Re: [TLS] Record-level ACKs in DTLS 1.3
Hanno Becker <Hanno.Becker@arm.com> Wed, 04 March 2020 10:53 UTC
Return-Path: <Hanno.Becker@arm.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 89F113A0C2E for <tls@ietfa.amsl.com>; Wed, 4 Mar 2020 02:53:20 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.898
X-Spam-Level:
X-Spam-Status: No, score=-1.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=armh.onmicrosoft.com header.b=N9YnoPPo; dkim=pass (1024-bit key) header.d=armh.onmicrosoft.com header.b=N9YnoPPo
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id a5wzC7BzZMpC for <tls@ietfa.amsl.com>; Wed, 4 Mar 2020 02:53:17 -0800 (PST)
Received: from EUR04-VI1-obe.outbound.protection.outlook.com (mail-eopbgr80053.outbound.protection.outlook.com [40.107.8.53]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B1EC23A0C2B for <tls@ietf.org>; Wed, 4 Mar 2020 02:53:16 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=armh.onmicrosoft.com; s=selector2-armh-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=lJgD1FiBLGxzCwAXicIGkkY9U1VJj+/TKQkW8lcCJh4=; b=N9YnoPPoRVMBD+ozmeFiJc6YdTTJLgeM/vAXyxDE5Bk6Qq4rCrS842fY5gNp5ffR+iHf7ndWVNGTm+hHgHtR1A/GFzAKgiEknn7SR8L116etBObpfF/306HY/8WiYudJ8eqWP6sVlRj1/QGOhAksjOgnha9fpfA5G+G4X8Z6qnw=
Received: from VI1PR08CA0146.eurprd08.prod.outlook.com (2603:10a6:800:d5::24) by DB8PR08MB4138.eurprd08.prod.outlook.com (2603:10a6:10:a4::22) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2772.19; Wed, 4 Mar 2020 10:53:13 +0000
Received: from VE1EUR03FT005.eop-EUR03.prod.protection.outlook.com (2a01:111:f400:7e09::209) by VI1PR08CA0146.outlook.office365.com (2603:10a6:800:d5::24) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2772.15 via Frontend Transport; Wed, 4 Mar 2020 10:53:13 +0000
Authentication-Results: spf=pass (sender IP is 63.35.35.123) smtp.mailfrom=arm.com; ietf.org; dkim=pass (signature was verified) header.d=armh.onmicrosoft.com;ietf.org; dmarc=bestguesspass action=none header.from=arm.com;
Received-SPF: Pass (protection.outlook.com: domain of arm.com designates 63.35.35.123 as permitted sender) receiver=protection.outlook.com; client-ip=63.35.35.123; helo=64aa7808-outbound-1.mta.getcheckrecipient.com;
Received: from 64aa7808-outbound-1.mta.getcheckrecipient.com (63.35.35.123) by VE1EUR03FT005.mail.protection.outlook.com (10.152.18.172) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2793.11 via Frontend Transport; Wed, 4 Mar 2020 10:53:12 +0000
Received: ("Tessian outbound 62d9cfe08e54:v42"); Wed, 04 Mar 2020 10:53:12 +0000
X-CheckRecipientChecked: true
X-CR-MTA-CID: de913ac27a62ef57
X-CR-MTA-TID: 64aa7808
