Re: Key updates

Martin Thomson <martin.thomson@gmail.com> Tue, 07 August 2018 00:36 UTC

Return-Path: <martin.thomson@gmail.com>
X-Original-To: quic@ietfa.amsl.com
Delivered-To: quic@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CF98C130E53 for <quic@ietfa.amsl.com>; Mon, 6 Aug 2018 17:36:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PnJNPXug8C0Q for <quic@ietfa.amsl.com>; Mon, 6 Aug 2018 17:36:35 -0700 (PDT)
Received: from mail-oi0-x22e.google.com (mail-oi0-x22e.google.com [IPv6:2607:f8b0:4003:c06::22e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1AB08130E04 for <quic@ietf.org>; Mon, 6 Aug 2018 17:36:35 -0700 (PDT)
Received: by mail-oi0-x22e.google.com with SMTP id s198-v6so25437152oih.11 for <quic@ietf.org>; Mon, 06 Aug 2018 17:36:35 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=oUMhbx6jpcMklORhOxaf3ase0K/8NbclEMb4g+0IOsU=; b=LVuGyGtNSEH1PiE7cUjto0WY5XY7amvIlew20JmhrYb1mgwwhWXUIfnTCPpafe26A3 GejthMEebq89T1sHWJVlsH6weCd98dr2Wd4Ek1THyfiralmdMO9iqA2OJublYpf5uJf3 QeO4GcYcMtZSB9PImHNTCF/PfL4LPc9Yi3iLSLhE4MQRumHk9mt5T5CmXOoQ5KLdHHJ4 IAR6puDWbak86BVIhbOkWFo6xevhb4Ov1nlsH+kzI+dMJrKONI/yOQy8AA+BprMXXW8j 52gPK+JUYLnH6p0wMTkk3ZaxW5nGnrIJ01LXInC8JIZBKEfbFDSU7i/t8RNOt7yWP9rX Ikrg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=oUMhbx6jpcMklORhOxaf3ase0K/8NbclEMb4g+0IOsU=; b=NLoFf2WS8W/r+BTRx3QXjCuAS0nOSHiOl084v8WbTOOJIbsir1ZXMUI4p5hcQ1rE8O DHMKxo4oQR8ZW1Czxz2Ryf4bZKMoOo0mwCu1JBPF4QMAvu9YA1nd0oJ72/QgbUHRsWVH tI1VL6vhWzXWnALVMrou3krHb3r0HbMqQEdrECRGIAFm8ytngA40b1i2Ws0Q8r4hsG9c BL353pZiznyE+ufIzCKoCE90g1+lR0uwHMfHES4bt8uiRNrEyo//JtctHBZUiPFXCdtN vuKoBMlLdjT74Pr7/KULKknmqMmVDdTMeB3qG6qcPM4EPHX9PuX8uXuZPdMr9fjadHKU P+Qw==
X-Gm-Message-State: AOUpUlFVQi+Ax3s/u4gEOumtQF5MC0EtwpJIt7g914ugC97BrXgLp5QG BMRzTU0eQqQDIyUxYmqNS4r4JBhARbgewK2oASE=
X-Google-Smtp-Source: AAOMgpfL/f6lqqJFBaFMqbNKAzbBMAT81nAStXkx521rtDqoiT9sVrAGB7pH2PidThPHJTSBVp+wBsEC8ljPoblKeWk=
X-Received: by 2002:aca:5841:: with SMTP id m62-v6mr18108216oib.346.1533602194403; Mon, 06 Aug 2018 17:36:34 -0700 (PDT)
MIME-Version: 1.0
References: <CABkgnnW9-Jn1CH0rSwbtDmMrOZ+jstugVsOpWtShDJgT_KSyOw@mail.gmail.com> <CAKcm_gPXFXZc4ysm7ugG0T8GTWjgcO9hvO6ATj0MRiEufie=bQ@mail.gmail.com>
In-Reply-To: <CAKcm_gPXFXZc4ysm7ugG0T8GTWjgcO9hvO6ATj0MRiEufie=bQ@mail.gmail.com>
From: Martin Thomson <martin.thomson@gmail.com>
Date: Tue, 7 Aug 2018 10:36:23 +1000
Message-ID: <CABkgnnW9WLAV8F-_i53as8tvavntHVkwUWrsL4PjLDcczpBX4g@mail.gmail.com>
Subject: Re: Key updates
To: Ian Swett <ianswett@google.com>
Cc: QUIC WG <quic@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic/OK6F327Df7YMxZ7ZriKtS5f1Ibc>
X-BeenThere: quic@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: Main mailing list of the IETF QUIC working group <quic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic>, <mailto:quic-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic/>
List-Post: <mailto:quic@ietf.org>
List-Help: <mailto:quic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic>, <mailto:quic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 07 Aug 2018 00:36:37 -0000

On Mon, Aug 6, 2018 at 10:43 PM Ian Swett <ianswett@google.com> wrote:
> I think we seriously considered the option of "Close the connection and 0RTT a new one".

Yes, and the TLS working group did too.  This is what we got.

I implemented a limit to the number of records we send in TLS and
haven't heard a complaint (even though we have non-trivial numbers of
DES connections, where the limit is fairly low).  Which suggests that
this might be an OK strategy... for the web.

However, I also know that people were using h2 for things like
connections between gateways and origin servers and were very annoyed
at the 2^31 cap on the number of streams, which caused them all sorts
of performance problems during changeovers.  2^31 streams happens well
after you need to rekey GCM.  I don't think that we can reasonably
punt on this.

My writeup was long, but I think that the fix is simple.  As much as
Nick might like to destroy TLS state (the essential parts of which
aren't a real burden, being comprised of two 32 octet secrets and an
epoch counter), I don't believe that we can just kick this particular
can down the road, tempting as it might seem.

I do want to explore the notion of binding key changes to connection
ID.  It has some nice properties.  I can't make it work without making
things more complicated than what I proposed though.