Re: Stream0 Proposal: EMPTY_ACK
Eric Rescorla <ekr@rtfm.com> Thu, 24 May 2018 02:46 UTC
Return-Path: <ekr@rtfm.com>
X-Original-To: quic@ietfa.amsl.com
Delivered-To: quic@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 753A312D88D for <quic@ietfa.amsl.com>; Wed, 23 May 2018 19:46:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.898
X-Spam-Level:
X-Spam-Status: No, score=-1.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, T_DKIMWL_WL_MED=-0.01, T_KAM_HTML_FONT_INVALID=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DiB1_83ZIC7b for <quic@ietfa.amsl.com>; Wed, 23 May 2018 19:46:18 -0700 (PDT)
Received: from mail-oi0-x22e.google.com (mail-oi0-x22e.google.com [IPv6:2607:f8b0:4003:c06::22e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8344F126CC7 for <quic@ietf.org>; Wed, 23 May 2018 19:46:18 -0700 (PDT)
Received: by mail-oi0-x22e.google.com with SMTP id t27-v6so111419oij.9 for <quic@ietf.org>; Wed, 23 May 2018 19:46:18 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=5KYaJo/MZLMvagDqpNP6lfXSlobZDso8XHhiOatxmmU=; b=P/QyOthpfb11MK4G5r3oMOQKZYhdoO1Qv58DtoMdgv2Oqp7OntGbCSbCWFvvENqDqC yPIfm9pV8yseNQkG+CRDWfIxrsj3DW+uLAg3oqlfbzHwiFtwUDAiIlYKsXqAsJgOzKYv czLjfSyhZdLyzH3QWwkW7gRTyuwkJvLx2RHb9BmY71JwH+xmVYEsMxtC4YJ1ReVW3a5t 2aHE3xOiGayKq9uvwrg/J1/xWfvkyfvJtSzGqRswCy1ZvqekzVRZfkEhyjX2J15JZFDF yPy2VHVCvqf7UGnLYfHzz93hX200BKQBH7/mWqLNOdQf+ZaoIdK1ddgxtHMBvStGb/RS eRjQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=5KYaJo/MZLMvagDqpNP6lfXSlobZDso8XHhiOatxmmU=; b=KwGB5ozlSEpZ+Ej1u2DzRrxwgfLnTBdLnKHmxu62jIGOjxqUUNykVtMB22khdLaT+z kxWicgqw/+oa2EsY57y7I+TAUDcadAE1RXUDW/7/x3qd10p1lCGZBNR1mFG+pZGBiV6J sgT0lgNLP8McNVgSkSZDF2QaP1cznj3rOQ+9cZ0fAbyW4DfRxyz1E8m9Ga4aLIfgSjKE 7uTTtfdABWl6jGscoRLTmjWvTpnATR7bm4mSyu1mN5z8D6hFIWSOxEag4xk11T2gju6a 6htQ3I2T8iz/OAcubgkYIu2k5/HBX32Zq2CtWdS6yKue6qO/Cr7UsVpRaWEoAurgc42t WjYw==
X-Gm-Message-State: ALKqPwcyB5B2frKYVHj04BYxSDUZHtJpaY5ptyMIKCcVm1m1vV3d+Knf uTfju0cTG2cmgCHtQVtE7BVTwjrEEj5q0Nyv5fIhLQ==
X-Google-Smtp-Source: AB8JxZoI4C1kTtDib/Ih4MBXfYgBLoCe+3F0dPzPCa0wDUgmpyKPHFYlSvkIKj7dFgFN0jOYcCLS7B3VSXCEjFT5mdU=
X-Received: by 2002:aca:4c11:: with SMTP id z17-v6mr3084133oia.174.1527129977780; Wed, 23 May 2018 19:46:17 -0700 (PDT)
MIME-Version: 1.0
Received: by 2002:ac9:66:0:0:0:0:0 with HTTP; Wed, 23 May 2018 19:45:37 -0700 (PDT)
In-Reply-To: <6d80b771-ba07-cab7-fa86-d4e31d56b919@huitema.net>
References: <CACpbDcckRvyn18qowWbLRT+sX2EGj3_yPtoS2d-h6ypg4dFrVQ@mail.gmail.com> <6d80b771-ba07-cab7-fa86-d4e31d56b919@huitema.net>
From: Eric Rescorla <ekr@rtfm.com>
Date: Wed, 23 May 2018 19:45:37 -0700
Message-ID: <CABcZeBPtjbMVL2RQMyLZJg_QyHcgA5E_g8SAgoHUqjpLrJRA4g@mail.gmail.com>
Subject: Re: Stream0 Proposal: EMPTY_ACK
To: Christian Huitema <huitema@huitema.net>
Cc: Jana Iyengar <jri.ietf@gmail.com>, IETF QUIC WG <quic@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000da1481056ceaa7eb"
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic/J-Fwp3jEHnHSAECUNGYtbIrunZs>
X-BeenThere: quic@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Main mailing list of the IETF QUIC working group <quic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic>, <mailto:quic-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic/>
List-Post: <mailto:quic@ietf.org>
List-Help: <mailto:quic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic>, <mailto:quic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 24 May 2018 02:46:23 -0000
