IETF Logo Mail Archive

Re: KEYS_READY

Kazuho Oku <kazuhooku@gmail.com> Fri, 15 February 2019 01:52 UTC

Return-Path: <kazuhooku@gmail.com>
X-Original-To: quic@ietfa.amsl.com
Delivered-To: quic@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AF3B512950A for <quic@ietfa.amsl.com>; Thu, 14 Feb 2019 17:52:00 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DRpa5k3MEnRl for <quic@ietfa.amsl.com>; Thu, 14 Feb 2019 17:51:57 -0800 (PST)
Received: from mail-lf1-x143.google.com (mail-lf1-x143.google.com [IPv6:2a00:1450:4864:20::143]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1CAB21310E1 for <quic@ietf.org>; Thu, 14 Feb 2019 17:51:57 -0800 (PST)
Received: by mail-lf1-x143.google.com with SMTP id q11so6025385lfd.3 for <quic@ietf.org>; Thu, 14 Feb 2019 17:51:57 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=9T+e/61cjpi49hGxagu0qptzOHOEeSc62rhY58aUAc0=; b=RX3iqLFs6Cgw1M0VCe6XAk2UpOAV+REUMo5612UjXhD9yElOnzGHtbQOoh3jgI4Dop a57jDi0M/C2wpYdx6YY3qVKVQjLpLL8mbPhX/IzdOFHMgmkN/ZKJFTDJ6pEs4dwTU3WQ s/zJaJHMSiAdP6PdSjOApRe0Z/0b1TeCchm6wfLFdsg82LJkJELsyl82DxpF/nVRMw2K gYYq/SdUxd+0OKR6K4Daidz7Apr2pyx3iXz1w6KIJOcBAr7k7x63NGiblRBh0FVynq7e ZSS237iAYeF8idipxtVBUg8W2TQR79QDjOMExJf/cSWdL5nmvdsLhSoXGKyTh+KsS6W7 hOxQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=9T+e/61cjpi49hGxagu0qptzOHOEeSc62rhY58aUAc0=; b=DNjIQdJ+0CFAKqAQuWI77LGvBozK2PEmeGEf5LSB5n0Zzk52QBgbsmEMW5UAw4Zk3i NCaohj9Of6DX9AZcJFFerkTYL5OvnowwCHJlJZMh3KPOyt/Kk4vuANiOpYqfesyAwzER nz+lkcDWfiCzlnqoRqvOkAb3uIwm0zqbtDRgxmRsfjkwWRCJcB9JIIJZPFqL452Vqauw DDjGvqfNqoR6wNoukpd8WcPC+GexyXcn7bMWnLjlBXUyrqJOnkTCHQWmH4ncsNNBHIe1 BQvyil/BeWUguGOouY9s9ks31jprio3Loa4dWwrrvLbFs1JTfrlHKq0G6IFT4/qR+oXa UvJg==
X-Gm-Message-State: AHQUAuaO0THpwXCqEmPxAIfQLnCw0DY3J59gcT+rf/nbmhuGbLLse4r0 a6S6BHqEqpYTYehCrTfnQ+0LgUdegjKffs9XImc=
X-Google-Smtp-Source: AHgI3IbxxKyG/rcTyt2rkTidUYvqNGcCgJwkLCbXyk4n9pBOVtwO5PNAk431BF3FfYFRrTBNcyPzzLeyDp0tb93MIjs=
X-Received: by 2002:a19:7b0e:: with SMTP id w14mr4006622lfc.8.1550195515144; Thu, 14 Feb 2019 17:51:55 -0800 (PST)
MIME-Version: 1.0
References: <1550022355.557617.1656828112.4DD1CEE6@webmail.messagingengine.com> <CANatvzy_juza_meGR_-KuBV9FA=F754mv54aawxMb8hYWxb1gA@mail.gmail.com> <CAN1APdcVYKWuapZ3XHxXa_nVACwkRD-xeF3ub-5ROttE7QVrmQ@mail.gmail.com> <CAOYVs2ooxAuwu_zr2XZ-y9UqUP5kTbjoFrckAOi40bF9vODGOg@mail.gmail.com> <CAKcm_gNk=jKrnXM4Ht4yF0RX25wtVifjxz0c1gay0uie7PMw6A@mail.gmail.com> <CANatvzxBYzEaDZ1Ftt=o1zT5zVcVTd1EwtGiJOC-mkrNUWzVAQ@mail.gmail.com> <CAN1APdfzepc9DE98UsWw=hB4dM38qKLxdAjpsYuddDBatcscDA@mail.gmail.com> <739AFC55-DD02-47AA-A29E-B9C34ED7D6F9@gmail.com> <CAN1APddWLdmRo+ZZDnmvrBEFQk4TTcS3UK_9AU4KqAeSkiBvJQ@mail.gmail.com> <375A63C5-7120-4688-8873-EEA90693332E@huitema.net> <CANatvzxoOFzpkcH_4VpQscpZq8ak0QL0D6REvyJVjE+ga97SVQ@mail.gmail.com> <1550111606.3717440.1657643080.033E200B@webmail.messagingengine.com> <ae018a6d-4c9a-acc7-4213-21d1670f9dad@huitema.net> <1550117510.928793.1657684264.41D049FA@webmail.messagingengine.com> <CACpbDcfbEcg70RwpFrCQ2X6WA0Dd7ygd=Q0w7iwKc-ZgZQbZ0w@mail.gmail.com> <1550120733.954579.1657700168.72A8F92A@webmail.messagingengine.com> <CAOYVs2qQJgGNhXJNjhE8L=wxBgq+3qs144WYXs0JoWNBrK_a6A@mail.gmail.com> <DB6PR10MB1766128EAD7248F02C1EAFA5AC670@DB6PR10MB1766.EURPRD10.PROD.OUTLOOK.COM> <DB6PR10MB176684E61A66BF01C66008F6AC670@DB6PR10MB1766.EURPRD10.PROD.OUTLOOK.COM> <CAPDSy+5MSST-Nkoi+oaRzSLDJCYqhUmKw1nP_p4fOyq7cfK17w@mail.gmail.com> <CAJ_4DfRKrYOyozbp4GmPNODnZ_sKTECXbMa5Vsuxa4zmubERHQ@mail.gmail.com> <MWHPR22MB0991FCD3ADA97790B238E491DA670@MWHPR22MB0991.namprd22.prod.outlook.com> <CAPDSy+4=YYyTe5=85X09e1kAB7TrmmNXK-2wnLZubfS1ekWRJA@mail.gmail.com> <f2e59f1c-b7d5-49ce-affc-7d16684a048a@www.fastmail.com> <CAPDSy+4sKR99Fwqt+08JevAmC7E4LUSohUrQgVc+5BA56CLEkQ@mail.gmail.com> <b4364dee-a429-45c5-8b56-b82269f1ab2e@www.fastmail.com> <CAPDSy+4idHMDpNya42K5fxRQ6tFUoOXz9bi8K2eU8u-xRiOB3g@mail.gmail.com> <045bbf5b-04e4-4f9f-886b-f7ff9254bdab@www.fastmail.com> <CAPDSy+4iTM1wYpr04fmqOULct5LrB4UnDiPz_K9vGSd3oB=4eg@mail.gmail.com>
In-Reply-To: <CAPDSy+4iTM1wYpr04fmqOULct5LrB4UnDiPz_K9vGSd3oB=4eg@mail.gmail.com>
From: Kazuho Oku <kazuhooku@gmail.com>
Date: Fri, 15 Feb 2019 10:51:43 +0900
Message-ID: <CANatvzyoEJZBWhBEBLMcysv_GTEKHup02++RAj_XX+SztVQm1g@mail.gmail.com>
Subject: Re: KEYS_READY
To: David Schinazi <dschinazi.ietf@gmail.com>
Cc: Martin Thomson <mt@lowentropy.net>, Jana Iyengar <jri.ietf@gmail.com>, Ryan Hamilton <rch=40google.com@dmarc.ietf.org>, Marten Seemann <martenseemann@gmail.com>, Mike Bishop <mbishop@evequefou.be>, Mikkel Fahnøe Jørgensen <mikkelfj@gmail.com>, QUIC WG <quic@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic/B6EFSsVEvOOCziJpPWAnBHriv5E>
X-BeenThere: quic@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Main mailing list of the IETF QUIC working group <quic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic>, <mailto:quic-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic/>
List-Post: <mailto:quic@ietf.org>
List-Help: <mailto:quic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic>, <mailto:quic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 15 Feb 2019 01:52:06 -0000