Received: from a718b21001ac.1 by 64aa7808-outbound-1.mta.getcheckrecipient.com id C0270ECF-66DF-401F-8D0A-D03A89C8833D.1; Wed, 04 Mar 2020 10:53:07 +0000
Received: from EUR02-VE1-obe.outbound.protection.outlook.com by 64aa7808-outbound-1.mta.getcheckrecipient.com with ESMTPS id a718b21001ac.1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384); Wed, 04 Mar 2020 10:53:07 +0000
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=GdUD6axztYQ0hQlDy6AeEtAmOieUjHrhZflFlAId089yd+u5tKVtq9bPEYH7UZA3evTb8Z0b0lqu0krHjSJqqUSegvwdrc0xnuUUaKwC0K6g4bEug3DprxdHDQB3ItJzqqDGzAc3l6qh0l+AiltxNbtKlzy9qSfMBpu/gCysfbSyMSrN3uYd3A1HqL5VIjmFGF28kE+KpUuf8BbM6Hp8YzdmS/QNm/VB5LXrrN1LLJYOUorwREXwwLhx69sC5j0dNc1yeTMGPq5C9ZXrjPzMrbToCnXOypYOaxl3NLX199H7LdlYFtVmQ6vQlK6O5jD5A5b78nRIL9Vxz1tb0gMkCw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck;bh=lJgD1FiBLGxzCwAXicIGkkY9U1VJj+/TKQkW8lcCJh4=; b=KAWzeb8spyDRUekIPoSfMT1UmHELni42bRlMNlK+N7Fn0BQynnbFj4gh0IfR+nf3iLf9ZoeNX/fHzTxSvIRk5Z96HIKbi/tsNVkX4rIuf6pXn7iByHubkBNpW7VRDPLG6B5ORhVxUCvdznlEDj28JwqGDVjj2niBuwENtXXCMGCj/Mb5ECNt1RpLwjkmQv5k1OAHkPyU/n6SC+M84fnkhRgc1B14KVTyjUhbTZvYf6A52gfVQyZayZ7xwdWTDMwhIUPG0B4Af0LO6kqMFOI42IeliskYdfmNQN6Yc0jTVn8Uur8DDVrh8kP94QBv4SH/Kt2lT1uoGpyUYOyW8V0tNg==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=arm.com; dmarc=pass action=none header.from=arm.com; dkim=pass header.d=arm.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=armh.onmicrosoft.com; s=selector2-armh-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=lJgD1FiBLGxzCwAXicIGkkY9U1VJj+/TKQkW8lcCJh4=; b=N9YnoPPoRVMBD+ozmeFiJc6YdTTJLgeM/vAXyxDE5Bk6Qq4rCrS842fY5gNp5ffR+iHf7ndWVNGTm+hHgHtR1A/GFzAKgiEknn7SR8L116etBObpfF/306HY/8WiYudJ8eqWP6sVlRj1/QGOhAksjOgnha9fpfA5G+G4X8Z6qnw=
Received: from AM6PR08MB3318.eurprd08.prod.outlook.com (52.135.163.143) by AM6PR08MB4753.eurprd08.prod.outlook.com (10.255.98.144) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2772.16; Wed, 4 Mar 2020 10:53:05 +0000
Received: from AM6PR08MB3318.eurprd08.prod.outlook.com ([fe80::cc7b:fca1:7ea2:9c61]) by AM6PR08MB3318.eurprd08.prod.outlook.com ([fe80::cc7b:fca1:7ea2:9c61%6]) with mapi id 15.20.2772.019; Wed, 4 Mar 2020 10:53:05 +0000
From: Hanno Becker <Hanno.Becker@arm.com>
To: Eric Rescorla <ekr@rtfm.com>
CC: "tls@ietf.org" <tls@ietf.org>
Thread-Topic: [TLS] Record-level ACKs in DTLS 1.3
Thread-Index: AQHV7ix8mXje6TWNu0+lhHSpDYxOZKgwrrWAgAeP3L8=
Date: Wed, 04 Mar 2020 10:53:05 +0000
Message-ID: <AM6PR08MB3318B0F99E60EE48B6DC34449BE50@AM6PR08MB3318.eurprd08.prod.outlook.com>
References: <AM6PR08MB3318E5A347314EB509AC91759BE80@AM6PR08MB3318.eurprd08.prod.outlook.com>, <CABcZeBNZ4SZzdAs64a4H3g8ato=-zTJv=0ACgCLDcAn5gnSOkQ@mail.gmail.com>
