How long is Initial

[ekr]

the TLS draft says:

QUIC requires that the first Initial packet from a client contain an entire
cryptographic handshake message, which for TLS is the ClientHello.  Though a
packet larger than 1200 bytes might be supported by the path, a client improves
the likelihood that a packet is accepted if it ensures that the first
ClientHello message is small enough to stay within this limit.

This clearly implies that you can have an Initial > 1200 bytes.

However, transport S 7.1 says

   Clients MUST pad UDP datagrams that contain only Initial packets to
   1200 bytes.  Once a client has received an acknowledgment for a
   Handshake packet it MAY send smaller datagrams.  Sending padded
   datagrams ensures that the server is not overly constrained by the
   amplification restriction.

But you can't pad to 1200 bytes if you are over 1200 bytes. so which one is it?

[mikkelfj]

Clients MUST pad UDP datagrams that contain only Initial packets to
ensure the size is at least 1200 bytes.

It is a bit vague if this includes AEAD tag or not. I assume it includes tag since this is the definition of QUIC packet size.

[ekr]

Well the text doesn't say "at least". It says "to". so are we talking about negative padding?

[mikkelfj]

It was my suggestion to clarify the text. Not negative padding, merely 0 padding if necessary. I think that is quite normal.

[martinthomson]

What it is is that the ClientHello needs to fit into a 1200 byte packet. That's a requirement on the cryptographic handshake.

It is also the case that a packet of less than 1200 bytes needs to be padded.

So we add "at least" and we're done, I think.

[ekr]

What it is is that the ClientHello needs to fit into a 1200 byte packet. That's a requirement on the cryptographic handshake.

I'm still confused, because here you're saying it has to fit in 1200 bytes, but the text above says it has to fit into a packet which implies that you could go to (say) 1600 bytes and have IP fragmentation. So which is it?

[martinthomson]

packet = QUIC packet unless specifically qualified.

This doesn't say anything about IP fragmentation.

[ekr]

I agree. So my point is that this text says it's legal to have your Initial packet by 2048 bytes long, because that fits in a QUIC packet. But your message above says that that's not OK.

[martinthomson]

An Initial packet can be 2048 bytes long. The 1200 byte cap is on the cryptographic handshake protocol and the FIRST Initial packet. (Yikes, this is starting to confuse me.)

[ekr]

Hmm... I looked and tried to find that restriction on either of these and couldn't find it. Maybe I'm just missing it though?

[martinthomson]

You will observe that the first text you quote says "first" and the second does not. Is that too subtle?

[ekr]

Maybe I just need to read this more closely, but here's how I read this text.

1. The first Initial MUST fit within a single QUIC packet.
2. Subsequent Initials may span multiple QUIC packets.
3. The first initial MUST be of a certain minimum size (1200)
4. We advise you to make the first initial no more than 1200.

However, I don't see where in the text we say that the first initial may not be arbitrary sized (within the limits of IP packets). Do you agree with this, or am I missing something.

[martinthomson]

Yes, we don't explicitly say that the first Initial has to be a single packet (or even a single IP packet, which is probably best).

[mikkelfj]

The first initial MUST be of a certain minimum size (1200)

I don't think that is the case. I believe the first UDP packet payload including coalesced packets must be at least 1200. It is one of the arguments for having coalesced packets, but not the primary one. But this is from memory of discussions, not concrete text.