Internet Engineering Task Force 104, 26 Mar 2019

Previous Meeting Next Meeting

⏯

youtube image

►

From YouTube: IETF104-QUIC-20190326-0900

Description

QUIC meeting session at IETF104
2019/03/26 0900

https://datatracker.ietf.org/meeting/104/proceedings/

A

B

Okay, everyone: this is quick good morning little cabal in the shut it down just shut it down, Acker shut it down.

B

If everyone yeah, but he's Joe your record, so if everyone could have a seat, this is quick. We have two hours today and two hours tomorrow, I believe think so yeah. So let's go ahead and get started.

B

First of all, this is the note well statement. You should be familiar with this, but if you're not you can find it by searching for IETF note well on your favorite internet search engine, including waste and gopher, and anything else, I guess these are the terms which we participate in this work under regarding intellectual property regarding your behavior regarding things like harassment, code of conduct. So if you're not familiar with these, please do take a look at them.

B

We do take them seriously and indeed we have an almost Budds team if you have any issues regarding people's conduct. So if you have any issues, please do talk to Lars or I or the other folks that are nominated for these roles.

B

Spacebar is broken. There we go. Administrivia blue sheets are going around. Thank you, Joe! No, we're trying to go! That's weird! Okay! We have scribes. Thank you very much. Patrick McManus, with a backup of Brian jabber relay Craig volunteered to relay whatever happens on jabber. Thank you so much and we are using the ether pad. That's linked from the minutes. Correct sorry from the agenda correct. Just if folks, we start having performance problems on that people who aren't actively editing disconnecting might be a good idea because the ether pad does tend to have some issues.

B

Once you get a certain number of people on there I'll. Let you two coordinate that in in the case that it becomes necessary. If that's all, right our agenda for today, I.

B

C

B

So we had the hack of thought on the weekend today. We'll have a quick report of what happened at the hackathon from Lars, and then we have one discussion from the editors about discarding old keys and then we'll go into. The focus for today is mostly on the recovery draft, so ian is going to go over, what's happening, the recovery draft and the relevant issues and we'll try and focus on that take advantage of the time we have here in Prague with the larger IT have to talk about that.

B

Since when we have our interim meetings, it's often the case that we don't have all the right people in the room. If we have time permitting after that, we're gonna have a quick discussion of quick connection migration and then on Wednesday. We go into issue discussion on transport, TLS and HTTP. Talk about our next steps and I. Don't think we have any other as time permits. There's.

A

One pending that will be on Wednesday if it happens. Ok, any.

B

Bashing on that plan of work.

B

Ok, so before we get into that a couple of quick things, all I need to go back to this, don't I!

B

So, as you know, we have a changeover of the Guardian a DS, so we wanted to take an opportunity to thank Spencer for being an ad for the life so far over the quick working group. Thank you very much for your service stand up.

A

Thanks for troubling us, yes,.

B

And we'd like to welcome our our new ad Magnus Magnusson. Please stand up and make sure of it. Is you sorry.

B

Don't go to the mic for bad jokes, please! So yeah, that's Magnus! If you have any problems with the way the working groups running or or- and you can't resolve them with us, Magnus is the person to talk to make sure you forget what he looks like No, okay, that doesn't work. I, guess and one other thing we wanted to mention. We have scheduled an interim meeting for May the 20 the week of May, the 20th I believe in London.

B

A

The hotel rates are surprisingly cheap.

B

We'll see how this goes, we consulted with a lot of people before we chose that date and time and we waited as long as we could to see what the future would look like and then the future changed very quickly, of course, so we're still going ahead at this time. I don't see us canceling the meeting unless things get quite dire, which some people predict, but people sometimes get in the habit of predicting dire things.

B

So we plan to see everyone in London that week we have an interrupt two days and we have a two day working group meeting scheduled with any luck. This might be our last interim meeting for the quick, v1 walk.

B

You do that after.

D

B

Can get a very reasonable rate on it. Trust me.

A

B

We're going to talk about this right, yeah, so there's so.

A

It depends so whether or not we're going to keep having interims will depend on how quickly people will want to make progress and some of the stuff that is next on the agenda, like media /, quick and multipath right. So let's talk about there on Wednesday and we I see as also still organizing interrupts, but since they're not ITF events that is sort of a bit orthogonal to whether we're gonna have an interim.

B

And and indeed one of the things we'll talk about is having physical interrupts separate from interims, but that's that's Wednesday. So today, let's get back into the agenda Lars. How did the weekend go? Went.

A

Well, can you click on the thing, the the thing that says sheet somewhere? If you go up? Yes, that the Google Docs thing right, so so we've been doing this for a long time now. Basically this interrupts at a hackathon, um and we have every time there's at least like one implementation that either hasn't participated in a long time or is new. So this was no exception. It's starting to look pretty solid in terms of the base functionality.

A

It's there's a lot of green happening, and you you see that that you know there's pretty broad inner up across the board. It's a little misleading, so some columns are dark or some fields are darker than others. That's because we we added a bunch of new tests for this inner up round that not a lot of clients have implemented the tests for yet, like you know, Natura, binding or but the other guys, peak, CCN and so on.

A

So it's a little bit misleading because I'm guessing that, if more clients we're testing these things, you would see darker shades of green, because some servers already support them, except that, if they're not tested for that yet so it looks pretty good. I will point out that, so my personal opinion is that for specifically connection migration, there's a whole bunch of edge care case testing of who needs to happen at the moment. Everybody seems to so.

A

If somebody tests this, maybe to be the exception of Christian I, don't know, everybody's just sitting passively seem to close support in spider ports. The IPS doesn't change to support, number changes and there's not really any artificial, reordering or any fancy stuff like that being introduced. Yet so I expect we were gonna hit some more corner cases there, but it looks pretty good and given that night. So this is a 18 that we're testing here.

A

19 is already out with reasonably minor changes at the recovery and and trans what level I think many of more to changing. On the HTML side, it also looks pretty good, so this is the compared to the last time. I think we did this there's a lot more h3, that's being tested, which is very, very very nice.

A

Mike, always says it would be excellent if we actually got a browser very soon that that did h3 over quick, because that seems to be a catalyst for many things, we're kind of hopeful that might happen soon and and if we get more than one browser that would obviously be even better but I think it looks pretty good, but but the devil is in the details and there's the basic functionality.

A

When you have a nice clean path between decline and the server things seem to work really well up, I'm guessing that there's gonna be a whole bunch more issues when we're running over some. You know stranger edge case for us, so it's arrium, so the ietf network is a pretty good test because it's usually not great in terms of packet loss and again they had so in Bangkok, and here there's a box in the network that likes to order UDP packets by size, which means that so the knock knows about this we've.

A

We figured this out in Bangkok, it's it. The box is present. Somebody found it during you interrupt because they were wondering why they persistently get this one ticket after the other. That is why so, the ITF networks an excellent test network, but we we don't have sort of a lot of repeatability here yet and then this comes back to tooling and and Ottomans has supported Christian.

E

Kushina Itamar, yes, one thing I did observe in his intro up is that lots of stuff are working well. But if you start digging like, for example, if you start trying to download hundred megabyte or something that you do find issues, and there are lots of issues about confusion between the transporters one way on the other way or these, and that so dust is and and then the retransmission and the management of flow control I mean we need more tests. They're in a.

A

I I agree, so I. Think of the the first stacks are now sort of getting to the point. We're doing well. I think nick has been doing performance testing for a while, but but some of the other sects are also now getting to the point where the X we wonder what kind of through Patek they're getting and and where they actually try to push a lot of data over connection or multiple connections, and that exposes a bunch of stuff.

F

I'm Jenna you're just two notes: one eye on that on that point: I think it's super important for people to start doing attention to the tooling stuff and- and we are having presentations in psv area on quick, tooling and that's gonna- be very helpful for working on performance going forward, I'm, hoping that those folks will also show up to the Interop to help people integrate their tooling with their own implementations.

F

I, don't know if we can do anything to support that, but it'd be lovely to actually figure out if there's a way to support, because at least one of them robinus is a university student and lovely to get that support.

A

I mean one thing: is we have a bunch of students and academics show up that I mean if you profess over and you have students that are looking for master's thesis topics. This is not I mean there's PA cheese here too, but a lot of tooling is more like a master level kind of exercise, but it would actually help. You know a large part of this community significantly. If there was some more open source being written along those lines.

A

Well then, and it makes for a pretty nice thesis so come talk to the implementers I think everybody has things like that that are pretty baked and somebody could go and do a master's on ya.

F

A

F

Point was to me: you talk about browser showing up. Browser, did show up and actually did manage to work this time. So I don't see it on a chart, though so I wasn't there for that.

A

So maybe which browser chromium yeah but guessing. So thank you for saying that so so yeah that was a I didn't know that that line was actually chromium rather than just the library. Oh.

F

A

Gonna run for that: okay, great I. Let.

F

Skinned Ozzy fill in the blanks there.

G

Very briefly, okay.

H

It's kasi, who just want to clarify that that is the chrome implementation of quick, but we did not test the actual browser because we, as you could see, we have the handshake benign HTTP. So the browser is not gonna render anything useful.

A

D

A

Which is nice very.

G

Briefly, um Erik Kinnear from Apple we have flouted books there we go hello, that's better Eric Kinnear from Apple. We have loaded quick over Safari. So all the way, through the stack top to bottom awesome.

E

G

A

Can we use that someone? Can we get a build for that? Is that something that's possible at some point: okay, I catch, no yeah I'll take a new phone any day, but I.

F

Think that was a Throwdown to the chromium folks.

I

F

Is the implementation actually called G? Quick? That's super unfortunate. Oh! It's not G, quick! That's right! I'm! Sorry! That's what it does! It's not! It's still dodgy.

B

All right all right anything else only interrupt okay, Thank You Lars. Oh there.

A

Was a discussion where they're gonna do a virtual interrupt day between now and London and and what version we would do it. So, if you will care about that, I think it's on the general channel on slack and if you're not on the slack, and you want to be honest, like send email to them. Mark of me, yeah.

B

For those not aware we're using slack as a way to coordinate between the implementers, it's not wear any normative, discussion of issues happens or anything covered by the IETF. No well happens. It's just for coordination between implementers.

I

B

Martin Thompson discarding old keys. Please.

J

So this wide dick was updated, I think yesterday and it's out of date, so I'm gonna go through it anyway. Part of the problem here is that we're dealing with I think three or four different things. That would the various reasons decided to lump into the same bucket. So let's go ahead and we'll see if we can make any progress here, but I don't hold high hopes. Next sorry, I should not be so negative early in the morning.

J

So talking about discussing initial keys as soon as possible.

J

There's some debate about whether that's a goal we're talking about discarding the handshake keys, weren't appropriate, and there are some problems that we discovered in key updates that need to be fixed, probably the biggest one being that if you, if you update too quickly and both peers, do that at the same time, you can end up in a situation where, where one peer cannot possibly just basically force to drop, every packet on the ground, basically kills connected connection the the agreement there was that we would limit the rate of key updates to one per RTT and how we do that is for debate.

J

But that was the basic basic idea there. There was an express preference for explicit signals over implicit ones.

J

Some people still think that timers are a good idea, but we'll get into that as I sort of work through the different options next place. Do you have a clicker.

J

J

So the basic idea that we were talking about- and this was something that Nick came up with in the interim- was having an explicit signal that we could use to say it's okay to move to the next one, or probably, maybe more precisely- it's okay to throw the other keys out, because we've got these ones and with them.

J

We can proceed anyway, and so there's really three distinct cases that we were concerning ourselves with here and and each one has some different nuances to them, and so I think we'll probably go through that a little bit more detail as we go and I'm waiting for a clicker. Let's see how this works out, I.

J

Notice that marks not willing to have the ITF clicker attached to his machine. Let's see if this works does this need to be turned on or something that's not working. Next.

J

So we've had four proposals: I think there may be a fifth one now I'll see if I can do that. One justices we work through this one. The first three of these use frames to sort of signal that things are ready to go. The fourth one steals one of those unused bits that we have in the first octet to create the signal, there's a fairly substantial differences between the first set and the last one, and in some regards, but essentially they're all some sort of explicit signal that we're ready to throw away the other keys.

J

The difference is in when they're sent and how they're interpreted and what you, what triggers you use to progress to the next ones. Next page, please the first one. This is my attempt to capture the state of the discussion out of the interim in Tokyo and.

J

This is the first set of changes that you can see here on the slider over the past day. The idea was that you would send this this frame when you believe that when you have read case for something- but we realized in discussing this- that what you really want to do is say send this frame. When you expect the peer to be sending with the corresponding keys, it implicitly identifies the keys. This is a point of difference with some of the other ones.

J

If it, if the frame is included in a packet, that's protected with key X, then it means that I'm willing to receive the corresponding packets that are protected with the corresponding key. It doesn't have a an explicit counter or something in there that identifies these things, and so, if you start sending these back these packets after key updates, that means something different, which is, which is something that we sort of do with acknowledgments.

J

But maybe acknowledgments are so special that they're, the only ones we can get away with out with I, don't know when you receive one of these things at least used to say when you send it. But when you receive one of these things, you know that the older keys that are associated with keys from the previous epoch are safe to be discarded. You may want to retain those all the keys, the the ones you use for reading packets for some amount of time and there's some discussion in the document about how that that works.

J

But the basic principle is, you: can your opposition now we can throw those ones away and you can proceed to make a new key update, which I think is because the key fix for the key update problems that we're talking about next place. I'm going.

K

J

Some pictures- hopefully, these decipherable at that range, it's very difficult to get these things on the one slide. But essentially, what happens here is that when you send the first handshake packet, you say well I'm expecting to receive packets that are protected with an Shakey's at this point, so I'm going to send this frame in that first handshake packet, and when you receive that packet containing this frame, it means that you're okay to proceed to the next one, and it also means that you're, okay to throw away the the previous keys.

J

And so, if you look at the the third initial, that's sent there from the client, which ostensibly contains an ACK of the server's initial.

J

When that arrives at the server the server may have thrown out the initial keys, depending on the ordering of things same happens at one RTT you'll notice that it's not sent in the first one RT t packet, because the server doesn't have the ability or it doesn't have an expectation that the that the client is is sending in one, not one RCT keys. Until it's it's gotten the one ITT that packets from the client.

J

This is I, think doing double duty here, as the I think the thing we've discussed many times is the handshake done frame and we would use this as a trigger for other things. Okay,.

L

J

L

Just trying to make sure I understand at this point, so let's take that first transition, if the let's assume the like as being natural, that the initial and the first handshake from the server bundle in the same Datagram and that the server and the client supplementing lay back. So what will happen here is if the point where the client is ready to send initial it'll already have received them processed the keys ready flag in the first hand, and an intuition of the circuit right. That might be the case unless shoulder.

J

That's gonna be delighted X in this case, because you're gonna be sending packets. You just your stuff, the accent it well.

L

L

Sorry you're quite the client is not let's say the client is not intended in an act upon receiving the initial packet prior to receiving the rest of stuff in the Datagram right yeah. You can call it the lay back or not as you please um so,.

J

So it processes the through the initial and the handshake and we'll have processed this frame before it sends the like that the color sense, the exploitation is, you will suppress transmission da frame, it could.

L

L

What'd it do so or would do so or must do so and what's the interaction with the AK that is, and that imagine is imagine that for some reason the Act does not appear in the server's initial. The Act does not appear in the service, and so now you have outstanding own act data.

L

The expectation is, you would drop it, so you would drop which so so, if the app does not appear in the server's initial yep now you have a case where you've deleted the key or you could delete the key for the rules right, but you haven't standing on act data one. Well, that's the question. I'm asking right: I tend to establish the rule. What the proposed rules are arguing the.

J

The proposed rules were that you can, you can drop everything on initial packet, so you can throw that stuff away, and now you have a you have a different channel for for establishing that you don't need to resend that initial packet, okay, so.

L

But more generally the rule is, and it is me me, I, don't think this. The only case that can happen. Maybe it is more done where the rule is that on that, if you have outstanding data on an empath that could not be sent, they cannot or should not send other epoch. When you receive he's ready on epoch, M, +, 1 or M +, M + anything, then you can be said that you see effectively so that an AK or you you start test.

J

Me right, but yeah you throw away all state for the the previous case, so it's not just the previous keys. It's all the state associated with it, which means crypto frames in the works. Yes, thank you, yep, there's a bunch of discussion about that.

J

You have to throw away recovery, state and and various other things as well next place, so the K update is similar here, the difference being that you again, you don't send the key ready frame when you send the first packet in the new epoch, you send the keys ready frame when you have an expectation that the peer is sending packets with the new epoch and so for the for the for the peer that initiates the key update.

J

They wait until they're, seeing packets from the new epoch before they they send the frame, and the consequence here is that you're allowed to update once you've received the the frame and there's there's no way that you can use this state machine to do anything faster than one key update per round trip and that achieves the goal. It fixes the problem. We can go from n to Oh without actually having packets from n in flight, and that causes the M's and the O's to be indistinguishable from each other and the connection to fail.

J

So we we patch the hole next place, so david brought up an alternative design for this one and this one that essentially says, rather than using the expectation of keys being ready.

J

You look at the data that you have to send in a given epoch and you say: has all of this stuff been sent to the other side and acknowledged, and so, when you have no more to say, you then are able to do the key disposal and and and move on to the next epoch.

J

This shares the property with the previous one that it implicitly identifies the the keys. It does have a little wrinkle for the initial handshake transition. It's it's a special case like with the other one you send it in the very first packet and that triggers the the drop of the initial keys in the same way. That's a little janky in some ways, because it's not it's not a consistent rule that you follow, but it has fairly similar properties.

J

Next slide will give us a little bit more information about how that works, and so it looks very similar. But you, if you look again at the at the picture here- is.

K

J

The one that did you drew David, because I think once I think you you had the retire keys in the first RTT packet of the first one RTG packet from the client is that right is this right? Okay, it looks fairly similar to the other one. The difference is. If you look at the one RCT case, you send the retire keys frame later at the client. I'm, not sure that I understand out, though, do you want to speak to this David.

L

Yeah I'm trying to show understand so you send retire keys. After all, the data that in the epoch that you're retiring has been acknowledged.

H

L

H

The this is the question. Please, yes, jarett's cannot see google, so we've been kind of going back and forth and I think what Martin has been doing a good job demonstrating is we can't find a like a really clean solution, but in indeed in that particular design? That was the one I had a few weeks ago. The idea was that you send retire keys when everything that you want to sent. There has been acknowledged from some implementers opinions.

H

It turns out in some cases it's hard to know when stuff has been act, cuz your act, Roisin ernie and your is kind of disconnected. So in that case we could actually bring that message earlier. The system still works without that was the initial design yeah.

M

H

J

This one is driven on driven by the the receipt of the acknowledgement for the handshake packet, so once you once you're sure that you've received everything once you're sure that the PIA has received all of your handshake messages, you can then send the frame so.

H

Right, yes, it is, and just as an alternative. Another way to key off, which we were talking about last night, is to key off the TLS state machine transition. We're on the client, you don't react necessary to a single packet, but when you're separate to us implementation off the top tells you I am now connected. The handshake is done. Then you can send it. Then that also works. You see if I didn't restate what you.

L

Just said, which is that, um let's take this case, let's take the case of the server just for convenience that the server would send retire keys upon receiving the clients finished. So in this diagram, what.

J

Identical I know it it's the acknowledgement, that's in the same packet, well,.

L

I know but they're the same packet. Well, no, he just said like my point, is that in this case those two are at this droids have two identical timings right and so John you were saying he's proposing a different rule, which is this on the state machine right yeah. So that was suggesting two different.

J

Two different rules that are effectively the same, which is not the same right. Well, no, no, not in fact, no not in theory nor in practice, but in a lot of cases there will be yes I.

N

Thought yeah: why wouldn't it oh yeah, this one's in the dark and okay I'll go over there next time, I just want to clarify another way, I think of staying who's dating what, and maybe this is what dude just said is that once you are done sending at that encryption level, you send this frame and once you have both sent and received this frame and an encryption level, then you know you are done and you can move on and that's that's my mental model for for how it works and there's a variety of ways.

N

You can decide that you are done sending in that frame. It could be an acknowledgment or it could be. I have henskee keys, so I know the peer got my initial. Well, that's an implementation to Pancho's on each pure side. When.

L

You say, but just to be clear done. Sending means is in this case the police means I, know your side had received it. Yes, yes, yeah.

