IETF Logo Mail Archive

RE: Consensus Calls for Transport/TLS issues, post-Cupertino

Mike Bishop <mbishop@evequefou.be> Wed, 23 October 2019 18:53 UTC

Return-Path: <mbishop@evequefou.be>
X-Original-To: quic@ietfa.amsl.com
Delivered-To: quic@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 34F8012087B for <quic@ietfa.amsl.com>; Wed, 23 Oct 2019 11:53:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=evequefou.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id s6eLV-I4w6_v for <quic@ietfa.amsl.com>; Wed, 23 Oct 2019 11:53:51 -0700 (PDT)
Received: from NAM05-CO1-obe.outbound.protection.outlook.com (mail-eopbgr720104.outbound.protection.outlook.com [40.107.72.104]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 64FAC12029C for <quic@ietf.org>; Wed, 23 Oct 2019 11:53:51 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=CdqyIw0eextgtCZOwPrherbl4nd84yNKw6YIc0toYTT+3XXR63yT+fHdXa19OfHG47L/GoxbFhvEwoeR5veHsW9OZBqfA8m1sXZR2Ib+dgbE2dxnKwpD3362U0iIfq6r0vySDTcM7yZ5n/XpFlJ6cyVwI5m0agjTtcMr3Tg4IhsM3jUI0kgfk7vL+ftBTkFNdu+39ZvsLuoXbls0LS4Oh2eziNsY/SNFT5w3GGgeqHbqEPv2rR7Z/0FKALZv1Di4DEzPUEWD38m383xu7XS2Wbg7p73EPAmuiwbXkdl9IzwBqdkC5yo7yemMaE5BYHOMkVKVUExO+XoP8FRsLjlrgw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=phawMbFtwT3ITsoMSerLwCip9g5sjLJbIw1fjDwbPWM=; b=UqGc/ZVx6pJ6s/RPayWFBMGorWNQ9t/3KqtU8OIBC/8a3JGYkDr57Lnc89ANh8XZB4aQ815cr464gcqxAufH9XYT3pdRdm7WxX4nKVw6R4ZpQ6jOt3vylMkHx0lGrSEc20j5lUHVAIP/iYLabKtOHMBdwsRRpAVtt2L1ICuQwaBJ0yUnuh4Orb7FRPrFpnKIBIJSavHwW00J0CjuHo2TPW8PD2mrkiteZEDRiEwuLJ7ObNtp0frgD/J+WGfxah4BaDRxz0Sowjh0IgyC+kmcoa56D8t9aSqa8dtGd2jWBo16EOQoMaugWuwpglmcbF7XIVdXlgCMRT2PKo7/CPbRMA==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=evequefou.be; dmarc=pass action=none header.from=evequefou.be; dkim=pass header.d=evequefou.be; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=evequefou.onmicrosoft.com; s=selector2-evequefou-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=phawMbFtwT3ITsoMSerLwCip9g5sjLJbIw1fjDwbPWM=; b=aDGmDRt222ehKJMivRx7aGuS1ZNmOKHrrKaAhiWW3dClnVVyVHsDE1BdkpV1n80l/URC+DY9V7QZpB2baFLbCRg0dcUzSYz7Z1xUgYRd2fRK2V7XCVUN1CzNQ/boaXtH8JH2IpdfNEMz8hMU+ok4Xbi1jNXWZImLe272D29TyM4=
Received: from BN6PR2201MB1700.namprd22.prod.outlook.com (10.161.152.144) by BN6PR2201MB1715.namprd22.prod.outlook.com (10.161.158.155) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2387.20; Wed, 23 Oct 2019 18:53:32 +0000
Received: from BN6PR2201MB1700.namprd22.prod.outlook.com ([fe80::d9e:768a:ed0e:5a04]) by BN6PR2201MB1700.namprd22.prod.outlook.com ([fe80::d9e:768a:ed0e:5a04%3]) with mapi id 15.20.2367.022; Wed, 23 Oct 2019 18:53:31 +0000
From: Mike Bishop <mbishop@evequefou.be>
To: David Schinazi <dschinazi.ietf@gmail.com>, Jana Iyengar <jri.ietf@gmail.com>
CC: Mikkel Fahnøe Jørgensen <mikkelfj@gmail.com>, IETF QUIC WG <quic@ietf.org>, Martin Thomson <mt@lowentropy.net>, Kazuho Oku <kazuhooku@gmail.com>
Subject: RE: Consensus Calls for Transport/TLS issues, post-Cupertino
Thread-Topic: Consensus Calls for Transport/TLS issues, post-Cupertino
Thread-Index: AQHViHGZIuF5g6IoEE6LYrhgawqNGqdl3+KAgAACSQCAABB9gIAAJugAgAAEuICAACuwgIAAzYuAgAF9CnA=
Date: Wed, 23 Oct 2019 18:53:31 +0000
Message-ID: <BN6PR2201MB17008576E4F8400B5DDB696FDA6B0@BN6PR2201MB1700.namprd22.prod.outlook.com>
