Re: Stream0 Proposal: Explicit vs. Implicit ACK (Re: Stream0 Design Team Proposal)

Kazuho Oku <> Fri, 25 May 2018 08:57 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 63942124BE8 for <>; Fri, 25 May 2018 01:57:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id Yqb67i5kBai0 for <>; Fri, 25 May 2018 01:57:32 -0700 (PDT)
Received: from ( [IPv6:2607:f8b0:400e:c00::22c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 049741201FA for <>; Fri, 25 May 2018 01:57:32 -0700 (PDT)
Received: by with SMTP id a22-v6so2271819pfn.6 for <>; Fri, 25 May 2018 01:57:32 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=pzzhsJk0NQ3l8LuAvpNoQMLDlDdDvoccRKAnBBStRow=; b=PFwH88xM7ANR76bezhOEhrJgRrA3k+caS7oTx8R7ryfCKrtS9WB9n6gTUVgP+MvILv 5agF5g4o4E1iRk1RrHTruXUxFgTGg5s/sHoSPL3SB1OA5H1gO0tQfNBDUHZXyU0OYmK1 RLuzWk3Fit3Rnn0du13PygOiFvTzlEQPqvS9w8jPC9fma3gktQdqLGRNWgH19qZeMYok msf8dPge9RSiJ7Tx6PQZ8EIBViB3NfwsoH4JIr5yPRwJCPyA3Jhe3dikE7tY5EN0lAPP bHPEQf7WV9IQse0Zpj32DPSeXlp4Pe3SWW16AEaGpAPVhmVafNpLa1YFzFniVAie0Z9s 6hEQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=pzzhsJk0NQ3l8LuAvpNoQMLDlDdDvoccRKAnBBStRow=; b=aOpr1mLm+oiQRgPQqKPYosn9Sa2tvXWAAGvuFCLhMcun372Bicj/WVpIIW0LSpeq1c +eO/t9p42BWaoxKnxmdmNun26727cKqMgAZ2+vuRaxDvzcVs8r4DrZeSZIAuc7OtNhNx J+b4P3O3yKKOp8LjXirQVWmTGtEsVmXweWrfzlOoCzH65V4MU8ZW1vg2eCB+FWHR3yfa 2TwxMQVxwnj7WSan2lfLnrX7Oo95jEKzJtnZZvMw9mxmdIPGTSBHHTiy5l8HZUFgbwG4 Vsdn6jGZ7DS9o5xow+TodTL703E/rgFSr7Bi/7oChImx/TNNwd70S7AhFlNtjT2JNPqk WOkg==
X-Gm-Message-State: ALKqPwfYg+xb0paj/sjicfVGdjTQ4FDZX7+ZVIHwYk5c7AqwN3/y3cht 8ls5w4Hr9jSTV334IdQbOVDOIvpbzEXHTO4T9fw=
X-Google-Smtp-Source: AB8JxZq8rsLpn8Wl2Wu8RxeSACzZTumJNcwpjKu6YNE+A4VV5zW0SAPDmqAz4rWKzkwSyVMsgkoBQhLHcqUKQaZNL30=
X-Received: by 2002:a65:61c8:: with SMTP id j8-v6mr1291412pgv.370.1527238651246; Fri, 25 May 2018 01:57:31 -0700 (PDT)
MIME-Version: 1.0
Received: by 2002:a17:90a:1189:0:0:0:0 with HTTP; Fri, 25 May 2018 01:57:30 -0700 (PDT)
In-Reply-To: <>
References: <> <> <> <> <>
From: Kazuho Oku <>
Date: Fri, 25 May 2018 17:57:30 +0900
Message-ID: <>
Subject: Re: Stream0 Proposal: Explicit vs. Implicit ACK (Re: Stream0 Design Team Proposal)
To: Mikkel Fahnøe Jørgensen <>
Cc: Martin Thomson <>, Eric Rescorla <>, Jana Iyengar <>, QUIC WG <>, Ian Swett <>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <>
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Main mailing list of the IETF QUIC working group <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 25 May 2018 08:57:35 -0000

2018-05-25 17:33 GMT+09:00 Mikkel Fahnøe Jørgensen <>:
> The overview doc seems to be clear on ACK’s in general, not sure about EOED
> specficially.
> section 2.2
> ACKs in 1-RTT packets will acknowledge the receipt of 0-RTT or 1-RTT
> packets.  ACKs cannot be sent in 0-RTT packets.

Thank you for pointing that out.

That statement in the doc seem to contradict with the following
statement in the PR.

  - ACK frames MAY appear in packets of any encryption level, but
    MUST only acknowledge packets which appeared in that encryption

Maybe the reference to "encryption level" should be corrected to
"packet number space."

