IETF Logo Mail Archive

Re: Removing packet number gaps

Martin Thomson <martin.thomson@gmail.com> Tue, 02 January 2018 04:40 UTC

Return-Path: <martin.thomson@gmail.com>
X-Original-To: quic@ietfa.amsl.com
Delivered-To: quic@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 86560126C89 for <quic@ietfa.amsl.com>; Mon, 1 Jan 2018 20:40:34 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id h6bZLBrWWG51 for <quic@ietfa.amsl.com>; Mon, 1 Jan 2018 20:40:33 -0800 (PST)
Received: from mail-ot0-x243.google.com (mail-ot0-x243.google.com [IPv6:2607:f8b0:4003:c0f::243]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E32AB12025C for <quic@ietf.org>; Mon, 1 Jan 2018 20:40:32 -0800 (PST)
Received: by mail-ot0-x243.google.com with SMTP id 14so14466144oth.9 for <quic@ietf.org>; Mon, 01 Jan 2018 20:40:32 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=4Df185gMIxUPkgDPUBz+VLxa2LYVgguHcj/7o0cvs6M=; b=fe6q3ZPYpmEo/UHPQZWBjouNrx8/Od1YodDswtXF+tBWQCRX3dXwJhO1VKmhGu2Han 6dfbrneNgUOp67JvEt/EimSt22Tw3CMs5ithd7tp5LLDUSTJx4/+CzYFFKM9eSjK9o3o Ei+OgzxF8mPnEjFhVOxSBQ4OoLgpN25f54YWHJFWXnrjdtcWXQj6G1J6vZzZMdI/WIvg WPC+qAQwV9+vKE2djKu5FByvgFSs5W3zxjeTgz/Zx1W4sPFXM4RCyc2KWYK6iqzasZTL CyX2K1D/qN5f3cn/N13ez7Tw/dHxkIks+yQ13Hl4GZkri/kaKC/2sQZgbLIJgoJzbcFO HJXw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=4Df185gMIxUPkgDPUBz+VLxa2LYVgguHcj/7o0cvs6M=; b=r0SVxcxZXWimHHrBUcMHyBy2XKkOoLhFGY7mKKQwcHN4jl7EXPzIhtLu74zTxJuMVv qyBpxYYBQVR0UArCMA579lUOJq9GqvNYJvZh38dAC79dzZ2ChAjsZ831dyR5qI5UObcX MvKZt+GAJngoFBaYLnIivOV+kGvyc/ZhLufC+LEuwkHTPKKKSh92AaDFZ2cXfnbhkXr0 Dpn8dNGf40B4yLkMdMSfOtIP/bYvQwwTD8NNqohMsw0fbnWr45024tpSMkXq0fIIddvl zX4rGy3PMh0eyuComzn4Km5XW+NzZwU/9flOGrp2WkDOo1KFSItVKH9QUOqqZM8f7XtC SgAQ==
X-Gm-Message-State: AKGB3mLfYKTpd2KeBWp7Vk5DWITzjhilGKndivnneBlCG/SO/LQRByhr IsvFVZAnlGxNcXseWD4cYboAoZ/tAesVuIB9x/8=
X-Google-Smtp-Source: ACJfBotnWbwUYqLg3Frn89T8yhdRlBDC0FWRBOWLx+rCQbR7awDAipakFho0azTB0XaAL0/Nbddua7d0SR4G5FYxiJA=
X-Received: by 10.157.35.229 with SMTP id t92mr12043762otb.16.1514868032129; Mon, 01 Jan 2018 20:40:32 -0800 (PST)
MIME-Version: 1.0
Received: by 10.157.46.182 with HTTP; Mon, 1 Jan 2018 20:40:31 -0800 (PST)
In-Reply-To: <E88EE694-2977-408D-BFB9-6E6FE383B7A1@huitema.net>
References: <CABkgnnW89B+5Qo0u_+Wr5K0wCRZ3Wp-+CTWJbHRGGwD06hn-zw@mail.gmail.com> <16F84894-C3D9-4342-83EB-616759E739BD@huitema.net> <CABkgnnWHcZrAKBKpkF7JPZ3Bzwdk9HPXcA1cbyUtkvzMv0G64g@mail.gmail.com> <E88EE694-2977-408D-BFB9-6E6FE383B7A1@huitema.net>
From: Martin Thomson <martin.thomson@gmail.com>
Date: Tue, 02 Jan 2018 15:40:31 +1100
Message-ID: <CABkgnnV3796gPPSdF5DUiiGxLr+iZrzK=G8vz02pnXsb1+7LYg@mail.gmail.com>
Subject: Re: Removing packet number gaps
To: Christian Huitema <huitema@huitema.net>
Cc: QUIC WG <quic@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic/cUSrUDx1KjJvuDcy4b5ofwLI7is>
X-BeenThere: quic@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Main mailing list of the IETF QUIC working group <quic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic>, <mailto:quic-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic/>
List-Post: <mailto:quic@ietf.org>
List-Help: <mailto:quic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic>, <mailto:quic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 02 Jan 2018 04:40:34 -0000

On Tue, Jan 2, 2018 at 3:11 PM, Christian Huitema <huitema@huitema.net> wrote:
>> On Jan 1, 2018, at 7:38 PM, Martin Thomson <martin.thomson@gmail.com> wrote:
>>
>>> On Tue, Jan 2, 2018 at 1:13 PM, Christian Huitema <huitema@huitema.net> wrote:
>>> For clarification: are you proposing to make the encryption key and IV dependent on the connection ID, or just the packet number mask?
>>
>> Both.  As you argue in your draft, this makes some things easier, and
>> it fits more naturally if the key, IV, and mask all have similar
>> derivations.
>
> Yes, it seems natural. But there is at least one downside: both peers need the master secret available when creating or receiving a new connection ID. In the current design, the master secret can be erased once encryption keys have been initialized.

You need the packet protection secret around if you ever want to do a
key update.

> OTOH, with that design we can get rid of the key phase mechanism. To refresh the key, just start using a new connection ID.

True, but that would remove the post-compromise security that we get
from the current design.

>>> Also, are you proposing applying the mask before encoding the packet header on 1, 2, 4 or 8 bytes, or after that?
>>
>> After.  We'd have to be careful to get the bit alignment right, of course.
>
> You don't actually need to be careful with the XOR solution. Just XOR four bytes after completing the payload encryption, and XOR then again before decrypting the payload.

You have to get the right part of the 4 (or 5) bytes or it will fail.
That means a htonl() call, but that's easy.  Though I note that if we
do as Igor suggests, then we get that number just once per connection
ID (with  a call to ntohl() at that point) and add before encoding and
you don't have to worry about the truncation bit.

> By the way, can we get 5 bytes instead of just 4? With the 5th byte, we could grease the lower bits of the first byte, greasing the packet type.

Sure.  I didn't want to burden everyone with this, but it's an obvious
extension.

v2.23.0 | Report a Bug | By Email