Re: Stream0 Proposal: Explicit vs. Implicit ACK (Re: Stream0 Design Team Proposal)

Kazuho Oku <> Fri, 25 May 2018 08:06 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id D34EE1243FE for <>; Fri, 25 May 2018 01:06:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 1v_kmufKYtoV for <>; Fri, 25 May 2018 01:06:24 -0700 (PDT)
Received: from ( [IPv6:2607:f8b0:400e:c01::22b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id AD4BB1201FA for <>; Fri, 25 May 2018 01:06:24 -0700 (PDT)
Received: by with SMTP id f1-v6so2247165plt.6 for <>; Fri, 25 May 2018 01:06:24 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=959mrzNQKutR5mTu8Cg9qPeBMNREemoDauXuaoxApl0=; b=CtXDUN5apxwLMBfpmjepHXC9dw57AssEe6D36GO7EOWhKK41q21VJf6j6B8vjRHTWA u89UPIOJsHvnDEXU2Xqz80XiGUkiMP2MZ0Q1vV5fZeIx84cihw96Fi5tTy+v8G+eVp8h B9TngoGhxwb4ew6WiVgDPa7FvzVHTyBZZjDIoD5dBezk74huM6mUcVVonci49brga7WB RrB53rLKK9qsk19gol7cFOD6g4IqnrylHfd/3CiHajN99kFRQ8P2CQWQfPwkJmepbje2 OEjZiipRYg0Y8a6CGQYEeGJvuOCfcAm9B0kCpXljfwZk9KoHXxhxICyNaSyWTF136VWx KOMw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=959mrzNQKutR5mTu8Cg9qPeBMNREemoDauXuaoxApl0=; b=X48DU+JoRdwdrXChg4WK3VZ2PBUv2QalxhJCDrlEI2SiYuiKVdofHpFRFjg4A0Q8Ah beYWz1oOW4NgeETETUxhsWX5ZqfLX1NlPqv55s7nTuHG5MkuRBtYOBQqUQqm/7gqc6Ge VeOo+ZG9wLU2Fam4RUAwLoKT9KMGdHcadtXryHbw9w4NLk2uLeu1SroD4m+q17tTNnQj lBYHiuxIYEe/aSIP14yVmcqaDoGW34EyKPeuOEbQuzDpvMtoJksHgvcIYO+Jb7PL9C6Q yUTXNR2GX79Tpkqp6CN8wRTshL0wZ0aluwCpLfqWyRDMjb6weBe15m6S4p48UU282rgW wQPg==
X-Gm-Message-State: ALKqPwdBgMcNcZHLpM31IjElQRg3bysrhugCSgid9LZoUzsAG0GN/5uQ VcNWBkldvPZlnHkUxaSfFPhD1QeG8CayZ+OkA0A=
X-Google-Smtp-Source: AB8JxZonnfjt2nS0NosbicC08MAiGZ169fM0pHHTvepSenQ5V2N6TJXShS8WWnnHJjeQdV11hrsS76B5ECUDGVCGBIM=
X-Received: by 2002:a17:902:b7ca:: with SMTP id v10-v6mr1519677plz.224.1527235584119; Fri, 25 May 2018 01:06:24 -0700 (PDT)
MIME-Version: 1.0
Received: by 2002:a17:90a:1189:0:0:0:0 with HTTP; Fri, 25 May 2018 01:06:23 -0700 (PDT)
In-Reply-To: <>
References: <> <> <>
From: Kazuho Oku <>
Date: Fri, 25 May 2018 17:06:23 +0900
Message-ID: <>
Subject: Re: Stream0 Proposal: Explicit vs. Implicit ACK (Re: Stream0 Design Team Proposal)
To: Martin Thomson <>
Cc: Jana Iyengar <>, Eric Rescorla <>, QUIC WG <>, Ian Swett <>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <>
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Main mailing list of the IETF QUIC working group <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 25 May 2018 08:06:27 -0000

I think I might have found an issue in the explicit ACK approach that
we use in the PR.

That is that EOED cannot be ACKed.

Assuming that EOED is sent using 0-RTT keys, it needs to be acked by
the server using the same key, because the transmission of EOED needs
to be guaranteed for the TLS handshake to complete.

However, there is no 0-RTT send key on the server-side.

