IETF Logo Mail Archive

Re: KEYS_READY

"Martin Thomson" <mt@lowentropy.net> Fri, 08 March 2019 03:38 UTC

Return-Path: <mt@lowentropy.net>
X-Original-To: quic@ietfa.amsl.com
Delivered-To: quic@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2DB3213108C for <quic@ietfa.amsl.com>; Thu, 7 Mar 2019 19:38:49 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level:
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=lowentropy.net header.b=BS5GYBNo; dkim=pass (2048-bit key) header.d=messagingengine.com header.b=p8VB3HmS
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kqXKonj_LYoE for <quic@ietfa.amsl.com>; Thu, 7 Mar 2019 19:38:46 -0800 (PST)
Received: from new3-smtp.messagingengine.com (new3-smtp.messagingengine.com [66.111.4.229]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 76529131071 for <quic@ietf.org>; Thu, 7 Mar 2019 19:38:46 -0800 (PST)
Received: from compute1.internal (compute1.nyi.internal [10.202.2.41]) by mailnew.nyi.internal (Postfix) with ESMTP id D7C3A154E2 for <quic@ietf.org>; Thu, 7 Mar 2019 22:38:43 -0500 (EST)
Received: from imap2 ([10.202.2.52]) by compute1.internal (MEProxy); Thu, 07 Mar 2019 22:38:43 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=lowentropy.net; h=message-id:in-reply-to:references:date:from:to:subject :content-type:content-transfer-encoding; s=fm1; bh=3aMxTU4GAWyBr 3BEJTsBtKrusxbgwykQNEWD7Ef0vic=; b=BS5GYBNoNdoNAl5sHfkXHBmcGg7ez sITHyEBlTjRu7wacPjdrEdAkmMYEbyzyn0vy1UEdnNgRW05CXi4jDj+QMjdthTf3 ghOt5FllDnJPVbevCRwTwdxTJ7w86Uy0tAN7Sb9YCXym24/GJktBew40i4gQ+TPj ZGgB4Ov1rFTlfUpQuVgD3HdfFI3M4TTNYEGrUbJFHnfq16/HGnffLPWk4oTCInke NTVcTj74xHraLP6PVZY5IFSXO2kX/KwI4G4Kz0ONVPDZ1JRIAA9oGQD2M1Yi9ptK 0HuniBqDxC6PyLp+yKZgzS8Tl0FJDql9egqSSNL/LUnR6B/dEWIDAHQKA==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=content-transfer-encoding:content-type :date:from:in-reply-to:message-id:references:subject:to :x-me-proxy:x-me-proxy:x-me-sender:x-me-sender:x-sasl-enc; s= fm2; bh=3aMxTU4GAWyBr3BEJTsBtKrusxbgwykQNEWD7Ef0vic=; b=p8VB3HmS i3gnxooclhDy9VHsKoLWMOS8CthMFaAjRMY9hVYcX8eRjDU3qwm/afsrojztp7Sb O6Gjq3wr3MMYt4d0KNPh6I+RWFZxP6u6YUjJTgoBRhMVper1IEYgQpPcNfllaOOl 5Y0VD4mNr4ian5Qs5RbXo90bx6S+beYWzn6X8tkVQ3ZDk30ZFSsvmphSkYLf6Y/C RaXLCzvR5jONrrQLRBj94GymsPTGsIT2CIOW2Q5IW+UcWB974gyk72/3ecMlYcqe PTk4i+3KoKG+HhJgy1j2fpSNMsrRlw7RMXiS/zweV6gwgh/ayM5Sp5GhMkIkwhnJ FRnUlMjpJNx/GQ==
