Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If we're making a normative change, I'd argue for SHOULD
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
MAY or SHOULD abort if detects, but no requirement that it attempt to detect seems like a reasonable compromise.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
MAY SGTM
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I don't object to this particular decision, but I would have assumed that you could always abort a connection whenever the peer violates a MUST. No?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes, that is generally true, and this makes it more explicit without adding any requirement on the server.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Well, we can't stop them in the "no protocol police" sense, but we certainly can have a MUST-level rule that forbids it.
Why?
My general point is that text should do work. And if there is already a general rule permitting to you to error on MUST violations then why does this text need to be there? And working backward from that one might infer that no such rule exists.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
My argument for why here is because this PN reuse can be a security issue.
That said, you're right that it's not as principled as I would like it to be; there also isn't such a general rule, and you make a good point that it might be useful to have a general rule.
Given that we don't have such a rule at the moment, I would be happy to take this text in and evaluate this with other MAYs in the general sense if there's enough interest to do it. Would you mind filing a separate issue for this?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I like Jana's suggestion. Can we take this PR and create another issue?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I disagree with this statement. There's only a security issue if the client resets the 0-RTT packet number space, but the server wouldn't be able to detect that, since it wouldn't even bother to unprotect 0-RTT packets. So the only violation that can be detected here is the reuse of packet numbers in the Initial packet number space. Since the Initial keys are publicly known anyway, this can't be a security issue.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Generally speaking, detecting MUST violations for Handshake and ApplicationData packets, after decrypting them, is fine because it will always be about a misbehaving peer, and because we do not (yet) have existing implementations that do not follow the MUSTs.
However, using information that is not protected by AEAD is going to be dangerous, as it is a potential attack vector. For unprotected data (incl. Initial packets), a reader should not assume that a MUST on the sender side implies a "MAY detect" on the receiver side. As can be seen on the issue, we discussed if we might or might not want to have a MAY here, knowing that we have a MUST on the sender side.
To summarize, I tend to believe that having an explicit MAY here makes sense.