Do we have any rule for dealing with this? I searched though the text
of the PR but could not find an answer.

2018-05-24 14:49 GMT+09:00 Kazuho Oku <>:
> 2018-05-24 13:43 GMT+09:00 Martin Thomson <>:
>> The obvious solution for the problem of not retransmitting the client
>> Finished is to retransmit it until it is acknowledged.  With the proposed
>> design, that means that the server sends a Handshake message after the
>> handshake is done, which I think is fine.  If the client sends Finished
>> until it is acknowledged, then I think we're good.
> I agree that that would work.
> IIUC downsides compared to the implicit ACK approach are that the
> server needs to keep the old keys for certain amount of time (e.g., 2
> MSL) and that the additional Handshake packet will consume about 30
> octets of the 3 packet window that we have for the server's first
> flights.
>> I can see the appeal in saying that if you receive an ACK for 1-RTT data
>> then your Handshake packets must have been received.  I can see that
>> working even, but you have to be careful.  It's just a signal that you can
>> stop sending CRYPTO frames, not that you are done with the keys.  You might
>> need to send ACK again and you might still receive packets at that level.
>> You could drop read keys and ACK only the old packets that you did decrypt,
>> but I suspect that it's better to authenticate any packet and ACK
>> faithfully, which would be better for your peer's congestion state.
>> That also means that you probably need to have timers for cleaning up, to
>> avoid the pathological case where acknowledgments are sent indefinitely.
> I agree with your argument about congestion control.
> One way of acquiring correct congestion control information in the
> implicit ACK approach will be to send coalesced packets that combines
> a Handshake packet with a packet protected by a higher encryption key.
> That will guarantee that you would receive an ACK for the delivery of
> the datagrams, and you can feed the information to the congestion
> controller.
> FWIW, I have implemented implicit ACK in quicly, and it only required
> about 40 additional lines of code, including the retransmission logic
> for Handshake_Done. The code can be found at
> Coalesced packets is not implemented.
>> I think that the FIN bit idea might work to close out the use of the
>> "stream" for each set of keys. That is, as opposed to the crypto stream as
>> a whole.  But it's duplicative: the crypto handshake needs to know when it
>> moves from one set of keys to the next and replicating that signaling at
>> the QUIC layer only really adds things to check for consistency.
>> On Thu, May 24, 2018 at 11:07 AM Kazuho Oku <> wrote:
>>> 2018-05-24 3:46 GMT+09:00 Jana Iyengar <>:
>>> > A thought occurs to me: a CRYPTO_HS frame with the fin bit set can be
>> used
>>> > to indicate that the handshake is done.This could be used as a signal
>> (aka
>>> > HANDSHAKE_DONE) to solve Marten's problem of a client rtxing a CFIN. Of
>>> > course, this would mean that this particular CRYPTO_HS frame would be
>>> > encrypted with a 1-RTT key... which *I think* is fine. What do you
>> think?
>>> I am not sure if that is a good approach.
>>> I would assume that we would like to keep the handshake flow on the
>>> 1-RTT key open for the lifetime of the QUIC connection, so that we
>>> could send things related to the TLS (e.g. session tickets). Sending
>>> FIN from the server right after receiving ClientFinished makes that
>>> impossible.
>>> Having said that, I do agree that the need for a dedicated frame is a
>>> pain. It is a pain because we need to have a retransmission logic for
>>> the frame.
>>> I think that you are making a good point in suggesting to consider
>>> reusing the retransmission logic that already exists for bidirectional
>>> flows. But as said, FIN bit does not seem like an answer in this case.
>>> IMO, ideally we should define a new TLS post-handshake message (that
>>> does not convey any data), and send that from the server in response
>>> to ClientFinished using 1-RTT packet. The message will act as a signal
>>> that the server has received ClientFinished.
>>> The benefit of this approach is that we can reuse the retransmission
>>> logic that will exist for handshake flows. The downside is that TLS
>>> stacks need to be aware of the new handshake message.
>>> Considering the fact that the Design Team is already suggesting a
>>> substantial change to the TLS stack, we might have chance in asking
>>> for the addition of a new handshake message. But I am not sure.
>>> --
>>> Kazuho Oku
> --
> Kazuho Oku

Kazuho Oku