From e2644eab4016bdf990a888ae5948be3d5bddd1aa Mon Sep 17 00:00:00 2001 From: mirjak Date: Fri, 6 Feb 2026 15:14:33 +0100 Subject: [PATCH 1/5] Improve Nonce description This is a first try for a table but not sure that helps much... Or was the request to show the table in bits...? --- draft-ietf-quic-multipath.md | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) diff --git a/draft-ietf-quic-multipath.md b/draft-ietf-quic-multipath.md index cebd0c43..e68099ac 100644 --- a/draft-ietf-quic-multipath.md +++ b/draft-ietf-quic-multipath.md @@ -297,7 +297,14 @@ is less than 12 bytes cannot be used with the QUIC multipath extension. For example, assuming the IV value is `0x6b26114b9cba2b63a9e8dd4f`, the path ID is `3`, and the packet number is `54321` (hex value `0xd431`), -the nonce will be set to `0x6b2611489cba2b63a9e8097e`. +the nonce will be set to `0x6b2611489cba2b63a9e8097e`, as illustrated in the +following table: + +| Type | Value | +| -------------------- | ---------------------------------------------------------- | +| padded packet number | 0x3 (32 bits) + 0x0 (2 bits) + 0xd431 (62 bits) | +| IV | 0x6b26114b9cba2b63a9e8dd4f (96 bits with optional padding) | +| AEAD nonce | 0x6b2611489cba2b63a9e8097e | ## Key Phase Update Process {#multipath-key-update} @@ -1574,8 +1581,8 @@ The limits as discussed on {{Appendix B of QUIC-TLS}} apply to the total number of packets sent on all paths, not each path separately. -This specification changes the AEAD calculation by using the path ID as part of -AEAD nonce (see {{nonce}}). To ensure unique nonces, path IDs +This specification changes the AEAD nonce calculation by including the path ID +as part of the calculation (see {{nonce}}). To ensure unique nonces, path IDs are limited to 32 bits and cannot be reused for another path of the same connection. # Acknowledgments From 90fbea8e45e0f0f1be5f696cbcef4f840b90f56f Mon Sep 17 00:00:00 2001 From: mirjak Date: Fri, 13 Feb 2026 11:41:59 +0100 Subject: [PATCH 2/5] Add TLS presentation for PPN Co-authored-by: Christian Huitema --- draft-ietf-quic-multipath.md | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/draft-ietf-quic-multipath.md b/draft-ietf-quic-multipath.md index e68099ac..c426c840 100644 --- a/draft-ietf-quic-multipath.md +++ b/draft-ietf-quic-multipath.md @@ -295,6 +295,15 @@ is left-padded with zeros to the size of the IV. The exclusive OR of the padded packet number and the IV forms the AEAD nonce. An AEAD algorithm where the nonce length is less than 12 bytes cannot be used with the QUIC multipath extension. +~~~ + Path And Packet Number { + Path Identifier (32), + Zeroes (2) = 0b00, + Packet Number (62) + } +~~~ +{: #fig-path-and-packet-number title="96 Bits Path-And-Packet-Number"} + For example, assuming the IV value is `0x6b26114b9cba2b63a9e8dd4f`, the path ID is `3`, and the packet number is `54321` (hex value `0xd431`), the nonce will be set to `0x6b2611489cba2b63a9e8097e`, as illustrated in the From e0e62228709c689c8596ed7438ebae17942aa250 Mon Sep 17 00:00:00 2001 From: mirjak Date: Fri, 13 Feb 2026 11:44:56 +0100 Subject: [PATCH 3/5] reference to new PPN figure Co-authored-by: Christian Huitema --- draft-ietf-quic-multipath.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/draft-ietf-quic-multipath.md b/draft-ietf-quic-multipath.md index c426c840..3124e740 100644 --- a/draft-ietf-quic-multipath.md +++ b/draft-ietf-quic-multipath.md @@ -290,7 +290,8 @@ is limited to a max value of 232-1, as specified in {{nego}}. To calculate the nonce, a 96-bit path-and-packet-number is composed of the 32 bits of the path ID in network byte order, two zero bits, and the 62 bits of the reconstructed QUIC packet number in -network byte order. The IV length is equal to the nonce length. If the IV is larger than 96 bits, the path-and-packet-number +network byte order, as illustrated in {{fig-path-and-packet-number}} using the conventions of TLS 1.3. +The IV length is equal to the nonce length. If the IV is larger than 96 bits, the path-and-packet-number is left-padded with zeros to the size of the IV. The exclusive OR of the padded packet number and the IV forms the AEAD nonce. An AEAD