IETF Logo Mail Archive

Re: Stream0 Proposal: EMPTY_ACK

Eric Rescorla <ekr@rtfm.com> Thu, 24 May 2018 04:00 UTC

Return-Path: <ekr@rtfm.com>
X-Original-To: quic@ietfa.amsl.com
Delivered-To: quic@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 642DE1243F3 for <quic@ietfa.amsl.com>; Wed, 23 May 2018 21:00:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.598
X-Spam-Level:
X-Spam-Status: No, score=-2.598 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, T_DKIMWL_WL_MED=-0.01, T_KAM_HTML_FONT_INVALID=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5IjaDEllfpEy for <quic@ietfa.amsl.com>; Wed, 23 May 2018 21:00:16 -0700 (PDT)
Received: from mail-oi0-x22d.google.com (mail-oi0-x22d.google.com [IPv6:2607:f8b0:4003:c06::22d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D9B14120227 for <quic@ietf.org>; Wed, 23 May 2018 21:00:15 -0700 (PDT)
Received: by mail-oi0-x22d.google.com with SMTP id a6-v6so229377oia.2 for <quic@ietf.org>; Wed, 23 May 2018 21:00:15 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=1nNS8CeQEY9E096FdR4lyTKjDFihQY6aYaVy5aR5d3U=; b=L0uIxXo0e7IIrPfFYLSSnVUzeBrLSzVBpVJfGtY55IT+uvQel3UDFVdnBcnbptTofR Jq8TyaNGZo0wCt/QovBG+VsbCLfIA756BvMF7hwhJxC6zYwQVKAGPxCUqmxoIOO2xbFZ iU4VSZGnTRCU/tdrQ7WNarCUhWwZKV1z0BcGrHA0R8zmtFRYpS0fWlKXfjfJg6yPx5Fn 39bDRrwV8EKW8t/vtFuZUtlCyC8DjJ00SIj5MzJ76xGG9iFvka/Z4GfqqBFbB3EKYolw 2Da0jDB4y3t7ZWTaM0fX7jaatB+RxL8M5PfmJNjptv4evb7QNrBm/kgpGDblwwubBMd6 1z8w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=1nNS8CeQEY9E096FdR4lyTKjDFihQY6aYaVy5aR5d3U=; b=GiulZjDHm3Wjky+tiDSAvoNYI4ZQkZLXps5eb9L2thSWWBOp0GfRgqMHQakgnjfjur JOnO9i0V0tl7CIuAlmDBHSs9IJ/pCP2qDmJuB6lauRfEbEiaqnOF0s5K1pcBr7cobLed rYK6yJBIsusjNr8GYPaqP1QeeNN2eSyInfcm8yRfc6djf0qxYGy7YlqtETp1qyJO18Cg 6EZ6kjaADxU6i3ZR2kP/9BnCFlWR/gnuY8sY9F50eWOt/k3ndDC9eClWiTcHPEplYNJL vU/TDyvYZ7pVqe0em3MqeYdXGH68VHKDA2/BQxTNez7HtCMSOyGYdkpz5aA+/D+ulLvS /O2A==
X-Gm-Message-State: ALKqPwehIIL4rQHpszrG7UvMfWe1hJjgC4o+JGoVJ9DxSzBhOeYey0qO BrkH8i7bJccy8Fbi84LI9L0jJmaZjoqfVrftr8h/yQ==
X-Google-Smtp-Source: AB8JxZrpN4zdU2pZjN/A5qZ2OyRuNwl9y2lcYwYfcWE5DWDspqepG/eCaysKpG7O/PNMeCAx2dy1nIUqgacSzju9TmI=
X-Received: by 2002:aca:4c11:: with SMTP id z17-v6mr3173641oia.174.1527134415160; Wed, 23 May 2018 21:00:15 -0700 (PDT)
MIME-Version: 1.0
Received: by 2002:ac9:66:0:0:0:0:0 with HTTP; Wed, 23 May 2018 20:59:34 -0700 (PDT)
In-Reply-To: <C48DFD01-BB1F-418D-A2A6-E2BD80407465@huitema.net>
References: <CACpbDcckRvyn18qowWbLRT+sX2EGj3_yPtoS2d-h6ypg4dFrVQ@mail.gmail.com> <6d80b771-ba07-cab7-fa86-d4e31d56b919@huitema.net> <CABcZeBPtjbMVL2RQMyLZJg_QyHcgA5E_g8SAgoHUqjpLrJRA4g@mail.gmail.com> <C48DFD01-BB1F-418D-A2A6-E2BD80407465@huitema.net>
From: Eric Rescorla <ekr@rtfm.com>
Date: Wed, 23 May 2018 20:59:34 -0700
Message-ID: <CABcZeBM1hKYxVe2aFgfQe3zAwhpgQEi03jRuzJShXt8Q1=7dKg@mail.gmail.com>
Subject: Re: Stream0 Proposal: EMPTY_ACK
To: Christian Huitema <huitema@huitema.net>
Cc: Jana Iyengar <jri.ietf@gmail.com>, IETF QUIC WG <quic@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000571f24056cebb070"
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic/s-XdAiCCX9oUYM3d1jdAGnJnuNU>
X-BeenThere: quic@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Main mailing list of the IETF QUIC working group <quic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic>, <mailto:quic-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic/>
List-Post: <mailto:quic@ietf.org>
List-Help: <mailto:quic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic>, <mailto:quic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 24 May 2018 04:00:19 -0000

