Re: Stream0 Proposal: Explicit vs. Implicit ACK (Re: Stream0 Design Team Proposal)

Eric Rescorla <ekr@rtfm.com> Fri, 25 May 2018 13:51 UTC

Return-Path: <ekr@rtfm.com>
X-Original-To: quic@ietfa.amsl.com
Delivered-To: quic@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7D75C12DA0D for <quic@ietfa.amsl.com>; Fri, 25 May 2018 06:51:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.909
X-Spam-Level:
X-Spam-Status: No, score=-1.909 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, T_DKIMWL_WL_MED=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hULgQ98-3iUE for <quic@ietfa.amsl.com>; Fri, 25 May 2018 06:51:56 -0700 (PDT)
Received: from mail-ot0-x229.google.com (mail-ot0-x229.google.com [IPv6:2607:f8b0:4003:c0f::229]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E06AA126D45 for <quic@ietf.org>; Fri, 25 May 2018 06:51:55 -0700 (PDT)
Received: by mail-ot0-x229.google.com with SMTP id l12-v6so6131920oth.6 for <quic@ietf.org>; Fri, 25 May 2018 06:51:55 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=SVNt1FRIYqArtDHD9gUyl24KZFix9r1IKDikBrqLays=; b=Xoh+7uiz40nHorTg/Iu4PgZzI8/2LXLfjdAsKg45IHY8JX4lnwDZovwNu058JTr+vG 3wsDQhtuX+F+ktooSTwsDTMXvbrv3ml8MLnmOMlutVCSZZv49tF27nSNvs87mVkwcRmm 4djqgavHV9UuUkqAoygAoVqIrHmUqIVoNZgMOS1SprVvgwtUOFJasGdrhk26MhrZ68Zz sAMMX/a+a4GlPzN7q+MclOEeNnpISxE7tYZVXF4RW9zJptUyl6XxiT2TPKqQcLRoe+Xe AY8AeJfv5MXbSqXCYESo35T82ti+wYCE46HkOkDniU0CwvMeQzOabnkdM8fDnpUd64/6 Fxew==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=SVNt1FRIYqArtDHD9gUyl24KZFix9r1IKDikBrqLays=; b=Svj64yt9/0+X2OoDS1TT67+rALTgU+pf81+EjbESzITA5h1//cWjrPY3aYBcQdQXhS W7iGe1U2GANl0FO/X14DrCObqSY1nRs6YLkcESbmpUMfVclrKd634ESvQUgS/oBWH7Xz /RBx2YKv1U0vy/O9KNZUxn2IJ5vuvnkTa0ZF/vh1DMiPDzpt6vEz0UWXbHmnOe1u2fWO 0Gvrbty/WOKp/OdiMIp7REytoPv0QeXqE45BAzKZPh5juWm0R32JHJMI7hFMwxIqtMTq 1XJDx+hO/rpahscULBmW4fkEo4mu6eKwr/APkIwtGi9DBbLqCYcBOyIilofXFg8ngvPP ZFXg==
X-Gm-Message-State: ALKqPwesP2o4SXSQk/zSYQwYjFgftesCvVOvaZNjqKhpcdBRxhIYwV6C IjJoKB4t38nFrVCKJSxAJIN5icHb7MSlX6WYszO/HA==
X-Google-Smtp-Source: ADUXVKJabysCCvu2R0KR4jJN4HM/F+kDAuL0hS2F6tORfJ2JhnGD5IhZhy1/sEoC/UWNZLqGX+VQooeMfaZ3JwqwRUw=
X-Received: by 2002:a9d:224d:: with SMTP id o71-v6mr1720032ota.101.1527256315049; Fri, 25 May 2018 06:51:55 -0700 (PDT)
MIME-Version: 1.0
Received: by 2002:ac9:66:0:0:0:0:0 with HTTP; Fri, 25 May 2018 06:51:14 -0700 (PDT)
In-Reply-To: <CANatvzw7tR8wZud_bFmxc2HPPXAMBLUx=SC7MoD87JQcvQfbZQ@mail.gmail.com>
References: <CANatvzwN1kVO3ofvyYX9cg=cKcg4FdqUT3VB6hneEDa5UjT_0w@mail.gmail.com> <CABkgnnUjw4WYDv5mmsFp2nDq4LtdJBzsgdFkxFzEdHrA37tejw@mail.gmail.com> <CANatvzyNHpTFpdS6_A-gijn2+dOiU=zxyiRJsQuSZVy+EyZ1gQ@mail.gmail.com> <CANatvzwXhqZBDt59HJCThbdhomGbac=Na0vcofZhPbEYRniV-g@mail.gmail.com> <CAN1APddOMnmf_dAEpVZEjuL2xx5GYK08MHrHBO_OY9JUh+jtjQ@mail.gmail.com> <CANatvzw7tR8wZud_bFmxc2HPPXAMBLUx=SC7MoD87JQcvQfbZQ@mail.gmail.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Fri, 25 May 2018 06:51:14 -0700
Message-ID: <CABcZeBP16jmef9voFBisnqQAAbN8TgwSBC9nXEQ3dN3ST9gVLQ@mail.gmail.com>
Subject: Re: Stream0 Proposal: Explicit vs. Implicit ACK (Re: Stream0 Design Team Proposal)
To: Kazuho Oku <kazuhooku@gmail.com>
Cc: =?UTF-8?Q?Mikkel_Fahn=C3=B8e_J=C3=B8rgensen?= <mikkelfj@gmail.com>, Eric Rescorla <ekr@mozilla.com>, Jana Iyengar <jri.ietf@gmail.com>, QUIC WG <quic@ietf.org>, Martin Thomson <martin.thomson@gmail.com>, Ian Swett <ianswett=40google.com@dmarc.ietf.org>
Content-Type: multipart/alternative; boundary="00000000000023ce01056d0812b7"
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic/NzriqmMiMvbOoE4pvVwE3JSCYrU>
X-BeenThere: quic@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Main mailing list of the IETF QUIC working group <quic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic>, <mailto:quic-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic/>
List-Post: <mailto:quic@ietf.org>
List-Help: <mailto:quic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic>, <mailto:quic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 25 May 2018 13:52:00 -0000

