IETF Logo Mail Archive

Re: KEYS_READY

Christian Huitema <huitema@huitema.net> Wed, 13 February 2019 18:20 UTC

Return-Path: <huitema@huitema.net>
X-Original-To: quic@ietfa.amsl.com
Delivered-To: quic@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7FCC5129532 for <quic@ietfa.amsl.com>; Wed, 13 Feb 2019 10:20:51 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, MIME_QP_LONG_LINE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BAgztlA-QXyC for <quic@ietfa.amsl.com>; Wed, 13 Feb 2019 10:20:50 -0800 (PST)
Received: from mx43-out1.antispamcloud.com (mx43-out1.antispamcloud.com [138.201.61.189]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B6CEB128766 for <quic@ietf.org>; Wed, 13 Feb 2019 10:20:49 -0800 (PST)
Received: from xsmtp05.mail2web.com ([168.144.250.245]) by mx66.antispamcloud.com with esmtps (TLSv1:AES256-SHA:256) (Exim 4.89) (envelope-from <huitema@huitema.net>) id 1gtz9J-0005ue-7q for quic@ietf.org; Wed, 13 Feb 2019 19:20:47 +0100
Received: from [10.5.2.15] (helo=xmail05.myhosting.com) by xsmtp05.mail2web.com with esmtps (TLS-1.0:DHE_RSA_AES_256_CBC_SHA1:32) (Exim 4.63) (envelope-from <huitema@huitema.net>) id 1gtz8l-0001gg-Ta for quic@ietf.org; Wed, 13 Feb 2019 13:20:42 -0500
Received: (qmail 28852 invoked from network); 13 Feb 2019 18:20:10 -0000
Received: from unknown (HELO [192.168.200.65]) (Authenticated-user:_huitema@huitema.net@[72.235.197.82]) (envelope-sender <huitema@huitema.net>) by xmail05.myhosting.com (qmail-ldap-1.03) with ESMTPA for <ianswett@google.com>; 13 Feb 2019 18:20:10 -0000
Content-Type: multipart/alternative; boundary="Apple-Mail-DD26C05A-8545-432E-946F-52CE3292A51B"
Mime-Version: 1.0 (1.0)
From: Christian Huitema <huitema@huitema.net>
X-Mailer: iPhone Mail (16D57)
In-Reply-To: <CAN1APddWLdmRo+ZZDnmvrBEFQk4TTcS3UK_9AU4KqAeSkiBvJQ@mail.gmail.com>
Date: Wed, 13 Feb 2019 08:18:53 -1000
Cc: Kazuho Oku <kazuhooku@gmail.com>, Marten Seemann <martenseemann@gmail.com>, Ian Swett <ianswett@google.com>, IETF QUIC WG <quic@ietf.org>, Martin Thomson <mt@lowentropy.net>
Content-Transfer-Encoding: 7bit
Message-Id: <375A63C5-7120-4688-8873-EEA90693332E@huitema.net>
References: <1550022355.557617.1656828112.4DD1CEE6@webmail.messagingengine.com> <CANatvzy_juza_meGR_-KuBV9FA=F754mv54aawxMb8hYWxb1gA@mail.gmail.com> <CAN1APdcVYKWuapZ3XHxXa_nVACwkRD-xeF3ub-5ROttE7QVrmQ@mail.gmail.com> <CAOYVs2ooxAuwu_zr2XZ-y9UqUP5kTbjoFrckAOi40bF9vODGOg@mail.gmail.com> <CAKcm_gNk=jKrnXM4Ht4yF0RX25wtVifjxz0c1gay0uie7PMw6A@mail.gmail.com> <CANatvzxBYzEaDZ1Ftt=o1zT5zVcVTd1EwtGiJOC-mkrNUWzVAQ@mail.gmail.com> <CAN1APdfzepc9DE98UsWw=hB4dM38qKLxdAjpsYuddDBatcscDA@mail.gmail.com> <739AFC55-DD02-47AA-A29E-B9C34ED7D6F9@gmail.com> <CAN1APddWLdmRo+ZZDnmvrBEFQk4TTcS3UK_9AU4KqAeSkiBvJQ@mail.gmail.com>
To: Mikkel Fahnøe Jørgensen <mikkelfj@gmail.com>
Subject: Re: KEYS_READY
X-Originating-IP: 168.144.250.245
X-Spampanel-Domain: xsmtpout.mail2web.com
X-Spampanel-Username: 168.144.250.0/24