In-Reply-To: <CABcZeBNZ4SZzdAs64a4H3g8ato=-zTJv=0ACgCLDcAn5gnSOkQ@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Authentication-Results-Original: spf=none (sender IP is ) smtp.mailfrom=Hanno.Becker@arm.com;
x-originating-ip: [217.140.106.49]
x-ms-publictraffictype: Email
X-MS-Office365-Filtering-HT: Tenant
X-MS-Office365-Filtering-Correlation-Id: 6faf95d1-7a1a-4efc-8305-08d7c02a3c38
X-MS-TrafficTypeDiagnostic: AM6PR08MB4753:|DB8PR08MB4138:
X-Microsoft-Antispam-PRVS: <DB8PR08MB4138E77405082DE7D8DE10D09BE50@DB8PR08MB4138.eurprd08.prod.outlook.com>
x-checkrecipientrouted: true
nodisclaimer: true
x-ms-oob-tlc-oobclassifiers: OLM:10000;OLM:10000;
x-forefront-prvs: 0332AACBC3
X-Forefront-Antispam-Report-Untrusted: SFV:NSPM; SFS:(10009020)(4636009)(39860400002)(396003)(376002)(136003)(366004)(346002)(199004)(189003)(4326008)(33656002)(478600001)(86362001)(52536014)(7696005)(2906002)(6506007)(8936002)(55016002)(8676002)(81166006)(5660300002)(26005)(9686003)(81156014)(66476007)(76116006)(6916009)(186003)(19627405001)(66446008)(64756008)(53546011)(316002)(66946007)(66556008)(71200400001); DIR:OUT; SFP:1101; SCL:1; SRVR:AM6PR08MB4753; H:AM6PR08MB3318.eurprd08.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; A:1; MX:1;
received-spf: None (protection.outlook.com: arm.com does not designate permitted sender hosts)
X-MS-Exchange-SenderADCheck: 1
X-Microsoft-Antispam-Untrusted: BCL:0;
X-Microsoft-Antispam-Message-Info-Original: sabIppgnA6zhV/spGp6k37BGhu2apHn2XMbwa6gA2LNYYNoQNRvyxwejTcvWTqZMEXBoyxm9bCELyDITcCIQbHNiIoN9TBrhbEVWqH4vtasqL7iLTSsa34dnI/zKUxK8Dzhnr1S8XqjxIi58MPOeu//d6jk8nHh4I0ibXTC8AVUHFkznyOKRDeJ+PVdhghfAvo7NQZ1K/KP0hXnkASBoRNttR000EK9LdWefEU65zNbvEjyj3MTkInYF6zvMKX+uOqBznfl/2wRI8dTlHU+JT95OAZqMiL3JCnVtzPQ5HETmJ1IIxaeH/MYHkiY5jOr7tA9m8tOsIS7abUmTxQjyLHAOowP+eTop2qdUXoTp0XHW3u0VpgIAMR1xCtq0OTxahdZfeT1pNQE4EI4PppBtJCMfuS0swsdFopQr8Od0kW1XO2vWt73bmCXI3iqOMXB+
x-ms-exchange-antispam-messagedata: UQIuP7JnrCLdebmlqrto0ARZAlP2xHS1Yv1z6SCFaGeCu+a9FttjukO8lYGkigVGbR1mQBA/Wn1klZsMsrVOz8uJ8lPZPAKUFHIkzbvXLJoYWGwLaPzJVYEDEVZAATgd0+ZiFw3V589EKVe4ZBBgnA==
x-ms-exchange-transport-forked: True
Content-Type: multipart/alternative; boundary="_000_AM6PR08MB3318B0F99E60EE48B6DC34449BE50AM6PR08MB3318eurp_"
MIME-Version: 1.0
X-MS-Exchange-Transport-CrossTenantHeadersStamped: AM6PR08MB4753
Original-Authentication-Results: spf=none (sender IP is ) smtp.mailfrom=Hanno.Becker@arm.com;
X-EOPAttributedMessage: 0
X-MS-Exchange-Transport-CrossTenantHeadersStripped: VE1EUR03FT005.eop-EUR03.prod.protection.outlook.com