On Fri, May 25, 2018 at 1:57 AM, Kazuho Oku <kazuhooku@gmail.com> wrote:

> 2018-05-25 17:33 GMT+09:00 Mikkel Fahnøe Jørgensen <mikkelfj@gmail.com>:
> > The overview doc seems to be clear on ACK’s in general, not sure about
> EOED
> > specficially.
> >
> > https://docs.google.com/document/d/1fRsJqPinJl8N3b-
> bflDRV6auojfJLkxddT93j6SwHY8/edit
> >
> > section 2.2
> >
> > ACKs in 1-RTT packets will acknowledge the receipt of 0-RTT or 1-RTT
> > packets.  ACKs cannot be sent in 0-RTT packets.
>
> Thank you for pointing that out.
>
> That statement in the doc seem to contradict with the following
> statement in the PR.
>
>   - ACK frames MAY appear in packets of any encryption level, but
>     MUST only acknowledge packets which appeared in that encryption
>     level.
>

> Maybe the reference to "encryption level" should be corrected to
> "packet number space."
>

I agree. this is a defect.

-Ekr

>
> >
> >
> >
> > Kind Regards,
> > Mikkel Fahnøe Jørgensen
> >
> >
> > On 25 May 2018 at 10.06.49, Kazuho Oku (kazuhooku@gmail.com) wrote:
> >
> > I think I might have found an issue in the explicit ACK approach that
> > we use in the PR.
> >
> > That is that EOED cannot be ACKed.
> >
> > Assuming that EOED is sent using 0-RTT keys, it needs to be acked by
> > the server using the same key, because the transmission of EOED needs
> > to be guaranteed for the TLS handshake to complete.
> >
> > However, there is no 0-RTT send key on the server-side.
> >
> > Do we have any rule for dealing with this? I searched though the text
> > of the PR but could not find an answer.
> >
> >
> > 2018-05-24 14:49 GMT+09:00 Kazuho Oku <kazuhooku@gmail.com>:
> >> 2018-05-24 13:43 GMT+09:00 Martin Thomson <martin.thomson@gmail.com>:
> >>> The obvious solution for the problem of not retransmitting the client
> >>> Finished is to retransmit it until it is acknowledged. With the
> proposed
> >>> design, that means that the server sends a Handshake message after the
> >>> handshake is done, which I think is fine. If the client sends Finished
> >>> until it is acknowledged, then I think we're good.
> >>
> >> I agree that that would work.
> >>
> >> IIUC downsides compared to the implicit ACK approach are that the
> >> server needs to keep the old keys for certain amount of time (e.g., 2
> >> MSL) and that the additional Handshake packet will consume about 30
> >> octets of the 3 packet window that we have for the server's first
> >> flights.
> >>
> >>> I can see the appeal in saying that if you receive an ACK for 1-RTT
> data
> >>> then your Handshake packets must have been received. I can see that
> >>> working even, but you have to be careful. It's just a signal that you
> can
> >>> stop sending CRYPTO frames, not that you are done with the keys. You
> >>> might
> >>> need to send ACK again and you might still receive packets at that
> level.
> >>> You could drop read keys and ACK only the old packets that you did
> >>> decrypt,
> >>> but I suspect that it's better to authenticate any packet and ACK
> >>> faithfully, which would be better for your peer's congestion state.
> >>>
> >>> That also means that you probably need to have timers for cleaning up,
> to
> >>> avoid the pathological case where acknowledgments are sent
> indefinitely..
> >>
> >> I agree with your argument about congestion control.
> >>
> >> One way of acquiring correct congestion control information in the