On Wed, May 23, 2018 at 7:10 PM, Christian Huitema <huitema@huitema.net> wrote: > I dislike the EMPTY_ACK because they are "responses to something that > could not be decrypted". You don't know where the packet came from, it > could be spoofed. So you have on one hand a possible optimization, on the > other hand a possible vulnerability, and in all cases additional complexity. > What's the vulnerability? Anything more than a spurious retransmit? -Ekr > On 5/23/2018 4:27 PM, Jana Iyengar wrote: > > (Moving more discussions from main thread) > > ---------- Forwarded message ---------- > From: Subodh Iyengar <subodh@fb.com> > Date: Wed, May 23, 2018 at 3:37 PM > Subject: Re: Stream0 Design Team Proposal > To: Mike Bishop <mbishop@evequefou.be>, Christian Huitema < > huitema@huitema.net>, "quic@ietf.org" <quic@ietf.org> > > > FWIW I see EMPTY_ACKs as being very similar to a Duplicate ack. We thought > about using Duplicate acks as well but we thought that EMPTY_ACks would be > simpler to implement and be able to convey similar information. > > > Subodh > ------------------------------ > *From:* QUIC <quic-bounces@ietf.org> on behalf of Mike Bishop < > mbishop@evequefou.be> > *Sent:* Wednesday, May 23, 2018 3:26:35 PM > *To:* Christian Huitema; quic@ietf.org > *Subject:* RE: Stream0 Design Team Proposal > > > Christian, can you expand on why you dislike the EMPTY_ACK? Being able to > say “I’ve received some packets from you, but am unable to process any of > them because I’m missing some handshake data” seems like a useful way to > short-circuit timeouts on clients. It also doesn’t commit the server to > holding any state – IIUC, a server could form a packet containing an > EMPTY_ACK and then discard its internal state until it gets the > retransmitted (or delayed) Initial packet. > > > > > > On Wed, May 23, 2018 at 4:25 PM, Jana Iyengar <jri.ietf@gmail.com> wrote: > >> (Forking this discussion off from the main thread.) >> >> On Wed, May 23, 2018 at 2:13 AM, Kazuho Oku <kazuhooku@gmail.com> wrote: >> >>> 2018-05-23 14:29 GMT+09:00 Christian Huitema <huitema@huitema.net>: >>> > I like the proposal. In particular, I really like the encryption of >>> > handshake packets with the handshake key, as it does close a number of >>> > avenues for attacks. And I like that it solves the "ack promotion" >>> issue >>> > that I was complaining against for some time. Turns out that in the >>> current >>> > draft, it is very hard to contain that problem if you enable client >>> auth. >>> > >>> > >>> > On the other hand, I agree with Martin that a lot of the additions to >>> > transmission recovery should be moved to separate PRs. I am not >>> enthusiastic >>> > with the EMPTY ACK mechanism, or with the proposed "implicit >>> > acknowledgement" of a lower crypto stream by a higher level ack. >>> >>> At the moment I do not have a strong opinion on the Empty ACK mechanism. >>> >>> However, regarding how we close the Initial and Handshake contexts, my >>> preference goes to using implicit ACKs (i.e. use the successful >>> receipt of a packet that is protected under a higher level of >>> encryption key as the signal) rather than explicitly ACKing the last >>> flight of data. >>> >>> As I see, there are two downsides in the Explicit ACKing approach. >>> >>> * Explicit ACKing requires sending two additional packets during the >>> handshake, which