New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Relax age out text #172
Relax age out text #172
Conversation
draft-ietf-tls-dtls13.md
Outdated
age out the epoch 1 keys upon receiving the first epoch 2 record | ||
and SHOULD NOT accept epoch 1 data after the first epoch 3 record | ||
prevents in TLS. Servers SHOULD NOT accept epoch 1 data after the first epoch 3 record | ||
is received. (See {{dtls-epoch}} for the definitions of each epoch.) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
So the original advise was too strong, but I think that this is still too strong.
Early data has been accepted, the risk exists. Being tolerant of packet ordering is a good practice. I don't see why this couldn't just be:
Servers SHOULD NOT accept records from epoch 1 indefinitely once they are able to process records from epoch 3. Though reordering of IP packets can result in records from epoch 1 arriving after records from epoch 3, this is not likely to persist for very long relative to the round trip time. Servers could discard epoch 1 data that arrives after the first epoch 3 data, or retain the ability to process epoch 1 data for a short period.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I don't see the purpose here as trying to limit damage. The complete handshake retrospectively blesses the 0-RTT data I believe. I see the purpose as just "age out keys fast". But I think your text is fine too. @chris-wood ?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes, the goal is to encourage people not to keep 0-RTT keys too long, because they might not have PCS. The replay risk is essentially a non-issue, except to the extent that it might already have been replayed.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@martinthomson's suggested text seems in line with how QUIC deals with this reordering issue, so I'd vote to take his suggestion.
draft-ietf-tls-dtls13.md
Outdated
age out the epoch 1 keys upon receiving the first epoch 2 record | ||
and SHOULD NOT accept epoch 1 data after the first epoch 3 record | ||
prevents in TLS. Servers SHOULD NOT accept epoch 1 data after the first epoch 3 record | ||
is received. (See {{dtls-epoch}} for the definitions of each epoch.) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@martinthomson's suggested text seems in line with how QUIC deals with this reordering issue, so I'd vote to take his suggestion.
Co-authored-by: Christopher Wood <caw@heapingbits.net>
For my understanding: what is the harm of keeping the 0-RTT keys around till the end of the handshake? |
"Yes, the goal is to encourage people not to keep 0-RTT keys too long, because they might not have PCS. The replay risk is essentially a non-issue, except to the extent that it might already have been replayed." |
You don't want to age out before you get epoch 3 because otherwise you might be dropping when you have handshake packets.