On Wed, May 23, 2018 at 8:54 PM, Christian Huitema <huitema@huitema.net>
wrote:

> What vulnerability? At a minimum, reflection Dos.
> Send UDP packet with "0rtt" content. Trigger emty-ack.
>

Given that you can already trigger transmission of the full cert chain with
CH, this doesn't seem very interesting.

-Ekr


> -- Christian Huitema
>
> On May 23, 2018, at 7:45 PM, Eric Rescorla <ekr@rtfm.com> wrote:
>
>
>
> On Wed, May 23, 2018 at 7:10 PM, Christian Huitema <huitema@huitema.net>
> wrote:
>
>> I dislike the EMPTY_ACK because they are "responses to something that
>> could not be decrypted". You don't know where the packet came from, it
>> could be spoofed. So you have on one hand a possible optimization, on the
>> other hand a possible vulnerability, and in all cases additional complexity.
>>
> What's the vulnerability? Anything more than a spurious retransmit?
>
> -Ekr
>
>
>> On 5/23/2018 4:27 PM, Jana Iyengar wrote:
>>
>> (Moving more discussions from main thread)
>>
>> ---------- Forwarded message ----------
>> From: Subodh Iyengar <subodh@fb.com>
>> Date: Wed, May 23, 2018 at 3:37 PM
>> Subject: Re: Stream0 Design Team Proposal
>> To: Mike Bishop <mbishop@evequefou.be>, Christian Huitema <
>> huitema@huitema.net>, "quic@ietf.org" <quic@ietf.org>
>>
>>
>> FWIW I see EMPTY_ACKs as being very similar to a Duplicate ack. We
>> thought about using Duplicate acks as well but we thought that EMPTY_ACks
>> would be simpler to implement and be able to convey similar information.
>>
>>
>> Subodh
>> ------------------------------
>> *From:* QUIC <quic-bounces@ietf.org> on behalf of Mike Bishop <
>> mbishop@evequefou.be>
>> *Sent:* Wednesday, May 23, 2018 3:26:35 PM
>> *To:* Christian Huitema; quic@ietf.org
>> *Subject:* RE: Stream0 Design Team Proposal
>>
>>
>> Christian, can you expand on why you dislike the EMPTY_ACK?  Being able
>> to say “I’ve received some packets from you, but am unable to process any
>> of them because I’m missing some handshake data” seems like a useful way to
>> short-circuit timeouts on clients.  It also doesn’t commit the server to
>> holding any state – IIUC, a server could form a packet containing an
>> EMPTY_ACK and then discard its internal state until it gets the
>> retransmitted (or delayed) Initial packet.
>>
>>
>>
>>
>>
>> On Wed, May 23, 2018 at 4:25 PM, Jana Iyengar <jri.ietf@gmail.com> wrote:
>>
>>> (Forking this discussion off from the main thread.)
>>>
>>> On Wed, May 23, 2018 at 2:13 AM, Kazuho Oku <kazuhooku@gmail.com> wrote:
>>>
>>>> 2018-05-23 14:29 GMT+09:00 Christian Huitema <huitema@huitema.net>:
>>>> > I like the proposal. In particular, I really like the encryption of
>>>> > handshake packets with the handshake key, as it does close a number of
>>>> > avenues for attacks. And I like that it solves the "ack promotion"
>>>> issue
>>>> > that I was complaining against for some time. Turns out that in the
>>>> current
>>>> > draft, it is very hard to contain that problem if you enable client
>>>> auth.
>>>> >
>>>> >
>>>> > On the other hand, I agree with Martin that a lot of the additions to
>>>> > transmission recovery should be moved to separate PRs. I am not
>>>> enthusiastic
>>>> > with the EMPTY ACK mechanism, or with the proposed "implicit
>>>> > acknowledgement" of a lower crypto stream by a higher level ack.
>>>>
>>>> At the moment I do not have a strong opinion on the Empty ACK mechanism.
>>>>
>>>> However, regarding how we close the Initial and Handshake contexts, my
>>>> preference goes to using implicit ACKs (i.e. use the successful