means that we would have more AES operations plus >>> somewhere around 60 bytes of overhead on the wire. >>> * Explicit ACKing requires more signaling from the TLS stack. In case >>> of implicit ACKing, the TLS stack need to only provide the AEAD >>> contexts and the messages, whereas in case of explicit ACKing, the TLS >>> stack also needs to provide a signal indicating the end of the >>> transmission at each encryption level. >>> >>> The downside of the implicit ACKing approach is that the server needs >>> to signal the termination of the Handshake context using a special >>> frame sent using a 1-RTT packet. >>> >>> But even taking that into consideration, I think that implicit ACKing >>> is still easier to implement, considering the need for the additional >>> signal in the explicit ACK case that have been described above. >>> >>> >>> > In any >>> > case, starting as simple as possible would help having the first >>> > implementations and tests. >>> > >>> > >>> > On 5/22/2018 8:26 PM, Subodh Iyengar wrote: >>> > >>> > As an implementor of fizz, I support this design and am willing to >>> implement >>> > this as well. >>> > >>> > >>> > While this is a change in the API that TLS classically exposes, I >>> think this >>> > is the right tradeoff because it helps make things way more explicit >>> which >>> > will prevent several other bugs from happening in the future. >>> > >>> > >>> > Subodh >>> > >>> > ________________________________ >>> > From: QUIC <quic-bounces@ietf.org> on behalf of Martin Thomson >>> > <martin.thomson@gmail.com> >>> > Sent: Tuesday, May 22, 2018 8:00:40 PM >>> > To: Ian Swett >>> > Cc: ekr@mozilla.com; QUIC WG >>> > Subject: Re: Stream0 Design Team Proposal >>> > >>> > First of all, thanks to the design team for the work they have done. I >>> > haven't digested everything yet, but I think that I have a good sense >>> of >>> > the shape of the proposal. >>> > >>> > Overall, this looks like a workable design. It's a lot more invasive >>> of >>> > the cryptographic handshake implementation than I had thought people >>> were >>> > willing to stomach originally. But it's clear that we've run into >>> problems >>> > with the current, more abstract API and this is a fairly natural way to >>> > split TLS. I've spent a little time thinking about how this might be >>> > implemented and I think that it's not going to be *too* painful. The >>> proof >>> > will be in the pudding there though. >>> > >>> > In looking at the PR, I really appreciate seeing all the changes >>> together.. >>> > BTW, the link above points to the wrong PR, so be careful (it appears >>> to >>> > have the same content, but that's not guaranteed). The actual PR is >>> here: >>> > https://github.com/quicwg/base-drafts/pull/1377 >>> > >>> > I've pushed a branch to the main repo so that you can preview the >>> entire >>> > document set: >>> > https://urldefense.proofpoint.com/v2/url?u=https-3A__quicwg. >>> github.io_base-2Ddrafts_stream0_&d=DwIBaQ&c=5VD0RTtNlTh3ycd4 >>> 1b3MUw&r=h3Ju9EBS7mHtwg-wAyN7fQ&m=_vGK3zTKFrMOkFihJnPntLYw1T >>> 0_NEMiHYSM0Q_u1JA&s=ususmtxI3BTaLlBWe_HkQUWRH4sBI0Cggj1oWZMBHak&e= >>> > >>> > It seems like there are some core changes here and a bunch of >>> separable or >>> > at least secondary changes. I'm sure that each one has its own >>> > justification, but that isn't always clear. The following changes seem >>> like >>> > they