X-ME-Sender: <xms:w-OBXDUMzShddjJVRWuK6ER4A5BKLOQQDaaNmFdlPPm_PUm42yZ0ow>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedutddrfeelgdehiecutefuodetggdotefrodftvf curfhrohhfihhlvgemucfhrghsthforghilhdpqfgfvfdpuffrtefokffrpgfnqfghnecu uegrihhlohhuthemuceftddtnecuogfthfevqddqufhushhpvggtthfgmhgrihhlohhrkf guqdffohhmrghinhculddutddtmdenucfjughrpefofgfkjghffffhvffutgfgsehtqher tderreejnecuhfhrohhmpedfofgrrhhtihhnucfvhhhomhhsohhnfdcuoehmtheslhhofi gvnhhtrhhophihrdhnvghtqeenucffohhmrghinhepghhithhhuhgsrdgtohhmpdhivght fhdrohhrghenucfrrghrrghmpehmrghilhhfrhhomhepmhhtsehlohifvghnthhrohhphi drnhgvthenucevlhhushhtvghrufhiiigvpedt
X-ME-Proxy: <xmx:w-OBXADf_iL9Vqc5JVuRmA06AUjN_eLYKRLeLU468ZDnBoXfomn9Dg> <xmx:w-OBXKsHGFNWWsdgDumO-JnDKG0h2TnYAfUBswA7IbD3ZdYMxe2A0Q> <xmx:w-OBXLqRZzawMaaYYqxUlZ6YszzhFfQSEm21xdeitRjPVGx8qoG9Fg> <xmx:w-OBXC8heENr16zA3m9wx4sEU_vgkSXgPE_Jl2J7xo_cVKOeUc0Hxw>
Received: by mailuser.nyi.internal (Postfix, from userid 501) id 430347C1EB; Thu, 7 Mar 2019 22:38:43 -0500 (EST)
X-Mailer: MessagingEngine.com Webmail Interface
User-Agent: Cyrus-JMAP/3.1.5-925-g644bf8c-fmstable-20190228v5
X-Me-Personality: 92534000
Message-Id: <c4198fc7-d5be-4dd2-80fe-f0adc1db0c77@www.fastmail.com>
In-Reply-To: <CANatvzxD8fphJ1+sGOC_Qgi4BKU0=RaWe=DTkt+OPP_cMqbQjQ@mail.gmail.com>
References: <1550022355.557617.1656828112.4DD1CEE6@webmail.messagingengine.com> <CANatvzy_juza_meGR_-KuBV9FA=F754mv54aawxMb8hYWxb1gA@mail.gmail.com> <CAN1APdcVYKWuapZ3XHxXa_nVACwkRD-xeF3ub-5ROttE7QVrmQ@mail.gmail.com> <CAOYVs2ooxAuwu_zr2XZ-y9UqUP5kTbjoFrckAOi40bF9vODGOg@mail.gmail.com> <CAKcm_gNk=jKrnXM4Ht4yF0RX25wtVifjxz0c1gay0uie7PMw6A@mail.gmail.com> <CANatvzxBYzEaDZ1Ftt=o1zT5zVcVTd1EwtGiJOC-mkrNUWzVAQ@mail.gmail.com> <CAN1APdfzepc9DE98UsWw=hB4dM38qKLxdAjpsYuddDBatcscDA@mail.gmail.com> <739AFC55-DD02-47AA-A29E-B9C34ED7D6F9@gmail.com> <CAN1APddWLdmRo+ZZDnmvrBEFQk4TTcS3UK_9AU4KqAeSkiBvJQ@mail.gmail.com> <375A63C5-7120-4688-8873-EEA90693332E@huitema.net> <CANatvzxoOFzpkcH_4VpQscpZq8ak0QL0D6REvyJVjE+ga97SVQ@mail.gmail.com> <1550111606.3717440.1657643080.033E200B@webmail.messagingengine.com> <ae018a6d-4c9a-acc7-4213-21d1670f9dad@huitema.net> <1550117510.928793.1657684264.41D049FA@webmail.messagingengine.com> <CACpbDcfbEcg70RwpFrCQ2X6WA0Dd7ygd=Q0w7iwKc-ZgZQbZ0w@mail.gmail.com> <1550120733.954579.1657700168.72A8F92A@webmail.messagingengine.com> <CAOYVs2qQJgGNhXJNjhE8L=wxBgq+3qs144WYXs0JoWNBrK_a6A@mail.gmail.com> <DB6PR10MB1766128EAD7248F02C1EAFA5AC670@DB6PR10MB1766.EURPRD10.PROD.OUTLOOK.COM> <DB6PR10MB176684E61A66BF01C66008F6AC670@DB6PR10MB1766.EURPRD10.PROD.OUTLOOK.COM> <CAPDSy+5MSST-Nkoi+oaRzSLDJCYqhUmKw1nP_p4fOyq7cfK17w@mail.gmail.com> <CAJ_4DfRKrYOyozbp4GmPNODnZ_sKTECXbMa5Vsuxa4zmubERHQ@mail.gmail.com> <MWHPR22MB0991FCD3ADA97790B238E491DA670@MWHPR22MB0991.namprd22.prod.outlook.com> <CAPDSy+4=YYyTe5=85X09e1kAB7TrmmNXK-2wnLZubfS1ekWRJA@mail.gmail.com> <f2e59f1c-b7d5-49ce-affc-7d16684a048a@www.fastmail.com> <CAPDSy+4sKR99Fwqt+08JevAmC7E4LUSohUrQgVc+5BA56CLEkQ@mail.gmail.com> <b4364dee-a429-45c5-8b56-b82269f1ab2e@www.fastmail.com> <CAPDSy+4idHMDpNya42K5fxRQ6tFUoOXz9bi8K2eU8u-xRiOB3g@mail.gmail.com> <045bbf5b-04e4-4f9f-886b-f7ff9254bdab@www.fastmail.com> <CAPDSy+4iTM1wYpr04fmqOULct5LrB4UnDiPz_K9vGSd3oB=4eg@mail.gmail.com> <CANatvzyoEJZBWhBEBLMcysv_GTEKHup02++RAj_XX+SztVQm1g@mail.gmail.com> <CAPDSy+4kFMhpyHrvcQhT+rwnwfraOb0eBs=eOQPTNGWWJV51Kg@mail.gmail.com> <7879ac68-5a8e-4b5e-a81f-03b851be8328@www.fastmail.com> <CACdeXi+dAPro=J7Nh9KbdQBYo3Ssup0r-x-WsppfEriJEWYwdg@mail.gmail.com> <b33833e0-d458-4683-b41c-a4b6c38f40f3@www.fastmail.com> <CAPDSy+5-fSw=fM=xsXAkmA1XHErFY0O7qy9ct0-w0M-F52NKKQ@mail.gmail.com> <CANatvzxD8fphJ1+sGOC_Qgi4BKU0=RaWe=DTkt+OPP_cMqbQjQ@mail.gmail.com>
Date: Thu, 07 Mar 2019 22:38:44 -0500
From: Martin Thomson <mt@lowentropy.net>
To: quic@ietf.org
Subject: Re: KEYS_READY
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic/mtH0wg1fKTlI-Ke4j1oDKNE4O4o>
X-BeenThere: quic@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Main mailing list of the IETF QUIC working group <quic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic>, <mailto:quic-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic/>
List-Post: <mailto:quic@ietf.org>
List-Help: <mailto:quic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic>, <mailto:quic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 08 Mar 2019 03:38:49 -0000

Unfortunately, I don't see this as accelerating discussion.  I appreciate having the proposal, but I suspect we're going to need to decide this in Prague.

On Fri, Mar 8, 2019, at 14:29, Kazuho Oku wrote:
> Hoping to accelerate the discussion, I have created yet another PR
> that tries to solve the problem.
> 
> https://github.com/quicwg/base-drafts/pull/2504
> 
> I've tried to take a very conservative approach in the PR, partly
> because I think it's good to do so at a late stage of standardization
> process, and also because it helps us figure out the range of the
> choices we have in addressing the issue.