References: <4D6397AF-B411-4E67-AFD2-76E8F2AD462C@mnot.net> <CANatvzwYA-NN+p5jLu4vpgKY_G-ZoUM03CacZWS2FAPyPqgiiw@mail.gmail.com> <BN3PR00MB0083E9A10A58F4CCC7B8A5C6B3680@BN3PR00MB0083.namprd00.prod.outlook.com> <22517ab5-9a6c-4486-b7ea-03badc064cbe@www.fastmail.com> <CANatvzx=RWB1Bio7tqX7nN_Vn1SfSaE69LZbuiU5pWeXP=BwNQ@mail.gmail.com> <DB6PR10MB176678E88FF226C2EB8FF78EAC680@DB6PR10MB1766.EURPRD10.PROD.OUTLOOK.COM> <CACpbDccOe01VBjwwy=mdSi5nync8bXa506OMTbLPpBH-hoj4Sw@mail.gmail.com> <CAPDSy+4S06qHBbitdH07Ah6gJYV+ZMY4huYLVGw14Q-n6isCrg@mail.gmail.com>
In-Reply-To: <CAPDSy+4S06qHBbitdH07Ah6gJYV+ZMY4huYLVGw14Q-n6isCrg@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=mbishop@evequefou.be;
x-originating-ip: [2600:2b00:931f:a301:74fe:e1eb:9fd7:63dc]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 8a86e60f-f6d1-4086-adbc-08d757ea4cd3
x-ms-traffictypediagnostic: BN6PR2201MB1715:
x-microsoft-antispam-prvs: <BN6PR2201MB171507322C224E256C6D88DCDA6B0@BN6PR2201MB1715.namprd22.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:9508;
x-forefront-prvs: 019919A9E4
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(979002)(396003)(346002)(136003)(366004)(39830400003)(376002)(51444003)(189003)(199004)(31014005)(7696005)(25786009)(66946007)(76116006)(561944003)(64756008)(6116002)(790700001)(5660300002)(66476007)(66446008)(229853002)(52536014)(66556008)(74316002)(508600001)(76176011)(99286004)(316002)(54906003)(8936002)(110136005)(81156014)(81166006)(8676002)(14454004)(7736002)(440504004)(517774005)(54896002)(6306002)(9686003)(71200400001)(71190400001)(236005)(102836004)(14444005)(55016002)(6436002)(66574012)(6506007)(5070765005)(53546011)(186003)(476003)(6246003)(4326008)(11346002)(46003)(486006)(446003)(2906002)(33656002)(256004)(86362001)(969003)(989001)(999001)(1009001)(1019001); DIR:OUT; SFP:1102; SCL:1; SRVR:BN6PR2201MB1715; H:BN6PR2201MB1700.namprd22.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; MX:1; A:1;
received-spf: None (protection.outlook.com: evequefou.be does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: ZVZH+dorZZijRjTm2n4lemZ12waWlSXeeyId4dK618XWmqzG+bbetRGa2BObt+7O4xAdR4jBagdfsbYDTtvb298pCxcV2rexDCTMcoPEb+1KrR1fUNVr58Op3KmpB4W1/LO2ce6te7oDhU6zAjL8d4NGNbK7geCEpOh5cyQVRFg+4CbhaYIO9L/HUr2vM2fPkZuz8k0fwDVdJ43Q8n+zEPXV1Ih3xa4nS1fT+5t8Lcl+XgjfmMC7yhZEem/HeT+ANcDkYkHNHWdUvosBKp12+EDbY4eaHZo0pJ8I6f31lUx3zkhn3opjNNumLPPqiKlpvlPrpOYMjTYJVyn9eLJYknV5OhiQvGYFXcqpxOr+yAMGgwBLF65fm5hHTypnc8M9J5LihloRjCDn0HNLAJhQXG01cjf3S6X20aySRPsUvvTu29uhmK4Ol+1wBXQHODqc
x-ms-exchange-transport-forked: True
Content-Type: multipart/alternative; boundary="_000_BN6PR2201MB17008576E4F8400B5DDB696FDA6B0BN6PR2201MB1700_"
MIME-Version: 1.0
X-OriginatorOrg: evequefou.be
X-MS-Exchange-CrossTenant-Network-Message-Id: 8a86e60f-f6d1-4086-adbc-08d757ea4cd3
X-MS-Exchange-CrossTenant-originalarrivaltime: 23 Oct 2019 18:53:31.6840 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 41eaf50b-882d-47eb-8c4c-0b5b76a9da8f
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: 4CHAmCCvTwVfRmciTPCberW3wB3TvY8EbeP5elwqY8gh/kSZkQR595qJ0BeuN/FBaOVPRP2ZD8TE2VWxcfyBkQ==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BN6PR2201MB1715
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic/q9-mIPDfM24U2mtP6wn7J_fu9YE>
X-BeenThere: quic@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Main mailing list of the IETF QUIC working group <quic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic>, <mailto:quic-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic/>
List-Post: <mailto:quic@ietf.org>
List-Help: <mailto:quic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic>, <mailto:quic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 23 Oct 2019 18:53:55 -0000

