Re: Handshake costs 2-RTT when token validation fail

"Martin Thomson" <mt@lowentropy.net> Mon, 15 July 2019 02:27 UTC

Message-Id: <586613ea-0a6c-49ef-ae92-6ef4680a9781@www.fastmail.com>
In-Reply-To: <CAG9+TpZgzncJF_TCode98QhxKM4wZhPUfSKkQhOCZJ05scW2kQ@mail.gmail.com>
References: <CAG9+TpZgzncJF_TCode98QhxKM4wZhPUfSKkQhOCZJ05scW2kQ@mail.gmail.com>
Date: Mon, 15 Jul 2019 12:27:18 +1000
From: Martin Thomson <mt@lowentropy.net>
To: quic@ietf.org
Subject: Re: Handshake costs 2-RTT when token validation fail
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic/TMqkRC2VrX-X-T6uhVFOFvanDb4>
X-BeenThere: quic@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Main mailing list of the IETF QUIC working group <quic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic>, <mailto:quic-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic/>
List-Post: <mailto:quic@ietf.org>
List-Help: <mailto:quic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic>, <mailto:quic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 15 Jul 2019 02:27:19 -0000

The reason we have Retry is to force an extra RTT.  This is really only for the case where the server is unable or unwilling to process the Initial without proof that the client is "live".  That is, the client can demonstrate that they are not spoofing their source address.

On Fri, Jul 12, 2019, at 19:45, Jiuhai Zhang wrote:
> Can the server continue the handshake when token validation fails? The client may
> send a new token in a Handshake packet. Just like this:
>
>    Client                                             Server
>
>    Initial ->
>
>                                                    <- Retry+Token
>                                                    <- Handshake
>
>    Handshake+Token ->
>
> Is there another solution to avoid 2-RTT?
>
> --------------------
>
>    Client                                             Server
>
>    Initial[0]: CRYPTO[CH] ->
>
>                                                    <- Retry+Token
>
>    Initial+Token[1]: CRYPTO[CH] ->
>
>                                     Initial[0]: CRYPTO[SH] ACK[1]
>                           Handshake[0]: CRYPTO[EE, CERT, CV, FIN]
>                                     <- 1-RTT[0]: STREAM[1, "..."]
>
>                   Figure 5: Example Handshake with Retry
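The address-validation step Martin describes (the server refuses to spend handshake effort until the client shows it can receive packets at its claimed source address) is easy to see in code. The following is an added example, not code from this thread or from any QUIC implementation: a toy server-side Retry token issuer and validator in Python. The token layout (issue time, the client's original Destination Connection ID, and a truncated HMAC-SHA256 over those plus the client address), the 30-second lifetime, the "reject" policy for a present-but-invalid token, and the sample addresses are all assumptions made for illustration; QUIC leaves the token's contents to the server, and a real Retry packet also carries an integrity tag that this toy omits.

```python
"""Toy QUIC-style Retry address validation (added illustration, not QUIC code).

Why Retry costs a round trip: the server will not run the TLS handshake for a
client it has not heard back from.  It answers the first Initial with a Retry
carrying a token that is bound (by HMAC) to the client's source address.  Only
a client that really receives packets at that address can echo the token, so
a second Initial with a valid token proves the address is not spoofed.
"""
import hashlib
import hmac
import os
import struct
import time
from typing import Callable, List, Optional, Tuple

TOKEN_LIFETIME = 30      # seconds a Retry token stays valid (assumed value)
MAC_LEN = 16             # truncated HMAC-SHA256 tag length (assumed value)
HEADER = struct.Struct(">QB")   # issue time (u64 seconds), ODCID length (u8)


class RetryValidator:
    """Server-side issuer/validator for address-validation tokens."""

    def __init__(self, key: Optional[bytes] = None,
                 clock: Callable[[], float] = time.time):
        self.key = key or os.urandom(32)   # per-server secret, never sent on the wire
        self.clock = clock                 # injectable for testing token expiry

    def _mac(self, addr: str, odcid: bytes, issued: int) -> bytes:
        # Bind the tag to the client address, the issue time and the ODCID so a
        # token captured elsewhere or forged for another address does not verify.
        msg = addr.encode() + b"\x00" + struct.pack(">Q", issued) + odcid
        return hmac.new(self.key, msg, hashlib.sha256).digest()[:MAC_LEN]

    def make_token(self, addr: str, odcid: bytes) -> bytes:
        issued = int(self.clock())
        return HEADER.pack(issued, len(odcid)) + odcid + self._mac(addr, odcid, issued)

    def validate_token(self, addr: str, token: bytes) -> Optional[bytes]:
        """Return the original DCID the token was issued for, or None if invalid."""
        if len(token) < HEADER.size:
            return None
        issued, n = HEADER.unpack_from(token)
        odcid = token[HEADER.size:HEADER.size + n]
        mac = token[HEADER.size + n:]
        if len(odcid) != n or len(mac) != MAC_LEN:
            return None
        # Constant-time comparison: verifying the tag must not leak timing.
        if not hmac.compare_digest(mac, self._mac(addr, odcid, issued)):
            return None
        now = int(self.clock())
        if issued > now or now - issued > TOKEN_LIFETIME:   # stale or from the future
            return None
        return odcid

    def handle_initial(self, addr: str, dcid: bytes,
                       token: bytes) -> Tuple[str, Optional[bytes]]:
        """Server decision for one incoming Initial from `addr`.

        ("retry", token)    -> no token present: force the extra RTT, send Retry
        ("continue", odcid) -> valid token: address validated, run the handshake
        ("reject", None)    -> token present but invalid (toy policy: refuse)
        """
        if not token:
            return ("retry", self.make_token(addr, dcid))
        odcid = self.validate_token(addr, token)
        if odcid is None:
            return ("reject", None)
        return ("continue", odcid)


def demo_exchange() -> List[str]:
    """Walk the 2-RTT exchange from the thread: Initial -> Retry+Token -> Initial+Token."""
    server = RetryValidator()
    client_addr = "192.0.2.1:4433"   # constructed sample address
    client_dcid = os.urandom(8)      # the client's original Destination Connection ID
    log = []
    kind, token = server.handle_initial(client_addr, client_dcid, b"")
    log.append(f"Initial[0] (no token)      -> server: {kind}")
    kind, odcid = server.handle_initial(client_addr, os.urandom(8), token)
    log.append(f"Initial+Token[1]           -> server: {kind}, ODCID recovered={odcid == client_dcid}")
    return log


if __name__ == "__main__":
    for line in demo_exchange():
        print(line)
```

The point of the example is the asymmetry Martin is describing: the server does nothing expensive on the first Initial beyond computing one HMAC, and it commits to the handshake only once the token comes back from the same address it was issued to. Binding the tag to the address is what defeats a spoofed source, the lifetime bounds replay, and recovering the ODCID lets the server tie the retried Initial back to the client's first attempt.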