prop. 159 back to 16 byte short header

This commit is contained in:
zzz
2021-10-18 11:06:28 -04:00
parent 79f3bc3290
commit 5344482dbe

View File

@ -2594,13 +2594,13 @@ Before header obfuscation and protection:
Short Header
`````````````
The short header is 13 bytes. It is used after a session is created, for Data messages.
The short header is 16 bytes. It is used after a session is created, for Data messages.
or (maybe?) for unauthenticated messages.
TODO 16 bytes would be a lot easier for both AES and ChaCha20.
We have to decrypt the first part to get the packet type,
and then must decrypt further if it's actually a long header.
How can we save the state and continue decrypting the next 16 bytes?
16 bytes is required, because
the receiver must decrypt the first 16 bytes to get the message type,
and then must decrypt an additional 16 bytes if it's actually a long header,
as indicated by the message type.
Before header obfuscation and protection:
@ -2611,17 +2611,24 @@ Before header obfuscation and protection:
+----+----+----+----+----+----+----+----+
| Destination Connection ID |
+----+----+----+----+----+----+----+----+
| Packet Number |type|
+----+----+----+----+----+
| Packet Number |type| flags |
+----+----+----+----+----+----+----+----+
Destination Connection ID :: 8 bytes, unsigned big endian integer
type :: The message type, 0-10
Packet Number :: 4 bytes, unsigned big endian integer
type :: The message type, 0-10
flags :: 3 bytes, unused, set to 0 for future compatibility
{% endhighlight %}
Note: If any out-of-session relay or peer test messages are defined
and used, we must also have the ver and id fields present.
Connection ID Numbering
```````````````````````````
@ -2698,6 +2705,9 @@ Both the long and short headers are always obfuscated with AES-CBC using
For SessionCreated, where the destination router hash and IV are not yet known,
the source router hash and IV are used.
TODO ChaCha20 instead?
Header Protection
```````````````````
@ -3136,6 +3146,7 @@ Notes
with excessive padding. Bob will specify his padding options in Session Created.
Min/max guidelines TBD. Random size from 0 to 31 bytes minimum?
(Distribution to be determined, see Appendix A.)
TODO UNLESS minimum packet size is enforced for PMTU.
- On any error, including AEAD, DH, timestamp, apparent replay, or key
validation failure, Bob must halt further message processing and
@ -3369,6 +3380,7 @@ Notes
Alice will specify her padding options in Session Confirmed.
Min/max guidelines TBD. Random size from 0 to 31 bytes minimum?
(Distribution to be determined, see Appendix A.)
TODO UNLESS minimum packet size is enforced for PMTU.
- On any error, including AEAD, DH, timestamp, apparent replay, or key
validation failure, Alice must halt further message processing and close the
@ -3474,9 +3486,9 @@ Alice sends to Bob.
Noise content: Alice's static key
Noise payload part 1: None
Noise payload part 2: Alice's RouterInfo, options, data, and padding blocks
Max payload size: MTU - 105 (IPv4) or MTU - 125 (IPv6)
For 1280 MTU: Max payload is 1175 (IPv4) or 1155 (IPv6)
For 1500 MTU: Max payload is 1395 (IPv4) or 1375 (IPv6)
Max payload size: MTU - 108 (IPv4) or MTU - 128 (IPv6)
For 1280 MTU: Max payload is 1172 (IPv4) or 1152 (IPv6)
For 1500 MTU: Max payload is 1392 (IPv4) or 1372 (IPv6)
Payload Security Properties:
@ -3526,9 +3538,9 @@ Raw contents:
{% highlight lang='dataspec' %}
+----+----+----+----+----+----+----+----+
|Short Header obfuscated with dest hash |
+encrypted, bytes 8-12 +----+----+----+
| header protected | |
+----+----+----+----+----+ +
+ encrypted, bytes 8-15 +
| header protected |
+----+----+----+----+----+----+----+----+
| ChaCha20 frame (32 bytes) |
+ Encrypted and authenticated data +
+ Alice static key S +
@ -3579,17 +3591,17 @@ Unencrypted data (Poly1305 auth tags not shown):
+----+----+----+----+----+----+----+----+
| Destination Connection ID |
+----+----+----+----+----+----+----+----+
| Packet Number |type| |
