Skip to content

Commit ef61357

Browse files
martinthomsonmartinthomson
committed
Jana's review comments
1 parent 4ccdbe8 commit ef61357

File tree

2 files changed

+37
-34
lines changed

2 files changed

+37
-34
lines changed

draft-ietf-quic-tls.md

Lines changed: 4 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -1141,8 +1141,10 @@ stream 0, the packet number that the server selects, and any opportunity to
11411141
measure round trip time.
11421142

11431143
A server MUST send a TLS HelloRetryRequest in a Server Stateless Retry packet.
1144-
Using a Server Stateless Retry packet causes the client to reset stream offsets
1145-
and avoids the need to commit to an initial packet number.
1144+
Using a Server Stateless Retry packet causes the client to reset stream offsets.
1145+
It also avoids the need for the server select an initial packet number, which
1146+
would need to be remembered so that subsequent packets could be correctly
1147+
numbered.
11461148

11471149
A HelloRetryRequest message MUST NOT be split between multiple Server Stateless
11481150
Retry packets. This means that HelloRetryRequest is subject to the same size

draft-ietf-quic-transport.md

Lines changed: 33 additions & 32 deletions
Original file line numberDiff line numberDiff line change
@@ -516,13 +516,13 @@ A Version Negotiation packet has a type octet of 0x81 and is sent only by
516516
servers. The Version Negotiation packet is a response to a client packet that
517517
contains a version that is not supported by the server.
518518

519-
The connection ID field contains a connection ID that the client should use for
520-
subsequent packets, see {{connection-id}}.
519+
The connection ID field contains a server-selected connection ID that the client
520+
MUST use for subsequent packets, see {{connection-id}}.
521521

522-
The packet number and version fields contain the values from the client packet
523-
that triggered the Version Negotiation packet. This allows clients some
524-
assurance that the server received the packet and that the Version Negotiation
525-
packet does not contain a spoofed source address.
522+
The packet number and version fields echo corresponding values from the
523+
triggering client packet. This allows clients some assurance that the server
524+
received the packet and that the Version Negotiation packet was not carried in a
525+
packet with a spoofed source address.
526526

527527
The payload of the Version Negotiation packet is a list of 32-bit versions which
528528
the server supports, as shown below.
@@ -550,14 +550,7 @@ process.
550550

551551
Cleartext packets are sent during the handshake prior to key negotiation.
552552

553-
Cleartext packets all contain the current QUIC version in the version field.
554-
555-
The packet number is randomized for the Client Initial packet
556-
({{packet-client-initial}} and the first Server Cleartext packet
557-
({{packet-server-cleartext}}). It increases by one for each packet sent
558-
thereafter, see {{packet-numbers}} for details. The Server Stateless Retry
559-
packet ({{packet-server-stateless}}) contains the packet number of the packet
560-
that it is responding to.
553+
All cleartext packets contain the current QUIC version in the version field.
561554

562555
The payload of cleartext packets also includes an integrity check, which is
563556
described in {{QUIC-TLS}}.
@@ -574,13 +567,14 @@ selected values. The randomized packet number is incremented for each
574567
subsequent packet (see {{packet-numbers}}).
575568

576569
The payload of a Client Initial packet consists of a STREAM frame (or frames)
577-
for stream 0 containing a cryptographic handshake message, plus PADDING frames
578-
that increase the size of the packet to a minimum size (see {{packetization}}).
570+
for stream 0 containing a cryptographic handshake message, plus any PADDING
571+
frames necessary to ensure that the packet is at least the minimum size (see
572+
{{packetization}}).
579573

580574
The client uses the Client Initial Packet type for any packet that contains an
581575
initial cryptographic handshake message. This includes all cases where a new
582576
packet containing the initial cryptographic message needs to be created, either
583-
in response to a Version Negotiation packet, in response to a stateless retry
577+
in response to a Version Negotiation packet, or in response to a stateless retry
584578
({{packet-server-stateless}}).
585579

586580

@@ -593,8 +587,8 @@ that wishes to perform a stateless retry (see {{stateless-retry}}).
593587
The connection ID field in a Server Stateless Retry packet contains a server
594588
selected value, see {{connection-id}}.
595589

596-
The packet number contains the packet number from the packet that caused it to
597-
be sent. This allows a client to verify that the server received its packet.
590+
The packet number field echoes the packet number of the triggering client
591+
packet. This allows a client to verify that the server received its packet.
598592

