IETF Logo Mail Archive

Re: KEYS_READY

Mikkel Fahnøe Jørgensen <mikkelfj@gmail.com> Wed, 13 February 2019 15:55 UTC

Return-Path: <mikkelfj@gmail.com>
X-Original-To: quic@ietfa.amsl.com
Delivered-To: quic@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CECD212D826 for <quic@ietfa.amsl.com>; Wed, 13 Feb 2019 07:55:36 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.997
X-Spam-Level:
X-Spam-Status: No, score=-0.997 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, FREEMAIL_REPLY=1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id t53FzDHli-kV for <quic@ietfa.amsl.com>; Wed, 13 Feb 2019 07:55:34 -0800 (PST)
Received: from mail-ot1-x333.google.com (mail-ot1-x333.google.com [IPv6:2607:f8b0:4864:20::333]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 19D631286D8 for <quic@ietf.org>; Wed, 13 Feb 2019 07:55:34 -0800 (PST)
Received: by mail-ot1-x333.google.com with SMTP id i5so4746516oto.9 for <quic@ietf.org>; Wed, 13 Feb 2019 07:55:34 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:in-reply-to:references:mime-version:date:message-id:subject:to :cc; bh=K+704Vxhe0gWKb66JFeP05xxoN+2VTLpraaRDHLhp38=; b=MFRqkFIxOy8K+IrTjb+mudeUozMs5EBFIHrmIv1OeEuBArIQGNUBNF8PMOyjEAELLE y5EM1JqH9K1+3hEvK0rlA0qcubG8JU9McA/vDY1yjy5NqFc+qyrtMx+hDhUbMFJC9xKv S3SQp63Ez1fYaOpSdgNjAeW1txIxMyNMqZeb1Zifdcma+H49bVADBX4wb7Yiit+dqhvl B9cRCVeaGC4VDzMVsYBxMQXONPHayxd3a+afRlct82VBNo0dpJSTTUO5lgN1rapcwWzq ZIjuMDf1fVGZjrNnnw39+JaI4W23SJScndkOu1D39Eg0GXWLYl7s2iDzjtuOeXrIz3og 4lTw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:in-reply-to:references:mime-version:date :message-id:subject:to:cc; bh=K+704Vxhe0gWKb66JFeP05xxoN+2VTLpraaRDHLhp38=; b=KnCMMtqQhzJk2rZlanw5kc9suNMf4YuG1pe/616ZrtLf4C1hNwLCHlqHTdyl8JxLzT L15KbEYgf6wlVrOk/cXt0gY2kIOCs1l+r1Yy7+A+hnSeCJEEWs7gSuklZ+IBCV7Dj1NG Xv8T/hYbzzqrp/vJBdUfnVcd23qjXFo2x48jLn5W7JUW3Gj0OHhmD2lKRjSj6p8QdfdX 24V6XLZc/VvWVNzIDWKU0lGa8lh8jbJj0gU65uvbYzNkXxi24x+iFHWHMh0dtiXtkfEn NUUU1xvEEVWG0mNhis+H1jjUcFko/fE1YWfy24aK5MH5m/7H6YEng39Pr/+xNpoVCAGt aR3A==
X-Gm-Message-State: AHQUAuahwiaOOpKWpI0wSF/EjXoDTVK9RDwcBGCLWoBKHEEn084ouZbl hBQ9Td9tz4s5B/Uqwl4lNIXBqhGdWgcKymlMx4I=
X-Google-Smtp-Source: AHgI3Ibr8YOiTL437sO2sFFP8FQOlS2u233y2VMVtRc3IKJONfSpYX1SfCoinl1fPak9Rrbl/NJn/zv6ZQQ+Paaj25g=
X-Received: by 2002:a02:2303:: with SMTP id u3mr734078jau.42.1550073333214; Wed, 13 Feb 2019 07:55:33 -0800 (PST)
Received: from 1058052472880 named unknown by gmailapi.google.com with HTTPREST; Wed, 13 Feb 2019 07:55:32 -0800
From: Mikkel Fahnøe Jørgensen <mikkelfj@gmail.com>
In-Reply-To: <739AFC55-DD02-47AA-A29E-B9C34ED7D6F9@gmail.com>
References: <1550022355.557617.1656828112.4DD1CEE6@webmail.messagingengine.com> <CANatvzy_juza_meGR_-KuBV9FA=F754mv54aawxMb8hYWxb1gA@mail.gmail.com> <CAN1APdcVYKWuapZ3XHxXa_nVACwkRD-xeF3ub-5ROttE7QVrmQ@mail.gmail.com> <CAOYVs2ooxAuwu_zr2XZ-y9UqUP5kTbjoFrckAOi40bF9vODGOg@mail.gmail.com> <CAKcm_gNk=jKrnXM4Ht4yF0RX25wtVifjxz0c1gay0uie7PMw6A@mail.gmail.com> <CANatvzxBYzEaDZ1Ftt=o1zT5zVcVTd1EwtGiJOC-mkrNUWzVAQ@mail.gmail.com> <CAN1APdfzepc9DE98UsWw=hB4dM38qKLxdAjpsYuddDBatcscDA@mail.gmail.com> <739AFC55-DD02-47AA-A29E-B9C34ED7D6F9@gmail.com>
X-Mailer: Airmail (420)
MIME-Version: 1.0
Date: Wed, 13 Feb 2019 07:55:32 -0800
Message-ID: <CAN1APddWLdmRo+ZZDnmvrBEFQk4TTcS3UK_9AU4KqAeSkiBvJQ@mail.gmail.com>
Subject: Re: KEYS_READY
To: Kazuho Oku <kazuhooku@gmail.com>
Cc: Martin Thomson <mt@lowentropy.net>, IETF QUIC WG <quic@ietf.org>, Ian Swett <ianswett@google.com>, Marten Seemann <martenseemann@gmail.com>
Content-Type: multipart/alternative; boundary="00000000000066f7350581c8927c"
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic/uowYfv0KrQ_7T7PmJ1_w-aF11ic>
X-BeenThere: quic@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Main mailing list of the IETF QUIC working group <quic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic>, <mailto:quic-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic/>
List-Post: <mailto:quic@ietf.org>
List-Help: <mailto:quic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic>, <mailto:quic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 13 Feb 2019 15:55:37 -0000