E

L

So so particular you couldn't send it you you couldn't you in particular, you cannot send retire keys um for the in in the one that first one our key, because.

J

You don't know she meant to rush transmit the handshake.

L

Right right right, you need to you need to wait for some acknowledgement of some sort. Yes, yeah great, just just as like give you this I'm, not trying to argue at the bat merit. So these things are to try and understand. Oh yeah, well in a minute, I should make sure I really understand exactly bill, proposing right.

J

And that's the point of this. This exercise here that I'm going through is to to sort of plot out the designs base for these things.

J

Then we can talk about the principles that drive them, because that's important too next next slide will actually highlight some of the interesting ways in which there's changes. So what's interesting with this proposal is that you send this packet in the very first packet you send in after a key update, because when you initiate a key update, you have to be sure that you are done with the previous previous epoch.

J

So what this doesn't show is the next key update, but it does show that you can initiate a key update once the once the retire keys frame has been and retires keys frame becomes the things that you would send in this epoch that need to get completed and transmitted and acknowledged before you move on to the next phase. So it's no longer crypto frames that were concerned with here. It's the retire keys frames that you would use to drive that that decision-making process, so that I know how to restate that.

J

Maybe maybe Jonathan restated in another way.

F

But I disappoint of clarification actually yeah.

J

F

Repair keys are encrypted with the old keys right no they're encrypted with a new case. Oh.

F

Right, because, okay, so the assumption is that I know that the peer has everything it needs to to use. The new keys, therefore I'm sending the techies under the new key. So.

J

Basic design, if the K update is there is always you can initiate it when you, when you know that the other size radiator.

E

J

We're putting the signal in at that point yeah yeah! Thank you. That's not in my head more questions. Yeah.

L

um So it seems to me that this actually is importantly different from the rule we applied in the previous slide, which is the rule applied in a previous slide. Was the data has been delivered and knowledged through a living on this slide, however, is not the day has been delivered in knowledge, because I can just send it. I can just send it again, the new epoch and so, and it's like I guess, I'm struggling to actually wrap my head around exactly what the rule long and apply my code is so.

J

This this becomes the the data that you you have to send and have acknowledged for the next update.

L

I understand but but the point is that, like on it um so I'm sending an M right, you know and I play like all sorts of data like stream data are standing in, am right, yeah and that, but that the stream data does not matter for the purposes of this calculation I I understand, but on the question is: when can you send retiree keys, right and you're gonna say on but I mean you're gonna say you can summer hierarchies well? The previous hierarchies has been acknowledged right, yeah.

E

L

H

L

H

Rule of the retired keys proposal: is you send it when you are done sending at the previous thing, so that is the rule.

L

H

Let me finish at.

B

The mic please occur.

H

So so yes, I will expand so rule. Is you send it when you know you won't send anything else at this layer? So for let's say this: wait for the handshake layer. What that means is everything's you've sent as handshake has been act for key update.

H

There is a very key difference, which is no pun, intended the fact that what you retractable Smit frames at layer m at layer n, so the you know you're done sending at a buck m the moment you have keys for a buck end, because you know you will never send anything at a buck. Em anymore, you don't need a mac at a park. M he's just like I have the keys. I will never send anything o'clock anymore. Yes,.

L

I understood this point, but my point, but the point I'm making is that that's like three different tests in the Co to have to make for each different kinds of transition, because the first rule use they did is not like a mechanic's enforceable and the other ones and the other ones. All the things mechanically enforceable.

H

L

H

That's absolutely fair. Yes, it is a the. What makes it kind of clean is the concept the implementation of this is not necessarily clean and I agree with that. That's why we're all arguing about these things, because none of them are perfectly clean.

N

Clarification questions are in sweat, Google um if that matters anymore in this conversation. So does the AK really need to drive this um because we're not like actually looking for axle retired keys, we're just saying you're done sending listen.

J

Well, you in this case you need to use the acknowledgement to drive that otherwise you don't get the round trip and we're back in the soup again when.

N

I'm going to send them a.

J

Retire keys in one directly and then the other direction, because if you, if you drive this just off the retire keys, you can get the simultaneous update. And then you end up with no round trip between that and the next one you can have. You can actually end up at a situation where you go from em to end.

J

Oh and you skip the end and you're back in the in the situation where you have packets coming in at 1:1, endpoint that a marked em and then oh and they have the same key phase bit on them and they're indistinguishable.

N

Possibly there's a detail of key update, I don't understand, but if two people simultaneously update, wouldn't they be in the same key phase at the same time they will be, but one of them doesn't.

J

Necessarily know that the other one has initiated the update, and so if they both simultaneously update and send the frame.

J

At the same time and from one side the packet is lost sure, but that side will receive the frame from it appear and think it's able to make another update, and it can do that, let's say half an RTT later that it updates again, and so, if all of the packets that it sends in that middle update a lost, you will have key phase zero, a bunch of lost packets on key phase, one keep a zero again and what it's pscs is I tried to initiate a key update and the other side didn't do anything except it started.

J

Sending me gibberish and that's all that's all we have at that point. Yeah thanks for clarifying I need to think about that month. That's real fun that that's the the essence of the bug that Martin found with the the key update situation.

O

Martin zoom on protocol apps, so looking at this diagram for key updates, it seems like all we are doing, is looking for the AK for the retire keys frame, so this would be equivalent to just not sending the retire keys frame and just looking for the up for the ACK of a packet in packet phase n. In fact, the retire keys frame is strictly worse than this, because it's a single signal, as opposed to a continuous signal, correct.

J

Yes, that is a nice observation. Thank you. Let's, move on to some of the other ones with we've got some more interesting options coming up.

J

If, though, if these ones weren't already interesting enough for people so max key updates takes a different approach entirely and it says: well, we have this thing that we do in the protocol, where we say that, there's a limit on how many things you can do of a given type number of streams, the number of bytes on the stream, the number of bytes in the connection- and we do the same thing for key updates.

J

We say you can initiate three key updates, including the ones you've already done up to that point, and so the you have a frame that has an explicit counter in it. So we deal with some of the retransmission logic problems that some of the other proposals had you don't drive things over hacks, you don't dry it. You don't have some weird retransmission logic for the frame in case of a key update. You simply have the frame that you send.

J

You can send them out of order if you wanted to I, don't know why you would but same sort of logic that we have for for max stream data and all those sorts of other ones, and you use that to fix the key update issues use the first one of these to signal that you're willing to start doing key updates, and then you simply send them as you get key updates in a way that allows you to control when the key updates happen and like most of these other ones it.

J

It means that you can hold off the key update in two till you're, probably ready for it. What Kazu has kazuo proposes in this one is not doing anything for the initial two handshake transition and using the text. That's currently in the draft that some people are unhappy about for driving, that transition, and otherwise, just using this frame to say when, when when a kid updates are possible, I think the the very first one of them would be used as the basis for signaling. Maybe we'll need to do things like.

K

J

And all sorts of other things we should talk about migration as well, because that's something that's come up next slide. Please I think we have something here, and so the idea here is that you have the the implicit drop, the initial keys somewhere I'm, not sure whether this is entirely correct, but you have the initial drop of the drop of the initial keys, driven off implicit signals of some sort and then once you're ready to start doing key updates.

J

Whenever that happens to be you, you send this frame, saying I'm, distantly updates, I, think 1 or 0 is the first one I'm, not sure whether that's I, don't think we fixed that one I put 0 in but I think we might. We might want to say that you know one is the right answer there, but that's another problem. Yeah.

F

Jonah, you know just again point of clarification. What is that? What.

J

Is that number supposed to mean so the number means the number of key updates that you're willing to accept, including the ones that have already happened. So, if I, this guy's, no key updates have happened, you send the frame I'm not willing to accept any more key updates on this connection. It's what 0 means. If you were to send one, it means that you can update once so. If there.

P

J

That means that your work, you can update 3 times. Oh I,.

P

K

So it seems from my.

J

Perspective I'm willing to do travel decryption to get post packets because we don't have put any explicit way of signaling which which keys are being used on those packets. So the moment.

F

In domer I would send that would be when I have both the read and the write keys available for this and.

J

This doesn't say anything about what what the trigger is it's entirely up to the endpoint as to when it sends this. Could that happen.

F

Any sooner than my keys that are available sure.

J

If you're willing to do trial decryption, you can send this way earlier, but as a practical matter, you're going to do this when the handshake is done and you're you're ready to start reading with the new keys and you're sure that you want you're fairly sure at least that you won't be receiving anything with. It can be confused for the key update that you're. Looking for.

F

So it seems to me that I think maybe this is the point you are trying to make by saying. Maybe there should be one, it seems to me that it should be one because you want to allow for the next update to happen right, okay, yeah and then we on the same page right, yeah,.

J

So a mistake on the slides.

E

Christian Reda mom when I look at these diagrams. There is one practical issue that I have is that I know when I can stop sending any given ebook right, because I mean if my back is severe acknowledged, I know: I, don't need that anymore. I could get rid of my right. Key I could get rid of my cache copies. I could get better many things. What I don't know is when I should stop acting whatever is sent by the peer.

E

Because what I don't know take the case of this diagram there, the client and check contains there. So the client finish the the first kind and check okay and the the problem for the client for the sellers to know it is to stop acting that saying if the clients repeats it because it believes it hasn't, been act, etc. So that's the rule I mean they will at what point. Do I not need to worry about sending repeated acts and things like that.

J

If you would like to think of it that way, Christian you're welcome to thank you.

I

Victor Oh silly if I have a question. So what are the circumstances under which I would want max key updates to have any value other than 0 or 1 when.

J

You've already had key updates and you want to enable more so the number continues to increase it's, not a it's, not a 0 1. It's a it's an.

I

It's like a flow control. It's.

J

Like a flow control kind of thing, that's the way you need to think about this one. All right, I would like to accelerate this.

E

A little longer.

J

Next next place, this one was in an earlier version of one of the four requests that I put together. I think because whoever suggested that we create a continuous signal by using a neck one of those spare bits that we have in that first octet, essentially the bit would be you can you can initiate a key update from this and you it's carried in every packet, so it has the the advantage of not having the problems that I think someone pointed out about Martin pointed out about the frames that we have.

J

If that, if the packet containing the frame is lost, then you delay any updates by another round-trip this one. Every packet contains.

