Re: [tcpinc] Adam Roach's Yes on draft-ietf-tcpinc-tcpcrypt-09: (with COMMENT)

Adam Roach <> Fri, 17 November 2017 03:31 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id ADD11127866; Thu, 16 Nov 2017 19:31:31 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.88
X-Spam-Status: No, score=-1.88 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, T_SPF_HELO_PERMERROR=0.01, T_SPF_PERMERROR=0.01] autolearn=ham autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id YhM67HVuiRjW; Thu, 16 Nov 2017 19:31:30 -0800 (PST)
Received: from ( [IPv6:2001:470:d:1130::1]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 52E951275F4; Thu, 16 Nov 2017 19:31:30 -0800 (PST)
Received: from Orochi.local ([]) (authenticated bits=0) by (8.15.2/8.15.2) with ESMTPSA id vAH3VLii043275 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NO); Thu, 16 Nov 2017 21:31:25 -0600 (CST) (envelope-from
X-Authentication-Warning: Host [] claimed to be Orochi.local
To: Daniel B Giffin <>
Cc: The IESG <>,, Kyle Rose <>,,
References: <> <>
From: Adam Roach <>
Message-ID: <>
Date: Fri, 17 Nov 2017 11:31:20 +0800
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:52.0) Gecko/20100101 Thunderbird/52.4.0
MIME-Version: 1.0
In-Reply-To: <>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 7bit
Content-Language: en-US
Archived-At: <>
Subject: Re: [tcpinc] Adam Roach's Yes on draft-ietf-tcpinc-tcpcrypt-09: (with COMMENT)
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "Working group mailing list for TCP Increased Security \(tcpinc\)" <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 17 Nov 2017 03:31:32 -0000

On 11/17/17 11:17, Daniel B Giffin wrote:
> Is your concern that these two peers can get "stuck" in a
> state where they repeatedly fail a mutual attempt at
> resumption, thus forever falling back to no encryption?
> In the case of a hash-collision of resumption identifiers,
> it seems we don't get stuck because the active opener will
> advance to the next session secret on the next connection:
> 	When proposing resumption, the active opener MUST use the lowest value
> 	of `i` that has not already been used (successfully or not) to
> 	negotiate resumption with the same host and for the same pre-session
> 	key `ss[0]`.

Ah, you're right -- this will prevent issues with hash collisions. I 
suppose there's still a small chance of this situation arising due to 
implementation errors, but I suspect it's not worth decreasing the 
incidence of resumption to account for those.