X-Forefront-Antispam-Report: CIP:63.35.35.123; IPV:CAL; SCL:-1; CTRY:IE; EFV:NLI; SFV:NSPM; SFS:(10009020)(4636009)(396003)(376002)(39860400002)(136003)(346002)(199004)(189003)(7696005)(4326008)(26005)(6862004)(6506007)(316002)(186003)(33656002)(9686003)(53546011)(19627405001)(33964004)(36906005)(5660300002)(8676002)(356004)(81166006)(8936002)(70206006)(70586007)(2906002)(81156014)(30864003)(55016002)(86362001)(26826003)(52536014)(478600001)(336012)(579004); DIR:OUT; SFP:1101; SCL:1; SRVR:DB8PR08MB4138; H:64aa7808-outbound-1.mta.getcheckrecipient.com; FPR:; SPF:Pass; LANG:en; PTR:ec2-63-35-35-123.eu-west-1.compute.amazonaws.com; A:1; MX:1;
X-MS-Office365-Filtering-Correlation-Id-Prvs: 6d71adfb-2b44-4300-1f1b-08d7c02a37ac
X-Forefront-PRVS: 0332AACBC3
X-Microsoft-Antispam: BCL:0;
X-Microsoft-Antispam-Message-Info: Oa+vUlMmIwVFSSs+Ky1lcdW9PanLDpOkkhrvtrY4dFUu22LoSmdgG06wt9PQQyLi8p4d4KjoP4NU8j0Y2A28OIyGcvb1u72GDno/0M18JDrLeUHDEejEpSAo62TLtFEgkRjnwNnUDugMif/ZLCIwBLewX5X5qkR5dIfJCWcW0my2eSL+32RqEflSy05LaUX5rZhxaqDi8+FBIahCQm96aWnQIBWYHw9ZEE9eK7eYsKLtae7T2xji/PHiNRTVc9+d+c1NwqI/wk5+LSHuA6pCc78rzluL+dfLI/zrZeFDfCpxMoayp5O6h6rZloqSjcREYqVoVU4NFNuZ4nEuLas64l4Yktc+QxDviTLqBeMAOSJH/inBfJYfwkXv1ftlj0b8u4MrnKgyol0vFN0WYEtg7GiZzdQqE7PV2IOfQCveapf6b3F5uhXxQBF3e3Okrv9k
X-OriginatorOrg: arm.com
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 04 Mar 2020 10:53:12.6289 (UTC)
X-MS-Exchange-CrossTenant-Network-Message-Id: 6faf95d1-7a1a-4efc-8305-08d7c02a3c38
X-MS-Exchange-CrossTenant-Id: f34e5979-57d9-4aaa-ad4d-b122a662184d
X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=f34e5979-57d9-4aaa-ad4d-b122a662184d; Ip=[63.35.35.123]; Helo=[64aa7808-outbound-1.mta.getcheckrecipient.com]
X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DB8PR08MB4138
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/9WuhwHngyJGEs8XiG42vE_p0qNs>
Subject: Re: [TLS] Record-level ACKs in DTLS 1.3
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 04 Mar 2020 10:53:21 -0000
Hi Ekr,
thanks for your prompt reply.
> Thanks for your note. I don't think your proposal will be an
> improvement. It destroys information which could otherwise be used for
> improve round-trip and loss estimation (cf. the difference between
> QUIC and TCP ACKs).
What information is destroyed that was there before? You can still
use handshake metadata in place of record sequence numbers and
do the same analysis as before.
Also, with QUIC and TCP, we're mainly talking about throughput optimization
at the application stage, where DTLS doesn't ACK anyway.
> Second, it prevents the receiver from saying
> some non-sensical things like acknowledging part of a received packet.
