Re: KEYS_READY
Mikkel Fahnøe Jørgensen <mikkelfj@gmail.com> Thu, 14 February 2019 05:44 UTC
Return-Path: <mikkelfj@gmail.com>
X-Original-To: quic@ietfa.amsl.com
Delivered-To: quic@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7935A130FE9 for <quic@ietfa.amsl.com>; Wed, 13 Feb 2019 21:44:11 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id J27x8lQsL48M for <quic@ietfa.amsl.com>; Wed, 13 Feb 2019 21:44:09 -0800 (PST)
Received: from mail-pf1-x42e.google.com (mail-pf1-x42e.google.com [IPv6:2607:f8b0:4864:20::42e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8B39E130FE8 for <quic@ietf.org>; Wed, 13 Feb 2019 21:44:09 -0800 (PST)
Received: by mail-pf1-x42e.google.com with SMTP id g6so2477641pfh.13 for <quic@ietf.org>; Wed, 13 Feb 2019 21:44:09 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:cc:subject:thread-topic:thread-index:date:message-id :references:in-reply-to:accept-language:content-language :mime-version; bh=VVjut9Z8dGU8k+uteETNwTfYlPk1EXfqBCmg01orzz0=; b=KU9tWDwv78xOgO1miJnzjPZhGOSGe7wnRd82HT1BBIyGxrl9p/Ib9uKNi2DE0yasBD k80/hPV23GOLEtRY+EjHE0XWrhDqAA9n7GLRm2aMcOHQMMOxAOCQ4tGXjEEbUIz+QDpf VTlz4aAz7qw2sSfLKNuTcESnor6lHWwU7wKvqJ8fjmlLZ69AmQn1ihepBxl4MZ1AqB+2 sFEibXakOgs9aYhzcV3hPVK9Jr0gygv4usHHEPTvNHZpo0LYQrXuOIn90w8QVzHOJVTl jUpEKuG/wDc1gGp22/gFQwhO/GeH+Km1bbmn14ykoRhHuk42XnbaBrVFU1hPOqFalk+Y 6UQA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:thread-topic:thread-index :date:message-id:references:in-reply-to:accept-language :content-language:mime-version; bh=VVjut9Z8dGU8k+uteETNwTfYlPk1EXfqBCmg01orzz0=; b=X7bg4OcmbTf5yflOwmAlAIWAS/HLcRUL7g5wHKBJUixbJ1YGqNKVqIToP7x/jVZG+9 jypfDILZZSSpu2TEIao8xGC82Z1Q4cuqfMRRuG5eHd51RYvSaodmJvWaSWee2jYnoYj9 8epI8xp1jt1Tyq+6fy3KfEP1pugqzRRcTtm941Afwkgbdn1t03/o1irIVOGFm3hzlMsc IMNB1LaT/Nwo8Fpmj79SalsrBicFD1khrW+bUIbx5X5RaGIv0w8xq7A/6Bbk9jKnw6b6 3JDKig/vyp4CXq76HXhr91VQUT35vZ3I4mhX1RoaBpTOuHgVe0+f6bc0sMDHXOegr6vo JuLQ==
X-Gm-Message-State: AHQUAua341MkOA8soOH4wkC7aWr1oNKHWY92mz3h8Sj0EdWSUG7f52Uz ZE8YDsA60ujD4dcZb+Ty8fjmd+bBwOM=
X-Google-Smtp-Source: AHgI3IYZdfuFJSU/CpOQYIINvqQ57DFHYqjGngzUi5H75HHCMQGn7gEHK0Ujl8KIe8n4Q3hZx8rYcw==
X-Received: by 2002:a62:5910:: with SMTP id n16mr2228317pfb.128.1550123049026; Wed, 13 Feb 2019 21:44:09 -0800 (PST)
Received: from DB6PR10MB1766.EURPRD10.PROD.OUTLOOK.COM ([40.101.73.61]) by smtp.gmail.com with ESMTPSA id k71sm2047104pga.44.2019.02.13.21.44.05 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Wed, 13 Feb 2019 21:44:08 -0800 (PST)
From: Mikkel Fahnøe Jørgensen <mikkelfj@gmail.com>
To: Marten Seemann <martenseemann@gmail.com>, Martin Thomson <mt@lowentropy.net>
CC: Jana Iyengar <jri.ietf@gmail.com>, QUIC WG <quic@ietf.org>
Subject: Re: KEYS_READY
Thread-Topic: KEYS_READY
Thread-Index: ATY0ODE1WAmiSi3iEdmd5vS0ATj/SkFNNUt1UVJEWEtnNGItQUF5aXlqUS1kb3pBZEt3cDk0OTQ1UUtjdmRFMDc0NVFWUVFGQjA2NDZkNjFhZEE0Njkxd0t5UWNBNzc3M0FKcThnMEZGRTGVG0cY+A==
X-MS-Exchange-MessageSentRepresentingType: 1
Date: Thu, 14 Feb 2019 05:44:00 +0000
Message-ID: <DB6PR10MB176684E61A66BF01C66008F6AC670@DB6PR10MB1766.EURPRD10.PROD.OUTLOOK.COM>