The point is that under the rules set by the PR, it is not possible to
update keys before a KEYS_ACTIVE / KEYS_READY frame has been received. If
such a frame is sent, but lost, there is not path to update keys again.
This goes wrong after a (long) while, when the current key is exchausted.
It does not matter that updates are rare.


On 13 February 2019 at 16.48.57, Kazuho Oku (kazuhooku@gmail.com) wrote:

2019/02/14 0:29、Mikkel Fahnøe Jørgensen <mikkelfj@gmail.com>のメール:

I can see arguments for having the frame defined as ACK-eliciting,


It cannot not be ACK-eliciting, otherwise a lost packet could mean that no
new key updates would be possible.


IIUC key updates are rare, and therefore the frame can be
non-ack-eliciting. FWIW, the current design does not elicit an ACK in
response to key update.





On 13 February 2019 at 16.27.02, Kazuho Oku (kazuhooku@gmail.com) wrote:

2019年2月14日(木) 0:03 Ian Swett <ianswett@google.com>:
>
> I'm happy with the approach you outline here and wrote up in the PR, but
I did find the PR a bit confusing, partially because it's based on an
existing PR that's gone through a lot of revisions.
>
> I don't think tying transmission of this to an encryption level will be
overly complex, because since it's only a single byte, I might just put it
in every ack-eliciting packet until it's no longer necessary and not use
the standard retransmission logic.

I tend to agree, because to me it the same as having a variable length
packet header that, when being extended by one byte, indicates that
the next key is ready. Though it seems a bit flexible.

OTOH, I think it's interesting to discuss if the KEY_READY frame is
ack-eliciting. My understanding is that per the current PR it is,
because the list of non-ack-eliciting frames has not changed.

I can see arguments for having the frame defined as ACK-eliciting,
because it encourages endpoints to retire old keys soon. If we think
that to be a good property, I think that might be an argument for
using a frame (because calling a header bit ACK-eliciting would be
strange).

