Re: Stream0 Proposal: Explicit vs. Implicit ACK (Re: Stream0 Design Team Proposal)

Kazuho Oku <> Thu, 24 May 2018 05:49 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id C705712D945 for <>; Wed, 23 May 2018 22:49:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id YaC7ItQVo36L for <>; Wed, 23 May 2018 22:49:15 -0700 (PDT)
Received: from ( [IPv6:2607:f8b0:400e:c00::241]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 4E44112D944 for <>; Wed, 23 May 2018 22:49:14 -0700 (PDT)
Received: by with SMTP id o76-v6so284382pfi.5 for <>; Wed, 23 May 2018 22:49:14 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=cVHhOGXo/EpzX4pagav4x0LxdVkoSkiQE2ltykr8PzY=; b=gE2cxTM9gxQWoAohdxhBvsbEvEW2rmDKsLz42RLv+peJq8J/avBpg6hgohWpu24Rvh WZjxwazx7NwoavOUoKByBLN8og4TztfXI2BPUVdcJGK2ZSb4uwt3JSbsdEy1sOcMNZ82 t694dkK8jl7Shh0C3/fpJxiH76DU/ORTtJNLtmbDGQxg4JnMZdzcJGk4VyApEwDc+l// 3wyzScOG6jyAZvMYJnYKv5O5BlWMqExiLHZB+7OdOKCBZk2Rj5mqMWSnMGVQ6KetsgU5 2+UrN+kkPa8pFhb/eP5ImPNlRprWFUN/SH1Hk9HNBjpiWhHZv1b47a/6PCUZQ267ykDt emMg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=cVHhOGXo/EpzX4pagav4x0LxdVkoSkiQE2ltykr8PzY=; b=osmbKuA9+7tyuP/L3wGZlw9FP+y42EdqDgeXWGssaodKAHkw4emnuf6mTtbDw6dS/m ASiyv6NUUnfGshMJItCliQbCcjPrRmZblvnS21el6sg4KXYsBTWXiggs0WRAxT8w+Lat U9/7njt3UHtloyvnIUWNgqFP9/0Ake7T/VKLz9T0czKFtsmHzPwMoOIHOQ3Kv3e4v/YI 4BRBrn7YH2rnpDwCQa5M/V0/LTWaJkZLJzsf5pW8lSe1iMyBcIpPjV1QDPEonasjbxSk gi/esRxdNb6ZpZh9BxUvqWfKpS0r9Nnlrrp0iu6VG+gAffaaid+Iu/oCzxSSjjS50hv8 7cAQ==
X-Gm-Message-State: ALKqPwehUggFrAxeMKkP/xh4GdI3Sdx3/Ge8XTkLzOuNPF57M8hHG8eX MBqwLAlir4bHrpiOCNI+BETVTEvJRTAbTvdW8do=
X-Google-Smtp-Source: AB8JxZp7XGIpZzJJgacQA9gtV7635Mpf+VEjM4UU/V3gLPZRdQVw0viCWa1LFMIH69cJxWLorKW6abFckKuAJG/Fabk=
X-Received: by 2002:a62:ccdc:: with SMTP id j89-v6mr5887580pfk.182.1527140953515; Wed, 23 May 2018 22:49:13 -0700 (PDT)
MIME-Version: 1.0
Received: by 2002:a17:90a:1189:0:0:0:0 with HTTP; Wed, 23 May 2018 22:49:12 -0700 (PDT)
In-Reply-To: <>
References: <> <>
From: Kazuho Oku <>
Date: Thu, 24 May 2018 14:49:12 +0900
Message-ID: <>
Subject: Re: Stream0 Proposal: Explicit vs. Implicit ACK (Re: Stream0 Design Team Proposal)
To: Martin Thomson <>
Cc: Jana Iyengar <>, Eric Rescorla <>, QUIC WG <>, Ian Swett <>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <>
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Main mailing list of the IETF QUIC working group <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 24 May 2018 05:49:17 -0000

2018-05-24 13:43 GMT+09:00 Martin Thomson <>:
> The obvious solution for the problem of not retransmitting the client
> Finished is to retransmit it until it is acknowledged.  With the proposed
> design, that means that the server sends a Handshake message after the
> handshake is done, which I think is fine.  If the client sends Finished
> until it is acknowledged, then I think we're good.

