IETF Logo Mail Archive

Re: [TLS] Gaps in specification of DTLS 1.3 state machine

Hanno Becker <Hanno.Becker@arm.com> Thu, 05 March 2020 07:00 UTC

Return-Path: <Hanno.Becker@arm.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DC6C23A0E96 for <tls@ietfa.amsl.com>; Wed, 4 Mar 2020 23:00:23 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.898
X-Spam-Level:
X-Spam-Status: No, score=-1.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=armh.onmicrosoft.com header.b=8bXo7W1p; dkim=pass (1024-bit key) header.d=armh.onmicrosoft.com header.b=8bXo7W1p
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id J_sdNPHcuQk3 for <tls@ietfa.amsl.com>; Wed, 4 Mar 2020 23:00:20 -0800 (PST)
Received: from EUR04-VI1-obe.outbound.protection.outlook.com (mail-eopbgr80047.outbound.protection.outlook.com [40.107.8.47]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 35FC73A0807 for <tls@ietf.org>; Wed, 4 Mar 2020 23:00:20 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=armh.onmicrosoft.com; s=selector2-armh-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=WUGk9XvoCZiFEohEsKXWsVm+3hs0c2uU6XvjJC2etBI=; b=8bXo7W1pAP0h3TjamzouQgShUf9exUhCqtQvFlkjrFKr0H4lw2DbjkKn2gRUEadmyPcisITfGBbykLKgx30BtweYksDd564Djd4hQOTGcYq9ZB8I1w+94dDUuzGefYUpKGqPN26j3/eMB1zjVLOvsdGIlDDbuJYkTYekpHP+wVA=
Received: from AM6PR08CA0001.eurprd08.prod.outlook.com (2603:10a6:20b:b2::13) by VI1PR0802MB2317.eurprd08.prod.outlook.com (2603:10a6:800:9a::14) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2772.18; Thu, 5 Mar 2020 07:00:17 +0000
Received: from AM5EUR03FT022.eop-EUR03.prod.protection.outlook.com (2603:10a6:20b:b2:cafe::7d) by AM6PR08CA0001.outlook.office365.com (2603:10a6:20b:b2::13) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2793.14 via Frontend Transport; Thu, 5 Mar 2020 07:00:17 +0000
Authentication-Results: spf=pass (sender IP is 63.35.35.123) smtp.mailfrom=arm.com; ietf.org; dkim=pass (signature was verified) header.d=armh.onmicrosoft.com;ietf.org; dmarc=bestguesspass action=none header.from=arm.com;
Received-SPF: Pass (protection.outlook.com: domain of arm.com designates 63.35.35.123 as permitted sender) receiver=protection.outlook.com; client-ip=63.35.35.123; helo=64aa7808-outbound-1.mta.getcheckrecipient.com;
Received: from 64aa7808-outbound-1.mta.getcheckrecipient.com (63.35.35.123) by AM5EUR03FT022.mail.protection.outlook.com (10.152.16.79) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2793.11 via Frontend Transport; Thu, 5 Mar 2020 07:00:16 +0000
Received: ("Tessian outbound efdea641ed36:v42"); Thu, 05 Mar 2020 07:00:16 +0000
