Return-Path: X-Original-To: quic@ietfa.amsl.com Delivered-To: quic@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7BBA212D7F1 for ; Wed, 23 May 2018 16:25:34 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.699 X-Spam-Level: X-Spam-Status: No, score=-2.699 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rP33hifcnA8S for ; Wed, 23 May 2018 16:25:31 -0700 (PDT) Received: from mail-io0-x233.google.com (mail-io0-x233.google.com [IPv6:2607:f8b0:4001:c06::233]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3EAD61273B1 for ; Wed, 23 May 2018 16:25:31 -0700 (PDT) Received: by mail-io0-x233.google.com with SMTP id e12-v6so76030iob.8 for ; Wed, 23 May 2018 16:25:31 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:from:date:message-id:subject:to; bh=NyybhNzaTdrtVS4hg5OdPZrZfXeSd9Oq8fTnXwtD+28=; b=JNe2K+cYBd9Qi3vmiqA37St870C9XZSXwOMW50xL91HxPs/nbGnw5UJ3jrhFQDhS59 aeQ1tibhSus0MjRNDtavBbOqzAIYekWLZlyyGMy7FoUQ8HDqjFAI8V8pBpEfn8k5RZ3R 8YKPJ7zyV/Ik1cp28X7PR+jenkXrDH4im9UrA15r4ngwwRQJoJoWX+5aJKW2IFdqu4Uf CmErmKjkb+nQdih+vQmzTkq98NGYurd+MVE7FaqPTPSEiYTlQ3gu4vyt8c5kYQS/lCqO 2jBN+vOnAfgCn2zkeRAWgpmUb1czyilWkdB1pBu+oOFcZXbbKytxuBdTUoV9sC7GSqNC sryw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:from:date:message-id:subject:to; bh=NyybhNzaTdrtVS4hg5OdPZrZfXeSd9Oq8fTnXwtD+28=; b=RMnpb+bSAButHON3qRORgQAqLOD+D7Em4PTBoeSFc/oKdDdlKLwCCphIQGlvNEwx/L IR4Wc1pliN+MpQdYXDkuk7FGt3bmiIQFOBdUeYBfnw4NKubQoqSC86RH9JeqMe1CgjiX CCPuXEK/BPqiDcEfc6HijgsXMFZ3Gmc/sihrKnqk1MYZib9f+ZMbZ4w95stpTHsqWQE1 NU8HFr6ktAe8gtavbg2H3OrE9NeooT8O+lgm+DfvGjuabRyqWEjpprDBNM200KQjbUvj 68fdhh+5q/80exb+/DYgHBpDLq5elK/Wm24CWBUem4e09EQC1K4r2F35vTJb6Xtunjud KKyw== X-Gm-Message-State: ALKqPwcWhm7si6JxQNYEDQWj7tTEKZ/VvGgfdYhTB1HKy/tZ41G1vjx+ kf/SlVMkNwqAMIdREgrk31oj+AQ+qVbFD4xkmS0= X-Google-Smtp-Source: ADUXVKKLMbaBUibxDFyaS5QW+BLJzu4eq2Y+id6GnDdn7WBSzkCs0jTByI0P+lZx52UtirOJJxF611cofXOmz88MI/4= X-Received: by 2002:a6b:88e3:: with SMTP id s96-v6mr4605916ioi.45.1527117930206; Wed, 23 May 2018 16:25:30 -0700 (PDT) MIME-Version: 1.0 Received: by 2002:a4f:27d4:0:0:0:0:0 with HTTP; Wed, 23 May 2018 16:25:29 -0700 (PDT) From: Jana Iyengar Date: Wed, 23 May 2018 16:25:29 -0700 Message-ID: Subject: Stream0 Proposal: EMPTY_ACK To: IETF QUIC WG Content-Type: multipart/alternative; boundary="000000000000c29d25056ce7d917" Archived-At: X-BeenThere: quic@ietf.org X-Mailman-Version: 2.1.22 Precedence: list List-Id: Main mailing list of the IETF QUIC working group List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 23 May 2018 23:25:34 -0000 --000000000000c29d25056ce7d917 Content-Type: text/plain; charset="UTF-8" (Forking this discussion off from the main thread.) On Wed, May 23, 2018 at 2:13 AM, Kazuho Oku wrote: > 2018-05-23 14:29 GMT+09:00 Christian Huitema : > > I like the proposal. In particular, I really like the encryption of > > handshake packets with the handshake key, as it does close a number of > > avenues for attacks. And I like that it solves the "ack promotion" issue > > that I was complaining against for some time. Turns out that in the > current > > draft, it is very hard to contain that problem if you enable client auth. > > > > > > On the other hand, I agree with Martin that a lot of the additions to > > transmission recovery should be moved to separate PRs. I am not > enthusiastic > > with the EMPTY ACK mechanism, or with the proposed "implicit > > acknowledgement" of a lower crypto stream by a higher level ack. > > At the moment I do not have a strong opinion on the Empty ACK mechanism. > > However, regarding how we close the Initial and Handshake contexts, my > preference goes to using implicit ACKs (i.e. use the successful > receipt of a packet that is protected under a higher level of > encryption key as the signal) rather than explicitly ACKing the last > flight of data. > > As I see, there are two downsides in the Explicit ACKing approach. > > * Explicit ACKing requires sending two additional packets during the > handshake, which means that we would have more AES operations plus > somewhere around 60 bytes of overhead on the wire. > * Explicit ACKing requires more signaling from the TLS stack. In case > of implicit ACKing, the TLS stack need to only provide the AEAD > contexts and the messages, whereas in case of explicit ACKing, the TLS > stack also needs to provide a signal indicating the end of the > transmission at each encryption level. > > The downside of the implicit ACKing approach is that the server needs > to signal the termination of the Handshake context using a special > frame sent using a 1-RTT packet. > > But even taking that into consideration, I think that implicit ACKing > is still easier to implement, considering the need for the additional > signal in the explicit ACK case that have been described above. > > > > In any > > case, starting as simple as possible would help having the first > > implementations and tests. > > > > > > On 5/22/2018 8:26 PM, Subodh Iyengar wrote: > > > > As an implementor of fizz, I support this design and am willing to > implement > > this as well. > > > > > > While this is a change in the API that TLS classically exposes, I think > this > > is the right tradeoff because it helps make things way more explicit > which > > will prevent several other bugs from happening in the future. > > > > > > Subodh > > > > ________________________________ > > From: QUIC on behalf of Martin Thomson > > > > Sent: Tuesday, May 22, 2018 8:00:40 PM > > To: Ian Swett > > Cc: ekr@mozilla.com; QUIC WG > > Subject: Re: Stream0 Design Team Proposal > > > > First of all, thanks to the design team for the work they have done. I > > haven't digested everything yet, but I think that I have a good sense of > > the shape of the proposal. > > > > Overall, this looks like a workable design. It's a lot more invasive of > > the cryptographic handshake implementation than I had thought people were > > willing to stomach originally. But it's clear that we've run into > problems > > with the current, more abstract API and this is a fairly natural way to > > split TLS. I've spent a little time thinking about how this might be > > implemented and I think that it's not going to be *too* painful. The > proof > > will be in the pudding there though. > > > > In looking at the PR, I really appreciate seeing all the changes > together.. > > BTW, the link above points to the wrong PR, so be careful (it appears to > > have the same content, but that's not guaranteed). The actual PR is > here: > > https://github.com/quicwg/base-drafts/pull/1377 > > > > I've pushed a branch to the main repo so that you can preview the entire > > document set: > > https://urldefense.proofpoint.com/v2/url?u=https-3A__quicwg. > github.io_base-2Ddrafts_stream0_&d=DwIBaQ&c=5VD0RTtNlTh3ycd41b3MUw&r= > h3Ju9EBS7mHtwg-wAyN7fQ&m=_vGK3zTKFrMOkFihJnPntLYw1T0_NEMiHYSM0Q_u1JA&s= > ususmtxI3BTaLlBWe_HkQUWRH4sBI0Cggj1oWZMBHak&e= > > > > It seems like there are some core changes here and a bunch of separable > or > > at least secondary changes. I'm sure that each one has its own > > justification, but that isn't always clear. The following changes seem > like > > they are separable: > > > > * The use of separate packet number spaces > > * The Retry packet changes (and NEW_TOKEN) > > * EMPTY_ACK > > * The TLS extension for flow control > > > > Right now, some of these appear to be entirely gratuitous. I'd like to > get > > to the bottom of each before we continue. > > > > At a minimum, the PR we land first should include just the core changes. > > As you say, reviewing a monster PR like this will only make GitHub weep > > unicorns, but we might be able to cut this into smaller pieces. > > > > On Wed, May 23, 2018 at 11:31 AM Ian Swett > 40google.com@dmarc.ietf.org> wrote: > > > >> Dear QUIC WG, > > > > > >> On behalf of the Stream 0 Design Team, I am pleased to report that we > > have consensus on a proposed approach to share with the WG. The DT's > > proposal will make QUIC and TLS work closer together and incorporates > ideas > > from DTLS, but it does not use the DTLS protocol itself. > > > > > >> The DT believes this solves the important open Stream 0 issues. The > > proposal will be a bit more invasive in TLS, but we believe it is the > right > > long-term direction and several TLS stacks (BoringSSL, PicoTLS, NSS, and > > Mint) are willing and able to do the work necessary.. A number of stacks > > are currently working on implementations of this new approach, which we > > hope to have in time for the Interim meeting. > > > > > >> A design document describing the overall approach can be found at: > > > > > > https://urldefense.proofpoint.com/v2/url?u=https-3A__docs. > google.com_document_d_1fRsJqPinJl8N3b-2DbflDRV6auojfJLkxddT93j6SwHY8 > _edit&d=DwIBaQ&c=5VD0RTtNlTh3ycd41b3MUw&r=h3Ju9EBS7mHtwg-wAyN7fQ&m=_ > vGK3zTKFrMOkFihJnPntLYw1T0_NEMiHYSM0Q_u1JA&s=jDNnz34hmWvLSQnHkSnYdihW-jG- > 0xZ-YYqKq30wVGg&e= > > > > > >> A PR making the changes to the QUIC documents can be found at: > > > >> https://github.com/quicwg/base-drafts/pull/1377 > > > > > >> A few design details did not have clear consensus, but it was felt it > > would be better to discuss those in the wider WG than delay the design > > team. A consistent choice was made in the PR and these issues are > > mentioned in Appendix B of the design doc. > > > > > >> As always, comments and questions welcome. That said, this is a big PR > > and we recognize that some editorial work is going to be needed before > > merging. In the interest of letting people follow along, and to keep > github > > from falling over, we ask people to keep discussion on the mailing list > and > > refrain from making PR comments. > > > > > >> See you in Kista! > > > > > >> Ian and Eric > > > > > > > > -- > Kazuho Oku > > --000000000000c29d25056ce7d917 Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable
(Forking this discussion off from the main thread.)