>
> I'd rather not burn another bit in the first byte for this.
>
> On Wed, Feb 13, 2019 at 8:00 AM Marten Seemann <martenseemann@gmail.com>
wrote:
>>
>> I went through a few key update scenarios under different packet loss
patterns, and I have to admit that I found the KEY_READY frame surprisingly
difficult to reason about. The problem seems to be that we're replacing
what is in reality a contiguous state (it is permitted to update the keys)
with a one-time signal, which has to be retransmitted (taking care to
either block further key updates until this frame has been acknowledged, or
canceling the retransmission when performing another key update). The
reason we decided to create an explicit signal instead of consulting the
loss recovery state, was that we wanted to avoid a tight coupling between
the loss recovery and the key management. I have the impression that we're
now just trading one tight coupling for a slightly different one.
>>
>> I agree with Kazuho that using a bit in the first byte seems to capture
the update logic we're looking for better. There's no need to retransmit
any information, since the bit is set on every subsequent packet.
>>
>>
>>
>> On Wed, Feb 13, 2019 at 4:36 PM Mikkel Fahnøe Jørgensen <
mikkelfj@gmail.com> wrote:
>>>
>>> Thanks for pointing out the second alternative, although reluctantly.
>>>
>>> I think the first option with anonymous KEY_READY has a problem with
idempotency as well as tying state to retransmission logic. This means that
naive retransmission of packet content in a new packet number is no longer
valid, and likewise, naive processing of a frame that passes authentication
is also no longer possible. That is a strong principle break and I don’t
think the minor simplicity of a label-less KEY_READY frame can justify that
(even if one ought no do such naive transmission).
>>>
>>> You could state that the KEY_PHASE bit is the lower bit the key counter
which increments by one on each key update, starting at 0 or 1.
>>> Then, a KEY_READY with a future count is a PROTOCOL_VIOLATION and an
old count is ignored. The key phase or the packet protection of the packet
containing the KEY_READY frame is of no significance.
>>>
>>> I also suspect that the alternatively two-bit proposal might have a
problem with idempotency, but I think it sorts itself by failing packet
protection.
>>>
>>> The text mentions that the updated key depends on the current traffic
key with reference to TLS 1.3. From reading this naively, it sounds like
forward secrecy is lost, which I am sure it is not.
>>>
>>> Finally, this is just a high level view. I find the overall text hard
to understand, notably because it is not crystal clear whether the two
endpoints update their transmission keys in sync with the ready keys, or if
the (currently implicity) key phase counters can count independently.
>>>
>>> That said, I like the idea of an explicit READY frame, and i probably
would also like and explicit handshake ready frame, if it isn’t effectively
the same thing, and if it is, perhaps formalise that.
>>>
>>> Mikkel
>>>
>>> On 13 February 2019 at 06.55.57, Kazuho Oku (kazuhooku@gmail.com) wrote:
>>>
>>> Hi, Martin
>>>
>>> Thank you for writing the PR. My comments inline.
>>>
>>> 2019年2月13日(水) 10:46 Martin Thomson <mt@lowentropy.net>:
>>> >
>>> > https://github.com/quicwg/base-drafts/pull/2237 has been updated to
include the discussed new frame.
>>> >
>>> > This allows us to remove the implicit-ish acknowledgment of Initial
packets, fix the problem Marten identified with discarding Handshake keys,
and the problem Kazuho found with multiple and simultaneous key updates.
>>> >
>>> > There were two designs that were valid here, and I want to ensure
that people think about the choice:
>>> >
>>> > The one I chose to write up uses a design like ACK. The keys used to
protect the packet determine how the frame is interpreted. That is,
KEYS_READY in a packet implies that the corresponding keys are in use. The
cost here is that you have to purge any potential retransmissions of
KEYS_READY when you update keys or you risk creating a false signal.
>>> >
>>> > The alternative involves more explicit signaling, and requires us to
label each set of keys unambiguously.
>>>
>>> My weak preference goes to burning a bit in the first byte (we have
>>> reserved bits in all the necessary packet types) due to the
>>> exceptional retransmission rule that we would have for the frame, but
>>> I'm not sure how much I care.
>>>
>>> > For that we could borrow the DTLS epoch convention, though that is
inconveniently out of phase with the Key Phase we use; not a major issue,
but a little hard to reason about. This doesn't have a retransmission
problem, but in addition to the need to document the counting system, we
would need to decide whether a mismatch between frame and packet is OK, or
something that can produce a connection error.
>>> >
>>> > Obviously, I have a preference for the former, but if people feel
differently, this is a good place to register your reasons.
>>> >
>>> > Editorial concerns should be directed toward the pull request.
>>> >
>>>
>>>
>>> --
>>> Kazuho Oku
>>>


--
Kazuho Oku

v2.23.0 | Report a Bug | By Email