IETF Logo Mail Archive

Re: KEYS_READY

Mikkel Fahnøe Jørgensen <mikkelfj@gmail.com> Thu, 14 February 2019 05:42 UTC

Return-Path: <mikkelfj@gmail.com>
X-Original-To: quic@ietfa.amsl.com
Delivered-To: quic@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 533DF13106A for <quic@ietfa.amsl.com>; Wed, 13 Feb 2019 21:42:44 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7L7YEk2GzNFF for <quic@ietfa.amsl.com>; Wed, 13 Feb 2019 21:42:41 -0800 (PST)
Received: from mail-pf1-x42d.google.com (mail-pf1-x42d.google.com [IPv6:2607:f8b0:4864:20::42d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5031C130FE9 for <quic@ietf.org>; Wed, 13 Feb 2019 21:42:41 -0800 (PST)
Received: by mail-pf1-x42d.google.com with SMTP id s22so2496563pfh.4 for <quic@ietf.org>; Wed, 13 Feb 2019 21:42:41 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:cc:subject:thread-topic:thread-index:date:message-id :references:in-reply-to:accept-language:content-language :mime-version; bh=Nfz+upCX6Hggm/PkuDeZLEBG6qcFgTvz0fUcZ1LA6VY=; b=cW9Fv4m7XgnqAcCqrDfWX4xAWKJGSYklNsAlQ6+5p7QDc9fbJMkK/JnQ+367hTsXRv exm9PMZRFvxKfjetQ4sEKKPWfY06WFliCsr3kztHKcagPJ/Lt8n+tP9sPbt+k9373Lhf Y/u0PH1JPXpRiFA0g0ll0HyVpyeVq5CHpmX81boiYMr7m7BZikqVhMeYERsgZl6A5Fa9 RrjrzjKEWyrV5rdFV41r7wmKCh+h68/buA5r4e59dq3f5YssP6Qpz3EOtO1Mc4WDSVxG OgU+CrMFopyj9KzpFK4GRrZW/73jEo0EtzYuHkmCNZcnCTkqft81lsEfAGWZaE+9T3Kx DDIQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:thread-topic:thread-index :date:message-id:references:in-reply-to:accept-language :content-language:mime-version; bh=Nfz+upCX6Hggm/PkuDeZLEBG6qcFgTvz0fUcZ1LA6VY=; b=MYGsYiA5Fpd0NzKTMORG+gqNS/d2dneAe+nb62LEqdFzD1b/RwzoFYP0Ww9xTu0khw V3QIRODPo34VsnVErCYYh2B10qxINN9asTKhx4du2kDRvIrLuZdwENJ0NQNTTi+Kj33W 5nuqn+O1+msXUhn4F4bDhWhsZDuIQJhoe9ANFXvNxDcozej/fWEx3Ybn5SQD7PaBmYGm k53KwQOplqQ1KzqVFG15NqIfkMUDAB/4Cw2JqaDAbRenHqIhnB6lb2jMQLavcsG4YZEH 8z1xc1XiAelP5L1nVeYEm5sJfNh89aQO+/ryew8lC+79HCiAV42hiQcN5ByUYsBzQEKt xI3A==
X-Gm-Message-State: AHQUAub1HsDM/N91PFPc3N7YkxIDuFj/Hr18kVKYpXpcoZ/tNwjHh006 61bZ8vgh7vEcWSPirbQ2bm8=
X-Google-Smtp-Source: AHgI3IbAFuOloHlxCpU3aSc5haRx3Z5NOwpuempiHOQBSNU4myFPf1VPNiR2DjZk24/Eg/NBU5elfw==
X-Received: by 2002:a65:4784:: with SMTP id e4mr2105035pgs.12.1550122960556; Wed, 13 Feb 2019 21:42:40 -0800 (PST)
Received: from DB6PR10MB1766.EURPRD10.PROD.OUTLOOK.COM ([40.101.73.61]) by smtp.gmail.com with ESMTPSA id a6sm1430970pfn.147.2019.02.13.21.42.37 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Wed, 13 Feb 2019 21:42:39 -0800 (PST)
From: Mikkel Fahnøe Jørgensen <mikkelfj@gmail.com>
To: Marten Seemann <martenseemann@gmail.com>, Martin Thomson <mt@lowentropy.net>
