Re: Unrecoverable loss pattern

Martin Thomson <> Thu, 01 March 2018 21:28 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 391A712FABF for <>; Thu, 1 Mar 2018 13:28:34 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.699
X-Spam-Status: No, score=-2.699 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id XhgCabjmaMVp for <>; Thu, 1 Mar 2018 13:28:32 -0800 (PST)
Received: from ( [IPv6:2607:f8b0:4003:c06::231]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 6B90712FAB8 for <>; Thu, 1 Mar 2018 13:28:32 -0800 (PST)
Received: by with SMTP id t185so5603541oif.6 for <>; Thu, 01 Mar 2018 13:28:32 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=n3epjL1xJKYqAXoA3bsGNC9jcwe8AQnImZnwvi7tfII=; b=PGJJqHT7vBn3zXD58+bX94eaH1JxEYnL49T1IKIWYWdT/derderhHq0DOSNEbDwUTK 7inNXGSgvas0KvpVoCEoffwrHXmtiv5tr3j484SMrLegeRyN+/4N7VWp6IZoPGYb9loP qcWI0DqzKtyxp3AwTt6Dt3BtHAhOceLaEvndTLacuLHAfW9rEkFqSZN8q+wUvW8XSrHd LWkVb8HBcHJIDHNxJeid1n9RXdn9t3tK2FfdAplZVSGBZGS94zaRXQu3Aqj+36cl7Mqa 62MBOqTA6I6YWdtMICioawpJX/t9vdDy9zzSZHvDz+PFUWMqwmHC/1RNey36o+9I5xoT W+cw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=n3epjL1xJKYqAXoA3bsGNC9jcwe8AQnImZnwvi7tfII=; b=FG23AmTAir2tQ3J5AF9lZ2jAw2gDbn+Ni+XsUFej3mQ3oQ8ZKGyEaJsSQI6DC7o9rW knHJE7lqTIQg8mN1uVZsV8J4Sh2/zRyfwoKnPqJ26neJQrkXiay25Q3ztCgVAK2lrSPC qCnL7hwCwLts9bbt9w2N1vjyye/NP3HREC9mJBVaZrNI33vsl6CBfGTg9zIwUKXJ2KjJ 0CadtUM0XsQzaPn1HcLgNXv8N1GHQHXtk0qMxow0twbzkZzBfJ54GiFA/TSR8Mar4IRN gjhGEI253yviFt67BAobsLQ0qf9WVnaVPeie/EqewgLyY+hIfDmc9Mjlvs+kSBgF63NS Pi6Q==
X-Gm-Message-State: AElRT7Ga/zMH1GECL9+0jIRMg5k1lHdoyXEeESKrgp34T8YPxkbHZcRH 34P7iuKUhJxReTEiE+1FBI18lmm80ajPBKaiE4KmvA==
X-Google-Smtp-Source: AG47ELuSllyR8TSQMUs88xoKg/eg9dhF8XER09tryNYZIS4b+FsceqkHLxVw3sA+X+uXaDtOkilSdFmhEMvgSsNwUYI=
X-Received: by with SMTP id j127mr2282932oih.346.1519939711564; Thu, 01 Mar 2018 13:28:31 -0800 (PST)
MIME-Version: 1.0
Received: by with HTTP; Thu, 1 Mar 2018 13:28:31 -0800 (PST)
In-Reply-To: <>
References: <> <> <> <> <> <> <> <> <> <>
From: Martin Thomson <>
Date: Fri, 02 Mar 2018 08:28:31 +1100
Message-ID: <>
Subject: Re: Unrecoverable loss pattern
To: Ian Swett <>
Cc: Christian Huitema <>, Marten Seemann <>, IETF QUIC WG <>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <>
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Main mailing list of the IETF QUIC working group <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 01 Mar 2018 21:28:34 -0000

Two timers solves the problem because it leads to the request being
sent on TLP (or RTO), which unsticks the whole thing.  That is, if you
consider the problem to be less that the Finished isn't read, but more
that the handshake timers disable TLP/RTO.

On Fri, Mar 2, 2018 at 6:13 AM, Ian Swett <> wrote:
> I'm a bit confused about which case we're concerned by, so I'll try to talk
> through my understanding.
> Two timers won't solve the problem of the ack of the Finished being lost(and
> then the acknowledgement never being sent again) that Marten was discussing,
> because as Christian said, we won't process re-transmissions of the Finished
> message because they're not encrypted and it will be stuck in an
> undeliverable/unackable state.
> The one byte frame could be an explicit signal to move on, but we still need
> a way to stop re-transmitting the Finished.  Does that frame serve as an
> acknowledgement of the Finished as well?  Doesn't the receipt of encrypted
> packets also serve as an acknowledgement of the Finished?  In either case,
> we're discussing an implicit ack of sorts.
> One totally different(and possibly poor) alternative would be to only send
> unencrypted handshake data on stream 0, and when you receive an encrypted
> packet and your handshake has completed, if stream 0 isn't already closed,
> reset it, since you'd know the handshake has completed.  We'd have to
> allocate a different stream for post-handshake encrypted data, but that may
> be a win anyway, since it would clearly define which streams were encrypted
> and which weren't?
> Related Q: At some point, weren't we discussing not sending finished?
> On Mon, Feb 26, 2018 at 1:45 PM Christian Huitema <>
> wrote:
>> On 2/26/2018 12:51 AM, Martin Thomson wrote:
>> > The issue in #1018 (as I understood it) was the fact that Finished
>> > could be protected (and thereby authenticated), but it was not.  Not
>> > having it protected makes it vulnerable to all sorts of attack.
>> >
>> > This is different, it's not an attack, it's just an unfortunate
>> > interaction between the loss recovery algorithms and the TLS mapping.
>> Actually, the issue was that allowing Finished to be repeated in clear
>> text allows for a DOS attack on the server. The spec changed to ignore
>> handshake packets after Finished is received once. That closes the DOS
>> issue, but it opens the "ACK of Finished" issue.
>> >
>> > Other than running multiple timers as I suggested, you could also
>> > force the server to respond to cleartext packets with a repeat of its
>> > ACK.  It doesn't even have to look at what it received, it just plays
>> > out the last ACK.  That's what we do in our DTLS 1.3 implementation.
>> > It works.  The trick there is that once you have an ACK for the ACKs
>> > that acknowledge the handshake you stop the special behaviour.
>> >
>> That was actually the first solution I thought off. That works too, but
>> there are two downsides. First, you get a "twitch trigger" -- send an
>> handshake packet, get the server to send an ACK. Not a very big deal,
>> but slightly annoying. Second, it relies not only on implementing ACK of
>> ACK, but also on triggering a special behavior for the ACK of the ACK of
>> the last handshake packet. Many implementations do ACK of ACK
>> management, but grafting a special case in that path is a bit tricky.
>> That was my thought process before proposing a simple one byte
>> "handshake complete" frame. The special frame is easier to integrate in
>> the receive processing.
>> -- Christian Huitema