> It's of course true that the current design allows you to ACK
>non-received packets, but that's much more straightforward to detect.
I don't think this is actually a complication: In both cases you
have a list of messages you've sent which are tagged somehow -- either
by a record sequence number or handshake metadata which at this point
can be treated opaque -- and if you receive an ACK for a non-existent
tag, you ignore it or fail, whatever the policy.
Beyond that, I consider the more fine-grained ACKing at the handshake
level a benefit, because it allows to acknowledge parts of records
containing multiple handshake messages only some of which could be
processed. Example:
+---------------------------------+
| Seq No 1 |---------------> Received
| Fragment 0..a |
+---------------------------------+
+---------------------------------+ lost
| Seq No 1 |----------x
| Fragment a+1..b |
+---------------------------------+
+-----------------+----------+
| Seq No 1 | Seq no 2 |-------------------> Received
| Fragment b+1..N | complete |
+-----------------+----------+
If this happens with an implementation which only supports contiguous
reassembly (I think GnuTLS does it this way, or at least used to), it
will drop the second fragment, but the second message might still be
buffered and hence ACK'ed. With record-level ACKs, such fine-grained
ACKing isn't possible, and HS Seq No 2 will need to be resent even
though it has been received.
> I don't think your proposal will be an improvement.
I uphold this: ACKing at the handshake level does not lead to complications
while (a) easing memory efficient implementations for IoT devices and
(b) increasing conceptual clarity by avoiding the current semantic ambiguity
of record level ACK with dependency on implementation-specific handshake
level details like buffering and reassembly strategy.
> Yes, I agree that you need to only ACK data which you have processed.
> I would be happy to take a PR to clarify this point.
It's actually a MUST only, not a need only, which is an important point
because it means that ACKing can _not_ be implemented as an automatic
mechanism at the record layer.
I'll file a PR once the discussion has concluded.
Best,
Hanno
________________________________
From: Eric Rescorla <ekr@rtfm.com>
Sent: Friday, February 28, 2020 2:44 PM
To: Hanno Becker <Hanno.Becker@arm.com>
Cc: tls@ietf.org <tls@ietf.org>
Subject: Re: [TLS] Record-level ACKs in DTLS 1.3
Hanno,
Thanks for your note. I don't think your proposal will be an
improvement. It destroys information which could otherwise be used for
improve round-trip and loss estimation (cf. the difference between
QUIC and TCP ACKs). Second, it prevents the receiver from saying
some non-sensical things like acknowledging part of a received packet.
It's of course true that the current design allows you to ACK
non-received packets, but that's much more straightforward to
detect.
I agree that the current design requires keeping somewhat more
state during the period when no ACKs have been received. However,
your proposal actually requires retaining a similar data structure
once they have been received.
Some detailed comments below.
> Hi,
>
> TL;DR
> This is all about various aspects of how ACKs work in DTLS 1.3:
> - The DTLS 1.3 specification requires clarification regarding
> when ACKs should be sent.
> - Record-level ACKs make efficient implementations for IoT
> devices harder. I argue that handshake-level ACKs reduce
> implementation complexity and allow for optimized
> implementations.
>
> Details:
> To illustrate, consider the following flight exchange, where the
> second and third message in the second flight get reordered:
>
> Client Server
> +----------+
> | Seq No 1 |--------------------------> Received
> | Rec No a |
> +----------+
> +---------------+
> Received <------------------------| Seq No 1 |
> | Rec No b |
> +---------------+
> +---------------+
> +-------------| Seq No 2 |
> | | Rec No c |
> | +---------------+
> |
> | +---------------+
> Received <------------------------| Seq No 3 |
> | | Rec No d |
> | +---------------+
> +-----------+ |
> | ACK |------------------------->
> | RecNo ??? | |
> +-----------+ |
> |
> |
> |
> Received <----------+
>
> The specification recommends that the client SHOULD send an ACK
> when it receives out-of-order handshake message - here message (3,d)
> while awaiting (2,c). However:
>
> Question:
> Which records does the client acknowledge in the ACK?