>>>> receipt of a packet that is protected under a higher level of
>>>> encryption key as the signal) rather than explicitly ACKing the last
>>>> flight of data.
>>>>
>>>> As I see, there are two downsides in the Explicit ACKing approach.
>>>>
>>>> * Explicit ACKing requires sending two additional packets during the
>>>> handshake, which means that we would have more AES operations plus
>>>> somewhere around 60 bytes of overhead on the wire.
>>>> * Explicit ACKing requires more signaling from the TLS stack. In case
>>>> of implicit ACKing, the TLS stack need to only provide the AEAD
>>>> contexts and the messages, whereas in case of explicit ACKing, the TLS
>>>> stack also needs to provide a signal indicating the end of the
>>>> transmission at each encryption level.
>>>>
>>>> The downside of the implicit ACKing approach is that the server needs
>>>> to signal the termination of the Handshake context using a special
>>>> frame sent using a 1-RTT packet.
>>>>
>>>> But even taking that into consideration, I think that implicit ACKing
>>>> is still easier to implement, considering the need for the additional
>>>> signal in the explicit ACK case that have been described above.
>>>>
>>>>
>>>> > In any
>>>> > case, starting as simple as possible would help having the first
>>>> > implementations and tests.
>>>> >
>>>> >
>>>> > On 5/22/2018 8:26 PM, Subodh Iyengar wrote:
>>>> >
>>>> > As an implementor of fizz, I support this design and am willing to
>>>> implement
>>>> > this as well.
>>>> >
>>>> >
>>>> > While this is a change in the API that TLS classically exposes, I
>>>> think this
>>>> > is the right tradeoff because it helps make things way more explicit
>>>> which
>>>> > will prevent several other bugs from happening in the future.
>>>> >
>>>> >
>>>> > Subodh
>>>> >
>>>> > ________________________________
>>>> > From: QUIC <quic-bounces@ietf.org> on behalf of Martin Thomson
>>>> > <martin.thomson@gmail.com>
>>>> > Sent: Tuesday, May 22, 2018 8:00:40 PM
>>>> > To: Ian Swett
>>>> > Cc: ekr@mozilla.com; QUIC WG
>>>> > Subject: Re: Stream0 Design Team Proposal
>>>> >
>>>> > First of all, thanks to the design team for the work they have done.
>>>> I
>>>> > haven't digested everything yet, but I think that I have a good sense
>>>> of
>>>> > the shape of the proposal.
>>>> >
>>>> > Overall, this looks like a workable design.  It's a lot more invasive
>>>> of
>>>> > the cryptographic handshake implementation than I had thought people
>>>> were
>>>> > willing to stomach originally.  But it's clear that we've run into
>>>> problems
>>>> > with the current, more abstract API and this is a fairly natural way
>>>> to
>>>> > split TLS.  I've spent a little time thinking about how this might be
>>>> > implemented and I think that it's not going to be *too* painful.  The
>>>> proof
>>>> > will be in the pudding there though.
>>>> >
>>>> > In looking at the PR, I really appreciate seeing all the changes
>>>> together..
>>>> > BTW, the link above points to the wrong PR, so be careful (it appears
>>>> to
>>>> > have the same content, but that's not guaranteed).  The actual PR is
>>>> here:
>>>> > https://github.com/quicwg/base-drafts/pull/1377
>>>> >
>>>> > I've pushed a branch to the main repo so that you can preview the
>>>> entire
>>>> > document set:
>>>> > https://urldefense.proofpoint.com/v2/url?u=https-3A__quicwg.
>>>> github.io_base-2Ddrafts_stream0_&d=DwIBaQ&c=5VD0RTtNlTh3ycd4
>>>> 1b3MUw&r=h3Ju9EBS7mHtwg-wAyN7fQ&m=_vGK3zTKFrMOkFihJnPntLYw1T
>>>> 0_NEMiHYSM0Q_u1JA&s=ususmtxI3BTaLlBWe_HkQUWRH4sBI0Cggj1oWZMBHak&e=