I agree that that would work.

IIUC downsides compared to the implicit ACK approach are that the
server needs to keep the old keys for certain amount of time (e.g., 2
MSL) and that the additional Handshake packet will consume about 30
octets of the 3 packet window that we have for the server's first

> I can see the appeal in saying that if you receive an ACK for 1-RTT data
> then your Handshake packets must have been received.  I can see that
> working even, but you have to be careful.  It's just a signal that you can
> stop sending CRYPTO frames, not that you are done with the keys.  You might
> need to send ACK again and you might still receive packets at that level.
> You could drop read keys and ACK only the old packets that you did decrypt,
> but I suspect that it's better to authenticate any packet and ACK
> faithfully, which would be better for your peer's congestion state.
> That also means that you probably need to have timers for cleaning up, to
> avoid the pathological case where acknowledgments are sent indefinitely.

I agree with your argument about congestion control.

One way of acquiring correct congestion control information in the
implicit ACK approach will be to send coalesced packets that combines
a Handshake packet with a packet protected by a higher encryption key.
That will guarantee that you would receive an ACK for the delivery of
the datagrams, and you can feed the information to the congestion

FWIW, I have implemented implicit ACK in quicly, and it only required
about 40 additional lines of code, including the retransmission logic
for Handshake_Done. The code can be found at
Coalesced packets is not implemented.

> I think that the FIN bit idea might work to close out the use of the
> "stream" for each set of keys. That is, as opposed to the crypto stream as
> a whole.  But it's duplicative: the crypto handshake needs to know when it
> moves from one set of keys to the next and replicating that signaling at
> the QUIC layer only really adds things to check for consistency.
> On Thu, May 24, 2018 at 11:07 AM Kazuho Oku <> wrote:
>> 2018-05-24 3:46 GMT+09:00 Jana Iyengar <>:
>> > A thought occurs to me: a CRYPTO_HS frame with the fin bit set can be
> used
>> > to indicate that the handshake is done.This could be used as a signal
> (aka
>> > HANDSHAKE_DONE) to solve Marten's problem of a client rtxing a CFIN. Of
>> > course, this would mean that this particular CRYPTO_HS frame would be
>> > encrypted with a 1-RTT key... which *I think* is fine. What do you
> think?
>> I am not sure if that is a good approach.
>> I would assume that we would like to keep the handshake flow on the
>> 1-RTT key open for the lifetime of the QUIC connection, so that we
>> could send things related to the TLS (e.g. session tickets). Sending
>> FIN from the server right after receiving ClientFinished makes that
>> impossible.
>> Having said that, I do agree that the need for a dedicated frame is a
>> pain. It is a pain because we need to have a retransmission logic for
>> the frame.
>> I think that you are making a good point in suggesting to consider
>> reusing the retransmission logic that already exists for bidirectional
>> flows. But as said, FIN bit does not seem like an answer in this case.
>> IMO, ideally we should define a new TLS post-handshake message (that
>> does not convey any data), and send that from the server in response
>> to ClientFinished using 1-RTT packet. The message will act as a signal
>> that the server has received ClientFinished.
>> The benefit of this approach is that we can reuse the retransmission
>> logic that will exist for handshake flows. The downside is that TLS
>> stacks need to be aware of the new handshake message.
>> Considering the fact that the Design Team is already suggesting a
>> substantial change to the TLS stack, we might have chance in asking
>> for the addition of a new handshake message. But I am not sure.
>> --
>> Kazuho Oku

Kazuho Oku