2019年2月15日(金) 9:18 David Schinazi <dschinazi.ietf@gmail.com>:
>
>
>
> On Thu, Feb 14, 2019 at 3:45 PM Martin Thomson <mt@lowentropy.net> wrote:
>>
>> On Fri, Feb 15, 2019, at 09:47, David Schinazi wrote:
>> > This means that the server sends KEYS_ACTIVE(1-RTT) not when the 1-RTT
>> > keys are active,
>> > but instead when the handshake finishes, which is when the server has
>> > received the client finished.
>> > Those are two different moments in time.
>>
>> Yes, because the keys aren't active when the server starts sending 1-RTT packets.  They are only active when the server starts reading 1-RTT.  The server can't activate its 1-RTT reading keys until the handshake is complete.
>
>
> Ah, thanks. Looking at it this way it makes sense to me - we may want to make the text clearer in case I'm not the only one who was confused.
>
>>
>> That's why I chose to name this KEYS_ACTIVE(this), not RETIRE_KEYS(prev), but I don't really mind what it is called.
>
>
> I don't feel strongly about names either as long as they make sense - and now KEYS_ACTIVE also makes sense to me - so either name is fine by me.
>
>>
>>  > My proposal is to have the client decide when it is done with the
>> > handshake keys by having the client
>> > delay sending RETIRE_KEYS(Handshake) instead of the server delaying
>> > sending KEYS_ACTIVE(1-RTT).
>>
>> This requires that the client send more Handshake packets.  And it adds a lot of delay because the client has to wait until all its packets are acknowledged.  We previously agreed that any such signal from the server is more direct and effective.
>
>
> I don't think it means more handshake packets. And it's still a direct signal between endpoints. The only difference is that the client-to-server RETIRE_KEYS message is delayed by one RTT compared to its KEYS_ACTIVE message so the server will wait one RTT before throwing away handshake keys. But it has the advantage of not requiring any implicit ACKs. So the tradeoff we're facing is between allowing the server to throw away keys sooner at the cost of making implicit decisions. This implicitness means KEYS_ACTIVE does not allow the client to be able to send anything in Handshake after the ClientFinished. I'm worried that might prevent protocol changes down the road.
>
> I'm still in favor of paying the one RTT before key deletion to make the protocol more explicit.

I share the same view.

Admittedly, it means that then the frame would no longer be useful for
dropping the Initial keys, assuming that we want to drop them ASAP as
we do now.

But even with that downside, I think it makes sense to delay when the
handshake and each generation of 1-RTT keys are dropped. After all, we
can argue that the requirement for when to drop the Initial keys is
exceptional due to security concerns.

Hence something like
https://mailarchive.ietf.org/arch/msg/quic/NNOzxNWldmfiUN9avCdiQMNVXMw.

-- 
Kazuho Oku

v2.23.0 | Report a Bug | By Email