X-CheckRecipientChecked: true
X-CR-MTA-CID: 055070564c4cd132
X-CR-MTA-TID: 64aa7808
Received: from 806c1479d53d.1 by 64aa7808-outbound-1.mta.getcheckrecipient.com id B7BDB1B8-9CE5-4E55-A06B-F8FC0AC0CFEA.1; Thu, 05 Mar 2020 07:00:11 +0000
Received: from EUR04-VI1-obe.outbound.protection.outlook.com by 64aa7808-outbound-1.mta.getcheckrecipient.com with ESMTPS id 806c1479d53d.1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384); Thu, 05 Mar 2020 07:00:11 +0000
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=fLzB/ZYe/121re/NE/AtgYNY+PZ8NbuH/B4W/+PoyjdIlB3KVZ0xbnqAqSk6xHriwWhBRPr7vcKJDCGnGzwGS6v/DCSsCfyrL2qhLKV3pEliIQryvGg2CmBa1BshVmRqMgvwZd2HgBTTPcKASzRsSH3YErF/8WqrYdcWZnAZiqA/EuIZeT3GupkmaSF4CUPT4dGVbpP4+TiFZBBLbak88ZicBDC4FZqqQlLfQimipLvveL0/CymnJrRow3y6euI2HF+9ASd2x5YBdsGR2XVLB7Ap177bO4Ciq+0Y0xEXIZwRooX/X3rvakI3+wRYzQ2FUsrNHQEL69EL+PsHR0vpvg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck;bh=WUGk9XvoCZiFEohEsKXWsVm+3hs0c2uU6XvjJC2etBI=; b=AMsmkhyPRSEsFfkcsBB1dA+ZEOFZqC9eW2HaRoQDcWT4jAnGRJFJ1g5PQAuZheweVcN2Aa0eNS3xBcyURPDdNPC9Dr95OPnjbc10C5lYX3Q7xPH/LCMmN7siWx6cJMzzKz7mpLpSQwfptu29sUfVZQUqAK9QnKmUtWbCia0DB5CMU9dxQ5K8AM+pRMU+1daskMSMK4Rlv0Pdyn350sd4Yt1ufvaYOLBE2+ksgWx6AGTA9jF9jQqHwuP7ZPTulJVElRudEJb02wr9RFatKGgpg1nd0fxS/qFAe1ibHgRVRXBwS2sXn3lZ0vvLvgpJ/Tgo5esBSxP9qIxrHecEIDOt8Q==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=arm.com; dmarc=pass action=none header.from=arm.com; dkim=pass header.d=arm.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=armh.onmicrosoft.com; s=selector2-armh-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=WUGk9XvoCZiFEohEsKXWsVm+3hs0c2uU6XvjJC2etBI=; b=8bXo7W1pAP0h3TjamzouQgShUf9exUhCqtQvFlkjrFKr0H4lw2DbjkKn2gRUEadmyPcisITfGBbykLKgx30BtweYksDd564Djd4hQOTGcYq9ZB8I1w+94dDUuzGefYUpKGqPN26j3/eMB1zjVLOvsdGIlDDbuJYkTYekpHP+wVA=
Received: from AM6PR08MB3318.eurprd08.prod.outlook.com (52.135.163.143) by AM6PR08MB5128.eurprd08.prod.outlook.com (10.255.120.147) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2772.18; Thu, 5 Mar 2020 07:00:09 +0000
Received: from AM6PR08MB3318.eurprd08.prod.outlook.com ([fe80::cc7b:fca1:7ea2:9c61]) by AM6PR08MB3318.eurprd08.prod.outlook.com ([fe80::cc7b:fca1:7ea2:9c61%6]) with mapi id 15.20.2772.019; Thu, 5 Mar 2020 07:00:09 +0000
From: Hanno Becker <Hanno.Becker@arm.com>
To: Martin Thomson <mt@lowentropy.net>, "tls@ietf.org" <tls@ietf.org>
Thread-Topic: [TLS] Gaps in specification of DTLS 1.3 state machine
Thread-Index: AQHV8i/kjOxEBgrL9k2vj+OAIfvymqg5FgqAgABtZ84=
Date: Thu, 05 Mar 2020 07:00:08 +0000