599593
After receiving a Server Stateless Retry packet, the next cryptographic
600594
handshake message MUST be sent by the client on stream 0 at an offset of 0. The
@@ -605,21 +599,24 @@ connection is reset. Continuing the cryptographic handshake is necessary to
605599
ensure that an attacker cannot force a downgrade of any cryptographic
606600
parameters.
607601

602+
The payload of the Server Stateless Retry packet contains STREAM frames and
603+
could contain PADDING and ACK frames.
604+
608605
The client constructs a new Client Cleartext packet
609606
({{packet-client-cleartext}}) for subsequent cryptographic handshake messages.
610607

611-
The payload of this packet contains STREAM frames and could contain PADDING and
612-
ACK frames.
613-
614608

615609
### Client Cleartext Packet {#packet-client-cleartext}
616610

617611
A Client Cleartext packet has a type octet of 0x84 and is sent when the client
618612
has received a packet from the server, which will be either a Server Cleartext
619613
packet or a Version Negotiation packet.
620614

621-
The connection ID field in a Client Cleartext packet contains a connection ID
622-
that was selected by the server (see {{connection-id}}).
615+
The connection ID field in a Client Cleartext packet contains a server-selected
616+
connection ID, see {{connection-id}}.
617+
618+
The packet number field is incremented for each Client Cleartext packet sent,
619+
see {{packet-numbers}}.
623620

624621
The payload of this packet contains STREAM frames and could contain PADDING and
625622
ACK frames. If this packet is sent in response to a Version Negotiation
@@ -636,16 +633,20 @@ acknowledgments and cryptographic handshake messages from the server.
636633
The connection ID field in a Server Cleartext packet contains a connection ID
637634
that is chosen by the server (see {{connection-id}}).
638635

636+
The first Server Cleartext packet contains a randomized packet number. This
637+
value is increased for each subsequent packet as described in
638+
{{packet-numbers}}.
639+
639640
The payload of this packet contains STREAM frames and could contain PADDING and
640641
ACK frames.
641642

642643

643644
## Encrypted Packets {#packet-encrypted}
644645

645-
Packets that are protected with 0-RTT packets are sent with long headers.
646-
Packets that are protected with 1-RTT keys MAY be sent with long headers. The
647-
different packet types explicitly indicate the encryption level and therefore
648-
the keys that are used to remove packet protection.
646+
Packets that are protected with 0-RTT keys are sent with long headers. Packets
647+
that are protected with 1-RTT keys MAY be sent with long headers. The different
648+
packet types explicitly indicate the encryption level and therefore the keys
649+
that are used to remove packet protection.
649650

650651
Packets protected with 0-RTT keys use a type octet of 0x85. The connection ID
651652
field for a 0-RTT packet is selected by the client, unless the client has
@@ -656,7 +657,7 @@ it uses for 0-RTT packets.
656657

657658
Packets protected with 1-RTT keys use a type octet of 0x86 for key phase 0 and
658659
0x87 for key phase 1; see {{QUIC-TLS}} for more details on the use of key
659-
phases. The connection ID field for these packet types contains the value
660+
phases. The connection ID field for these packet types MUST contain the value
660661
selected by the server, see {{connection-id}}.
661662

662663
The version field for encrypted packets is the current QUIC version.
@@ -1198,8 +1199,8 @@ based on the value of the supported_versions list.
11981199

11991200
## Stateless Retries {#stateless-retry}
12001201

1201-
A server can process a the initial cryptographic handshake messages from a
1202-
client without committing any state. This allows a server to perform address
1202+
A server can process an initial cryptographic handshake messages from a client
1203+
without committing any state. This allows a server to perform address
12031204
validation ({{address-validation}}, or to defer connection establishment costs.
12041205

12051206
In order to ensure consistent state regarding stream offsets and packet numbers,
@@ -1216,7 +1217,7 @@ remember a randomized initial packet number: the Server Stateless Retry packet
12161217
includes a copy of the packet number from the client packet.
12171218

12181219
A server MUST NOT send multiple Server Stateless Retry packets in response to a
1219-
client handshake packet. Thus, any cryptographic handshake message that is used
1220+
client handshake packet. Thus, any cryptographic handshake message that is sent
12201221
MUST fit within a single packet.
12211222

12221223
In TLS, the Server Stateless Retry packet type is used to carry the

0 commit comments

Comments
 (0)