> Kind Regards,
> Mikkel Fahnøe Jørgensen
> On 25 May 2018 at 10.06.49, Kazuho Oku ( wrote:
> I think I might have found an issue in the explicit ACK approach that
> we use in the PR.
> That is that EOED cannot be ACKed.
> Assuming that EOED is sent using 0-RTT keys, it needs to be acked by
> the server using the same key, because the transmission of EOED needs
> to be guaranteed for the TLS handshake to complete.
> However, there is no 0-RTT send key on the server-side.
> Do we have any rule for dealing with this? I searched though the text
> of the PR but could not find an answer.
> 2018-05-24 14:49 GMT+09:00 Kazuho Oku <>:
>> 2018-05-24 13:43 GMT+09:00 Martin Thomson <>:
>>> The obvious solution for the problem of not retransmitting the client
>>> Finished is to retransmit it until it is acknowledged. With the proposed
>>> design, that means that the server sends a Handshake message after the
>>> handshake is done, which I think is fine. If the client sends Finished
>>> until it is acknowledged, then I think we're good.
>> I agree that that would work.
>> IIUC downsides compared to the implicit ACK approach are that the
>> server needs to keep the old keys for certain amount of time (e.g., 2
>> MSL) and that the additional Handshake packet will consume about 30
>> octets of the 3 packet window that we have for the server's first
>> flights.
>>> I can see the appeal in saying that if you receive an ACK for 1-RTT data
>>> then your Handshake packets must have been received. I can see that
>>> working even, but you have to be careful. It's just a signal that you can
>>> stop sending CRYPTO frames, not that you are done with the keys. You
>>> might
>>> need to send ACK again and you might still receive packets at that level.
>>> You could drop read keys and ACK only the old packets that you did
>>> decrypt,
>>> but I suspect that it's better to authenticate any packet and ACK
>>> faithfully, which would be better for your peer's congestion state.
>>> That also means that you probably need to have timers for cleaning up, to
>>> avoid the pathological case where acknowledgments are sent indefinitely.
>> I agree with your argument about congestion control.
>> One way of acquiring correct congestion control information in the
>> implicit ACK approach will be to send coalesced packets that combines
>> a Handshake packet with a packet protected by a higher encryption key.
>> That will guarantee that you would receive an ACK for the delivery of
>> the datagrams, and you can feed the information to the congestion
>> controller.
>> FWIW, I have implemented implicit ACK in quicly, and it only required
>> about 40 additional lines of code, including the retransmission logic
>> for Handshake_Done. The code can be found at
>> Coalesced packets is not implemented.
>>> I think that the FIN bit idea might work to close out the use of the
>>> "stream" for each set of keys. That is, as opposed to the crypto stream
>>> as
>>> a whole. But it's duplicative: the crypto handshake needs to know when it
>>> moves from one set of keys to the next and replicating that signaling at
>>> the QUIC layer only really adds things to check for consistency.
>>> On Thu, May 24, 2018 at 11:07 AM Kazuho Oku <> wrote:
>>>> 2018-05-24 3:46 GMT+09:00 Jana Iyengar <>:
>>>> > A thought occurs to me: a CRYPTO_HS frame with the fin bit set can be
>>> used
>>>> > to indicate that the handshake is done.This could be used as a signal
>>> (aka
>>>> > HANDSHAKE_DONE) to solve Marten's problem of a client rtxing a CFIN.
>>>> > Of
>>>> > course, this would mean that this particular CRYPTO_HS frame would be
>>>> > encrypted with a 1-RTT key... which *I think* is fine. What do you
>>> think?
>>>> I am not sure if that is a good approach.
>>>> I would assume that we would like to keep the handshake flow on the
>>>> 1-RTT key open for the lifetime of the QUIC connection, so that we
>>>> could send things related to the TLS (e.g. session tickets). Sending
>>>> FIN from the server right after receiving ClientFinished makes that
>>>> impossible.
>>>> Having said that, I do agree that the need for a dedicated frame is a
>>>> pain. It is a pain because we need to have a retransmission logic for
>>>> the frame.
>>>> I think that you are making a good point in suggesting to consider
>>>> reusing the retransmission logic that already exists for bidirectional
>>>> flows. But as said, FIN bit does not seem like an answer in this case.
>>>> IMO, ideally we should define a new TLS post-handshake message (that
>>>> does not convey any data), and send that from the server in response
>>>> to ClientFinished using 1-RTT packet. The message will act as a signal
>>>> that the server has received ClientFinished.
>>>> The benefit of this approach is that we can reuse the retransmission
>>>> logic that will exist for handshake flows. The downside is that TLS
>>>> stacks need to be aware of the new handshake message.
>>>> Considering the fact that the Design Team is already suggesting a
>>>> substantial change to the TLS stack, we might have chance in asking
>>>> for the addition of a new handshake message. But I am not sure.
>>>> --
>>>> Kazuho Oku
>> --
>> Kazuho Oku
> --
> Kazuho Oku

Kazuho Oku