Message-ID: <AM6PR08MB33182017F0D9EA53A8B247DF9BE20@AM6PR08MB3318.eurprd08.prod.outlook.com>
References: <AM6PR08MB331811E58E80173B1D74D8349B1C0@AM6PR08MB3318.eurprd08.prod.outlook.com>, <0287f75a-015e-49eb-a052-cf7a53f03035@www.fastmail.com>
In-Reply-To: <0287f75a-015e-49eb-a052-cf7a53f03035@www.fastmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Authentication-Results-Original: spf=none (sender IP is ) smtp.mailfrom=Hanno.Becker@arm.com;
x-originating-ip: [2a00:23c5:ee06:1300:863a:4bff:fe0f:dc60]
x-ms-publictraffictype: Email
X-MS-Office365-Filtering-HT: Tenant
X-MS-Office365-Filtering-Correlation-Id: d1a2d5e0-e043-4c70-d98c-08d7c0d2dc4a
X-MS-TrafficTypeDiagnostic: AM6PR08MB5128:|VI1PR0802MB2317:
X-Microsoft-Antispam-PRVS: <VI1PR0802MB2317280604E2C83F360C7C9F9BE20@VI1PR0802MB2317.eurprd08.prod.outlook.com>
x-checkrecipientrouted: true
nodisclaimer: true
x-ms-oob-tlc-oobclassifiers: OLM:10000;OLM:10000;
x-forefront-prvs: 03333C607F
X-Forefront-Antispam-Report-Untrusted: SFV:NSPM; SFS:(10009020)(4636009)(376002)(346002)(366004)(136003)(396003)(39860400002)(189003)(199004)(5660300002)(2906002)(86362001)(64756008)(66946007)(19627405001)(52536014)(66446008)(66476007)(966005)(66556008)(71200400001)(55016002)(9686003)(316002)(7696005)(76116006)(478600001)(8936002)(53546011)(6506007)(8676002)(110136005)(81156014)(33656002)(81166006)(186003); DIR:OUT; SFP:1101; SCL:1; SRVR:AM6PR08MB5128; H:AM6PR08MB3318.eurprd08.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; MX:1; A:1;
received-spf: None (protection.outlook.com: arm.com does not designate permitted sender hosts)
X-MS-Exchange-SenderADCheck: 1
X-Microsoft-Antispam-Untrusted: BCL:0;
X-Microsoft-Antispam-Message-Info-Original: ZbsyW0QtvZ+MVFDdYI/DUcGd44hDIRKn+CWys3ohuowMgW8IW6rXS3X8Y79qfDyqJB75W2gWfK0XyOLA5MPoxwAmA4FIFfKtvvo5eKpzhpRXNwVUzTr4Ol3zwvVeNLLXPYpFVO+8FcnBVuTH93NrvUGJZzMuZAtfGa3ETrIYxB9UxdD/UOTV8WjsTqkkxBKrB/G5Uul+JbBGOCecv6RXf8izq5RPyeJtOgo/nvssfXF3+xZmjefcvpYo0npyFKom31LPcTDmA/YiuEDo0mUpQTlZzsMgDf+VfzaaoZmsonlALgygx2+Zlvh30Ht6DPZNF3+1WygXsjy5+IV9qaKkx+4T0OoXaWe5xaeckMERwmMYmEEEGlt9MU09HhHBWRjhvOIuekKZkthbGvIqZSBj8cAT9W9SiINTJrTSr2m/3NYZQSVvmpC7/P7blMmbQMZTge+8W+GyC8JcmdisBU0FNvAzUbWVl3extfsMnanfNJU/Z7ugEqDvksyoYpmBiaNuFUs7A7tzJZpomAB/OnkVXg==
x-ms-exchange-antispam-messagedata: FPY+fRk7I5zFNGWEsZQzflkUm+P1cl666EAzUqvAFFlrafbNmPpZ9IFEbM97cfGovKZJg8Xu3SutBao1+ryKqFOTEE0EFfFweBaubukjH4NCoBgUxD3yNZxlXXMmc7cZlJo3yCGKxOatWYWLeZqLoJ5ooCDcyjBOlfcpsydwalcgGTe9zr8fU5iTsg7nuoz/PeQG7jzJ6WUmcwkd8xPVQg==
x-ms-exchange-transport-forked: True