References: <1550022355.557617.1656828112.4DD1CEE6@webmail.messagingengine.com> <CANatvzy_juza_meGR_-KuBV9FA=F754mv54aawxMb8hYWxb1gA@mail.gmail.com> <CAN1APdcVYKWuapZ3XHxXa_nVACwkRD-xeF3ub-5ROttE7QVrmQ@mail.gmail.com> <CAOYVs2ooxAuwu_zr2XZ-y9UqUP5kTbjoFrckAOi40bF9vODGOg@mail.gmail.com> <CAKcm_gNk=jKrnXM4Ht4yF0RX25wtVifjxz0c1gay0uie7PMw6A@mail.gmail.com> <CANatvzxBYzEaDZ1Ftt=o1zT5zVcVTd1EwtGiJOC-mkrNUWzVAQ@mail.gmail.com> <CAN1APdfzepc9DE98UsWw=hB4dM38qKLxdAjpsYuddDBatcscDA@mail.gmail.com> <739AFC55-DD02-47AA-A29E-B9C34ED7D6F9@gmail.com> <CAN1APddWLdmRo+ZZDnmvrBEFQk4TTcS3UK_9AU4KqAeSkiBvJQ@mail.gmail.com> <375A63C5-7120-4688-8873-EEA90693332E@huitema.net> <CANatvzxoOFzpkcH_4VpQscpZq8ak0QL0D6REvyJVjE+ga97SVQ@mail.gmail.com> <1550111606.3717440.1657643080.033E200B@webmail.messagingengine.com> <ae018a6d-4c9a-acc7-4213-21d1670f9dad@huitema.net> <1550117510.928793.1657684264.41D049FA@webmail.messagingengine.com> <CACpbDcfbEcg70RwpFrCQ2X6WA0Dd7ygd=Q0w7iwKc-ZgZQbZ0w@mail.gmail.com> <1550120733.954579.1657700168.72A8F92A@webmail.messagingengine.com>, <CAOYVs2qQJgGNhXJNjhE8L=wxBgq+3qs144WYXs0JoWNBrK_a6A@mail.gmail.com>, <DB6PR10MB1766128EAD7248F02C1EAFA5AC670@DB6PR10MB1766.EURPRD10.PROD.OUTLOOK.COM>
In-Reply-To: <DB6PR10MB1766128EAD7248F02C1EAFA5AC670@DB6PR10MB1766.EURPRD10.PROD.OUTLOOK.COM>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-Exchange-Organization-SCL: -1
X-MS-TNEF-Correlator:
X-MS-Exchange-Organization-RecordReviewCfmType: 0
Content-Type: multipart/alternative; boundary="_000_DB6PR10MB176684E61A66BF01C66008F6AC670DB6PR10MB1766EURP_"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic/H0CiqYyhfNltjC7GP191JJgvg4s>
X-BeenThere: quic@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Main mailing list of the IETF QUIC working group <quic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic>, <mailto:quic-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic/>
List-Post: <mailto:quic@ietf.org>
List-Help: <mailto:quic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic>, <mailto:quic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 14 Feb 2019 05:44:11 -0000
I guess because ACK? ________________________________ Fra: Mikkel Fahnøe Jørgensen <mikkelfj@gmail.com> Sendt: torsdag, februar 14, 2019 6:42 AM Til: Marten Seemann; Martin Thomson Cc: Jana Iyengar; QUIC WG Emne: Re: KEYS_READY Why do keys need to be in sync? Disregarding handshake, if each peer has a separate key index counter, at change in phase bit ought to be sufficient. The endpoints can have vastly different consumption rates. With sync keys the peer can prevent you from updating while uou can update after ca 3 PTO in the async design. Neither design can force the peer to update. ________________________________ Fra: QUIC <quic-bounces@ietf.org> på vegne af Marten Seemann <martenseemann@gmail.com> Sendt: torsdag, februar 14, 2019 6:27 AM Til: Martin Thomson Cc: Jana Iyengar; QUIC WG Emne: Re: KEYS_READY > I was OK with that PR, and while we might go back and forth on the merits of using a bit vs. a frame, the consensus in Tokyo was that the frame was superior. Also, this solves more problems. In my understanding, the consensus in Tokyo was based on the assumption that the bit and the frame were basically signaling the same thing - at least I wasn’t aware of the additional retransmission logic necessary, and I would’ve opposed this solution if I had known. > The PR changes how Initial keys are retired. Instead of relying on the delivery of Handshake packets, it relies on the delivery of KEYS_ACTIVE frames. However, we do not require KEY_ACTIVE frames to be included in every Handshake packet being sent. This is again the problem of a discrete vs. a continuous signal. Using another bit in the first byte solves this problem. After the handshake completes, we want the peer to advance from handshake mode to normal mode in the loss recovery logic, since in handshake mode we don’t have PTOs. The only way to achieve this using the KEYS_ACTIVE frame is to include it in multiple (all packets for one RTT?) after the handshake completes. That being said, adding a