Re: KEYS_READY
Marten Seemann <martenseemann@gmail.com> Thu, 14 February 2019 05:27 UTC
Return-Path: <martenseemann@gmail.com>
X-Original-To: quic@ietfa.amsl.com
Delivered-To: quic@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D09CD130FCB for <quic@ietfa.amsl.com>; Wed, 13 Feb 2019 21:27:41 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LXKqrFMNjVyu for <quic@ietfa.amsl.com>; Wed, 13 Feb 2019 21:27:40 -0800 (PST)
Received: from mail-it1-x142.google.com (mail-it1-x142.google.com [IPv6:2607:f8b0:4864:20::142]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E40FC130F99 for <quic@ietf.org>; Wed, 13 Feb 2019 21:27:39 -0800 (PST)
Received: by mail-it1-x142.google.com with SMTP id z9so10230948itc.4 for <quic@ietf.org>; Wed, 13 Feb 2019 21:27:39 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=vRDnUV+dVuKgK/lymnhrbKl2Kp7J4fTKoJfZw/cXp6E=; b=KL29tEqadhfimdHrXrqB1lyICYnYF2oxIp40PdTeSGvZ9iGNWPX/1jevbxiMrFTMMJ NV+76xvrNJ9BXghXxwkKm1bcvB8hA+C79GNpBJtMIPQQDloEEh9X5uRKSC0CzkurYbCP VtubyblsR+hyXFDtV/MzVDZj/RxU7AHHqCRtvhfCi8q+Xj5Kv2u5BwZnYJyxQDgXRF2C wC4gZlNJsUaupqYcYZp8jr5IBrHOZMikj5jzIhUFngk9ZiSSxUsl/7jG+XPdbm2ApD+d 8D71Gym1V8U2AdAiAAPnegyFhMnQmbbExmcnIS51LtkSzhTUPYBhxWDXdIoGQ0nieY9Y 6SLQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=vRDnUV+dVuKgK/lymnhrbKl2Kp7J4fTKoJfZw/cXp6E=; b=IzOb880JuKtuCTomeTq1Pm9n3NW2FoU80u3AWKLlp/WoPSKOJht7Emw/sQQUdAvqo4 DCLVBUoR48Yv3OaDQbkwKDNn4h/8Nc7EkWWi7STe4Gy03P0reH/OBmWe8vleFisT/1B8 bomJwIQ04gFtEfIjdHzOxDHy2Q72zSmD6TYaVrV00rE+mUjSR1CmE3kUBdPO9cCDM9xO zbCYGijFfx7d3GH/nAqSvpAJl4xS9a/f1G2blNxI5gusJEyZCfH1HS1oKhHTB7gFtaBE RJJS2ovIr3vXVlvtmM2PqPXP0PnDvK+zqgfn3MPHlOm9vje8M4pRSqaL0T6mA3I3J89Z iBCw==
X-Gm-Message-State: AHQUAubmomn2D7A6rS5MKRV5OYA/f+NMTl+n9xTQYwdGCx+Ad/tIruk2 Nq5cg2+Mq0fWJ/SldLgFPJRGJgNtvPwjucb4ziY=
X-Google-Smtp-Source: AHgI3IYbQr3bmlObsKaGXvZayOsz3LsdHp0X4O7cOw3aqrU2rlXn+lejdQlhuJN3N18qczPYVG+YD8raOshnPTLKImM=
X-Received: by 2002:a6b:bc83:: with SMTP id m125mr1021490iof.83.1550122058856; Wed, 13 Feb 2019 21:27:38 -0800 (PST)
MIME-Version: 1.0
References: <1550022355.557617.1656828112.4DD1CEE6@webmail.messagingengine.com> <CANatvzy_juza_meGR_-KuBV9FA=F754mv54aawxMb8hYWxb1gA@mail.gmail.com> <CAN1APdcVYKWuapZ3XHxXa_nVACwkRD-xeF3ub-5ROttE7QVrmQ@mail.gmail.com> <CAOYVs2ooxAuwu_zr2XZ-y9UqUP5kTbjoFrckAOi40bF9vODGOg@mail.gmail.com> <CAKcm_gNk=jKrnXM4Ht4yF0RX25wtVifjxz0c1gay0uie7PMw6A@mail.gmail.com> <CANatvzxBYzEaDZ1Ftt=o1zT5zVcVTd1EwtGiJOC-mkrNUWzVAQ@mail.gmail.com> <CAN1APdfzepc9DE98UsWw=hB4dM38qKLxdAjpsYuddDBatcscDA@mail.gmail.com> <739AFC55-DD02-47AA-A29E-B9C34ED7D6F9@gmail.com> <CAN1APddWLdmRo+ZZDnmvrBEFQk4TTcS3UK_9AU4KqAeSkiBvJQ@mail.gmail.com> <375A63C5-7120-4688-8873-EEA90693332E@huitema.net> <CANatvzxoOFzpkcH_4VpQscpZq8ak0QL0D6REvyJVjE+ga97SVQ@mail.gmail.com> <1550111606.3717440.1657643080.033E200B@webmail.messagingengine.com> <ae018a6d-4c9a-acc7-4213-21d1670f9dad@huitema.net> <1550117510.928793.1657684264.41D049FA@webmail.messagingengine.com> <CACpbDcfbEcg70RwpFrCQ2X6WA0Dd7ygd=Q0w7iwKc-ZgZQbZ0w@mail.gmail.com> <1550120733.954579.1657700168.72A8F92A@webmail.messagingengine.com>