K

J

Signal doesn't have any special retransmission rules, it's just a different way of signaling things, I think we're. Probably what we need to do now is discuss the the principles that are driving this one rather than then talk about the specifics of the of the signaling and talk about what the what the triggers are for, generating that that signaling, so I think I have a little bit more but I turn over. What's here, can we skip ahead? See? What's there all right?

J

Let's talk about this: they don't all use a frame again slides problems, but there is an explicit signaling in all of the proposals. What's interesting about all the proposals that hasn't been discussed so far is that endpoints can block CLE updates by not sending the frame- and this has some nice properties for some from some angles, and otherwise what Kazuo pointed out is that, with the ability to block a key update, you can also control the number of keys that you have active at any one point in time.

J

So it's always the case that you can limit the number of right keys that you have to one, because you only ever need to write with one particular set of keys. Typically during the handshake is a little bit funny, but generally you can limit that to one, but the number of Reed keys that you have active if you allow unbounded key updates, there's the possibility that you need to maintain multiple of them. If you're concerned about not losing packets simply because they're on indecipherable the time limit.

J

There is something that we're suggested, but primarily the time loadings exists deal with reordering on the network and delay packets, but you can do things like delay the time that delay the time that you send the signal so that you have a period of time to accept all the packets from the old keys before you allow even newer keys to be installed, then you can work at things down next place. What's different is where the where the signals have happened so because I was arguing for an explicit counter.

J

Any of these proposals can be modified to use an explicit counter, and then you don't need to worry about it, David's, one less so because the way that it's that the logic works drawback is it's more stuff, it allows for more than one update. It can be wrong if it's wrong, just ignore it, but there's a bit more logic involved in dealing with it.

J

The problem with the encryption level and the ambient signal is that you need to worry about retransmission rules, whether it be to drive for the logic forward or whether it be to suppress free transmissions of the of the frame and it's smaller. But you know whatever these things are infrequent so I, don't think we need to worry about that one. It all that much next.

J

Because there are suggest that the implicit signal on the initial handshake handshake transition is is okay, others use an explicit signal. The thinking here has evolved a little bit those people who would prefer to drop initial keys as soon as possible. We should discuss this now, I think. If you want to talk about that, basically decided that you can throw away the initial read keys as soon as you have hand checked keys.

J

If you want to use any of these mechanisms, and the reason we might want to do, that is that we want to make sure that endpoints, don't accept connection closes, for instance, in initial packets and allow for denial of service for a connection that has gotten to the point where you have shared shared state of some sort, which would appear. So, let's talk about that for a little bit before we move on. It's.

H

Ganassi Google, so absolutely the initial keys are the ones that we really have a security problem if we don't drop as soon as possible for exactly the other reason, they're not authenticated and integrity protected. Anyone can send anything there so they're. The ones were even though I'm putting a very strong proponent of an explicit signal. All the time over something implicit, you can't physically send a message at the handshake level that the client like it'll, receive it necessary one RTT too late. So or those are that's on the server you know.

H

So what that means is you have to key off of having the client and server hello's, which means that now you have the handshake keys. So as soon as you have the handshake keys, you need to toss away the initial and one, do you want to talk about the being able to discard the read in the light and set the times? I? Think that's the key property here, yeah.

J

There's some interesting things to consider about the right keys in this context, but the the risk of denial of service comes from having retaining the willingness to receive initial packets, which are not authenticated.

J

As you say, and if those initial packets come from an attacker who's willing to in injector connection close, then you enter a situation where you've all to someone close in the faction after you've already reached the state where you, you have keys that you share with a bit with appear now, you don't have have an authentic hadith appear at the point that at this point, but you do have case with someone.

L

Start that who are you eres, caller weren't really needed? Are we um that.

J

Is your name right, you're, wrong, yeah.

L

Pretty much yeah I mean so this is a set of trade-offs and instead of trade-offs is a really quite minor palace or disclosure, and a system which already has an ALICE, but it serves exposure at this point in a handshake like 20 milliseconds earlier against complexity in a protocol design and so uh I'm.

L

If it turns out that it's convenient to discard the keys earlier, then I'm more than happy to do it in terms that's inconvenient I'm not happy to complicate the protocol for no particular extremely modest security benefit, if at all, um the UH and the complexity here is the complexity of having to manage the statement for this particular scenario, you're talking about where it's the server sending his first flight with the initial and the handshake is a server having to separately manage the app state machine for the initial and the handshake in the case of the loss of the initial packet from the server the client, in that these servers, or nearly services in the show, be retransmitted, and we spend an attack on it, I'm, Indian and zero.

L

If that is lost, do if that is lost, then you're, basically driving about some other similar signal right.

J

H

Actually, not so the idea on the server is you drop, the read keys for initial. You keep the right keys, so you put your server hello in your list of retransmit of all outgoing frames and you'll. Just your machine you'll keep sending it until it get sacked. They.

L

Can't be act exactly.

H

And then, once you finish, the entire handshake, you just toss the whole initial infrastructure away. So that's when you throw the read keys and the right keys, all the outstanding packets die. So that's not as clean. Yes, it doesn't get. Actually you just shoot that whole piece of memory in the head, yeah.

L

And quite possibly, you're like five or six times, even though actually you would even actually run an analogy before it, because the client certificate is potentially large and the end hazard has no events, so no the server the what causes, what what is it that causes the server to stop retransmitting its first flight, and the answer is that it perceives some acknowledgment from it from the client. What is that message and you handshake packet yeah? This is like holding your piece of machinery to solve this like really incredibly trivial, screwed apart.

L

So that's exactly what was complaining about.

H

Hey you're right, but I I would just say: I. Don't think that it's a trivial security problem because, like there's one of the things that we're trying to tighten versus TCP.

L

The twenty milliseconds before you had actually torn down.

J

But not the 500 milliseconds after yeah.

B

So I'm not gonna, cut the queues now, but I'm, very conscious that you know we asked the wider ITF community to come and talk about recovery in this session. I don't and it seems like the number of people who are really engaged in this discussion is relatively small and they see each other a fair amount. So, let's continue, but let's keep in mind that maybe we have ten or so more minutes to do this and see if we can make progress in that amount of time. Okay,.

O

Hello, yep it Mike so in in Tokyo I, like the idea of using a unified, explicit signal for dropping this, the keys or all keys. But looking at the different proposals that that were presented here, it seems like the initial and handshake keys are special and we will need special rules for them anyway, no matter which of the three three or four proposals we adopt.

O

The rules for initials will be special, so we might as well accept that it's a special case and build a special case for this and use the explicit unified mechanism for only for the key updates.

O

So I now prefer having an implicit signal to drop to drop initial keys, because I realized that there's a pretty cool thing we can do. Can you go back a slide to the diagram? Oh yeah just pick any diagram, the other one. So the server knows when it sent its server hello. So the server can drop the initial keys right after receiving the initial packet from the client, so the server will only accept a single packet with initial keys. So there's no injection attack possible in the direction of the server.

J

Yeah I think this was the point that was raised before there are complications with that, unfortunately yeah, the the primary complication there is the denial of service amplification mitigations that we have in place, and so whatever we do, there would have to you'd have to go back to the microphone, not.

O

To deal with those, but for the mitigation of the amplification, we don't actually have to read the packet for for being unblocked by the 3x limit. We only need to receive a certain number of bytes from the same address. What in those bytes doesn't matter at all? Ok, yes, I'd.

E

Like to say that I'm very much agree with what Martine said, ok is that the initial is special and you have to consider that any implementation will be tempted to do something special for the initial packets. So we could just as well acknowledge that and say yeah I mean basically, if I have my handshake keys, I don't need the initial anymore, at least on the client side and on the server side. It's pretty wise to keep it until. You know that this good client has handshake key too, but it's.

N

Yes, what Google, yeah I tend to increase agree that at this point, we probably should need to separate these signals. That's mostly what I was gonna say. The other comment was that David and Martin's comments are interesting. Ideas, I think it's best to think of those as optimizations a server could perform rather than a necessary feature of this mechanism, because I think, if that's what I think that's a better way of thinking about personal.

L

People operating under risk in order Montes environment, any injection attack you have to have assets that clients initial. Do your clients initials require generate your notepad can be valid for the server and his connection period. So your 330 peers to be that the attacker, for some reason, has access to the clients. Initial can't like can't like give the packet in before it for the other quarter. That happens and also can't transmit its own bogus initial.

L

The other direction, which which recalls the client about the connection down like neither of those things, is true in particular the second one. Is it true on and in particular to look so let us say that you have an attacker who's on path and but KITT, but can't control, and this guy's back by the way. My request was when actually, when a threat model for this situation, as opposed to think we're using trying to find a tax, they can count on that.

L

There are basically they're there, their attackers, which are on which are on path. You can see the traffic and will always win there and can always put their packet in front. There are attackers which can they put their packet in front and their attackers, which turns on those are three categories of attackers on the first kind of attacker will always you'll turn the connection. Regardless of anything we do here.

L

Second kind of your attacker, you might say, would not be able tear that connection, because it will always this race to the server, but then with them in the waste, a client, and so they only have to be a posture which is slated for Sur, which has to be president between the client server. They said that the client initial, which caused that has me, turned out so someone please describe to me an attack, it's actually defended against by by this mechanism. On that the best answer.

O

Yeah I can do that. So the thing is: if a client receives an initial packet that closes the connection, a client might be willing to wait for a certain time if it receives another and another initial packet. That looks valid, because the client has the interest in establishing the connection. So if you receive the the attackers initial, you just say like okay, it looks like a connection close, but a wait for another 100 milliseconds or so.

L

J

Can send the fellows so for how long.

L

J

L

Question closes so go hello with a won't. If you have one key like all this stuff about how all the stuff out, how we're gonna like put a branching tree of like all the possible stage from the server it's complete extra textual.

F

Iyengar's I think it's already starting to happen, and it might be worth actually not just continue. This conversation elsewhere, but I was gonna, say, is separated in the conversation. What Martin said, Martin's him and said earlier is important in another way, which is that the conversation for went drop. The initial keys can be separate from what to do with the handshake keys and one oddity he's I think it might be useful to actually separate those two conversations, because then you can talk about a threat model for the initial separately and deal with that separately.

F

J

I'm going to suggest that we share this particular initial position.

E

J

Because it's not going anywhere and we don't have a lot of time, but I would like to say if we can make some sort of progress on the key up that one here, because I think we got pretty firm. They are related. If you consider that they've considered.