I think we’ve amply demonstrated that implicit signals don’t work.  I’d like to see an explicit confirmation of handshake completion that happens at 1-RTT.

From: QUIC <quic-bounces@ietf.org> On Behalf Of David Schinazi
Sent: Tuesday, October 22, 2019 4:07 PM
To: Jana Iyengar <jri.ietf@gmail.com>
Cc: Mikkel Fahnøe Jørgensen <mikkelfj@gmail.com>; IETF QUIC WG <quic@ietf.org>; Martin Thomson <mt@lowentropy.net>; Kazuho Oku <kazuhooku@gmail.com>
Subject: Re: Consensus Calls for Transport/TLS issues, post-Cupertino

+1

I think the text we have in the spec today is better than the proposal to never discard the handshake keys.
My preference would be to spend the time to fix the issue, and not add a temporary workaround for now.

On Tue, Oct 22, 2019 at 12:51 AM Jana Iyengar <jri.ietf@gmail.com<mailto:jri.ietf@gmail.com>> wrote:
I agree with Kazuho here. The issue of migration was not one we had considered. I was going through this with Kazuho, and we may have identified yet another issue with handshake retransmissions and migration, which is present in the current spec.

Sadly, I don't think we can call this issue done.

On Tue, Oct 22, 2019 at 2:14 PM Mikkel Fahnøe Jørgensen <mikkelfj@gmail.com<mailto:mikkelfj@gmail.com>> wrote:
Without a way to move to a single PN space I find this a deal breaker. I might do a custom version of the protocol.


________________________________
Fra: QUIC <quic-bounces@ietf.org<mailto:quic-bounces@ietf.org>> på vegne af Kazuho Oku <kazuhooku@gmail.com<mailto:kazuhooku@gmail.com>>
Sendt: tirsdag, oktober 22, 2019 6:58 AM
Til: Martin Thomson
Cc: IETF QUIC WG
Emne: Re: Consensus Calls for Transport/TLS issues, post-Cupertino



2019年10月22日(火) 11:38 Martin Thomson <mt@lowentropy.net<mailto:mt@lowentropy.net>>:
On Tue, Oct 22, 2019, at 12:39, Nick Banks wrote:
>  I'd also prefer to fix the problem, even if it means bringing back
> something like RETIRE_KEY.

I would prefer to think of this proposed resolution as a temporary one.  I don't think that we agreed to keep the handshake keys indefinitely, only that we would use that option as a fallback position until we found a better solution.

I might point out that #3121 is not proposal-ready as a way to resolve #2863. That is because it does not define how to send and receive Handshake packets until or after migration happens. There would be a deadlock unless both endpoints agree on how that should be done (e.g., how to select SCID, whether the path used for Handshake packets migrates too).

Without that being clarified, can we say that we are ready for a consensus call?


On that basis, I think that it would be best if we open a new issue that says "Handshake keys can't ever be dropped".

We might still conclude not to address that issue, but the important thing is to ensure that any solution works properly.


--
Kazuho Oku

v2.23.0 | Report a Bug | By Email