In-Reply-To: <1550120733.954579.1657700168.72A8F92A@webmail.messagingengine.com>
From: Marten Seemann <martenseemann@gmail.com>
Date: Thu, 14 Feb 2019 13:27:27 +0800
Message-ID: <CAOYVs2qQJgGNhXJNjhE8L=wxBgq+3qs144WYXs0JoWNBrK_a6A@mail.gmail.com>
Subject: Re: KEYS_READY
To: Martin Thomson <mt@lowentropy.net>
Cc: Jana Iyengar <jri.ietf@gmail.com>, QUIC WG <quic@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000ad413d0581d3eafe"
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic/c3-kqXA5hoEmJAQu8DMpzXRqUi0>
X-BeenThere: quic@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Main mailing list of the IETF QUIC working group <quic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic>, <mailto:quic-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic/>
List-Post: <mailto:quic@ietf.org>
List-Help: <mailto:quic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic>, <mailto:quic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 14 Feb 2019 05:27:42 -0000
> I was OK with that PR, and while we might go back and forth on the merits of using a bit vs. a frame, the consensus in Tokyo was that the frame was superior. Also, this solves more problems. In my understanding, the consensus in Tokyo was based on the assumption that the bit and the frame were basically signaling the same thing - at least I wasn’t aware of the additional retransmission logic necessary, and I would’ve opposed this solution if I had known. > The PR changes how Initial keys are retired. Instead of relying on the delivery of Handshake packets, it relies on the delivery of KEYS_ACTIVE frames. However, we do not require KEY_ACTIVE frames to be included in every Handshake packet being sent. This is again the problem of a discrete vs. a continuous signal. Using another bit in the first byte solves this problem. After the handshake completes, we want the peer to advance from handshake mode to normal mode in the loss recovery logic, since in handshake mode we don’t have PTOs. The only way to achieve this using the KEYS_ACTIVE frame is to include it in multiple (all packets for one RTT?) after the handshake completes. That being said, adding a generation number as Kazuho suggested seems to be the second best solution, since it at least removes the necessity to implement separate retransmission rules. On Thu, Feb 14, 2019 at 13:05 Martin Thomson <mt@lowentropy.net> wrote: > On Thu, Feb 14, 2019, at 15:24, Jana Iyengar wrote: > > (I've left this comment on the PR as well, but seeing that this > discussion > > is happening here as well, echoing it here) > > If the peer hasn't acked the previous KEYS_ACTIVE, it may not have seen > it > > yet. It is possible that it simultaneously did a key update and sent a > > KEYS_ACTIVE however. Under this condition, the endpoint wouldn't be able > to > > update its keys again, since the peer may