IETF Logo Mail Archive

Re: Should server enforce post-Retry packet numbering?

Jana Iyengar <jri.ietf@gmail.com> Sat, 08 August 2020 01:31 UTC

Return-Path: <jri.ietf@gmail.com>
X-Original-To: quic@ietfa.amsl.com
Delivered-To: quic@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7A3123A0786 for <quic@ietfa.amsl.com>; Fri, 7 Aug 2020 18:31:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jKu5WM6AwfoS for <quic@ietfa.amsl.com>; Fri, 7 Aug 2020 18:31:21 -0700 (PDT)
Received: from mail-lj1-x231.google.com (mail-lj1-x231.google.com [IPv6:2a00:1450:4864:20::231]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C50523A0788 for <quic@ietf.org>; Fri, 7 Aug 2020 18:31:20 -0700 (PDT)
Received: by mail-lj1-x231.google.com with SMTP id i10so4056526ljn.2 for <quic@ietf.org>; Fri, 07 Aug 2020 18:31:20 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=l6PnYGOckZm2QSIiMTvC85jjidBxYle5lT9ZFTeWV3w=; b=cu7Vsl9rc4L5XhLTMGQpxWC2BszM7N90uhh0tl80v+ewNhD5mvsHzxJa3urD0HjRMJ ROjZUvEd0wYpMjeuza2jwm17s1oWfnuZisIjQ5wNruwySu6v4V4E2P/LPwfqA044jZmX WSuejN9WdiRS5Ef3+6V5LUmvyhi3BPsz8yyiV8BYAPsHzecJiU/k7Vuns1a4z5OkiJCc pyprLn1vD2ZuIBm3KWn/RUnFYerzm3Y/1Gxtcp4oB5RE304XnSM/yb4KpbFWv0whdVcY YTWuS7+d91uuihZKANOJyEjS5Xc9YHPEn+2JfqO1nHwqRn+/aa41UdqPgiSD9vUkugTA kBZw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=l6PnYGOckZm2QSIiMTvC85jjidBxYle5lT9ZFTeWV3w=; b=ldFVrDXmG8LyyopzJhHjZbtbJ6DFVd39EFHr8Yj/W48Lkc9BxLGQcMRVcQBw+Hy6ED QrGwK8TYhiuSj7BOPED5QwVAV6amWkhGQrLO+TRlO89Z8nXTRYiWfgCtUbyFJeiEzwkb szvZ4vzmaiqZewqkzb2jwFFu1iRLeKSElvzpDBZExypPTRbvj5aOPb7ICyX96zWiqlUe C5P2lDt7Tq1VEi1VNAPPpdBqmxrADgHWEVnXgFbLzK60cp1bArGJG6ZJMw7tOUpV30/4 f11WagqqsrMDvqlqhvDvigUvu7oNptwfl0XmQFwsrLwqY4mg04IBHpHWrb/OSe83D4Ob L15w==
X-Gm-Message-State: AOAM5316O2t/LOx4qUuunUTf56D421Q8WFh5doVEOCbSwPsGgW3KGRsn O8zUsjFEh6wQjWYC8KI0rVDsRYeLE793VWX3CEY=
X-Google-Smtp-Source: ABdhPJycmnJQDFYu5rd7SvSn9RHrpj+yPkSO1yjOH9o3EC3R75PBinbyemrUG2RBkCe3QF+lwZ72+fP0sdGOZheePsM=
X-Received: by 2002:a2e:9cd6:: with SMTP id g22mr1984840ljj.344.1596850278885; Fri, 07 Aug 2020 18:31:18 -0700 (PDT)
MIME-Version: 1.0
References: <20200807135410.GA20644@lubuntu> <CAOYVs2rrLmTAduugrupBvLWV0futJUne7r1EU3ix7OWFMqLm2Q@mail.gmail.com>
In-Reply-To: <CAOYVs2rrLmTAduugrupBvLWV0futJUne7r1EU3ix7OWFMqLm2Q@mail.gmail.com>
From: Jana Iyengar <jri.ietf@gmail.com>
Date: Fri, 07 Aug 2020 18:31:08 -0700
Message-ID: <CACpbDcdSpw2O-9wi_FZymB0HGpRVm8JNuVzi+pXyE_Qf5oHkyg@mail.gmail.com>
Subject: Re: Should server enforce post-Retry packet numbering?
To: Marten Seemann <martenseemann@gmail.com>
Cc: IETF QUIC WG <quic@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000a1ee3205ac53ad3d"
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic/lwOSaF7KYV_dWeAZmgEqXWAsJ80>
X-BeenThere: quic@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Main mailing list of the IETF QUIC working group <quic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic>, <mailto:quic-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic/>
List-Post: <mailto:quic@ietf.org>
List-Help: <mailto:quic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic>, <mailto:quic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 08 Aug 2020 01:31:23 -0000

I think a "can" is enough here. A client that doesn't respect this risks
running into a server that enforces this MUST NOT and shoots the
connection. Is there a reason to recommend it?

On Fri, Aug 7, 2020 at 5:47 PM Marten Seemann <martenseemann@gmail.com>
wrote:

> I'm not sure if I'd increase the size of the token for this check in my
> implementation, but if you don’t care about a few extra bytes, it probably
> won’t hurt to perform this check.
> I'm a bit skeptical if a SHOULD is warranted here though, as the worst
> that can happen is a nonce reuse for a key that's publicly known anyway. Of
> course, this might change once a client uses ECH or some kind of version
> aliasing.
>
> That said, I just added a check for this on the interop runner (
> https://github.com/marten-seemann/quic-interop-runner/pull/130) Clients
> will now fail the Retry test if they don't increase the packet number on
> Retry.
>
> On Fri, Aug 7, 2020 at 20:54 Dmitri Tikhonov <dtikhonov@litespeedtech.com>
> wrote:
>
>> Hello,
>>
>>
>>
>> In a couple of threads on Slack, Lars reminded me of an interesting
>>
>> MUST NOT in the transport draft:
>>
>>
>>
>> " A client MUST NOT reset the packet number for any packet number space
>>
>> " after processing a Retry packet; Section 17.2.3 contains more
>>
>> " information on this.
>>
>>
>>
>> This made me wonder whether the server should check that the client
>>
>> indeed did not reset the packet number.  This is possible to do by
>>
>> including the packet number into the Retry token and then comparing
>>
>> this value with the number of the packet that carries the token back.
>>
>>
>>
>> I could not find such SHOULD in the draft.  Should it be included?
>>
>> E.g. "The server SHOULD abort the connection if it detects that packet
>>
>> numbers were reset upon Retry."
>>
>>
>>
>>   - Dmitri.
>>
>>
>>
>>

v2.46.0 | Report a Bug | By Email | System Status