Content-Type: multipart/alternative; boundary="_000_AM6PR08MB33182017F0D9EA53A8B247DF9BE20AM6PR08MB3318eurp_"
MIME-Version: 1.0
X-MS-Exchange-Transport-CrossTenantHeadersStamped: AM6PR08MB5128
Original-Authentication-Results: spf=none (sender IP is ) smtp.mailfrom=Hanno.Becker@arm.com;
X-EOPAttributedMessage: 0
X-MS-Exchange-Transport-CrossTenantHeadersStripped: AM5EUR03FT022.eop-EUR03.prod.protection.outlook.com
X-Forefront-Antispam-Report: CIP:63.35.35.123; IPV:CAL; SCL:-1; CTRY:IE; EFV:NLI; SFV:NSPM; SFS:(10009020)(4636009)(39860400002)(376002)(136003)(346002)(396003)(189003)(199004)(33656002)(26826003)(70206006)(30864003)(70586007)(86362001)(2906002)(26005)(36906005)(316002)(52536014)(8676002)(19627405001)(81156014)(186003)(356004)(8936002)(81166006)(5660300002)(110136005)(7696005)(966005)(55016002)(478600001)(6506007)(53546011)(9686003)(336012); DIR:OUT; SFP:1101; SCL:1; SRVR:VI1PR0802MB2317; H:64aa7808-outbound-1.mta.getcheckrecipient.com; FPR:; SPF:Pass; LANG:en; PTR:ec2-63-35-35-123.eu-west-1.compute.amazonaws.com; MX:1; A:1;
X-MS-Office365-Filtering-Correlation-Id-Prvs: 6f2ae01a-0be4-4c93-10fd-08d7c0d2d7a9
X-Forefront-PRVS: 03333C607F
X-Microsoft-Antispam: BCL:0;
X-Microsoft-Antispam-Message-Info: JI54P9fHlfWaGzeoRf6//xeV13lw6biSrSazj29XYakvqYtAAyaw8bMxqIBrtVBzxzAa5MXn/Pl9kLrord67fZJUwMhtuN1CY7Hf26j/LlOWwZxNZoAw8rLGvNWDcZFQm2hSe4tloAuGpAEbjetnAH7Wh7AHQgL8Ajy85KEpD4AezSH5kJFNSupEhKU5Jo7d8VEeJGG6Zzgel1NBm1YRwbJpDMlex4bP7GugTnRNN/QJo1MDccSdgVpVz8trjZ3r8+HCTr2Uz9CikTTHVtrRi6MQLVWjW9CmHCbr81WrywbygKexTgh2Y5n7bOyDffgPE8XBszTvS2JezV0SNh5ArbgBD/QiG6sf9dP9lvwDkbmFE04OQHbi3dKcMh8JS503km82yk6UUqvspSmqTAwEcFRzw14VFx8CsniKjt/qrZF8d+NmXjvLpXEc9xnOiBYFnGaRISyYZ1wGJrfEt7yGAcNduZvBL5O0+yZua7uSPpm0BA8MwLY1RmVKoh4BU1BfvMNqJcbdXpyFn3y/9/t5/A==
X-OriginatorOrg: arm.com
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 05 Mar 2020 07:00:16.6991 (UTC)
X-MS-Exchange-CrossTenant-Network-Message-Id: d1a2d5e0-e043-4c70-d98c-08d7c0d2dc4a
X-MS-Exchange-CrossTenant-Id: f34e5979-57d9-4aaa-ad4d-b122a662184d
X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=f34e5979-57d9-4aaa-ad4d-b122a662184d; Ip=[63.35.35.123]; Helo=[64aa7808-outbound-1.mta.getcheckrecipient.com]
X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem
X-MS-Exchange-Transport-CrossTenantHeadersStamped: VI1PR0802MB2317
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/NNRU0pw7yJsVw10TLlPvg00g1qc>
Subject: Re: [TLS] Gaps in specification of DTLS 1.3 state machine
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 05 Mar 2020 07:00:24 -0000