> 
> The PR, in short, introduces a MAX_KEY_UPDATES frame, that let's
> endpoints communicate the cumulative number of key updates that are
> permitted, just like MAX_STREAMS permit the cumulative number of
> streams that can be opened. It concentrates on dropping the 0-RTT,
> Handshake and previous generations of 1-RTT keys, without touching how
> the Initial keys are dropped.
> 
> Please let me know what you think. Thank you in advance.
> 
> 2019年3月2日(土) 8:50 David Schinazi <dschinazi..ietf@gmail.com>:
> >
> > Thanks Martin and Nick.
> >
> > I agree that my proposal needs a lot of work to get the wording right, but I think the difference between that and MT's is when you send the frame:
> > - MT's model is to send it when you're not expecting to receive anything anymore
> > - my model is to send it when you know you won't be sending anymore
> >
> > I believe letting the sender decide is easier to reason about and will help down the road, even if it has the downside of keeping the handshake keys around for an extra RTT on the server.
> >
> > David
> >
> > On Thu, Feb 28, 2019 at 10:15 PM Martin Thomson <mt@lowentropy.net> wrote:
> >>
> >> I see.  That's not clear.  It might have helped to explain that in the email announcing the proposal, because the PR contains errors that are quite confusing.  The PR never really defines what "done with keys" means either..
> >>
> >> If that is the only difference then we can talk about the implications of driving state based on ACK frames, which we've not done in the past.  Leaving the ugly exception for Initial aside, I suspect that this is much harder to implement, because you have to track where data was first sent in order to send the frame at the right time.  That's easy enough for CRYPTO frames, which are basically all you have during the handshake, but in order to implement it for key updates you need visibility into which packets are still outstanding.  That requires a new type of access to the loss recovery module.
> >>
> >> I see quite a few omissions and mistakes in the PR.  For instance, this doesn't address the concerns about retransmissions of the frame across key updates.  It also shows the server sending the frame in Handshake packets before it could have received ACKs.  Hence my confusion.
> >>
> >> On Fri, Mar 1, 2019, at 16:21, Nick Harper wrote:
> >> > There is one difference between the RETIRE_KEYS and KEYS_ACTIVE PRs
> >> > (besides the name of the new frame):
> >> >
> >> > With RETIRE_KEYS, the client doesn't send it until the Client Finished
> >> > has been ACKed. With KEYS_ACTIVE, the client MUST send it in its first
> >> > 1-RTT packet, while the server MUST NOT process that 1-RTT packet until
> >> > it has received the Client Finished.
> >> >
> >> > Even though they do basically the same thing, I think it's much easier
> >> > to understand the logic in the RETIRE_KEYS PR. The logic for
> >> > RETIRE_KEYS is "I send RETIRE_KEYS when I don't need to send or receive
> >> > anything more at the previous encryption level." After re-reading the
> >> > KEYS_ACTIVE PR, I don't see a similar underlying principle for when
> >> > it's sent, just a set of rules to follow.
> >> >
> >> > On Thu, Feb 28, 2019 at 7:37 PM Martin Thomson <mt@lowentropy.net> wrote:
> >> > > I don't get it. This is the same proposal. With fewer editorial changes, perhaps.
> >> > >
> >> > >  On Fri, Mar 1, 2019, at 11:30, David Schinazi wrote:
> >> > >  > Since this conversation has quieted down for two weeks, I went ahead
> >> > >  > and wrote up the RETIRE_KEYS proposal:
> >> > >  > https://github.com/quicwg/base-drafts/pull/2492
> >> > >  >
> >> > >  > I believe this is simpler to reason about than the KEYS_ACTIVE proposal
> >> > >  > and safer as it makes less assumptions about the handshake protocol.
> >> > >  >
> >> > >  > Please let me know what you think, and I believe we should keep the
> >> > >  > discussion here instead of on the PR.