On Wed, May 23, 2018= at 2:13 AM, Kazuho Oku <kazuhooku@gmail.com> wrote:
2018-05-23 14:29 GMT+09:00 Ch= ristian Huitema <huitema@huitema.= net>:
> I like the proposal. In particular, I really like the encryption of > handshake packets with the handshake key, as it does close a number of=
> avenues for attacks. And I like that it solves the "ack promotion= " issue
> that I was complaining against for some time. Turns out that in the cu= rrent
> draft, it is very hard to contain that problem if you enable client au= th.
>
>
> On the other hand, I agree with Martin that a lot of the additions to<= br> > transmission recovery should be moved to separate PRs. I am not enthus= iastic
> with the EMPTY ACK mechanism, or with the proposed "implicit
> acknowledgement" of a lower crypto stream by a higher level ack.<= br>
At the moment I do not have a strong opinion on the Empty ACK mechan= ism.

However, regarding how we close the Initial and Handshake contexts, my
preference goes to using implicit ACKs (i.e. use the successful
receipt of a packet that is protected under a higher level of
encryption key as the signal) rather than explicitly ACKing the last
flight of data.

As I see, there are two downsides in the Explicit ACKing approach.

* Explicit ACKing requires sending two additional packets during the
handshake, which means that we would have more AES operations plus
somewhere around 60 bytes of overhead on the wire.
* Explicit ACKing requires more signaling from the TLS stack. In case
of implicit ACKing, the TLS stack need to only provide the AEAD
contexts and the messages, whereas in case of explicit ACKing, the TLS
stack also needs to provide a signal indicating the end of the
transmission at each encryption level.

The downside of the implicit ACKing approach is that the server needs
to signal the termination of the Handshake context using a special
frame sent using a 1-RTT packet.

But even taking that into consideration, I think that implicit ACKing
is still easier to implement, considering the need for the additional
signal in the explicit ACK case that have been described above.