+----+----+----+----+----+ +
| Packet Number |type| flags |
+----+----+----+----+----+----+----+----+
| |
+ +
| S |
+ Alice static key +
| (32 bytes) |
+ +
| +----+----+----|
+ | +
+----+----+----+----+----+ +
| |
+ +
+----+----+----+----+----+----+----+----+
| |
+ +
| Noise Payload |
@ -3599,8 +3611,16 @@ Unencrypted data (Poly1305 auth tags not shown):
| |
+----+----+----+----+----+----+----+----+
S :: 32 bytes, Alice's X25519 static key, little endian
Destination Connection ID :: As sent in Session Request,
or one received in Session Confirmed?
Packet Number :: 1 unless retransmitted or resent after Retry
type :: 2
flags :: 3 bytes, unused, set to 0 for future compatibility
S :: 32 bytes, Alice's X25519 static key, little endian
{% endhighlight %}
@ -3697,8 +3717,8 @@ Data Message (Type 6)
---------------------------
Noise payload: All block types are allowed
Max payload size: MTU - 57 (IPv4) or MTU - 77 (IPv6)
For 1500 MTU: Max payload is 1443 (IPv4) or 1423 (IPv6)
Max payload size: MTU - 60 (IPv4) or MTU - 80 (IPv6)
For 1500 MTU: Max payload is 1440 (IPv4) or 1420 (IPv6)
Starting with the 2nd part of Session Confirmed, all messages are inside
an authenticated and encrypted ChaChaPoly payload.
@ -3745,9 +3765,9 @@ Notes
{% highlight lang='dataspec' %}
+----+----+----+----+----+----+----+----+
|Short Header obfuscated with dest hash |
+encrypted, bytes 8-12 +----+----+----+
| header protected | |
+----+----+----+----+----+ +
+ encrypted, bytes 8-15 +
| header protected |
+----+----+----+----+----+----+----+----+
| ChaCha20 data |
+ Encrypted and authenticated data +
| length varies |
@ -3771,8 +3791,8 @@ Unencrypted data (Poly1305 auth tag not shown):
+----+----+----+----+----+----+----+----+
| Destination Connection ID |
+----+----+----+----+----+----+----+----+
| Packet Number |type| |
+----+----+----+----+----+ +
| Packet Number |type| flags |
+----+----+----+----+----+----+----+----+
| Noise payload (block data) |
+ (length varies) +
| |
@ -3780,9 +3800,11 @@ Unencrypted data (Poly1305 auth tag not shown):
Destination Connection ID :: As specified in session setup
Packet Number :: 4 byte big endian integer
type :: 6
Packet Number :: 4 byte big endian integer
flags :: 3 bytes, unused, set to 0 for future compatibility
{% endhighlight %}
@ -5070,10 +5092,10 @@ No IP fragmentation is assumed.
IP + datagram header is 28 bytes.
This assumes no IPv4 options.
Max message size is MTU - 28.
Data phase header is 13 bytes and MAC is 16 bytes, totalling 29 bytes.
Payload size is MTU - 57.
Max data phase payload is 1443 for a max 1500 MTU.
Max data phase payload is 1223 for a min 1280 MTU.
Data phase header is 16 bytes and MAC is 16 bytes, totalling 32 bytes.
Payload size is MTU - 60.
Max data phase payload is 1440 for a max 1500 MTU.
Max data phase payload is 1220 for a min 1280 MTU.
IPv6:
@ -5081,10 +5103,10 @@ No IP fragmentation is allowed.
IP + datagram header is 48 bytes.
This assumes no IPv6 extension headers.
Max message size is MTU - 48.
Data phase header is 13 bytes and MAC is 16 bytes, totalling 29 bytes.
Payload size is MTU - 77.
Max data phase payload is 1423 for a max 1500 MTU.
Max data phase payload is 1203 for a min 1280 MTU.
Data phase header is 16 bytes and MAC is 16 bytes, totalling 32 bytes.
Payload size is MTU - 80.
Max data phase payload is 1420 for a max 1500 MTU.
Max data phase payload is 1200 for a min 1280 MTU.
@ -5380,12 +5402,14 @@ Message Header+MAC Keys Data Padding Total Notes
================== =========== ===== ====== ======= ====== =====
Session Request 48 32 7 87 DateTime block
Session Created 48 32 7 87 DateTime block
Session Confirmed 45 32 1003 1080 RI block
Data (1 full msg) 13 14 27
Total 1281
Session Confirmed 48 32 1003 1083 (2 macs) 1000 byte RI block
Data (1 full msg) 32 14 46
Total 1303
================== =========== ===== ====== ======= ====== =====
TODO UNLESS minimum packet size in Session Request and Created is enforced for PMTU.