Q

J

You can use it. We decided that we would use the same mechanism for the two of them, but I think we've come to the realization that I, don't think anyone's arguing for having a sign mechanism to the two of them. So.

F

Hang on so let my so hang on if we end up having the same mechanism for both of them after we saw the do problem separately, we can use the same mechanism across the board. That's it's unnecessary. To start with that posture record.

A

Line after occur, except if somebody wants a speaker innocent, hasn't been in the malign yet yeah.

F

I'm just saying that we don't need to started that posture. We can solve the problem separately if the mechanism and that ends up being the same, we can have the same mechanism across the board. I.

R

Just wanted to respond to it, cuz and well, there's a merit of service coming in child case as far as possible, because that approach allows only the client use the plank has the capability of handling multiple pairs of case. Then it would defense without requiring service to do a costly work. So I think it's a bit there's a benefit in letting the server to drop. 10 buckets I shall read case. Also, that's possible.

L

Yeah I think there may be some setting offenses but like I'm, like what I'm asking people actually worked out like I've seen a lot of the law of discussion, this working group for the past year and a half of like very specific attacks, then we've had various picks defense forward. Any concrete theory about we're actually trying to publish and what I'm asking for is a concrete or we're trying to accomplish about what exactly the hacker is allowed to do.

L

Monetarily not allowed to do scan analyze a protocol against that and the reason I'm putting back martin again saying, let's just cut this case off, is because on the like, if you saw the cases in all these cases separately and it's highly possible there's a reasonable solution is pretty good for both of them and then we've sold them and we sell them together.

L

That's good and and if you say like, let us build the absolute maximal solution for one and then not solve the other one that is possibly and with a very bad solution, the other one, because we because you haven't tried it, tries all together. That's why I'm pushing back on separating them so.

J

The reason that I suggested, that is, that these are very different things that we're discussing one is a bug and the other one is. It is we're dealing with this threat model question that you raised right and I think we can fix the bug, because we all agree that one party T explicit signal is the way we solve the bug, and so I would rather fix the bug, move on of that with that and try to close that discussion, and then we can argue to our.

L

J

Content about the other one, but.

L

It may not be the case that the best solution for the bug- the decision that by the people proposed, works well for the four other case, and so.

J

Which case will we we can say well, we'll just put the bug fix over to the other one I want.

L

To make forward progress, that's sort of why and and said I'm trying to do as a voice is a trade, peaceful solutions. They don't make forward progress generally. It.

B

Seems like we're getting to diminishing returns in the discussion here, or indeed, we've we've been there who, in the room, is in sorry Ted, we'll get you in just a second I just wanted to ask who, in the room, is interested in and feels invested in the outcome of this discussion. Quick show, hence: okay, it's mostly the usual suspects, Thank You Ted. Please go ahead. Teri.

D

I'm not sure whether I'm a usual suspect or a diminishing returns, possibly both yeah.

D

So the point I got up to say here is actually to reinforce something that I think we said earlier, which is that if we do split this off so that these are two separate cases, then it's relatively easy to then look at what we're optimizing for in the two different cases right and what we may be optimizing for in the two different cases can be different and then, in fact, I believe if we just took the the retired keys proposal and said, look retire, keys works, except in this corner case, where you have simultaneous key update unusual to begin with, and only one side of that simultaneous key update experiencing a packet loss of that key update.

D

We can actually say, okay, that that's a that's a bug that causes a reset and it's it's gonna, be rare enough. That reassociation in in quick is relatively cheap. Let's just do that. If what we're optimizing for is we never want to throw the packets on the floor and therefore we don't want this case to to exist.

D

Then we can go ahead with a zero sorry with a one RTT solution, but your your functionally believe it or not, going to be reinventing the spin bit in in the course of this by saying which one of them can can actually update at any particular time. Because, though, the way out of that that.

D

Sam nice open problem is to only permit one of them to do it per RTT and one side to do it per RTT and guess what you just reinvented so.

J

I'm I'm really happy that this group is so good at going back to the drawing board. Every time we discussed this issue, we discussed this in Tokyo and had largely the same discussion and I thought that out of the discussions of Tokyo, we at least made progress on the key updates thing, but it doesn't I'd like to see if we get somewhere towards in conclusion on that, and even if we have to wind that back I'd be happier my making forward progress on that then and and.

B

And just for but from my perspective and Lars, please say if you feel differently, I'm willing to let the editors organize the discussion of how we make progress on getting the stuff incorporating documents. Just abdication.

J

Of responsibility, yeah.

S

B

Martin is proposing support you, man, Jesus Christ, I'm, less interested in having a discussion in the working group and coming to consensus about how we attack the minutiae of each individual issue of how we stack it in the documents. I, don't think, that's a productive way to use our time so.

F

I know this is but not not on the topic of normal technical details here at all, but we have had actually fairly good success with using small design teams in this working group. I think in the past, even on thorny, complicated issues, we've actually managed to make some thing. I know it's not the best necessarily way to go forward.

F

But, as Martin just said, we've gone over this several times and every time there's just more things that show up and it's we are going to keep going around in circles until somebody says well, we've got this is one thing one way of doing it and it's good enough and we move forward, and it seems to me that if you can get a group of.

B

People together in a room we said this. That was my next suggestion. Was you know the number of people who raised their hands looked a little bit too big for a successful design team. So if we can pare that down to thing on the order of I'm thinking, eight ish people who are willing to spend some time this week, we might be able to make some progress I just.

I

Wanted to know that that was outcome of our discussion and talk is that when you designed him yes,.

B

But we didn't have the chance to get them together for an extended period of time here we're trapped in Prague for a week.

A

Bernhard at the minute least, a bug right, we've actually hit in inter up so that that is something that we certainly want to fix urgently and the other issue we've actually also hit with at least one stack, did something that was legal according to what we wrote down, but it cost interrupts. Is that have not worked very great, so those are not sort of your mate made up problems actually sort of they need. We need to fix them soon. If we want to ship b1, Brian, hi,.

L

Jana one thing that I sort of noticed while I was trying to keep up with that discussion is this. It does seem to be emerging consensus around splitting these right, like so that that seems like rough consensus and I would say that that might be the starting point for the design team is. Do the dog I mean it seems like that's where you were in Tokyo I wasn't in Tokyo, but.

A

This team forms I would personally prefer if, if somebody was coordinates, who wasn't an editor or otherwise already doing ten different PRS right. So so you don't have to step back if you, but, but so somebody who is whose understands this particular problem, spies and and has maybe a some spare cycles to corral the usuals together David. Thank you, okay, cool. So, if you're interested in this talk to David and.

B

Is it something that that you know folks can make a little time this week to have an initial discussion, at least, and indeed, if we could have a very short report tomorrow at the meeting that'll be fantastic if.

H

Anyone's interested, please come talk to me at the end of this session. Here. I will try to, according on some time, because it's gonna be hard to flavorful.

B

I put out there- maybe lunch today might be an issue might might be not approach. This is everyone's kind of making faces. Let's talk to at the end of this and then we'll figure it out just show a hands who's interested in being on this design. Team David have a good look around. Please yeah.

H

B

Kazuo, everyone picked.

H

Me on the quick, so I don't miss anyone's name. If you don't have that, send me an email they.

B

Create a channel there if you would I'll, create a channel okay. Thank you. We're.

A

Not doing any working group, that's like indeed,.

B

A

T

B

Thank You Martin, uh where are the blue sheets? Who has the blue sheets one second one who has the other blue sheet and who has not seen the blue sheet? Please raise your hand now: okay, we're still missing a blue sheet I'm a little bit concerned.

A

B

B

In sweat and if you could drive people, people need that.

B

Can you draw this long yeah.

N

All right so first thing when I start off weather update of recovery, sings Bangkok, so we've changed quite a number of things next slide. So a review of key points just about quick in general. Just so, if you're, forgetting from Bangkok pocket numbers, monotonically increase in send order, a cranes acknowledge one or more ranges of packets, there's an explicit actally on each act frame and the pier communicates the max act too late that it's going to use typically the time or value during the handshake. So each pier knows what the other appears max act.

N

Delay is there's an overview at ITF 103 from TCP M pitch other. Did it's very nice as well as 104 just yesterday, so the slides are linked for my slides, so there were almost as many changes since draft 16 as there have been in all previous revisions. I realize that when looking at the release notes so yeah there's been a fair number of changes, I'm gonna try to go over.

N

All of them feel free to ask questions and yeah, but we only have I think maybe now five design issues still open, which we will discuss right after this next one.

N

So one one change that sort of simplified. A lot of things is the old texts and the old pseudo-code assumed that you are either running in Thailand threshold, boss detection. So that's you know in in some time-space fraction of an RTT or in packet threshold. So you know kind of a typical FAQ or dewbacks iowa packet threshold loss detection. We are currently assuming now that you do both at the same time.

N

This simplifies some of the mechanisms actually because before, if you had only packet style, you still needed early retransmit, which is a separate timer based mechanism. Whereas now the standard time based one kind of subsumes it yeah.

N

So a larger change is to merge, TLP and RTO into something we're now calling probe time out. Quicks, TLP and RTO were always subtly different from TC P's, and it was not really particularly well thought out that one of them had a very different formula than the other. So, as you can see, TLP was 1.5 times s, RG t plus max AK, to lay with also a min time out. Rto was you know s RT, t plus RT T bar these two equations have something to do with each other, but are not particularly well related.

N

Tlp sent one packet, RTS n two packets RTO has exponential back-off Tila P did not it. There was really no I, think really good reasoning for the difference between the mechanisms, besides kind of historical accident, so we combine them so the time out is now very similar to the old RTO formula, smooth our TT plus max of four times RT t far and kate granularity. This is actually taken from that see is tcp our RTO RFC.

N

So we're still very much in keeping with the tcp principles by using this value, and you send one or two back three transmittable packets one. This expires.

A

N

A

N

Touche, thank you. Returns. Middle has also been renamed to active, listening I, believe that happened right before Bangkok. But yes, that is mm-hmm. They are intended to be the same thing. There's literally a wheel place one word with another because we transmittable head and they get ambiguous. Meaning is an editorial change.

N

Ping ping is a returns. Middle and oculus are active. Listening, yes, I didn't I, don't have slides for that, but yeah it was a purely editorial change, just matte one maps to the other. Do you.