> In any
> case, starting as simple as possible would help having the first
> implementations and tests.
>
>
> On 5/22/2018 8:26 PM, Subodh Iyengar wrote:
>
> As an implementor of fizz, I support this design and am willing to imp= lement
> this as well.
>
>
> While this is a change in the API that TLS classically exposes, I thin= k this
> is the right tradeoff because it helps make things way more explicit w= hich
> will prevent several other bugs from happening in the future.
>
>
> Subodh
>
> ________________________________
> From: QUIC <quic-bounces@i= etf.org> on behalf of Martin Thomson
> <martin.thomson@gmail.c= om>
> Sent: Tuesday, May 22, 2018 8:00:40 PM
> To: Ian Swett
> Cc: ekr@mozilla.com; QUIC WG > Subject: Re: Stream0 Design Team Proposal
>
> First of all, thanks to the design team for the work they have done.= =C2=A0 I
> haven't digested everything yet, but I think that I have a good se= nse of
> the shape of the proposal.
>
> Overall, this looks like a workable design.=C2=A0 It's a lot more = invasive of
> the cryptographic handshake implementation than I had thought people w= ere
> willing to stomach originally.=C2=A0 But it's clear that we've= run into problems
> with the current, more abstract API and this is a fairly natural way t= o
> split TLS.=C2=A0 I've spent a little time thinking about how this = might be
> implemented and I think that it's not going to be *too* painful.= =C2=A0 The proof
> will be in the pudding there though.
>
> In looking at the PR, I really appreciate seeing all the c= hanges together..
> BTW, the link above points to = the wrong PR, so be careful (it appears to
> have the same content, but that's not guaranteed).=C2=A0 The actua= l PR is here:
> https://github.com/quicwg/base-drafts/pull/= 1377
>
> I've pushed a branch to the main repo so that you can preview the = entire
> document set:
> https://urldefense.proofpoint.c= om/v2/url?u=3Dhttps-3A__quicwg.github.io_base-2Ddrafts_stream0_&a= mp;d=3DDwIBaQ&c=3D5VD0RTtNlTh3ycd41b3MUw&r=3Dh3Ju9EBS7mHt= wg-wAyN7fQ&m=3D_vGK3zTKFrMOkFihJnPntLYw1T0_NEMiHYSM0Q_u1JA&am= p;s=3DususmtxI3BTaLlBWe_HkQUWRH4sBI0Cggj1oWZMBHak&e=3D >
> It seems like there are some core changes here and a bunch of separabl= e or
> at least secondary changes.=C2=A0 I'm sure that each one has its o= wn
> justification, but that isn't always clear. The following changes = seem like
> they are separable:
>
> * The use of separate packet number spaces
> * The Retry packet changes (and NEW_TOKEN)
> * EMPTY_ACK
> * The TLS extension for flow control
>
> Right now, some of these appear to be entirely gratuitous.=C2=A0 I'= ;d like to get
> to the bottom of each before we continue.
>
> At a minimum, the PR we land first should include just the core change= s.
> As you say, reviewing a monster PR like this will only make GitHub wee= p
> unicorns, but we might be able to cut this into smaller pieces.
>
> On Wed, May 23, 2018 at 11:31 AM Ian Swett <ianswett=3D
> 40google.com@dmarc.ietf= .org> wrote:
>
>> Dear QUIC WG,
>
>
>> On behalf of the Stream 0 Design Team, I am pleased to report that= we
> have consensus on a proposed approach to share with the WG. The DT'= ;s
> proposal will make QUIC and TLS work closer together and incorporates = ideas
> from DTLS, but it does not use the DTLS protocol itself.
>
>
>> The DT believes this solves the important open Stream 0 issues. Th= e
> proposal will be a bit more invasive in TLS, but we believe it is the = right
> long-term direction and several TLS stacks (BoringSSL, PicoTLS, NSS, a= nd
> Mint) are willing and able to do the work necessary.. A number of stac= ks
> are currently working on implementations of this new approach, which w= e
> hope to have in time for the Interim meeting.
>
>
>> A design document describing the overall approach can be found at:=
>
>
> https://urldefense.proofpoint.com/v2/url?u=3Dhttps-3A__docs.go= ogle.com_document_d_1fRsJqPinJl8N3b-2DbflDRV6auojfJLkxddT93j6SwHY= 8_edit&d=3DDwIBaQ&c=3D5VD0RTtNlTh3ycd41b3MUw&r=3Dh3Ju9EBS7mHtwg-wAyN7fQ&m=3D_vGK3zTKFrMOkFihJnPntLYw1T0_NEMiH= YSM0Q_u1JA&s=3DjDNnz34hmWvLSQnHkSnYdihW-jG-0xZ-YYqKq30wVGg&am= p;e=3D
>
>
>> A PR making the changes to the QUIC documents can be found at:
>
>> https://github.com/quicwg/base-drafts/p= ull/1377
>
>
>> A few design details did not have clear consensus, but it was felt= it
> would be better to discuss those in the wider WG than delay the design=
> team.=C2=A0 A consistent choice was made in the PR and these issues ar= e
> mentioned in Appendix B of the design doc.
>
>
>> As always, comments and questions welcome. That said, this is a bi= g PR
> and we recognize that some editorial work is going to be needed before=
> merging. In the interest of letting people follow along, and to keep g= ithub
> from falling over, we ask people to keep discussion on the mailing lis= t and
> refrain from making PR comments.
>
>
>> See you in Kista!
>
>
>> Ian and Eric
>
>



--
Kazuho Oku


--000000000000c29d25056ce7d917--