> >> > >  >
> >> > >  > David
> >> > >  >
> >> > >  > On Thu, Feb 14, 2019 at 5:51 PM Kazuho Oku <kazuhooku@gmail.com> wrote:
> >> > >  > > 2019年2月15日(金) 9:18 David Schinazi <dschinazi.ietf@gmail.com>:
> >> > >  > > >
> >> > >  > > >
> >> > >  > > >
> >> > >  > > > On Thu, Feb 14, 2019 at 3:45 PM Martin Thomson <mt@lowentropy...net> wrote:
> >> > >  > > >>
> >> > >  > > >> On Fri, Feb 15, 2019, at 09:47, David Schinazi wrote:
> >> > >  > > >> > This means that the server sends KEYS_ACTIVE(1-RTT) not when the 1-RTT
> >> > >  > > >> > keys are active,
> >> > >  > > >> > but instead when the handshake finishes, which is when the server has
> >> > >  > > >> > received the client finished.
> >> > >  > > >> > Those are two different moments in time.
> >> > >  > > >>
> >> > >  > > >> Yes, because the keys aren't active when the server starts sending 1-RTT packets. They are only active when the server starts reading 1-RTT. The server can't activate its 1-RTT reading keys until the handshake is complete.
> >> > >  > > >
> >> > >  > > >
> >> > >  > > > Ah, thanks. Looking at it this way it makes sense to me - we may want to make the text clearer in case I'm not the only one who was confused.
> >> > >  > > >
> >> > >  > > >>
> >> > >  > > >> That's why I chose to name this KEYS_ACTIVE(this), not RETIRE_KEYS(prev), but I don't really mind what it is called.
> >> > >  > > >
> >> > >  > > >
> >> > >  > > > I don't feel strongly about names either as long as they make sense - and now KEYS_ACTIVE also makes sense to me - so either name is fine by me.
> >> > >  > > >
> >> > >  > > >>
> >> > >  > > >> > My proposal is to have the client decide when it is done with the
> >> > >  > > >> > handshake keys by having the client
> >> > >  > > >> > delay sending RETIRE_KEYS(Handshake) instead of the server delaying
> >> > >  > > >> > sending KEYS_ACTIVE(1-RTT).
> >> > >  > > >>
> >> > >  > > >> This requires that the client send more Handshake packets. And it adds a lot of delay because the client has to wait until all its packets are acknowledged. We previously agreed that any such signal from the server is more direct and effective.
> >> > >  > > >
> >> > >  > > >
> >> > >  > > > I don't think it means more handshake packets. And it's still a direct signal between endpoints. The only difference is that the client-to-server RETIRE_KEYS message is delayed by one RTT compared to its KEYS_ACTIVE message so the server will wait one RTT before throwing away handshake keys. But it has the advantage of not requiring any implicit ACKs. So the tradeoff we're facing is between allowing the server to throw away keys sooner at the cost of making implicit decisions. This implicitness means KEYS_ACTIVE does not allow the client to be able to send anything in Handshake after the ClientFinished. I'm worried that might prevent protocol changes down the road.
> >> > >  > > >
> >> > >  > > > I'm still in favor of paying the one RTT before key deletion to make the protocol more explicit.
> >> > >  > >
> >> > >  > > I share the same view.
> >> > >  > >
> >> > >  > > Admittedly, it means that then the frame would no longer be useful for
> >> > >  > > dropping the Initial keys, assuming that we want to drop them ASAP as
> >> > >  > > we do now.
> >> > >  > >
> >> > >  > > But even with that downside, I think it makes sense to delay when the
> >> > >  > > handshake and each generation of 1-RTT keys are dropped. After all, we
> >> > >  > > can argue that the requirement for when to drop the Initial keys is
> >> > >  > > exceptional due to security concerns.
> >> > >  > >
> >> > >  > > Hence something like
> >> > >  > > https://mailarchive.ietf.org/arch/msg/quic/NNOzxNWldmfiUN9avCdiQMNVXMw.
> >> > >  > >
> >> > >  > > --
> >> > >  > > Kazuho Oku
> >> > >
> >>
> 
> 
> -- 
> Kazuho Oku
> 
>

v2.23.0 | Report a Bug | By Email