are separable: >>> > >>> > * The use of separate packet number spaces >>> > * The Retry packet changes (and NEW_TOKEN) >>> > * EMPTY_ACK >>> > * The TLS extension for flow control >>> > >>> > Right now, some of these appear to be entirely gratuitous. I'd like >>> to get >>> > to the bottom of each before we continue. >>> > >>> > At a minimum, the PR we land first should include just the core >>> changes. >>> > As you say, reviewing a monster PR like this will only make GitHub weep >>> > unicorns, but we might be able to cut this into smaller pieces. >>> > >>> > On Wed, May 23, 2018 at 11:31 AM Ian Swett <ianswett= >>> > 40google.com@dmarc.ietf.org> wrote: >>> > >>> >> Dear QUIC WG, >>> > >>> > >>> >> On behalf of the Stream 0 Design Team, I am pleased to report that we >>> > have consensus on a proposed approach to share with the WG. The DT's >>> > proposal will make QUIC and TLS work closer together and incorporates >>> ideas >>> > from DTLS, but it does not use the DTLS protocol itself. >>> > >>> > >>> >> The DT believes this solves the important open Stream 0 issues. The >>> > proposal will be a bit more invasive in TLS, but we believe it is the >>> right >>> > long-term direction and several TLS stacks (BoringSSL, PicoTLS, NSS, >>> and >>> > Mint) are willing and able to do the work necessary.. A number of >>> stacks >>> > are currently working on implementations of this new approach, which we >>> > hope to have in time for the Interim meeting. >>> > >>> > >>> >> A design document describing the overall approach can be found at: >>> > >>> > >>> > https://urldefense.proofpoint.com/v2/url?u=https-3A__docs.go >>> ogle.com_document_d_1fRsJqPinJl8N3b-2DbflDRV6auojfJLkxddT93j >>> 6SwHY8_edit&d=DwIBaQ&c=5VD0RTtNlTh3ycd41b3MUw&r=h3Ju9EBS7mHt >>> wg-wAyN7fQ&m=_vGK3zTKFrMOkFihJnPntLYw1T0_NEMiHYSM0Q_u1JA&s=j >>> DNnz34hmWvLSQnHkSnYdihW-jG-0xZ-YYqKq30wVGg&e= >>> <https://urldefense.proofpoint.com/v2/url?u=https-3A__docs..google.com_document_d_1fRsJqPinJl8N3b-2DbflDRV6auojfJLkxddT93j6SwHY8_edit&d=DwIBaQ&c=5VD0RTtNlTh3ycd41b3MUw&r=h3Ju9EBS7mHtwg-wAyN7fQ&m=_vGK3zTKFrMOkFihJnPntLYw1T0_NEMiHYSM0Q_u1JA&s=jDNnz34hmWvLSQnHkSnYdihW-jG-0xZ-YYqKq30wVGg&e=> >>> > >>> > >>> >> A PR making the changes to the QUIC documents can be found at: >>> > >>> >> https://github.com/quicwg/base-drafts/pull/1377 >>> > >>> > >>> >> A few design details did not have clear consensus, but it was felt it >>> > would be better to discuss those in the wider WG than delay the design >>> > team. A consistent choice was made in the PR and these issues are >>> > mentioned in Appendix B of the design doc. >>> > >>> > >>> >> As always, comments and questions welcome. That said, this is a big PR >>> > and we recognize that some editorial work is going to be needed before >>> > merging. In the interest of letting people follow along, and to keep >>> github >>> > from falling over, we ask people to keep discussion on the mailing >>> list and >>> > refrain from making PR comments. >>> > >>> > >>> >> See you in Kista! >>> > >>> > >>> >> Ian and Eric >>> > >>> > >>> >>> >>> >>> -- >>> Kazuho Oku >>> >>> >> > >
- Stream0 Proposal: EMPTY_ACK Jana Iyengar
- Re: Stream0 Proposal: EMPTY_ACK Jana Iyengar
- Re: Stream0 Proposal: EMPTY_ACK Christian Huitema
- Re: Stream0 Proposal: EMPTY_ACK Eric Rescorla
- Re: Stream0 Proposal: EMPTY_ACK Christian Huitema
- Re: Stream0 Proposal: EMPTY_ACK Eric Rescorla