when I don't need to send or receive
> > anything more at the previous encryption level." After re-reading the
> > KEYS_ACTIVE PR, I don't see a similar underlying principle for when
> > it's sent, just a set of rules to follow.
> >
> > On Thu, Feb 28, 2019 at 7:37 PM Martin Thomson <mt@lowentropy.net>
> wrote:
> > > I don't get it. This is the same proposal. With fewer editorial
> changes, perhaps.
> > >
> > >  On Fri, Mar 1, 2019, at 11:30, David Schinazi wrote:
> > >  > Since this conversation has quieted down for two weeks, I went
> ahead
> > >  > and wrote up the RETIRE_KEYS proposal:
> > >  > https://github.com/quicwg/base-drafts/pull/2492
> > >  >
> > >  > I believe this is simpler to reason about than the KEYS_ACTIVE
> proposal
> > >  > and safer as it makes less assumptions about the handshake protocol.
> > >  >
> > >  > Please let me know what you think, and I believe we should keep the
> > >  > discussion here instead of on the PR.
> > >  >
> > >  > David
> > >  >
> > >  > On Thu, Feb 14, 2019 at 5:51 PM Kazuho Oku <kazuhooku@gmail.com>
> wrote:
> > >  > > 2019年2月15日(金) 9:18 David Schinazi <dschinazi.ietf@gmail.com>:
> > >  > > >
> > >  > > >
> > >  > > >
> > >  > > > On Thu, Feb 14, 2019 at 3:45 PM Martin Thomson <mt@lowentropy..net>
> wrote:
> > >  > > >>
> > >  > > >> On Fri, Feb 15, 2019, at 09:47, David Schinazi wrote:
> > >  > > >> > This means that the server sends KEYS_ACTIVE(1-RTT) not when
> the 1-RTT
> > >  > > >> > keys are active,
> > >  > > >> > but instead when the handshake finishes, which is when the
> server has
> > >  > > >> > received the client finished.
> > >  > > >> > Those are two different moments in time.
> > >  > > >>
> > >  > > >> Yes, because the keys aren't active when the server starts
> sending 1-RTT packets. They are only active when the server starts reading
> 1-RTT. The server can't activate its 1-RTT reading keys until the handshake
> is complete.
> > >  > > >
> > >  > > >
> > >  > > > Ah, thanks. Looking at it this way it makes sense to me - we
> may want to make the text clearer in case I'm not the only one who was
> confused.
> > >  > > >
> > >  > > >>
> > >  > > >> That's why I chose to name this KEYS_ACTIVE(this), not
> RETIRE_KEYS(prev), but I don't really mind what it is called.
> > >  > > >
> > >  > > >
> > >  > > > I don't feel strongly about names either as long as they make
> sense - and now KEYS_ACTIVE also makes sense to me - so either name is fine
> by me.
> > >  > > >
> > >  > > >>
> > >  > > >> > My proposal is to have the client decide when it is done
> with the
> > >  > > >> > handshake keys by having the client
> > >  > > >> > delay sending RETIRE_KEYS(Handshake) instead of the server
> delaying
> > >  > > >> > sending KEYS_ACTIVE(1-RTT).
> > >  > > >>
> > >  > > >> This requires that the client send more Handshake packets. And
> it adds a lot of delay because the client has to wait until all its packets
> are acknowledged. We previously agreed that any such signal from the server
> is more direct and effective.
> > >  > > >
> > >  > > >
> > >  > > > I don't think it means more handshake packets. And it's still a
> direct signal between endpoints. The only difference is that the
> client-to-server RETIRE_KEYS message is delayed by one RTT compared to its
> KEYS_ACTIVE message so the server will wait one RTT before throwing away
> handshake keys. But it has the advantage of not requiring any implicit
> ACKs. So the tradeoff we're facing is between allowing the server to throw
> away keys sooner at the cost of making implicit decisions. This
> implicitness means KEYS_ACTIVE does not allow the client to be able to send
> anything in Handshake after the ClientFinished. I'm worried that might
> prevent protocol changes down the road.
> > >  > > >
> > >  > > > I'm still in favor of paying the one RTT before key deletion to
> make the protocol more explicit.
> > >  > >
> > >  > > I share the same view.
> > >  > >
> > >  > > Admittedly, it means that then the frame would no longer be
> useful for
> > >  > > dropping the Initial keys, assuming that we want to drop them
> ASAP as
> > >  > > we do now.
> > >  > >
> > >  > > But even with that downside, I think it makes sense to delay when
> the
> > >  > > handshake and each generation of 1-RTT keys are dropped. After
> all, we
> > >  > > can argue that the requirement for when to drop the Initial keys
> is
> > >  > > exceptional due to security concerns.
> > >  > >
> > >  > > Hence something like
> > >  > >
> https://mailarchive.ietf.org/arch/msg/quic/NNOzxNWldmfiUN9avCdiQMNVXMw.
> > >  > >
> > >  > > --
> > >  > > Kazuho Oku
> > >
>
>

v2.23.0 | Report a Bug | By Email