Authentication-Results: antispamcloud.com; auth=pass smtp.auth=168.144.250.0/24@xsmtpout.mail2web.com
X-Spampanel-Outgoing-Class: unsure
X-Spampanel-Outgoing-Evidence: Combined (0.22)
X-Recommended-Action: accept
X-Filter-ID: EX5BVjFpneJeBchSMxfU5iwpPlMzY9McWCcnDexe+SB602E9L7XzfQH6nu9C/Fh9KJzpNe6xgvOx q3u0UDjvO37pNwwF1lRXh5rzvPzo9Jts1ujulqUFmMITHM77eiVi9yycgTaoevOymOS184Cx587i TvJ2/ZGzVWB9scFAaCdIFaUvXN+CI+RGy3Me16pB1XpqFDyTB1Bz0n/bLAAUYB/TBCf6oYXAWGet lavcAjD9ytQxIHf9lN5jjLJaPK8l4YBmPrqPoeRXD34azf1rYZv5uZUEePrXZkexHL9EC3AAJAfA 9MMVcQ9WVjD1q+Rbd9IPG/DQ2p+GU04sTuYFs91jhnM/Mbva2XLV/LIEzaKyLm0zESXAkIAT8ZKA DvsGI5uh86ZVnyOrYkLMWyEaRt9fxN2oReTDHAyOynaY0CmHJLVH4DfVNbPXJmiLfub/IRFsicyJ MEhQFtD8PLoiniWmsFByBoXAuCZEyg59LM/9rUJrEbVA84BZVscMTXpbpuxXJTL417vaJWq5kk+j cuidX4Ts4xdG+C13IyWeZaJwAHPn4EuYWIk0YD/RIopThgL6QxS4osK9V1p/ZT+2S/2sJzkTPqLX OxynC3d/lOtk354Leo8WHhg9Xcph2esmZk4AVtnYApSiFQp1w3dnUjMTi5Xt/sRoctxyu5EZ7wRl sQ6lNTZIrBtlLeoEHaVN0z6bhalFEM/pjPCQA+BAlsTokFnU5zYymx0KpbmN9WVZYSpQQtCkh8qZ SV0LCxteHrovWChlJe1YIblhndLZoDa2wbrUn4GCIjlzEzWJjqUhu1/rdU1t/SWu+yxj6TsAzBpI RKEYj3P5LT70ZY4uKweW4Es5GC+3P+x9oa7YqbO9UshveVgoiypAicYsWUtd0ktSrwQbrgk6jfwM HIN4qo4cvttr0tmBjeIn/Z/emtVQvYq5Gwe6V5p1dZXUJLl9UHdlPJIlgYKUOVb4Kg3Ivfi62j4u w/K+m8SGihSRsuS3byv3CjhKpQiDxiH2EAzS5xSvMev/h5X3p2+rThvFRg==
X-Report-Abuse-To: spam@quarantine9.antispamcloud.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic/fh1HnzWZzlvg44ZH3AoGPGZhXGc>
X-BeenThere: quic@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Main mailing list of the IETF QUIC working group <quic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic>, <mailto:quic-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic/>
List-Post: <mailto:quic@ietf.org>
List-Help: <mailto:quic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic>, <mailto:quic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 13 Feb 2019 18:20:52 -0000

 

> On Feb 13, 2019, at 5:55 AM, Mikkel Fahnøe Jørgensen <mikkelfj@gmail.com> wrote:
> 
> The point is that under the rules set by the PR, it is not possible to update keys before a KEYS_ACTIVE / KEYS_READY frame has been received. If such a frame is sent, but lost, there is not path to update keys again. This goes wrong after a (long) while, when the current key is exchausted.
> It does not matter that updates are rare. 

The more I look at it, the more I think that key update / key ready should be treated in much the same way as path challenge / path response. Something like: I just updated my key, can you receive it (challenge); yes, you can see I am using your new key (response). This resolves the debate with ack-or-not (not), and also whether the mechanism can be used to delay update ad infinitum (cannot).

If we use the existing path challenge mechanism, we need to add a restriction that responses must be sent in the same epoch. Or we can invent a new one.

-- Christian Huitema

v2.23.0 | Report a Bug | By Email