Thanks Martin for your thoughts.

>  It's unavoidable in any case.  If you generate your own post-handshake message and
> then have to respond to post-handshake authentication, there will be two concurrent
> exchanges.

Yes that's an instance of the second question b) which the post didn't further go into.

I'm not yet convinced that this situation unavoidably creates the need for duplicating state machines, though, and think that if possible we should avoid it for the sake of implementation simplicity.

Moreover, even if it is acceptable that state machines should be duplicated, it isn't clear (to me) how to logically separate them because they're all tied together by the use of the same global handshake sequence number. This creates non-trivial ambiguities like the following:

Imagine after the handshake the server requests post-handshake authentication while, simultaneously, the client initiates a key update. When the server receives the KeyUpdate, it assumes from the handshake sequence number that it is the reply to his CertificateRequest, and only when inspecting the type of the handshake message it'll notice the mismatch. Usually, a type mismatch would be treated as a protocol violation and lead to failure of the connection, while here, we'd need the server to drop the message or notice that it should fork a new state machine.

Note that this problem already exists, albeit in less prominent form, in DTLS 1.2, where both sides may simultaneously trigger a renegotiation.

Thinking about it, it seems that the way to make this work is to segregate the part of the retransmission state machine which establishes in-order delivery via handshake sequence numbers, and to have the duplicated contexts one level higher. When a handshake message comes in, it would be trial-fed into all existing contexts, either until one of them accepts it after checking type and content, or potentially leading to the forking of a new context.

However, this asynchronous nature of handling multiple post-handshake messages is in conflict with the serialized nature of the handshake transcript used e.g. in the CertificateVerify message:

Imagine a post-handshake client authentication to happen interwoven with another post-handshake message from client to server. When the client writes the CertificateVerify, that would require the transcript of the entire handshake up until the CertificateVerify message. Assuming this should include all post-handshake messages, not just those belonging to the client authentication, this may lead to the situation where the server receives a CertificateVerify message with a transcript it cannot validate because it hasn't yet received all other authentication-independent post-handshake messages that went into the transcript.

Maybe I'm overcomplicating things, but as it stands it seems to me that the above are serious issues to be further discussed and clarified even if we accept state machine duplication.

Happy to hear your thoughts.

Cheers,
Hanno
________________________________
From: TLS <tls-bounces@ietf.org> on behalf of Martin Thomson <mt@lowentropy.net>
Sent: Wednesday, March 4, 2020 11:32 PM
To: tls@ietf.org <tls@ietf.org>
Subject: Re: [TLS] Gaps in specification of DTLS 1.3 state machine

Option A please.  Multiple state machines.

It's unavoidable in any case.  If you generate your own post-handshake message and then have to respond to post-handshake authentication, there will be two concurrent exchanges.  We already require acknowledgment for both request and response in a two-way exchange.  Since 2 is a member of the third class of numbers (0, 1, ∞), we might as well deal with the full implications of that.

Handling this is fairly simple though.  We can recommend limiting to only one active transmission at a time.  And if implementations have an especially low tolerance for concurrency they can close connections.