close the connection, right? > > This is not a problem, but it requires thinking the process through. > > An endpoint can only initiate a key update if it has received > KEYS_ACTIVE. It can only send KEYS_ACTIVE if it has received a key update > (and is either responding, or initiated that). > > Take the example where an ACK is lost, so a key update occurs when one > peer is retransmitting KEYS_ACTIVE: > > C: Update to Key Phase 1. > S: Update to Key Phase 1. Send KEYS_ACTIVE. > C: Send packet containing ACK for the server packet containing > KEYS_ACTIVE, plus KEYS_ACTIVE. That packet is lost. > C: Update to Key Phase 0. > S: Update to Key Phase 0. Send KEYS_ACTIVE. > > The server might believe that its KEYS_ACTIVE hasn't been acknowledged, > but it has to be prepared for a key update as soon as it sends the frame. > > If there is a simultanous update it looks like this: > > C: Update to Key Phase 1. > S: Update to Key Phase 1. (Concurrent with previous.) > C: Receive packet with KP1. Send KEYS_ACTIVE. Lost. > S: Receive packet with KP1. Send KEYS_ACTIVE. > > At this point, both peers are fine, they are on the same keys, and a key > update can be triggered by the client. The server can't update until the > client repairs the lost KEYS_ACTIVE frame. This continues: > > C: Update to Key Phase 0. > S: Receive KP0. Update to Key Phase 0. Send KEYS_ACTIVE. > > As you can see, the client stops sending when it updates again, but that's > OK. > > It's also safe if the KEYS_ACTIVE frames get through, but acknowledgments > for them don't. > >
- KEYS_READY Martin Thomson
- Re: KEYS_READY Kazuho Oku
- Re: KEYS_READY Mikkel Fahnøe Jørgensen
- Re: KEYS_READY Marten Seemann
- Re: KEYS_READY Ian Swett
- Re: KEYS_READY Kazuho Oku
- Re: KEYS_READY Mikkel Fahnøe Jørgensen
- Re: KEYS_READY Kazuho Oku
- Re: KEYS_READY Mikkel Fahnøe Jørgensen
- Re: KEYS_READY Christian Huitema
- Re: KEYS_READY Mikkel Fahnøe Jørgensen
- Re: KEYS_READY Kazuho Oku
- Re: KEYS_READY Kazuho Oku
- Re: KEYS_READY Martin Thomson
- Re: KEYS_READY Martin Thomson
- Re: KEYS_READY Christian Huitema
- Re: KEYS_READY Martin Thomson
- Re: KEYS_READY Kazuho Oku
- Re: KEYS_READY Jana Iyengar
- Re: KEYS_READY Jana Iyengar
- Re: KEYS_READY Kazuho Oku
- Re: KEYS_READY Martin Thomson
- Re: KEYS_READY Marten Seemann
- Re: KEYS_READY Mikkel Fahnøe Jørgensen
- Re: KEYS_READY Mikkel Fahnøe Jørgensen
- Re: KEYS_READY David Schinazi
- Re: KEYS_READY Ryan Hamilton
- RE: KEYS_READY Mike Bishop
- Re: KEYS_READY David Schinazi
- Re: KEYS_READY Martin Thomson
- Re: KEYS_READY David Schinazi
- Re: KEYS_READY Martin Thomson
- Re: KEYS_READY David Schinazi
- Re: KEYS_READY Martin Thomson
- Re: KEYS_READY David Schinazi
- Re: KEYS_READY Kazuho Oku
- Re: KEYS_READY David Schinazi
- Re: KEYS_READY Martin Thomson
- Re: KEYS_READY Nick Harper
- Re: KEYS_READY Martin Thomson
- Re: KEYS_READY David Schinazi
- Re: KEYS_READY Kazuho Oku
- Re: KEYS_READY Martin Thomson
- Re: KEYS_READY David Schinazi