J

Some on Thompson just to clarify we Trent retransmitted, all those notion that doesn't have anything to do with it, whether you're gonna actually retransmits something it's perhaps a bad night.

N

It's the one we have right now and no.

J

N

Have a cola something now yeah.

J

Echo listening right, yeah.

N

Sorry we had a tree transmittable, but it was wrong because you very.

J

Well may know: he's gonna, ask you some.

N

Questions about this one rightly so,.

U

Like I got what it used to be called and I still don't get what you are no wanting to call it. It.

N

Is now called active listening because eliciting act elicited it.

U

N

Only miss that what.

U

Does that mean but I'll read.

F

Let's try that with the few accents, because this is a strange word- it's AK eliciting like something that actually gets, gets a receiver to send an acknowledgement back.

G

Eric near so, do we actually need those to be the same thing. I know that, right now it seems like everything is but say we wanted to in an extension, Nasri transmit a frame, but still have it illicit acts, but those are two very different concepts that are, admittedly, related, but very much not the same thing for.

N

The the recovery graft, the word retransmitted doesn't exist anymore. I noticed that, yes, that's because it's not it really. It was just a misnomer gotcha. So that's the whole point. Is it confused people understand.

G

So we realign the word which.

N

G

Quite the same thing as saying that they must be equivalent. They.

N

We renamed the word to a more what I believe to be a more appropriate word, which is active listening gotcha. Yes, it is. The concept is exactly identical, as it always was before so.

L

Just to make sure I understand the concept here is that you send a packet which would cause the other side to send you an ACK if it was gonna, send axonal within.

N

The max actually, yes, that is the entire concept. Thank you. It's it's in the it's described much more nicely in the definition section of the draft I did not put that in here, because I did not realize that this issue was going to come up.

S

N

We did remove menarche, oh, this is in keeping with the max actually or the mad draft from TCP, and so men RTO is now replaced by a combination of K granularity and the max actually so next slide.

N

So Nick banks very nicely word up an excellent PR that took a bit of work from from a variety people, but was really nicely done to redefine the concept of what persisted congestion is so before. There's this concept that when you're RTO expired, you reduce your sea wood.

N

So in TCP, when you are do expires your you see or she went to, and you know that's kind of how you deal with persistent congestion, and then you unwind that if it turns out that the RTO was furious, so in quick we took the opposite approach, because it was a little bit easier to implement and a little bit cleaner than instead of doing an undo process.

N

You actually wait until you get a signal and then, as soon as you get the signal you decide was that a spurious RTO or not, and so in terms of packets, you send it's largely identical.

N

However, there are certain cases in this process during do where the timer's, our chef, that you can actually extend the RTO essentially- and you might not actually have you- know, an RTO or to RTOS or three darts year as fire, and instead you might just you know, trickle out some tiny amount of data for that period of time, and so the key concept here is c1 is reduced to minsu and when all packets prayed prior to an acknowledged RTO packet, are lost over a long enough period of time. Oh next slide.

N

Sorry, that's what I meant to be reading knew that didn't make any sense, and the period is currently three tons the PTO time. Oh so this is in terms of time very, very comparable to the old text. So we tried to keep the functionally as equivalent as possible, but this takes into account the fact that the application might be driveling data for a long period of time and the PTO timer might not actually fire just.

F

A clarification that's about three times beauty with the exponential back-off right. It's.

N

Three times the PTO time out is the current default in the draft. It's written as 2 to the K, persistent congestion threshold minus 1 times the PTO yeah I'm out. Ok and K, persistent congestion, congestion threshold defaults to 2, and so it ends up being 3 times the PTO demo next slide.

N

So there we are now going to limit active a to max. Actually so currently the the concept of active a is. You have an R, DT estimate that is actually observed, and then the P R communicates. Ok, you know there was this much delay back time before I actually sent that that action, so you can compensate in your SR GG measurements.

N

However, one could potentially say well, I know: I have 100 millisecond or it's T. I'm gonna give you like. You know a 95 millisecond actally, and you know that will cause you to shorten your timer and especially with the you know, I mean RTO that could potentially like cause appear. Just previously. We can spend a lot of data either intentionally or otherwise so next slide.

N

So nobody now limited to a minimum of actally and max act. Delay and that ensures that the peer is incentivized to actually advertise a max act away, value that is kind of consistent with what it actually believes it can it can. It can achieve, and so, if it ever does, is an overlay Lomax, actively value it'll just come out, as you know, into PSR TT measurement, just like it wouldn't tcp excellent.

N

Yes, we we had some nice text on discover discarding recovery state, so this came up earlier with the various keys ready proposals and basically there are a variety of situations in which you need to actually just discard your recovery state, because there is no way that it could possibly be acknowledged. So zero RTG rejection is one dropping keys is another and the solution is fairly straightforward.

N

You discard all the recovery state for those packets in terms of like tracking, what's outstanding and you remove them from bytes in flight because they can't be acknowledged or lost, and you will never know whether they are acknowledged or lost. So this is a fairly mechanical process, but particularly critical of given the conversations about key dropping we're having.

N

Yes, so previously, the quick draft did recommend packet pacing if at all possible.

N

However, it didn't really say like what to do if you weren't fast, the packet pacing, and so now we're actually specifically saying that you should be doing slow start after idle. If you are not pacing and if you are pacing, then you can send up to an initial window and then you must pace out the rest of the rest of the window. So we think this is in keeping both with kind of common desk processes and operating systems like Linux, and also providing a suitable incentive to add pacing to stacks.

N

Instead of sending very large person to the network, proving proving.

F

Myself, so one comment yourself in the when I was reading the draft, where this is defined. It's currently defined, as the idle state of the sender is defined as when there is nothing to send right and there is nothing outstanding in the network, but in if you look at the tcp RFC that define how to respond to idle.

F

It basically says that there has to be a peep there's, a period defined for which it has to be idle before you reset the clinician would know so that period is defined to be a birthday time-out, essentially how that ends up being like me, not even TCP, but I think we need to need a more crystal definition of what idle is, after, which you drop the congestion window. So that is missing, and the other thing I would like to point out is is not not many stacks are doing. Tcp stacks are doing this by default.

N

Not many stacks are doing pacing, and that means that you're doing so so after a.

F

Slow start over after I do okay.

N

Yeah I think quite a few Linux stats are now doing pacing after I talk were yeah I mean. Can you file an issue editorial or otherwise about what the first point so, yes, thank you.

F

General, you can just add a comment to that. I mean I. Think there's there's a difference, though right semantically, when TCP defines this to be clear. They do there's no talk about pacing at all, so the expectation is that bursts are okay right after you've gone into idle, I. Think the the premise that we've operated on- and maybe that's that's the issue that we need to discuss.

F

The premise we operated on here is that if you are pacing, then you should start pacing immediately as well and, and the idea is that you shouldn't send a whole initial Windows worth or you shouldn't, send the whole condition Windows worth of bursts up front now. This is different from what TCP does and I would. I would argue that TCP should also have this recommendation not to burst at any point in time, but that's a premise that we've applied here absolutely agree. I think this is a good change.

F

All I'm saying is that for implementations that are not facing the the idle period needs to be defined. More crispy, you mean more liberally because it is, it is different right now it's just defined as immediately I think that needs a little bit more debate, but yeah yeah I'll open an issue, and then we can discuss Thanks.

V

Here in Banjara, so I think rate limitation draft has some solid rate. Estimation draft has some sort of a notion of idle connection, which is a little more elaborate than what we are aiming for here. So I was wondering if we can apply that in general.

N

They're, very possibly I think they can I go back to what John and Praveen were just talking about. I think it probably makes sense to figure out what our our core goals are here. It seems like a good core goal is to to ensure we don't drop large earths into the network because the network's likely to drop them, and so we need to balance that with trying to be a little more liberal, with implementations that don't support pacing so yeah. If you could add a reference to that draft to the issue that Praveen opened.

N

That would be very helpful.

N

Next one, oh did you want o make.

B

K

Livin I would actually have expected Cori to be here, because there is a TCP window, validation right after, like you spent some time and I only actually decrease your congestion window.

K

Are you planning to somehow provide a reference to this? Let's say more about how to decrease your congestion window in idle. Oh, there.

N

I think that is currently referenced in the text, but we don't actually I think it's a informational reference, but there's no recommendation in regards to that.

K

Because if I understand aquatic, it's like either you do pacing and you keep your congestion window forever high level right or you don't do pacing, you decrease it. So there should be some middle ground. You should reduce overtime, that's what it is.

N

Do do you think that's common best practice or do you.

N

This is an honest question.

N

A

Wanna figure the details all didn't start an issue for us. Jana shakes his head.

F

Gouri so July anger, we've done this right in pcbm for quite a while. It's called new cwv and that's the that's the draft. That's actually that reference in the in the quick draft we've gone through yeah, sorry, yeah, the RFC now and that's that's already referenced in the quick draft and we basically said what what Ian said is that you know we have stuff they're saying you can follow the recommendations there, but we're just doing the bare minimum required here. I think the same considerations in that RFC apply here completely I.

K

Think the bare minimum is resetting the window.

U

Going first as part of the new TV thing and placing was the big thing and what you do afterwards, I guess we can just read the read the document again carefully and see if we can see anything but pacing after being idle is the big thing that really makes a huge difference.

F

Sorry to close that off, I think can be ended up having the discussion on the issue here in the room, Maria you're right. It is that's exactly what the draft says right now. Is you collapse the condition into as soon as you go idle and that's the conservative behavior? If you want something more liberal than go, look at me. So you see the V is what.

W

N

Please take a closer, read and yeah feel free to file an editorial issue. If you think it's just sufficiently clear, so we moved the pseudocode to the appendix the text was always intended to be normative and complete. I think there's still a few more PRS to to make that actually true. But there's also, ideally a goal that you know the pseudo-code might compiled by that some definition of compiled in the board Python. But it's it doesn't it currently not but yeah.

N

But the main goal here is to make the text a little more complete and to make it clear that people should be primarily relying on the text and relying on the pseudocode just to for clarifying questions.

N

Evarin program Python in 12 years.

N

Yes, the the text for particularly the pseudocode for multiple packet number spaces has been greatly improved. This is all pretty much editorial work, but the draft 16 essentially said, like you, should do: loss recovery in multiple packet number spaces and kind of left it at that.