>
> This is in fact implementation-dependent:
> The client must only acknowledge record (3,d) if it has buffered it.
> Implementations which don't implement out of order buffering of handshake
> messages (to save RAM and ROM) must not acknowledge messages that weren't
> buffered. The reason is that otherwise the server is mislead in which messages
> need resending and which don't.
>
> Conclusion 1:
> If ACKs must only be sent for records which contain handshake messages
> which were actually fed into the flight buffering / reassembly module
> of the implementation, the specification should clearly say so.
> I consider this point to be prone to misinterpretation, potentially
> leading to incompatible implementations, because ACKs acknowledge
> receipt at record granularity, and yet they must be sent only under
> some assumptions on how their content was processed.
Yes, I agree that you need to only ACK data which you have processed.
I would be happy to take a PR to clarify this point.
> As I understand, the simplest implementation of the retransmission state
> machine using record-level ACKs works by buffering copies of records sent
> in a flight and retransmits those that don't get acknowledged. The record
> sequence numbers of the original and retransmitted records are internally
> associated with the opaque record content, so that ACKs for both the original
> and the retransmitted records can be recognized.
>
> In this approach, the record contents are opaque to the sender's retransmission
> state machine, which simplifies the implementation. However, it has major drawbacks:
>
> (1) It requires buffering the entire flight, which incurs high memory
> overhead that can be significant on constrained devices.
>
> Implementations should be allowed to not buffer handshake
> messages but re-generate them on the fly through a callback whenever
> retransmission is needed.
Note that many handshake messages cannot be re-generated without extensive
caching (for instance, ServerHello). However, as long as the messages
are generated consistently (a requirement in any case), then you in
fact need-not buffer them in memory; you merely keep the record -> offset
mappings as an edit list.
> Two examples:
> - Consider the Certificate message: The raw certificate
> (chain) must reside in RAM/ROM already, and the Certificate message
> could easily be re-regenerated from that. Buffering handshake messages
> instead creates significant and unnecessary overhead.
>
> - This is of increasing importance with the advent of post-quantum
> cryptography, which comes with significantly larger key material.
>
> (2) It doesn't allow switching the MTU for retransmission.
>
> Once the MTU may change for retransmission, the sender cannot keep
> track anymore of a single set of record sequence numbers per message such
> that an ACK for any of them confirms receipt of the message.
>
> Of course, no implementation is strictly _forced_ to follow the above approach,
> but the current record-level ACKs design significantly hardens any other approach:
> For example, retransmission through callbacks or support for MTU switching
> requires maintaining the tuples (record seq nr, lists of handshake fragments)
> for all transmissions of the last flight. (Note that, in particular, just
> remembering the mapping for the last transmission isn't enough, since an
> acknowledgement for an earlier transmission might arrive late.)
Well, sort of. Nothing forbids duplicate transmission, so just remembering
the last transmission is mostly just inefficient.
> Conclusion 2:
> Handshake-level ACKs simplify the retransmission state machine
> for non-buffering implementations on constrained devices, while
> not hardening buffering implementations using record-level ACKs
> so far. I'm aware of the lateness of this proposal, but would be
> happy if the group would discuss and consider handshake-level ACKs
> instead of record-level ACKs.
As noted above, I do not believe we should make this change.
-Ekr
IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.
- [TLS] Record-level ACKs in DTLS 1.3 Hanno Becker
- Re: [TLS] Record-level ACKs in DTLS 1.3 Eric Rescorla
- Re: [TLS] Record-level ACKs in DTLS 1.3 Hanno Becker
- Re: [TLS] Record-level ACKs in DTLS 1.3 Eric Rescorla
- Re: [TLS] Record-level ACKs in DTLS 1.3 Hanno Becker
- Re: [TLS] Record-level ACKs in DTLS 1.3 Christopher Wood