IETF Logo Mail Archive

Re: KEYS_READY

"Martin Thomson" <mt@lowentropy.net> Fri, 01 March 2019 06:15 UTC

Return-Path: <mt@lowentropy.net>
X-Original-To: quic@ietfa.amsl.com
Delivered-To: quic@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3A7321311F6 for <quic@ietfa.amsl.com>; Thu, 28 Feb 2019 22:15:38 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level:
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=lowentropy.net header.b=i8SVAWrE; dkim=pass (2048-bit key) header.d=messagingengine.com header.b=xvGLbk2I
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Oc_kXHuts_rB for <quic@ietfa.amsl.com>; Thu, 28 Feb 2019 22:15:36 -0800 (PST)
Received: from wout2-smtp.messagingengine.com (wout2-smtp.messagingengine.com [64.147.123.25]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C67E41311F5 for <quic@ietf.org>; Thu, 28 Feb 2019 22:15:35 -0800 (PST)
Received: from compute1.internal (compute1.nyi.internal [10.202.2.41]) by mailout.west.internal (Postfix) with ESMTP id AE7883559; Fri, 1 Mar 2019 01:15:34 -0500 (EST)
Received: from imap2 ([10.202.2.52]) by compute1.internal (MEProxy); Fri, 01 Mar 2019 01:15:34 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=lowentropy.net; h=message-id:in-reply-to:references:date:from:to:cc:subject :content-type:content-transfer-encoding; s=fm1; bh=uTxyQG7d+3OkC 2ujheVngw5FfTEBDmDIKylD1GCqI44=; b=i8SVAWrEacHuwGQrxyPtaAPn71pEb kFG8MJ79pHiRAwv1sn5S0YysLluv1pi7AuTovDB0pFnxbWD4r9NscCnudKcs7Sz9 H26M+/uzIVdTXXpEWeJeLw8CMW8Gs1U7MD6LoCsKJufsOp+8HcCx0cC1elivQtPo RmgUXAW92gciYRkw0dZ+H0PuFk/tSvJbtWB8t2Y9Onfi59hqg9vdP1hnJ47YMUvi jAi8pmdTP2xHSWsw3OQWGxuVd0Cqs7d21aZPCfwNNzXC+Smqc1rpWuTNCiaPIVf/ kebHgMHZRCEM5AIYyoEzXbAJk+PuxPAo5WUeIyX9wcHF/JPodweyU0WvA==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:content-transfer-encoding:content-type :date:from:in-reply-to:message-id:references:subject:to :x-me-proxy:x-me-proxy:x-me-sender:x-me-sender:x-sasl-enc; s= fm2; bh=uTxyQG7d+3OkC2ujheVngw5FfTEBDmDIKylD1GCqI44=; b=xvGLbk2I YM9FJIiD6DbpbLu8vj8qrLscqhGAXZTrCIVvNnmkWy7KU4QqtMr7LsdveXngkSKx EfD71OjJGTLD0EPiulUFqBd2h/7gQPHJG9TG1yQk6+MleAsUPw9LK8HdNUNYpJ1G U4cMchLDK35684rgvwcUobnaaxGNH0CcWFkUk+rikY5m6NcLbv3TwlBZWgApqbmG 3mORfumlr9BkPc/q8wbJfUfqYLUeg35HthZ+WD5+oj4Kk4DxjQwypANfYuP05mUz Wuz4wexd6Az7y+VGVFajZYBpqbAZTW2K/bqtMd+45Mr6Q6xwU7Dt3799tVR7W3RW 1dN09UHWjSrbVQ==
