Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Clarify crypto context for Connection Close #1818

Merged
merged 3 commits into from
Oct 21, 2018
Merged

Clarify crypto context for Connection Close #1818

merged 3 commits into from
Oct 21, 2018

Conversation

martinduke
Copy link
Contributor

Partially resolves #1786.

@MikeBishop
Copy link
Contributor

Seems reasonable.

kazuho
kazuho reviewed Oct 2, 2018
View reviewed changes
draft-ietf-quic-transport.md Outdated Show resolved Hide resolved
@martinduke
Addressed Kazuho's issue
ccbaf4c 
changing criteria for sending 1-RTT connection close.
@mikkelfj
Copy link
Contributor

mikkelfj commented Oct 5, 2018

Is this sufficient? The peer might ignore handshake level packets when ACK'ing 1-RTT.

@martinduke
Copy link
Contributor Author

@mikkelfj It shouldn't. If it decrypts the packet, it MUST tear it down. Worst case, it's already tossed the keys, which seems a bit premature in this context. But we could suggest sending in both contexts.

@kazuho
Copy link
Member

kazuho commented Oct 6, 2018

@mikkelfj I think what the PR says is sufficient, because it an endpoint is expected to hold the Handshake key for 3 RTO after all transmission using the key has been complete. Quoting from Section 4.9 of the TLS draft:

After all CRYPTO frames for a given encryption level have been sent and all expected CRYPTO frames received, and all the corresponding acknowledgments have been received or sent, an endpoint starts a timer. For 0-RTT keys, which do not carry CRYPTO frames, this timer starts when the first packets protected with 1-RTT are sent or received. To limit the effect of packet loss around a change in keys, endpoints MUST retain packet protection keys for that encryption level for at least three times the current Retransmission Timeout (RTO) interval as defined in [QUIC-RECOVERY]. Retaining keys for this interval allows packets containing CRYPTO or ACK frames at that encryption level to be sent if packets are determined to be lost or new packets require acknowledgment.

martinthomson added a commit that referenced this pull request Oct 19, 2018
@martinthomson
I decided to reword this after reading it. It missed a few key things.
552e087 
I think that the second piece to #1786, which was to make allowances for
fatal errors arising from Initial packets won't be necessary.  I'm happy
to see a PR, of course, but the sentiment I've heard expressed is that
it is very hard to manage this, and the spec wouldn't expressly prevent
someone from trying to build a system that was resilient to
maliciously-crafted Initial packets, but we wouldn't take steps in this
document to deal with that.  As previously agreed, if you are attacked
and the attacker was able to modify Initial packets, then they can deny
you the ability to connect.

Closes #1818, #1786.
@martinthomson martinthomson mentioned this pull request Oct 19, 2018
Merged
@martinthomson martinthomson merged commit 4230867 into quicwg:master Oct 21, 2018
martinthomson added a commit that referenced this pull request Oct 21, 2018
@martinthomson
I decided to reword this after reading it. It missed a few key things.
9138fd9 
I think that the second piece to #1786, which was to make allowances for
fatal errors arising from Initial packets won't be necessary.  I'm happy
to see a PR, of course, but the sentiment I've heard expressed is that
it is very hard to manage this, and the spec wouldn't expressly prevent
someone from trying to build a system that was resilient to
maliciously-crafted Initial packets, but we wouldn't take steps in this
document to deal with that.  As previously agreed, if you are attacked
and the attacker was able to modify Initial packets, then they can deny
you the ability to connect.

Closes #1818, #1786.
martinthomson added a commit that referenced this pull request Oct 21, 2018
@martinthomson
Remove #1818 changes as duplicates
8c2aaa3
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@kazuho kazuho kazuho left review comments

@ianswett ianswett ianswett left review comments

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Add Advice and Rules for CONN_CLOSE in Initial and Handshake
6 participants
@martinduke @MikeBishop @mikkelfj @kazuho @ianswett @martinthomson