CC: Jana Iyengar <jri.ietf@gmail.com>, QUIC WG <quic@ietf.org>
Subject: Re: KEYS_READY
Thread-Topic: KEYS_READY
Thread-Index: ATY0ODE1WAmiSi3iEdmd5vS0ATj/SkFNNUt1UVJEWEtnNGItQUF5aXlqUS1kb3pBZEt3cDk0OTQ1UUtjdmRFMDc0NVFWUVFGQjA2NDZkNjFhZEE0Njkxd0t5UWNBNzc3M0FKcThnlp13a38=
X-MS-Exchange-MessageSentRepresentingType: 1
Date: Thu, 14 Feb 2019 05:42:31 +0000
Message-ID: <DB6PR10MB1766128EAD7248F02C1EAFA5AC670@DB6PR10MB1766.EURPRD10.PROD.OUTLOOK.COM>
References: <1550022355.557617.1656828112.4DD1CEE6@webmail.messagingengine.com> <CANatvzy_juza_meGR_-KuBV9FA=F754mv54aawxMb8hYWxb1gA@mail.gmail.com> <CAN1APdcVYKWuapZ3XHxXa_nVACwkRD-xeF3ub-5ROttE7QVrmQ@mail.gmail.com> <CAOYVs2ooxAuwu_zr2XZ-y9UqUP5kTbjoFrckAOi40bF9vODGOg@mail.gmail.com> <CAKcm_gNk=jKrnXM4Ht4yF0RX25wtVifjxz0c1gay0uie7PMw6A@mail.gmail.com> <CANatvzxBYzEaDZ1Ftt=o1zT5zVcVTd1EwtGiJOC-mkrNUWzVAQ@mail.gmail.com> <CAN1APdfzepc9DE98UsWw=hB4dM38qKLxdAjpsYuddDBatcscDA@mail.gmail.com> <739AFC55-DD02-47AA-A29E-B9C34ED7D6F9@gmail.com> <CAN1APddWLdmRo+ZZDnmvrBEFQk4TTcS3UK_9AU4KqAeSkiBvJQ@mail.gmail.com> <375A63C5-7120-4688-8873-EEA90693332E@huitema.net> <CANatvzxoOFzpkcH_4VpQscpZq8ak0QL0D6REvyJVjE+ga97SVQ@mail.gmail.com> <1550111606.3717440.1657643080.033E200B@webmail.messagingengine.com> <ae018a6d-4c9a-acc7-4213-21d1670f9dad@huitema.net> <1550117510.928793.1657684264.41D049FA@webmail.messagingengine.com> <CACpbDcfbEcg70RwpFrCQ2X6WA0Dd7ygd=Q0w7iwKc-ZgZQbZ0w@mail.gmail.com> <1550120733.954579.1657700168.72A8F92A@webmail.messagingengine.com>, <CAOYVs2qQJgGNhXJNjhE8L=wxBgq+3qs144WYXs0JoWNBrK_a6A@mail.gmail.com>
In-Reply-To: <CAOYVs2qQJgGNhXJNjhE8L=wxBgq+3qs144WYXs0JoWNBrK_a6A@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-Exchange-Organization-SCL: -1
X-MS-TNEF-Correlator:
X-MS-Exchange-Organization-RecordReviewCfmType: 0
Content-Type: multipart/alternative; boundary="_000_DB6PR10MB1766128EAD7248F02C1EAFA5AC670DB6PR10MB1766EURP_"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic/K6hN07DOE0SoNTSkmkRMQ0Gvf54>
X-BeenThere: quic@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Main mailing list of the IETF QUIC working group <quic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic>, <mailto:quic-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic/>
List-Post: <mailto:quic@ietf.org>
List-Help: <mailto:quic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic>, <mailto:quic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 14 Feb 2019 05:42:44 -0000

Why do keys need to be in sync?
Disregarding handshake, if each peer has a separate key index counter, at change in phase bit ought to be sufficient.

The endpoints can have vastly different consumption rates.

With sync keys the peer can prevent you from updating while uou can update after ca 3 PTO in the async design. Neither design can force the peer to update.


________________________________
Fra: QUIC <quic-bounces@ietf.org> på vegne af Marten Seemann <martenseemann@gmail.com>
Sendt: torsdag, februar 14, 2019 6:27 AM
Til: Martin Thomson
Cc: Jana Iyengar; QUIC WG
Emne: Re: KEYS_READY

> I was OK with that PR, and while we might go back and forth on the merits of using a bit vs. a frame, the consensus in Tokyo was that the frame was superior.  Also, this solves more problems.

In my understanding, the consensus in Tokyo was based on the assumption that the bit and the frame were basically signaling the same thing - at least I wasn’t aware of the additional retransmission logic necessary, and I would’ve opposed this solution if I had known.

> The PR changes how Initial keys are retired. Instead of relying on the delivery of Handshake packets, it relies on the delivery of KEYS_ACTIVE frames. However, we do not require KEY_ACTIVE frames to be included in every Handshake packet being sent.

This is again the problem of a discrete vs. a continuous signal. Using another bit in the first byte solves this problem.
After the handshake completes, we want the peer to advance from handshake mode to normal mode in the loss recovery logic, since in handshake mode we don’t have PTOs. The only way to achieve this using the KEYS_ACTIVE frame is to include it in multiple (all packets for one RTT?) after the handshake completes.

That being said, adding a generation number as Kazuho suggested seems to be the second best solution, since it at least removes the necessity to implement separate retransmission rules.

On Thu, Feb 14, 2019 at 13:05 Martin Thomson <mt@lowentropy.net<mailto:mt@lowentropy.net>> wrote:
On Thu, Feb 14, 2019, at 15:24, Jana Iyengar wrote:
> (I've left this comment on the PR as well, but seeing that this discussion
> is happening here as well, echoing it here)
> If the peer hasn't acked the previous KEYS_ACTIVE, it may not have seen it
> yet. It is possible that it simultaneously did a key update and sent a
> KEYS_ACTIVE however. Under this condition, the endpoint wouldn't be able to
> update its keys again, since the peer may close the connection, right?

This is not a problem, but it requires thinking the process through.

An endpoint can only initiate a key update if it has received KEYS_ACTIVE.  It can only send KEYS_ACTIVE if it has received a key update (and is either responding, or initiated that).

Take the example where an ACK is lost, so a key update occurs when one peer is retransmitting KEYS_ACTIVE:

C: Update to Key Phase 1.
S: Update to Key Phase 1.  Send KEYS_ACTIVE.
C: Send packet containing ACK for the server packet containing KEYS_ACTIVE, plus KEYS_ACTIVE.  That packet is lost.
C: Update to Key Phase 0.
S: Update to Key Phase 0. Send KEYS_ACTIVE.

The server might believe that its KEYS_ACTIVE hasn't been acknowledged, but it has to be prepared for a key update as soon as it sends the frame.

If there is a simultanous update it looks like this:

C: Update to Key Phase 1.
S: Update to Key Phase 1.  (Concurrent with previous.)
C: Receive packet with KP1.  Send KEYS_ACTIVE.  Lost.
S: Receive packet with KP1.  Send KEYS_ACTIVE.

At this point, both peers are fine, they are on the same keys, and a key update can be triggered by the client.  The server can't update until the client repairs the lost KEYS_ACTIVE frame.  This continues:

C: Update to Key Phase 0.
S: Receive KP0.  Update to Key Phase 0.  Send KEYS_ACTIVE.

As you can see, the client stops sending when it updates again, but that's OK.

It's also safe if the KEYS_ACTIVE frames get through, but acknowledgments for them don't.

v2.23.0 | Report a Bug | By Email