X-ME-Sender: <xms:Bc54XD8cUdErudIm4AiwCAhBgXFxuEi76oW66NT6ojd77E7Je-EnpQ>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedutddrvdeggdeliecutefuodetggdotefrodftvf curfhrohhfihhlvgemucfhrghsthforghilhdpqfgfvfdpuffrtefokffrpgfnqfghnecu uegrihhlohhuthemuceftddtnecusecvtfgvtghiphhivghnthhsucdlqddutddtmdenuc fjughrpefofgfkjghffffhvffutgfgsehtqhertderreejnecuhfhrohhmpedfofgrrhht ihhnucfvhhhomhhsohhnfdcuoehmtheslhhofigvnhhtrhhophihrdhnvghtqeenucffoh hmrghinhepghhithhhuhgsrdgtohhmpdhivghtfhdrohhrghenucfrrghrrghmpehmrghi lhhfrhhomhepmhhtsehlohifvghnthhrohhphidrnhgvthenucevlhhushhtvghrufhiii gvpedt
X-ME-Proxy: <xmx:Bs54XMCNqGzsmJJEpFlVNM3-jln5KE069e7xpUFeIxe_P6FTSH3w4g> <xmx:Bs54XDzkHe8EyOOgMGZIFewREVye9-TeVauPuDHoNu14R822KaneXg> <xmx:Bs54XBS1q_Kxgq_zGgMRVrJb7T6dDaNN5yb-SmVKQHSdjtn5hqumpQ> <xmx:Bs54XMwFfwteYwXjxd4ygCJk9qw3ZYbACkVMOy7l893Ca3mIBTQ86Q>
Received: by mailuser.nyi.internal (Postfix, from userid 501) id C52AF7C1EB; Fri, 1 Mar 2019 01:15:33 -0500 (EST)
X-Mailer: MessagingEngine.com Webmail Interface
User-Agent: Cyrus-JMAP/3.1.5-925-g644bf8c-fmstable-20190228v5
X-Me-Personality: 92534000
Message-Id: <b33833e0-d458-4683-b41c-a4b6c38f40f3@www.fastmail.com>
In-Reply-To: <CACdeXi+dAPro=J7Nh9KbdQBYo3Ssup0r-x-WsppfEriJEWYwdg@mail.gmail.com>
References: <1550022355.557617.1656828112.4DD1CEE6@webmail.messagingengine.com> <CANatvzy_juza_meGR_-KuBV9FA=F754mv54aawxMb8hYWxb1gA@mail.gmail.com> <CAN1APdcVYKWuapZ3XHxXa_nVACwkRD-xeF3ub-5ROttE7QVrmQ@mail.gmail.com> <CAOYVs2ooxAuwu_zr2XZ-y9UqUP5kTbjoFrckAOi40bF9vODGOg@mail.gmail.com> <CAKcm_gNk=jKrnXM4Ht4yF0RX25wtVifjxz0c1gay0uie7PMw6A@mail.gmail.com> <CANatvzxBYzEaDZ1Ftt=o1zT5zVcVTd1EwtGiJOC-mkrNUWzVAQ@mail.gmail.com> <CAN1APdfzepc9DE98UsWw=hB4dM38qKLxdAjpsYuddDBatcscDA@mail.gmail.com> <739AFC55-DD02-47AA-A29E-B9C34ED7D6F9@gmail.com> <CAN1APddWLdmRo+ZZDnmvrBEFQk4TTcS3UK_9AU4KqAeSkiBvJQ@mail.gmail.com> <375A63C5-7120-4688-8873-EEA90693332E@huitema.net> <CANatvzxoOFzpkcH_4VpQscpZq8ak0QL0D6REvyJVjE+ga97SVQ@mail.gmail.com> <1550111606.3717440.1657643