New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Remove initial packet number randomization #850
Comments
After some discussion at the Singapore Hackathon: The reason why #693 solves this, is because the client-chosen connection ID is used for the AEAD. This also applies in the case where the server directly replies with a Cleartext and uses a server-chosen connection ID. |
On whether initial packet number should be 0 or 1, with the new packet number encoding, we end up needing only 62 bis for the packet number, which means you can use a signed int for representing it and < 0 as a sentinel value. I'll be ok with either 0 or 1 as the initial value. |
Q on this. Should we allow using other initial packet numbers to make sure middleboxes don't assume all handshake packets are <20 or some magic number? Admittedly, the type byte is a lot more useful than packet number to identify handshake packets, but it's worth considering. Besides that, I'm greatly in favor of this and would like it to land ASAP. |
This changes the key schedule so that connection ID is part of the key derivation. Secrets are generally unchanged, except that the handshake secret is now fixed (we integrate the connection ID via key derivation). Packet numbers now start from zero, with an additive masking value that is derived in the same way that packet protection keys are. Closes #1034, #850.
With the resolution of #693 we no longer need initial packet numbers to be randomized.
The text was updated successfully, but these errors were encountered: