@@ -1465,37 +1465,48 @@ to 0xFFFF.
14651465# ## ACK Frames and Packet Protection
14661466
14671467ACK frames that acknowledge protected packets MUST be carried in a packet that
1468- has an equivalent level of packet protection. Functionally, this means :
1468+ has an equivalent level of packet protection.
14691469
1470- * Unprotected packets, such as those that carry the initial cryptographic
1471- handshake messages, can be acknowledged in unprotected packets. This has
1472- several consequences :
1473-
1474- * Acknowledgments for packets containing cryptographic handshake messages
1475- SHOULD be included in packets carrying the next cryptographic handshake
1476- message. For instance, a server can acknowledge a TLS ClientHello in the
1477- packet that carries the TLS ServerHello; similarly, a client can acknowledge
1478- a TLS HelloRetryRequest in the packet containing a second TLS ClientHello.
1479-
1480- * The initial set of server handshake messages, which could span multiple
1481- packets, SHOULD be acknowledged in unprotected packets even if the client
1482- uses 0-RTT keys to protect other packets that are sent at the same time. A
1483- server might decide to reject and ignore 0-RTT data, making it unable to use
1484- any acknowledgments that are protected with 0-RTT keys.
1485-
1486- * Packets that a client sends with 0-RTT packet protection MUST be acknowledged
1487- by the server in packets protected by 1-RTT keys. This can mean that the
1488- client is unable to use these acknowledgments if the server cryptographic
1489- handshake messages are delayed or lost. However, the same limitation applies
1490- to other data sent by the server protected by the 1-RTT keys.
1491-
1492- * Packets that are protected with 1-RTT keys MUST be acknowledged in packets
1493- that are also protected with 1-RTT keys.
1470+ Packets that are protected with 1-RTT keys MUST be acknowledged in packets that
1471+ are also protected with 1-RTT keys.
14941472
14951473A packet that is not protected and claims to acknowledge a packet number that
14961474was sent with packet protection is not valid. An unprotected packet that
14971475carries acknowledgments for protected packets MUST be discarded in its entirety.
14981476
1477+ Packets that a client sends with 0-RTT packet protection MUST be acknowledged by
1478+ the server in packets protected by 1-RTT keys. This can mean that the client is
1479+ unable to use these acknowledgments if the server cryptographic handshake
1480+ messages are delayed or lost. Note that the same limitation applies to other
1481+ data sent by the server protected by the 1-RTT keys.
1482+
1483+ Unprotected packets, such as those that carry the initial cryptographic
1484+ handshake messages, MAY be acknowledged in unprotected packets. Unprotected
1485+ packets are vulnerable to falsification or modification. Unprotected packets
1486+ can be acknowledged along with protected packets in cases where the peer has
1487+ packet protection keys.
1488+
1489+ An endpoint SHOULD acknowledge packets containing cryptographic handshake
1490+ messages in the next unprotected packet that is sends, unless it is able to
1491+ acknowledge those packets in later packets. Those later packets might be
1492+ protected by 1-RTT keys. At the completion of the cryptographic handshake, both
1493+ peers send unprotected packets containing cryptographic handshake messages
1494+ followed by packets protected by 1-RTT keys. An endpoint can acknowledge the
1495+ unprotected packets in a protected packet, because the peer has access to 1-RTT
1496+ packet protection keys.
1497+
1498+ For instance, a server acknowledges a TLS ClientHello in the packet that carries
1499+ the TLS ServerHello; similarly, a client can acknowledge a TLS HelloRetryRequest
1500+ in the packet containing a second TLS ClientHello. The complete set of server
1501+ handshake messages (TLS ServerHello through to Finished) might be acknowledged
1502+ by a client in protected packets, because it is certain that the server is able
1503+ to decipher the packet.
1504+
1505+ It is critical to use unprotected packets to acknowledge packets containing
1506+ cryptographic handshake messages from a server, even if the client has access to
1507+ 0-RTT keys. A server could decide to reject and ignore 0-RTT data, making any
1508+ acknowledgments that are protected with 0-RTT keys unusable.
1509+
14991510
15001511# # WINDOW_UPDATE Frame {#frame-window-update}
15011512
0 commit comments