080.033E200B@webmail.messagingengine.com> <ae018a6d-4c9a-acc7-4213-21d1670f9dad@huitema.net> <1550117510.928793.1657684264.41D049FA@webmail.messagingengine.com> <CACpbDcfbEcg70RwpFrCQ2X6WA0Dd7ygd=Q0w7iwKc-ZgZQbZ0w@mail.gmail.com> <1550120733.954579.1657700168.72A8F92A@webmail.messagingengine.com> <CAOYVs2qQJgGNhXJNjhE8L=wxBgq+3qs144WYXs0JoWNBrK_a6A@mail.gmail.com> <DB6PR10MB1766128EAD7248F02C1EAFA5AC670@DB6PR10MB1766.EURPRD10.PROD.OUTLOOK.COM> <DB6PR10MB176684E61A66BF01C66008F6AC670@DB6PR10MB1766.EURPRD10.PROD.OUTLOOK.COM> <CAPDSy+5MSST-Nkoi+oaRzSLDJCYqhUmKw1nP_p4fOyq7cfK17w@mail.gmail.com> <CAJ_4DfRKrYOyozbp4GmPNODnZ_sKTECXbMa5Vsuxa4zmubERHQ@mail.gmail.com> <MWHPR22MB0991FCD3ADA97790B238E491DA670@MWHPR22MB0991.namprd22.prod.outlook.com> <CAPDSy+4=YYyTe5=85X09e1kAB7TrmmNXK-2wnLZubfS1ekWRJA@mail.gmail.com> <f2e59f1c-b7d5-49ce-affc-7d16684a048a@www.fastmail.com> <CAPDSy+4sKR99Fwqt+08JevAmC7E4LUSohUrQgVc+5BA56CLEkQ@mail.gmail.com> <b4364dee-a429-45c5-8b56-b82269f1ab2e@www.fastmail.com> <CAPDSy+4idHMDpNya42K5fxRQ6tFUoOXz9bi8K2eU8u-xRiOB3g@mail.gmail.com> <045bbf5b-04e4-4f9f-886b-f7ff9254bdab@www.fastmail.com> <CAPDSy+4iTM1wYpr04fmqOULct5LrB4UnDiPz_K9vGSd3oB=4eg@mail.gmail.com> <CANatvzyoEJZBWhBEBLMcysv_GTEKHup02++RAj_XX+SztVQm1g@mail.gmail.com> <CAPDSy+4kFMhpyHrvcQhT+rwnwfraOb0eBs=eOQPTNGWWJV51Kg@mail.gmail.com> <7879ac68-5a8e-4b5e-a81f-03b851be8328@www.fastmail.com> <CACdeXi+dAPro=J7Nh9KbdQBYo3Ssup0r-x-WsppfEriJEWYwdg@mail.gmail.com>
Date: Fri, 01 Mar 2019 01:15:33 -0500
From: Martin Thomson <mt@lowentropy.net>
To: Nick Harper <nharper@google.com>
Cc: IETF QUIC WG <quic@ietf.org>
Subject: Re: KEYS_READY
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic/VNah_XqnUT-3t8jlPytFZFWLGR4>
X-BeenThere: quic@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Main mailing list of the IETF QUIC working group <quic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic>, <mailto:quic-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic/>
List-Post: <mailto:quic@ietf.org>
List-Help: <mailto:quic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic>, <mailto:quic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 01 Mar 2019 06:15:38 -0000