N

At the current draft traffic 19, you know, has the the various studio code updated, so it kind of indicates what you should be tracking in multiple packet number spaces and is generally clearer about how this should have done. That's up next I think we're at the end. Okay, so these are just a bunch of, and these are basically the release notes in 16, 17 and 18. So you can thumb through those, but this.

K

N

Another slides you want me as they appear for issue discussion if.

B

There any questions or other comments and people have their discussions when have about the recovery draft now's. The time Provine.

F

Microsoft, I noticed one more change that was not mentioned here, which was not grow, the condition window application limited. That's a deviation from TCP and I think we need a lot more careful consideration before we put it in the draft Oh.

N

Interesting point, I think: is it possible that made it into draft 16 and that's why I did talk about it's.

F

In draft 19 right now so yeah, okay,.

N

I'll go I can go, dig that up and yeah.

F

N

F

N

Issue as well, because I think that means a little bit more discussion.

F

Before we put it in sounds.

D

P

A

Question right, so we we have the new process for that, we're already applying to transport and to TLS. Sorry, that's also I think this might lead to questions that that I don't want to answer, but recovery and HTTP at the moment do not follow a new process. Yet do people feel like specifically recovery is ready to be declared as capturing the consensus of the working group in 19 and I'm going forward.

A

We would apply this more rigorous process, or do we want to leave the editors with a bit more freedom to make rapid progress on on the next version? I guess will be 20 and maybe then decide to rein.

B

It in and and just to remind folks, you know, the editor still have the ability make purely editorial changes in terms of rearranging things and rewriting things that don't affect the normative heft of the document relatively freely under the new process. I think the question is whether that's going to be possible whether the rewrites might impinge upon that and need some working group consensus at this point.

B

L

Pravin go ahead.

F

Praveen, why I think a little bit more interrupt testing with like laws and they might help. So we read out all the issues. The other thing that might help is some sort of testing of TCP and quick on the same link.

A

I'm not saying that we want to close the document and freeze it right, so we want to move to so in for HTTP and for recovery, we're still giving the editors basically full control, letting them run ahead and change the text, and if people disagree right, we're rolling back this. This would flip it around. Where any changed at that mark and I decide is not purely editorial would need to see work group consensus first. So this is what we're doing in this late stage.

A

Process at mark send email about and- and the question is whether we wanna start applying a late-stage process to recovery, and then there's going to be similar to the discussion for HTTP. That.

F

Sounds a reasonable to me: okay,.

L

I thought he would Ian thanks.

N

I think we're getting close I think it might make sense you. We have a variety of changes, I hope to discuss today on the issues I'd like to close those out and then maybe start the new process. It started with draft 20. Okay, that's that's. My I feel I think I think we're pretty close to closing all the substantive non editorial issues that are open and so yeah that.

B

Sounds like between now and London kind of.

N

Yes, that would be my preference okay, so maybe we can do 20 and then do it on list. Consensus call contributed. Okay, so.

G

On over here, go ahead, I think we're just now, starting to see a lot of people actually doing Interop with recovery and finding bugs and I'm encouraged that most of the bugs that we've found so far I've been in the implementations and not as much in the spec. But at the same time, given the amount of stuff that we're trying to focus on I, don't think we've been steered wrong yet in recovery land by having the editors have a little bit more freedom to to fix things up as necessary.

G

So I, don't I, don't have any objection to to kind of raising the bar for that and switching to the new process, but at the same time I'm not seeing as strong a need for it. Given the amount of time that we're trying to put into everything else, I agree.

A

With you right, transport is the one that seen a lot of issues open against it continuously and that we want to control. Recovery has been much more stable and it's much the more steady development right and- and it's mostly sort of that eventually we want to basically have. We were kind of unusual when we started out because we wanted to move fast where we gave yeah there's lots of leash, and now we want to maybe become more like a regular ITF working group. Where is actually consensus based, it won't change much here.

A

I agree with you, it's just being clear what what model we're following right. So.

B

I just want to interject one there. The other part of this is that, as we move along having the editor have that a much capability also puts a lot of responsibility on their shoulders and and part of the discussion around TLS and and invariants and and the transport was that that was in some ways, unfair to the editors and so we're conscious that we don't want to put too much on Ian's shoulders here. The other factor for me is is that in an ideal world, I don't want all the documents.

B

I would like all the documents in one process rather than having a split process, because that's its own kind of overhead. So.

F

July as one of the editors of the TAT I can also say that we we really what Kinnear is saying what I'm seeing now is that there are people who are starting to interrupt and finding things you just suffered of income and talk about something. That's been there for a little while, but that's because they are starting to actually pay attention to the traffic now and I.

F

Personally, think that the load on recovery has not been very high in the past, it's not been very high and we don't I, don't think we and EMI can I think we might agree on this, but I don't think that there's a lot of there's, not a tremendous amount of churn on this and in the draft itself, I feel like there's. Some amount of agility at this moment would be useful, so I'm, gonna, I'm gonna push back against the late stage process. Yet.

A

Means proposal was that we're doing it we would maybe think about it for 20 and then I will also want to say that the late stage process really only makes the difference for design issues and I. Don't see very many design issues for recovery, they're, mostly editorial where either things were unclear or there's a buck in the pseudocode or the text. But we're not like this we're not designing a new pedestrian control protocol. Here right, we don't have very many of those like I, don't think that's true I mean literally.

F

That the two things that that one other things that being brought up is a design issue, the application limited stuff, and we just fix a persistent congestion thing last, which was a big design issue. What.

B

Let's not faceplant on the exact mechanics of this I think we could do this. We talked about this again in London, so let's, let's drain the cues and then yeah.

L

I was just that we target London ish for the same process, breach in Tokyo, which is surfacing the final issues last call for movie ad and then, if editors feel like they need more time after that, and we can discuss in London if they feel like they don't. Then we get I, think that sounds reasonable. Yeah hi.

N

Brian Graham, oh I, would caution a little bit against.

L

This because I, don't think that the interrupt testing on recovery has pushed any of the implementations anywhere near the end of their envelopes like, which is where we're recovery, stuff is, is more likely to show up. I would say that we really need to.

N

Have a few implementations.

L

Trust tested to the point like so praveen's praveen's, you know, run it on a challenging environment with TCP as well would be another thing that I would want to see before we say hey. This is done enough that we can that we can sort of go at the home stretch. Martin.

B

Gauri Martin.

T

Duke yeah just to amplify that I know about four to six weeks ago, Christian compose on slack that we add a Interop letter or some sort of at volume testing, possibly in parallel, TCP and I. Think doing them in Interop is probably the next best thing. Actually, someone deploying something like the latest draft in production, which it doesn't sound like it's close.

U

Gouri fares back and yeah and I think the auditors are doing a great job here that they're really kind of trying to buy to the problem, but the underneath they're trying to it with a new set of mechanisms to make these things work and I'm worried. We haven't done the congestion collapse, testing and really whether we got the words right so I'll be really lost to freeze it. I think they should be given time to do it until the numbered. If it's not about freezing the docq yeah. Okay I, know the process, but everyone.

A

So we wonder we want.

U

A

Work as we are, we have been working for a little while longer and and echo made a suggestion that maybe you visit us in London I think that's what we're! Okay.

B

Yeah I I, don't I get this on the amount of testing or the stress testing, but it does sound like that was a good suggestion. Is we'll talk about this again in London? If we think that it's appropriate, then then and we'll start the process in the list right after London. If.

A

Somebody from the editor from the from the implementers wants to write up a proposal for a stress test for throughput tests that that we could all sort of implement I. Think that would be useful and and pick a letter.

X

A

Else for Ian and or recovery.

Y

B

Do so sherry can you do tomorrow? Is that okay, okay, great thanks, so why don't we spend most the time on your.

N

Shoes and then we'll put you in I, think we can get through all I hope. Well, that's Brian, not true I hope we can get through all. Let's.

B

Work on hope, okay,.

N

But I don't know if they're prioritized correctly, do you listed occasion, design issues, recovery, I, sent you a link on slack, that's mostly correct, except they did not exclude editorial good moment. Then. Okay, I.

N

Think I think I want to talk about them approximately in reverse chronological order. So most recent first but I have to see the list where.

B

Did you send this link? It.

N

Was on the slack editors channel, it was probably the last message that gets sent.

N

Okay, yeah sorry I, don't know, I was looking back.

N

So let's do the initial arty at 100 milliseconds for comments most recently so 2184.

N

So the the core of this issue is what should be the initial handshake timeout when you have absolutely no other information about the network. For some reason, what are the defaults so praveen at the very bottom helpfully pointed me to a paper by a Googler from 2009 that kind of did a cumulative distribution of parties over the Internet and said, if you in the, if you have a one second timeout', you will have a like two percent spurious retransmit right.

N

According to those slides that yeah I point to and RFC 62 98 recommends a one second timeout'. My understanding is that is no longer the Linux default. I think the one is default is 300 milliseconds. Can someone correct me if I'm wrong and so there's there's sort of a divergence between common common practice and what is recommended in the RFC? The the number we currently recommend is a default RT RT g of 100 milliseconds, which results in a initial retransmission of 200 milliseconds.

N

So you know obvious here that we might be able to pick our 200 milliseconds 300 milliseconds cos Linux. Does it and one second, because it's in the most recent RFC that references this text to delight with some pros and cons here, picking a larger value by default is actually not all that bad because it might incentivize implementations to actually try to do something more intelligent, like remember, recent RTT estimates or do other intelligent things that might be overall beneficial to the network, so I don't have a super strong resistance to it.

N

At this point, I think I resisted it more initially saying that it seemed you. Conservative, but certainly implementations can choose to use other information, and that is explicitly called out in the draft. So I'm gonna, let proving go first cuz. He opened it but I. Please. There.

F

I kind of agree so I think, but the recommended value in the RFC should probably be conservative with text there. That implementations may choose to use previous information to you know see it.

F

The oddity I think it's only a problem when you're completely going blind into a network, because you could be like on a satellite link and then cause foodies, retransmissions, no reason I think that's the reason we have a conservative value by default, but yeah if implement I, think we should actually make a recommendation that implements patience, try to use the previous carriage path or TT as much as possible in that. If we do that, then I think the conservative value is not be that much of a problem in.

N

Televised here is your suggestion that we use the one second value from RFC 62-38, that.

F

Would be my recommendation I think we should also run it by the Linux kernel implementers, so you do TCP to see why they changed it to three hundred milliseconds. Maybe they have some data that we don't know about. Yeah.