>>>> >
>>>> > It seems like there are some core changes here and a bunch of
>>>> separable or
>>>> > at least secondary changes.  I'm sure that each one has its own
>>>> > justification, but that isn't always clear. The following changes
>>>> seem like
>>>> > they are separable:
>>>> >
>>>> > * The use of separate packet number spaces
>>>> > * The Retry packet changes (and NEW_TOKEN)
>>>> > * EMPTY_ACK
>>>> > * The TLS extension for flow control
>>>> >
>>>> > Right now, some of these appear to be entirely gratuitous.  I'd like
>>>> to get
>>>> > to the bottom of each before we continue.
>>>> >
>>>> > At a minimum, the PR we land first should include just the core
>>>> changes.
>>>> > As you say, reviewing a monster PR like this will only make GitHub
>>>> weep
>>>> > unicorns, but we might be able to cut this into smaller pieces.
>>>> >
>>>> > On Wed, May 23, 2018 at 11:31 AM Ian Swett <ianswett=
>>>> > 40google.com@dmarc.ietf.org> wrote:
>>>> >
>>>> >> Dear QUIC WG,
>>>> >
>>>> >
>>>> >> On behalf of the Stream 0 Design Team, I am pleased to report that we
>>>> > have consensus on a proposed approach to share with the WG. The DT's
>>>> > proposal will make QUIC and TLS work closer together and incorporates
>>>> ideas
>>>> > from DTLS, but it does not use the DTLS protocol itself.
>>>> >
>>>> >
>>>> >> The DT believes this solves the important open Stream 0 issues. The
>>>> > proposal will be a bit more invasive in TLS, but we believe it is the
>>>> right
>>>> > long-term direction and several TLS stacks (BoringSSL, PicoTLS, NSS,
>>>> and
>>>> > Mint) are willing and able to do the work necessary.. A number of
>>>> stacks
>>>> > are currently working on implementations of this new approach, which
>>>> we
>>>> > hope to have in time for the Interim meeting.
>>>> >
>>>> >
>>>> >> A design document describing the overall approach can be found at:
>>>> >
>>>> >
>>>> > https://urldefense.proofpoint.com/v2/url?u=https-3A__docs.go
>>>> ogle.com_document_d_1fRsJqPinJl8N3b-2DbflDRV6auojfJLkxddT93j
>>>> 6SwHY8_edit&d=DwIBaQ&c=5VD0RTtNlTh3ycd41b3MUw&r=h3Ju9EBS7mHt
>>>> wg-wAyN7fQ&m=_vGK3zTKFrMOkFihJnPntLYw1T0_NEMiHYSM0Q_u1JA&s=j
>>>> DNnz34hmWvLSQnHkSnYdihW-jG-0xZ-YYqKq30wVGg&e=
>>>> <https://urldefense.proofpoint.com/v2/url?u=https-3A__docs..google.com_document_d_1fRsJqPinJl8N3b-2DbflDRV6auojfJLkxddT93j6SwHY8_edit&d=DwIBaQ&c=5VD0RTtNlTh3ycd41b3MUw&r=h3Ju9EBS7mHtwg-wAyN7fQ&m=_vGK3zTKFrMOkFihJnPntLYw1T0_NEMiHYSM0Q_u1JA&s=jDNnz34hmWvLSQnHkSnYdihW-jG-0xZ-YYqKq30wVGg&e=>
>>>> >
>>>> >
>>>> >> A PR making the changes to the QUIC documents can be found at:
>>>> >
>>>> >> https://github.com/quicwg/base-drafts/pull/1377
>>>> >
>>>> >
>>>> >> A few design details did not have clear consensus, but it was felt it
>>>> > would be better to discuss those in the wider WG than delay the design
>>>> > team.  A consistent choice was made in the PR and these issues are
>>>> > mentioned in Appendix B of the design doc.
>>>> >
>>>> >
>>>> >> As always, comments and questions welcome. That said, this is a big
>>>> PR
>>>> > and we recognize that some editorial work is going to be needed before
>>>> > merging. In the interest of letting people follow along, and to keep
>>>> github
>>>> > from falling over, we ask people to keep discussion on the mailing
>>>> list and
>>>> > refrain from making PR comments.
>>>> >
>>>> >
>>>> >> See you in Kista!
>>>> >
>>>> >
>>>> >> Ian and Eric
>>>> >
>>>> >
>>>>
>>>>
>>>>
>>>> --
>>>> Kazuho Oku
>>>>
>>>>
>>>
>>
>>
>

v2.23.0 | Report a Bug | By Email