I see.  That's not clear.  It might have helped to explain that in the email announcing the proposal, because the PR contains errors that are quite confusing.  The PR never really defines what "done with keys" means either.

If that is the only difference then we can talk about the implications of driving state based on ACK frames, which we've not done in the past.  Leaving the ugly exception for Initial aside, I suspect that this is much harder to implement, because you have to track where data was first sent in order to send the frame at the right time.  That's easy enough for CRYPTO frames, which are basically all you have during the handshake, but in order to implement it for key updates you need visibility into which packets are still outstanding.  That requires a new type of access to the loss recovery module.

I see quite a few omissions and mistakes in the PR.  For instance, this doesn't address the concerns about retransmissions of the frame across key updates.  It also shows the server sending the frame in Handshake packets before it could have received ACKs.  Hence my confusion.

On Fri, Mar 1, 2019, at 16:21, Nick Harper wrote:
> There is one difference between the RETIRE_KEYS and KEYS_ACTIVE PRs 
> (besides the name of the new frame):
> 
> With RETIRE_KEYS, the client doesn't send it until the Client Finished 
> has been ACKed. With KEYS_ACTIVE, the client MUST send it in its first 
> 1-RTT packet, while the server MUST NOT process that 1-RTT packet until 
> it has received the Client Finished.
> 
> Even though they do basically the same thing, I think it's much easier 
> to understand the logic in the RETIRE_KEYS PR. The logic for 
> RETIRE_KEYS is "I send RETIRE_KEYS when I don't need to send or receive 
> anything more at the previous encryption level." After re-reading the 
> KEYS_ACTIVE PR, I don't see a similar underlying principle for when 
> it's sent, just a set of rules to follow.
> 
> On Thu, Feb 28, 2019 at 7:37 PM Martin Thomson <mt@lowentropy.net> wrote:
> > I don't get it. This is the same proposal. With fewer editorial changes, perhaps.
> > 
> >  On Fri, Mar 1, 2019, at 11:30, David Schinazi wrote:
> >  > Since this conversation has quieted down for two weeks, I went ahead 
> >  > and wrote up the RETIRE_KEYS proposal:
> >  > https://github.com/quicwg/base-drafts/pull/2492
> >  > 
> >  > I believe this is simpler to reason about than the KEYS_ACTIVE proposal 
> >  > and safer as it makes less assumptions about the handshake protocol.
> >  > 
> >  > Please let me know what you think, and I believe we should keep the 
> >  > discussion here instead of on the PR.
> >  > 
> >  > David
> >  > 
> >  > On Thu, Feb 14, 2019 at 5:51 PM Kazuho Oku <kazuhooku@gmail.com> wrote:
> >  > > 2019年2月15日(金) 9:18 David Schinazi <dschinazi.ietf@gmail.com>:
> >  > > >
> >  > > >
> >  > > >
> >  > > > On Thu, Feb 14, 2019 at 3:45 PM Martin Thomson <mt@lowentropy.net> wrote:
> >  > > >>
> >  > > >> On Fri, Feb 15, 2019, at 09:47, David Schinazi wrote:
> >  > > >> > This means that the server sends KEYS_ACTIVE(1-RTT) not when the 1-RTT
> >  > > >> > keys are active,
> >  > > >> > but instead when the handshake finishes, which is when the server has
> >  > > >> > received the client finished.
> >  > > >> > Those are two different moments in time.
> >  > > >>
> >  > > >> Yes, because the keys aren't active when the server starts sending 1-RTT packets. They are only active when the server starts reading 1-RTT. The server can't activate its 1-RTT reading keys until the handshake is complete.
> >  > > >
> >  > > >
> >  > > > Ah, thanks. Looking at it this way it makes sense to me - we may want to make the text clearer in case I'm not the only one who was confused.
> >  > > >
> >  > > >>
> >  > > >> That's why I chose to name this KEYS_ACTIVE(this), not RETIRE_KEYS(prev), but I don't really mind what it is called.
> >  > > >
> >  > > >
> >  > > > I don't feel strongly about names either as long as they make sense - and now KEYS_ACTIVE also makes sense to me - so either name is fine by me.
> >  > > >
> >  > > >>
> >  > > >> > My proposal is to have the client decide when it is done with the
> >  > > >> > handshake keys by having the client
> >  > > >> > delay sending RETIRE_KEYS(Handshake) instead of the server delaying
> >  > > >> > sending KEYS_ACTIVE(1-RTT).
> >  > > >>
> >  > > >> This requires that the client send more Handshake packets. And it adds a lot of delay because the client has to wait until all its packets are acknowledged. We previously agreed that any such signal from the server is more direct and effective.
> >  > > >
> >  > > >
> >  > > > I don't think it means more handshake packets. And it's still a direct signal between endpoints. The only difference is that the client-to-server RETIRE_KEYS message is delayed by one RTT compared to its KEYS_ACTIVE message so the server will wait one RTT before throwing away handshake keys. But it has the advantage of not requiring any implicit ACKs. So the tradeoff we're facing is between allowing the server to throw away keys sooner at the cost of making implicit decisions. This implicitness means KEYS_ACTIVE does not allow the client to be able to send anything in Handshake after the ClientFinished. I'm worried that might prevent protocol changes down the road.
> >  > > >
> >  > > > I'm still in favor of paying the one RTT before key deletion to make the protocol more explicit.
> >  > > 
> >  > > I share the same view.
> >  > > 
> >  > > Admittedly, it means that then the frame would no longer be useful for
> >  > > dropping the Initial keys, assuming that we want to drop them ASAP as
> >  > > we do now.
> >  > > 
> >  > > But even with that downside, I think it makes sense to delay when the
> >  > > handshake and each generation of 1-RTT keys are dropped. After all, we
> >  > > can argue that the requirement for when to drop the Initial keys is
> >  > > exceptional due to security concerns.
> >  > > 
> >  > > Hence something like
> >  > > https://mailarchive.ietf.org/arch/msg/quic/NNOzxNWldmfiUN9avCdiQMNVXMw.
> >  > > 
> >  > > -- 
> >  > > Kazuho Oku
> >

v2.23.0 | Report a Bug | By Email