> >> implicit ACK approach will be to send coalesced packets that combines
> >> a Handshake packet with a packet protected by a higher encryption key.
> >> That will guarantee that you would receive an ACK for the delivery of
> >> the datagrams, and you can feed the information to the congestion
> >> controller.
> >>
> >> FWIW, I have implemented implicit ACK in quicly, and it only required
> >> about 40 additional lines of code, including the retransmission logic
> >> for Handshake_Done. The code can be found at
> >>
> >> https://github.com/h2o/quicly/pull/8/commits/
> eee6eb5fc7c0359edfeb0b8f89ae9ac191ef0758.
> >> Coalesced packets is not implemented.
> >>
> >>>
> >>> I think that the FIN bit idea might work to close out the use of the
> >>> "stream" for each set of keys. That is, as opposed to the crypto stream
> >>> as
> >>> a whole. But it's duplicative: the crypto handshake needs to know when
> it
> >>> moves from one set of keys to the next and replicating that signaling
> at
> >>> the QUIC layer only really adds things to check for consistency.
> >>> On Thu, May 24, 2018 at 11:07 AM Kazuho Oku <kazuhooku@gmail.com>
> wrote:
> >>>
> >>>> 2018-05-24 3:46 GMT+09:00 Jana Iyengar <jri.ietf@gmail.com>:
> >>>
> >>>> > A thought occurs to me: a CRYPTO_HS frame with the fin bit set can
> be
> >>> used
> >>>> > to indicate that the handshake is done.This could be used as a
> signal
> >>> (aka
> >>>> > HANDSHAKE_DONE) to solve Marten's problem of a client rtxing a CFIN.
> >>>> > Of
> >>>> > course, this would mean that this particular CRYPTO_HS frame would
> be
> >>>> > encrypted with a 1-RTT key... which *I think* is fine. What do you
> >>> think?
> >>>
> >>>> I am not sure if that is a good approach.
> >>>
> >>>> I would assume that we would like to keep the handshake flow on the
> >>>> 1-RTT key open for the lifetime of the QUIC connection, so that we
> >>>> could send things related to the TLS (e.g. session tickets). Sending
> >>>> FIN from the server right after receiving ClientFinished makes that
> >>>> impossible.
> >>>
> >>>> Having said that, I do agree that the need for a dedicated frame is a
> >>>> pain. It is a pain because we need to have a retransmission logic for
> >>>> the frame.
> >>>
> >>>> I think that you are making a good point in suggesting to consider
> >>>> reusing the retransmission logic that already exists for bidirectional
> >>>> flows. But as said, FIN bit does not seem like an answer in this case.
> >>>
> >>>> IMO, ideally we should define a new TLS post-handshake message (that
> >>>> does not convey any data), and send that from the server in response
> >>>> to ClientFinished using 1-RTT packet. The message will act as a signal
> >>>> that the server has received ClientFinished.
> >>>
> >>>> The benefit of this approach is that we can reuse the retransmission
> >>>> logic that will exist for handshake flows. The downside is that TLS
> >>>> stacks need to be aware of the new handshake message.
> >>>
> >>>> Considering the fact that the Design Team is already suggesting a
> >>>> substantial change to the TLS stack, we might have chance in asking
> >>>> for the addition of a new handshake message. But I am not sure.
> >>>
> >>>> --
> >>>> Kazuho Oku
> >>
> >>
> >>
> >> --
> >> Kazuho Oku
> >
> >
> >
> > --
> > Kazuho Oku
> >
>
>
>
> --
> Kazuho Oku
>
>