From 7798ac352bd06075f53163868474c0d36e44bc20 Mon Sep 17 00:00:00 2001 From: Kazuho Oku Date: Tue, 4 Jul 2023 12:14:34 +0900 Subject: [PATCH 1/3] nonce size must be at least 12 bytes, nonce calculation uses lower 32-bit of CID seqnum, rewrite rollover requirement --- draft-ietf-quic-multipath.md | 19 ++++++++++++------- 1 file changed, 12 insertions(+), 7 deletions(-) diff --git a/draft-ietf-quic-multipath.md b/draft-ietf-quic-multipath.md index de8dc40e..a0c03944 100644 --- a/draft-ietf-quic-multipath.md +++ b/draft-ietf-quic-multipath.md 
@@ -622,24 +622,29 @@ the packet number alone would not guarantee the uniqueness of the nonce. In order to guarantee the uniqueness of the nonce, the nonce N is calculated by combining the packet protection IV with the packet number -and with the Destination Connection ID sequence number. +and with the least significant 32 bits of the Destination Connection ID +sequence number. {{Section 19 of QUIC-TRANSPORT}} encodes the Connection ID Sequence Number as a variable-length integer, allowing values up to 2^62-1; in this specification, a range of less than 2^32-1 values MUST be used before updating the packet protection key. -To calculate the nonce, a 96 bit path-and-packet-number is composed of -the 32 bit Connection ID Sequence Number in byte order, two zero bits, -and the 62 bits of the reconstructed QUIC packet number in network byte order. -If the IV is larger than 96 bits, the path-and-packet-number is -left-padded with zeros to the size of the IV. The exclusive OR -of the padded packet number and the IV forms the AEAD nonce. +To calculate the nonce, a 96 bit path-and-packet-number is composed of the least +significant 32 bits of the Connection ID Sequence Number in network byte order, +two zero bits, and the 62 bits of the reconstructed QUIC packet number in +network byte order. If the IV is larger than 96 bits, the path-and-packet-number +is left-padded with zeros to the size of the IV. The exclusive OR of the padded +packet number and the IV forms the AEAD nonce. For example, assuming the IV value is `6b26114b9cba2b63a9e8dd4f`, the Connection ID Sequence Number is `3`, and the packet number is `aead`, the nonce will be set to `6b2611489cba2b63a9e873e2`. +Due to the way the nonce is constructed, cipher suites with nonce size below 12 +bytes MUST NOT be used. Also, endpoints MUST NOT use more than 2^32 Connection +IDs without a key update. + ## Key Update {#multipath-key-update} The Key Phase bit update process for QUIC version 1 is specified in 
From 2f39f02fb324efce534b5cd63b4fd3f98ec57989 Mon Sep 17 00:00:00 2001 From: Kazuho Oku Date: Tue, 4 Jul 2023 14:10:47 +0900 Subject: [PATCH 2/3] specify the action to be taken when AEAD nonce size is below 12 --- draft-ietf-quic-multipath.md | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/draft-ietf-quic-multipath.md b/draft-ietf-quic-multipath.md index a0c03944..8db8a935 100644 --- a/draft-ietf-quic-multipath.md +++ b/draft-ietf-quic-multipath.md @@ -262,6 +262,11 @@ The transport parameter "active_connection_id_limit" {{QUIC-TRANSPORT}} limits the number of usable Connection IDs, and also limits the number of concurrent paths. +Cipher suites with nonce size below 12 bytes cannot be used together with +the multipath extension. If such cipher suite is selected and the use of the +multipath extension is negotiated, endpoints MUST abort the handshake with a +TRANSPORT_PARAMETER error. + # Path Setup and Removal {#setup} @@ -641,9 +646,8 @@ For example, assuming the IV value is `6b26114b9cba2b63a9e8dd4f`, the Connection ID Sequence Number is `3`, and the packet number is `aead`, the nonce will be set to `6b2611489cba2b63a9e873e2`. -Due to the way the nonce is constructed, cipher suites with nonce size below 12 -bytes MUST NOT be used. Also, endpoints MUST NOT use more than 2^32 Connection -IDs without a key update. +Due to the way the nonce is constructed, endpoints MUST NOT use more than 2^32 +Connection IDs without a key update. ## Key Update {#multipath-key-update} From 1d56ce1b7bd0e0bf1e941a5d05f04ff3d79de811 Mon Sep 17 00:00:00 2001 From: Kazuho Oku Date: Tue, 4 Jul 2023 14:12:23 +0900 Subject: [PATCH 3/3] s/size below/shorter than/ --- draft-ietf-quic-multipath.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/draft-ietf-quic-multipath.md b/draft-ietf-quic-multipath.md index 8db8a935..ca453d28 100644 --- a/draft-ietf-quic-multipath.md +++ b/draft-ietf-quic-multipath.md 
@@ -262,7 +262,7 @@ The transport parameter "active_connection_id_limit" {{QUIC-TRANSPORT}} limits the number of usable Connection IDs, and also limits the number of concurrent paths. -Cipher suites with nonce size below 12 bytes cannot be used together with +Cipher suites with nonce shorter than 12 bytes cannot be used together with the multipath extension. If such cipher suite is selected and the use of the multipath extension is negotiated, endpoints MUST abort the handshake with a TRANSPORT_PARAMETER error.
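Review bot: In PATCH 1/3, the hunk at -622,24 leaves two different normative limits on Connection ID sequence numbers side by side. The unchanged context says "a range of less than 2^32-1 values MUST be used before updating the packet protection key", while the added closing paragraph says endpoints "MUST NOT use more than 2^32 Connection IDs without a key update". Since only the least significant 32 bits of the sequence number enter the nonce, one bound should be chosen and stated once, with the other sentence reworded or dropped. In the same hunk, the rewritten paragraph still ends with "The exclusive OR of the padded packet number and the IV", although the value being padded is the path-and-packet-number; using that term would match the sentence before it.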
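Review bot: In PATCH 2/3, the hunk at -262,6 names the error as "TRANSPORT_PARAMETER error", but the error code defined in QUIC-TRANSPORT is TRANSPORT_PARAMETER_ERROR. Suggest writing "MUST abort the handshake with a connection error of type TRANSPORT_PARAMETER_ERROR" so that the name matches the registered code exactly.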
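Review bot: In PATCH 2/3, the hunk at -641,9 removes the only mention of the minimum nonce length from the nonce calculation section, which is where the 96 bit path-and-packet-number that motivates the limit is defined. A one-sentence pointer from this section to the handshake requirement added at -262,6 would keep the rule and its reason connected for a reader who starts from the nonce construction.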
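Review bot: In PATCH 3/3, the replacement line "Cipher suites with nonce shorter than 12 bytes" is missing an article or plural; "with a nonce shorter than 12 bytes" or "with nonces shorter than 12 bytes" reads correctly. The following context line has the same problem in "If such cipher suite is selected" and could become "If such a cipher suite is selected" in this same wording commit.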