generation number as Kazuho suggested seems to be the second best solution, since it at least removes the necessity to implement separate retransmission rules. On Thu, Feb 14, 2019 at 13:05 Martin Thomson <mt@lowentropy.net<mailto:mt@lowentropy.net>> wrote: On Thu, Feb 14, 2019, at 15:24, Jana Iyengar wrote: > (I've left this comment on the PR as well, but seeing that this discussion > is happening here as well, echoing it here) > If the peer hasn't acked the previous KEYS_ACTIVE, it may not have seen it > yet. It is possible that it simultaneously did a key update and sent a > KEYS_ACTIVE however. Under this condition, the endpoint wouldn't be able to > update its keys again, since the peer may close the connection, right? This is not a problem, but it requires thinking the process through. An endpoint can only initiate a key update if it has received KEYS_ACTIVE. It can only send KEYS_ACTIVE if it has received a key update (and is either responding, or initiated that). Take the example where an ACK is lost, so a key update occurs when one peer is retransmitting KEYS_ACTIVE: C: Update to Key Phase 1. S: Update to Key Phase 1. Send KEYS_ACTIVE. C: Send packet containing ACK for the server packet containing KEYS_ACTIVE, plus KEYS_ACTIVE. That packet is lost. C: Update to Key Phase 0. S: Update to Key Phase 0. Send KEYS_ACTIVE. The server might believe that its KEYS_ACTIVE hasn't been acknowledged, but it has to be prepared for a key update as soon as it sends the frame. If there is a simultanous update it looks like this: C: Update to Key Phase 1. S: Update to Key Phase 1. (Concurrent with previous.) C: Receive packet with KP1. Send KEYS_ACTIVE. Lost. S: Receive packet with KP1. Send KEYS_ACTIVE. At this point, both peers are fine, they are on the same keys, and a key update can be triggered by the client. The server can't update until the client repairs the lost KEYS_ACTIVE frame. This continues: C: Update to Key Phase 0. S: Receive KP0. Update to Key Phase 0. Send KEYS_ACTIVE. As you can see, the client stops sending when it updates again, but that's OK. It's also safe if the KEYS_ACTIVE frames get through, but acknowledgments for them don't.
- KEYS_READY Martin Thomson
- Re: KEYS_READY Kazuho Oku
- Re: KEYS_READY Mikkel Fahnøe Jørgensen
- Re: KEYS_READY Marten Seemann
- Re: KEYS_READY Ian Swett
- Re: KEYS_READY Kazuho Oku
- Re: KEYS_READY Mikkel Fahnøe Jørgensen
- Re: KEYS_READY Kazuho Oku
- Re: KEYS_READY Mikkel Fahnøe Jørgensen
- Re: KEYS_READY Christian Huitema
- Re: KEYS_READY Mikkel Fahnøe Jørgensen
- Re: KEYS_READY Kazuho Oku
- Re: KEYS_READY Kazuho Oku
- Re: KEYS_READY Martin Thomson
- Re: KEYS_READY Martin Thomson
- Re: KEYS_READY Christian Huitema
- Re: KEYS_READY Martin Thomson
- Re: KEYS_READY Kazuho Oku
- Re: KEYS_READY Jana Iyengar
- Re: KEYS_READY Jana Iyengar
- Re: KEYS_READY Kazuho Oku
- Re: KEYS_READY Martin Thomson
- Re: KEYS_READY Marten Seemann
- Re: KEYS_READY Mikkel Fahnøe Jørgensen
- Re: KEYS_READY Mikkel Fahnøe Jørgensen
- Re: KEYS_READY David Schinazi
- Re: KEYS_READY Ryan Hamilton
- RE: KEYS_READY Mike Bishop
- Re: KEYS_READY David Schinazi
- Re: KEYS_READY Martin Thomson
- Re: KEYS_READY David Schinazi
- Re: KEYS_READY Martin Thomson
- Re: KEYS_READY David Schinazi
- Re: KEYS_READY Martin Thomson
- Re: KEYS_READY David Schinazi
- Re: KEYS_READY Kazuho Oku
- Re: KEYS_READY David Schinazi
- Re: KEYS_READY Martin Thomson
- Re: KEYS_READY Nick Harper
- Re: KEYS_READY Martin Thomson
- Re: KEYS_READY David Schinazi
- Re: KEYS_READY Kazuho Oku
- Re: KEYS_READY Martin Thomson
- Re: KEYS_READY David Schinazi