algorithm where the nonce length is less than 12 bytes cannot be used with the QUIC multipath extension. From bce3c448bd6514440dab2a9a82b28c042cee9a3a Mon Sep 17 00:00:00 2001 From: mirjak Date: Fri, 13 Feb 2026 12:00:01 +0100 Subject: [PATCH 4/5] Add more TLS illustrations --- draft-ietf-quic-multipath.md | 42 ++++++++++++++++++++++-------------- 1 file changed, 26 insertions(+), 16 deletions(-) diff --git a/draft-ietf-quic-multipath.md b/draft-ietf-quic-multipath.md index 3124e740..ec644f60 100644 --- a/draft-ietf-quic-multipath.md +++ b/draft-ietf-quic-multipath.md @@ -287,34 +287,44 @@ IV with the packet number and with the 32 bits of the path ID. In order to guarantee the uniqueness of the nonce, the path ID is limited to a max value of 232-1, as specified in {{nego}}. -To calculate the nonce, a 96-bit path-and-packet-number is composed of the +To calculate the nonce, a 96-bit Path-and-Packet-Number (PPN) is composed of the 32 bits of the path ID in network byte order, two zero bits, and the 62 bits of the reconstructed QUIC packet number in -network byte order, as illustrated in {{fig-path-and-packet-number}} using the conventions of TLS 1.3. -The IV length is equal to the nonce length. If the IV is larger than 96 bits, the path-and-packet-number -is left-padded with zeros to the size of the IV. The exclusive OR of the padded -packet number and the IV forms the AEAD nonce. An AEAD algorithm where the nonce length -is less than 12 bytes cannot be used with the QUIC multipath extension. +network byte order, as illustrated in {{fig-path-and-packet-number}}. ~~~ - Path And Packet Number { - Path Identifier (32), + PPN { + Path ID (32), Zeroes (2) = 0b00, Packet Number (62) } ~~~ {: #fig-path-and-packet-number title="96 Bits Path-And-Packet-Number"} +The IV length is equal to the nonce length. If the IV is larger than 96 bits, the path-and-packet-number +is left-padded with zeros to the size of the IV. The exclusive OR of the padded +packet number and the IV forms the AEAD nonce. An AEAD algorithm where the nonce length +is less than 12 bytes cannot be used with the QUIC multipath extension. The following +figure illustrates this for a 96-bits IV. + +~~~ +IV(12); +N(12) = IV xor PPN; +~~~ +{: #fig-nonce-calculation title="Nonce Calculation"} + For example, assuming the IV value is `0x6b26114b9cba2b63a9e8dd4f`, the path ID is `3`, and the packet number is `54321` (hex value `0xd431`), -the nonce will be set to `0x6b2611489cba2b63a9e8097e`, as illustrated in the -following table: - -| Type | Value | -| -------------------- | ---------------------------------------------------------- | -| padded packet number | 0x3 (32 bits) + 0x0 (2 bits) + 0xd431 (62 bits) | -| IV | 0x6b26114b9cba2b63a9e8dd4f (96 bits with optional padding) | -| AEAD nonce | 0x6b2611489cba2b63a9e8097e | +the nonce will be set to `0x6b2611489cba2b63a9e8097e`, as illustrated below: + +~~~ + IV: 6b26114b9cba2b63a9e8dd4f +⊕ PPN: 00000003000000000000d431 +------------------------------------ + Nonce: 6b2611489cba2b63a9e8097e +~~~ +{: #fig-example-nonce title="Example Nonce Calculation"} + ## Key Phase Update Process {#multipath-key-update} From f1237b5e190a9631de0f6ea6ce0fac38fdc4581b Mon Sep 17 00:00:00 2001 From: mirjak Date: Fri, 13 Feb 2026 12:01:36 +0100 Subject: [PATCH 5/5] missing word --- draft-ietf-quic-multipath.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/draft-ietf-quic-multipath.md b/draft-ietf-quic-multipath.md index ec644f60..4f6a311e 100644 --- a/draft-ietf-quic-multipath.md +++ b/draft-ietf-quic-multipath.md @@ -281,7 +281,7 @@ the sender might prefer to send ACK frames. the use of a nonce, N, formed by combining the packet protection IV with the packet number. When multiple packet number spaces are used, the packet number alone would not guarantee the uniqueness of the nonce. -Therefore, the nonce N is calculated for 1-RTT if the multipath extension is used +Therefore, the nonce N is calculated for 1-RTT packets if the multipath extension is used by combining the packet protection IV with the packet number and with the 32 bits of the path ID. In order to guarantee the uniqueness of the nonce, the path ID