Re: Go Back to Single Packet Number Space

Tommy Pauly <tpauly@apple.com> Thu, 26 July 2018 16:09 UTC

From: Tommy Pauly <tpauly@apple.com>
Message-id: <E2A79E78-4498-4C89-9354-542F43E7B834@apple.com>
Subject: Re: Go Back to Single Packet Number Space
Date: Thu, 26 Jul 2018 09:09:24 -0700
In-reply-to: <DM5PR2101MB09015C909CB3527E73E355A8B32B0@DM5PR2101MB0901.namprd21.prod.outlook.com>
Cc: Dmitri Tikhonov <dtikhonov@litespeedtech.com>, "quic@ietf.org" <quic@ietf.org>, Martin Thomson <martin.thomson@gmail.com>
To: Nick Banks <nibanks=40microsoft.com@dmarc.ietf.org>
References: <DM5PR2101MB09016D44959E5796570F3CB7B3540@DM5PR2101MB0901.namprd21.prod.outlook.com> <CABkgnnUTPvrVALX0Xr9xGpJnTHq=yWN48NRqtcQSZ4bzGFjAYA@mail.gmail.com> <20180726030135.GA19322@ubuntu-dmitri> <E2CFE327-4F6B-4217-B248-CE049764187A@apple.com> <DM5PR2101MB09015C909CB3527E73E355A8B32B0@DM5PR2101MB0901.namprd21.prod.outlook.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic/oS4Ywd7ziACbGGTWLnnSnwO_Mo4>

First off, I'd like to +1 to the points Kazuho made, as I think he did a very good job of expressing the concern I have.

To elaborate on the point about separation of spaces making things easier to reason about:

While the table below does indicate that there are 4 different encryption levels/sets of keys, there can and should be a connection between the 0-RTT and 1-RTT spaces.

| Packet Type     | Encryption Level | PN Space  |
|:----------------|:-----------------|:----------|
| Initial         | Initial secrets  | Initial   |
| 0-RTT Protected | 0-RTT            | 0/1-RTT   |
| Handshake       | Handshake        | Handshake |
| Retry           | N/A              | N/A       |
| Short Header    | 1-RTT            | 0/1-RTT   |

Effectively, there are three different levels of trust at play, which determine the type of frame content that may be sent:
- For Initial packets, there is no established trust at all
- For Handshake packets, there is only the established trust that the peers are the same ones that performed the Initial exchange; at this point it is safe to perform authentication
- For both 0-RTT and 1-RTT packets, there is the trust that the peers have completed an authenticated handshake; only here is it safe to send application data

These three levels of trust are not specific to TLS, but a common feature of security handshakes.

Separated packet number spaces allow an implementation to very discretely separate its handling of frames and retransmissions between the three levels of trust. The architecture that this promotes is one that (I hope) is less likely to have bugs in which frames that must only be sent in higher levels of trust are sent in lower levels.

Thanks,
Tommy

> On Jul 25, 2018, at 9:37 PM, Nick Banks <nibanks=40microsoft.com@dmarc.ietf.org> wrote:
> 
> Since there are four encryption levels, the fact that there are only three packet spaces only makes things more confusing IMO. If your argument is that matching them together makes things easier, then I'd think there should be four packet spaces. I think having all this duplication and separation just adds unnecessary complexity.
>  
> Sent from my Windows 10 device
>  
> From: tpauly@apple.com on behalf of Tommy Pauly <tpauly@apple.com>
> Sent: Wednesday, July 25, 2018 9:26:49 PM
> To: Dmitri Tikhonov
> Cc: Martin Thomson; Nick Banks; QUIC WG
> Subject: Re: Go Back to Single Packet Number Space
>  
> As another implementer, I also prefer having the split packet spaces. The point isn't necessarily that it's good to have the triple spaces, but rather that it's nice to have the packet number spaces correspond tightly with the packet types and protection. The logic for handling a space can be treated more uniformly in that way, although it does involve potentially more memory to store the state.
> 
> Thanks,
> Tommy
> 
> > On Jul 25, 2018, at 8:01 PM, Dmitri Tikhonov <dtikhonov@litespeedtech.com> wrote:
> > 
> > On Thu, Jul 26, 2018 at 11:41:48AM +1000, Martin Thomson wrote:
> >> The feedback I've heard is that the simplification is subjective.
> >> Others have said that a single space would complicate their
> >> implementation considerably more.
> > 
> > EKR is one of the "others" [1] -- are there other implementers who
> > prefer the triple packet space?
> > 
> >  - Dmitri.
> > 
> > 1. https://github.com/quicwg/base-drafts/issues/1579#issuecomment-405720217
> > 
>
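The architecture Tommy describes above (four encryption levels, three packet number spaces, three levels of trust, with 0-RTT and 1-RTT sharing a space so that 0-RTT data can be retransmitted under 1-RTT keys) can be sketched as a small sender model. The following is an added example written for this page; it is not code from the thread, from the QUIC drafts, or from any QUIC implementation, and every type, constant and method name in it is hypothetical. It covers only three frame types, using the frame/packet-type rules QUIC eventually settled on for them (CRYPTO and ACK in Initial, Handshake and 1-RTT packets; STREAM only in 0-RTT and 1-RTT packets), and it omits key discard, ack ranges and loss detection.

```go
package main

import (
	"errors"
	"fmt"
)

// Added illustration of the level/space/trust mapping discussed in the thread.
// Not code from any QUIC implementation; all names here are hypothetical.

type EncryptionLevel int

const (
	LevelInitial EncryptionLevel = iota
	LevelHandshake
	Level0RTT
	Level1RTT
)

type PNSpace int

const (
	SpaceInitial PNSpace = iota
	SpaceHandshake
	SpaceAppData // shared by 0-RTT and 1-RTT packets
)

// Four encryption levels map onto three packet number spaces, and each space
// has exactly one "lowest" level whose keys it is retransmitted under.
var spaceOf = [...]PNSpace{SpaceInitial, SpaceHandshake, SpaceAppData, SpaceAppData}
var levelOf = [...]EncryptionLevel{LevelInitial, LevelHandshake, Level0RTT}

func SpaceFor(l EncryptionLevel) PNSpace { return spaceOf[l] }

type FrameType string

const (
	FrameCrypto FrameType = "CRYPTO"
	FrameAck    FrameType = "ACK"
	FrameStream FrameType = "STREAM"
)

// FrameAllowed encodes the trust ladder for a small subset of frame types:
// handshake machinery (CRYPTO, ACK) goes in Initial, Handshake and 1-RTT
// packets; application data (STREAM) only once 0-RTT or 1-RTT keys exist.
func FrameAllowed(l EncryptionLevel, f FrameType) bool {
	switch f {
	case FrameCrypto, FrameAck:
		return l != Level0RTT
	case FrameStream:
		return l == Level0RTT || l == Level1RTT
	}
	return false
}

// Sender keeps a separate packet number counter and in-flight list per space.
type Sender struct {
	nextPN   [3]uint64
	inFlight [3]map[uint64][]FrameType
	haveKeys map[EncryptionLevel]bool
}

func NewSender() *Sender {
	s := &Sender{haveKeys: map[EncryptionLevel]bool{}}
	for i := range s.inFlight {
		s.inFlight[i] = map[uint64][]FrameType{}
	}
	return s
}

func (s *Sender) InstallKeys(l EncryptionLevel) { s.haveKeys[l] = true }

// Send is the single choke point: every frame is checked against the level's
// trust before a packet number is taken from that level's space.
func (s *Sender) Send(l EncryptionLevel, frames ...FrameType) (uint64, error) {
	if !s.haveKeys[l] {
		return 0, fmt.Errorf("no keys for level %d", l)
	}
	for _, f := range frames {
		if !FrameAllowed(l, f) {
			return 0, fmt.Errorf("%s frame not permitted at level %d", f, l)
		}
	}
	sp := SpaceFor(l)
	pn := s.nextPN[sp]
	s.nextPN[sp]++
	s.inFlight[sp][pn] = frames
	return pn, nil
}

// Retransmit re-sends a lost packet's frames. The space fixes the level, so
// Initial/Handshake data can never drift to another level; in the shared
// application-data space, frames first sent in 0-RTT go out under 1-RTT keys
// once those exist, which is why 0-RTT and 1-RTT share one space.
func (s *Sender) Retransmit(sp PNSpace, lostPN uint64) (EncryptionLevel, uint64, error) {
	frames, ok := s.inFlight[sp][lostPN]
	if !ok {
		return 0, 0, errors.New("unknown packet number in this space")
	}
	delete(s.inFlight[sp], lostPN)
	l := levelOf[sp]
	if sp == SpaceAppData && s.haveKeys[Level1RTT] {
		l = Level1RTT
	}
	pn, err := s.Send(l, frames...)
	return l, pn, err
}
```

The design point is that `Send` is the only place a packet number is allocated, and it is keyed by encryption level, so a STREAM frame can only ever be written into the application-data space and an Initial CRYPTO retransmission can only ever go back out as an Initial packet; a single shared packet number counter would not by itself prevent either mistake. The cost, as noted earlier in the thread, is one counter and one in-flight table per space rather than one for the connection.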