N

If anyone here could add anything about that idea for and.

U

Go first, a slightly different touch if we choose one second and those people who get routed over satellite hops are very long, devious routes because the operators decide to do that for their traffic still function. And if you have some caching method, then we can also deal with it. But please don't optimize. Just for 99% of people than 1% get a big problem.

N

Yeah I mean we're mostly talking about one spurious retransmission of a single client hello. So it's almost.

U

People it's every well.

N

Well, that bends Eliza's.

U

Remembering information.

N

Hopefully, so to go with the point that I think we're converging on Michael.

Q

N

Q

Oh I'm sure yeah I have one question which will go to the initial oddity that it applied to zero additi connection or just to initial or one oddity connection in.

N

Practice you would never expect it to imply to 0rc connections, because your RTD connections should have the type of cached information associated with the zero TTT information and I. Think we call that out in the draft and if we don't, we should I'm pretty sure we do so. We basically say if you think you know, do reserve our two tier assumption. You should really store their RTT of the resume connection. What we don't say is what useful anarchie. Oh we don't. We don't say what which, if.

A

That's what you should be transmitted that.

B

We say I think we well yeah, so just just a level set here. How many issues do you think you need to get through here in like three okay.

M

This is the hardest one we're a little tongue constrained. So, let's, let's focus please go ahead. Microcosm. We have a working document about RTO considerations in general and T CPM and the statement there is. You must not use a value less than one second capital at a must all right now, the other thing you said you cash, the Archie. You use a cash value for the Archie Oh formula for the RT for the.

N

Initial RTT from the previous 0tt connection, which could be one year ago, the in practice, these credentials typically expire between 24 hours and 7 days.

F

So just one clarification that is not just one spurious retransmissions, depending on the value they take, even with exponential back-off, it could be two or three.

N

Yes, although the number of users are networks with more than like two second RTT is more.

F

Than one second right, so if you pick 200, then it's like 200 for.

N

About the one second, okay,.

F

Lower than one second, then, there could be more seriously transmission x that do have a Trekkie greater than my composure.

U

It's not number of uses it's for some users. This is all the time so.

A

It sounds like so I heard mild reference to to go towards one second, but point out that maybe Linux uses 300 millisecond explain that if you can cache it, you benefit so I, don't know if that's the way forward here. Let's assume.

F

That's the proposal on it, I'm.

A

Gonna think I'm gonna.

F

Suggest something here, pretty specific: you actually have Michael Dixon point of RT o consider as a draft and eCPM and you're gonna have to. You know basically be seven between these two drafts for the iesg to stamp this anyways. So the draft actually and I've discussed with McCallum and the wording here and it's very carefully written. It says, in the absence of any knowledge, about the latency of the path the RTO must be conservatively set to one second to just counter what Michael said.

F

This actually gives us room to do three hundred milliseconds or whatever small value we want in zero, RTT and I honestly think that we need to we it's okay, to be conservative in the non zero oddity case, simply because it's not the common case anyways, and so it seems to me that we should be focusing on the zero oddity. So.

N

I think that's weird yeah I grain.

D

N

Why yourself so right.

B

So we've got ten minutes left. So let's drain these queues or move on to the next. You.

N

Actually can can I ask: does anyone strongly disagree with the idea of just changing the default one? Second, and then maybe tightening up the text about 0rt and making it clear that you really should try to use. You know some more appropriate value. If you have better information.

B

I see agreements before.

L

You answer that have a question or you use one second increment today, but we we will sure I mean question because, like if none of the browser's use one second then like.

N

It's like silly to say one second and claims generically use like like ten milliseconds, that it's oi to say. One I believe this will strongly incentivize us to keep a aw ma of recent handshake, RT values and use that instead, that's that's the implementation.

A

E

Making sure that's my implementation plan.

N

Sure, okay, I'm, not I'm, gonna use one second, when the browser starts up and I have no information and never again, yes, okay, Tommy Tommy.

X

Paulie so I, like the direction of this I, think the one second with caching is a good approach with regards to zero or TT I think we still do need to make some recommendations about what you do in the absence of any RTT information, because you can definitely do zero RTT on a different network right. So if I was on life, I have never been on the cellular network before I. Don't know the RTT there. I do need to differentiate that.

X

So, when we're talking, if we're giving guidance about caching RT T's I, think we do need to be very specific that you can't assume the RT T's are the same across completely different network attachments. That's.

N

A good clarification, although I, would add that most of the time when you're doing zero to T, you also need to have source address validation and that would be different across SL. What a Wi-Fi network! So you you could do the resumption, the the TLS presumption but right, but you could do source address validation to be living descending like three packets or something.

X

Yes, sir sure sure, but you still may, if you are doing 0 TT just for the TLS resumption, then you should take this into account. Yes, that's a good point. Craig.

B

P

Taylor relaying Ingemar Johansson note that LT in some cases can have a ping RT t greater than 100 milliseconds because of various battery saving technology. On the other hand, a flood ping may give 40 millisecond RT t as the radio is kept alive. So that's just a practical example of yeah sub1 at one second.

Q

Yeah mu, can we just change the name from initial data T to initial one entity.

A

N

You requesting a name to drop the English word and request.

N

Maybe I should clarify with you just.

F

One point that, in terms of cash values, I think it's cash per path. So it's a source test, IP combination. So when you change the networks, you will be using a different source address and, as is equivalent to starting the browser search. Basically, your only new network with no previous target information, so you should not use cash values soon.

B

Get through one more unit so.

A

While we're getting through so what appointed up doing testing we're doing interrupt, but it's actually very helpful to have two short initial oddities, because that means you're a.

K

A

Handshake packets in flight and that triggered a bunch of bugs infil for.

N

A

Testing you might want to keep using the the value.

N

For a little while longer I, actually this is a question for the for the group. There's a park tissue sender, control delayed at ratio. This is helpfully opened by bug. Brisco, there's extensive discussion, but at this point, I think we've all decided that this is probably appropriate for an extension or a quick v2. Is there anyone who objects to us closing this and declaring that I or someone else should write an extension for this Oh Bob.

Q

Do you still care I'm.

N

Not saying it's not a good idea and I very much want it, but in the interest of.

W

All right, Briscoe I, just want to explain the implications of not doing it. The number of networks of link technologies do act, thinning and the reason for primary reason for putting this. You know and they're all written. There are three main reasons in there, but the primary reason was that I wanted to make sure that quick did that act finning for them to discourage them from trying to work out which were the acts and thinning them. Yeah.

N

It's a very good point: yeah I think there are excellent technical arguments. Are you? Are you, okay, with punting this to version 2 or an extension or an illusion.

W

I believe so, yes, because that we can see whether it happens, yeah.

N

I think some experimentation would be very valuable. Ok,.

F

Yeah I, Jenna and God I think in the meanwhile. You all definitely recommend, as I've had to a couple of people, that the smallest packets you see on the wire are not necessarily axon quick, I. Just sort of make that point, because people have asked me that question for exactly that reason, because they want to thin those packets I'm like no actually, the smallest packets are not necessarily AG. They could be just packets carrying ping frames. So don't do that.

N

A

N

A

An issue and manageability for that- you, yes, yes, Oh to them.

B

So it sounds like we can close this as a quick v2, which is.

A

E

B

Of label for extension, or next or whatever it's.

N

Already part, sir one more issue: I warned it which I think it we can close now. So there is a good number of TLS probes. Ok, PTO is now be one or two twenty one 85.

N

So this is, this is fairly simple. The the text has been updated substantially. I guess my my question to both Praveen and the rest of the group is I. Believe the text currently says I cannot remember if it says you should send one and you may send two or if you should send to you or may send one, but I think does that we're pretty much kind of on one of those two recommendations.

N

Do people have particularly strong opinions on this, or should we just stick with whatever's growing in the draft which I apparently cannot recall, because that.

A

Should one me too, okay.

N

And then there's a consideration about why you might want to do I believe about wait. Actor I actually think it's about packet loss, clip.

F

So question the participant congestion definition, sort of depends on the dis currently right, because we previously said it's three times PTO. So if the implementation does in one time video do we need to clarify the definition as well.

N

This is the number sorry this is the number of packets I would say. This is sorry. This is not the number yes.

O

F

N

Number of packets.

F

N

Is the registration? Yes, this is okay, yeah, so I guess this is persisting iteration and so.

F

So the text going to be issued for one and may for two.

A

Just should one like, like you know,.

F

That's actually perfectly fine. Okay, this is not position condition. This is the BPO yeah.

N

B

We can close, that's good, you got any more yeah.

N

We can do one more.

N

Is there aa, 23 93 I have known this for Nick banks, ugly I, don't think next year, but there's a question of when K granularity, which is the alarm granularity and the max act. Delay, which is the peer specified max, actually should be added, whether it's before after exponential back-off, this issue suggested should be after is currently before it seemed safer to do at it before and that's why I did it that way, I'm not sure. If that's a well reasoned argument.

F

Proving to me it seemed like we have replaced min RTO with granularity, which actually kind of makes sense to me, because even in TCP, we never allowed you to set my not you're below the time of granularity, so kind of makes sense that we cannot have a time or lower than that right.

D

F

In TCP, the minority is included before so. In that spirit, I think keeping to a glamour ID before is consistent with what TCP is doing like. If you look at keygen right is a replacement formula at you, then then what we have right now is actually correct, but it right at the end, I actually posted a comment. Yesterday, where there was one possible change, we could do to the equation. We could probably take that offline, but I, think keeping K again and write it before is probably more consistent with PCP Jana.

B

You have 15 seconds July.

F

Anger, I'm gonna agree with that and give just one more add. One more comment, which is the whole point of exponential back-off, is that we waited this long and didn't hear anything back, so we should meet about twice as long. It's a rule of thumb. It's not you know some sort of magical expression. That's only going to give us the right answer here. The point is to try backing off and backing on back now.

F

Until you receive a response and then you collapse, the whole thing down anyways, so there's no long term effect to this I think just packing. The whole thing off exponentially makes a ton more sense, because that's the amount of time we waited all right.

N

Thank you our cause, this one, no, actually thanks. Okay,.

B

Thank You Ian, it's 11 o'clock, we'll see you all tomorrow. Hopefully Thanks.

A

I'm missing one blue sheet: it's ready with Bob, okay good! So if you haven't signed yet go to find Bob corner.