On Thu, Mar 5, 2020, at 01:19, Hanno Becker wrote:
>  Hi,
>
> [TL;DR]
> The DTLS 1.3 spec (draft 34) doesn't fully describe the retransmission state
> machine in the case of post-handshake messages, which requires clarification.
> For example, is it allowed to send multiple post-handshake messages without
> waiting for ACKs for the previous ones? If so, how is the retransmission
> state machine modeled for sender and receiver in this case?
> I'll describe and assess a few possible options, but I don't know the best
> answer, and so this post is mostly a request for discussion, hopefully
> resulting in some common understanding and clarification of the spec.
>
> Details:
>
> The following cases need addressing:
> a) Is it allowed to send multiple post-handshake messages (e.g.,
> multiple session
>  tickets) without waiting for ACKs for the previous ones? If so, how is
> the
>  retransmission state machine modeled for sender and receiver in this
> case?
> b) How should simultaneous sending/receiving of post-handshake messages
> be handled?
>  The current retransmission state machine doesn't allow sending and
> receiving
>  at the same time.
>
> Some thoughts on a) first:
>
> The spec mentions that post-handshake messages are treated as
> single-message flights.
> As such, the sender would enter WAITING state after sending the
> post-handshake message,
> and move to FINISHED on receipt of the corresponding ACK. This,
> however, forbids sending
> another post-handshake message in between, since sending isn't allowed
> in WAITING state.
>
> Option A: Fork state machine
>
> One could circumvent this by 'forking' the retransmission state machine
> for post-handshake
> messages, i.e. declaring their semantics as if there were multiple
> independent state machines
> for each outstanding post-handshake message. This essentially degrades
> the DTLS' ACK scheme
> to a per-message acknowledgement.
>
> I believe that such an approach is not in the spirit of the rest of the
> protocol and moreover
> significantly increases complexity and thereby comes at the danger of
> slower adoption and/or bugs.
> Moreover, it will significantly harden efforts for formal verification,
> which should be considered
> in light of previous efforts on TLS 1.3.
>
> Option B: Don't allow multiple post-handshake messages
>
> Forcing implementations to await an ACK before sending the next
> post-handshake message is a theoretical
> option which would allow to stick to the existing state machine.
> However, this significantly increases
> the latency of, say, the delivery of multiple session tickets, which is
> a valid use case. This is therefore
> not a convincing option, either.
>
> Option C: Merge consecutive post-handshake messages into a single flight.
>
> Another approach would be to treat multiple post-handshake messages as
> a single flight on the sender.
> That is, when the sender is in state WAITING after sending the first
> post-handshake message, and the
> user request to send another one, it moves into SENDING and then back
> into WAITING as usual, appending
> the new post-handshake message to the (so-far single-message) flight.
>
> How would that be handled on the receiver side?
>
> That's not entirely clear because a basic property of the TLS handshake
> that DTLS leverages now no longer
> holds: Namely, that both sides implicitly know and agree on the bounds
> of flights. Here, multiple post-
> handshake messages would be treated as a single flight on the sender,
> but the receiver doesn't know
> when the flight is over. How should this be handled?
>
> This is to be explored further. One way to address this would be the following:
>
> Option D: Add an 'end-of-flight' signal to handshake messages to allow
> dynamic-length flights.
>
> Recall that the handshake logic must inform the retransmission state
> machine about when a flight
> is over in the main handshake, allowing the state machine to transition
> accordingly. This signal,
> however, isn't explicitly conveyed to the receiver, because the
> receiver can figure it out for
> himself.
>
> As mentioned, this isn't true anymore for batched post-handshake messages.
>
> One simple way to deal with is to add an explicit 'end-of-flight' bit
> in the handshake header
> which informs the receiver about when a flight is over, in those
> situations where it's not
> clear from the context.
>
> This would allow to keep a single retransmission state-machine as-is
> while allowing for
> batched post-handshake messages such as multiple session tickets.
> Moreover, such a signal
> would be trivial to implement because it's already implicit in the main
> handshake.
>
> For the wire-format, we can discuss different options, but that's an
> orthogonal question
> to the issue of finding the correct conceptual approach.
>
>
>
> Happy to hear everyone's thoughts. It would be great if we could come
> up with some
> precise description of the state machine evolution for post-handshake
> messages that
> is both simple and supports batched post-handshake messages.
>
> Best,
> Hanno
>  IMPORTANT NOTICE: The contents of this email and any attachments are
> confidential and may also be privileged. If you are not the intended
> recipient, please notify the sender immediately and do not disclose the
> contents to any other person, use it for any purpose, or store or copy
> the information in any medium. Thank you.
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
>

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.

v2.23.0 | Report a Bug | By Email