diff --git a/i2p2www/spec/proposals/159-ssu2.rst b/i2p2www/spec/proposals/159-ssu2.rst index a9e0453b5362643ade9d4bcb1b7886a489e28812..944944e60ad36a53cf2f263672e231feb601fcb8 100644 --- a/i2p2www/spec/proposals/159-ssu2.rst +++ b/i2p2www/spec/proposals/159-ssu2.rst @@ -2594,13 +2594,13 @@ Before header obfuscation and protection: Short Header ````````````` -The short header is 13 bytes. It is used after a session is created, for Data messages. +The short header is 16 bytes. It is used after a session is created, for Data messages. or (maybe?) for unauthenticated messages. -TODO 16 bytes would be a lot easier for both AES and ChaCha20. -We have to decrypt the first part to get the packet type, -and then must decrypt further if it's actually a long header. -How can we save the state and continue decrypting the next 16 bytes? +16 bytes is required, because +the receiver must decrypt the first 16 bytes to get the message type, +and then must decrypt an additional 16 bytes if it's actually a long header, +as indicated by the message type. Before header obfuscation and protection: @@ -2611,17 +2611,24 @@ Before header obfuscation and protection: +----+----+----+----+----+----+----+----+ | Destination Connection ID | +----+----+----+----+----+----+----+----+ - | Packet Number |type| - +----+----+----+----+----+ + | Packet Number |type| flags | + +----+----+----+----+----+----+----+----+ Destination Connection ID :: 8 bytes, unsigned big endian integer + Packet Number :: 4 bytes, unsigned big endian integer + type :: The message type, 0-10 - Packet Number :: 4 bytes, unsigned big endian integer + flags :: 3 bytes, unused, set to 0 for future compatibility {% endhighlight %} +Note: If any out-of-session relay or peer test messages are defined +and used, we must also have the ver and id fields present. + + + Connection ID Numbering ``````````````````````````` 
@@ -2698,6 +2705,9 @@ Both the long and short headers are always obfuscated with AES-CBC using For SessionCreated, where the destination router hash and IV are not yet known, the source router hash and IV are used. +TODO ChaCha20 instead? + + Header Protection ``````````````````` @@ -3136,6 +3146,7 @@ Notes with excessive padding. Bob will specify his padding options in Session Created. Min/max guidelines TBD. Random size from 0 to 31 bytes minimum? (Distribution to be determined, see Appendix A.) + TODO UNLESS minimum packet size is enforced for PMTU. - On any error, including AEAD, DH, timestamp, apparent replay, or key validation failure, Bob must halt further message processing and @@ -3369,6 +3380,7 @@ Notes Alice will specify her padding options in Session Confirmed. Min/max guidelines TBD. Random size from 0 to 31 bytes minimum? (Distribution to be determined, see Appendix A.) + TODO UNLESS minimum packet size is enforced for PMTU. - On any error, including AEAD, DH, timestamp, apparent replay, or key validation failure, Alice must halt further message processing and close the @@ -3474,9 +3486,9 @@ Alice sends to Bob. Noise content: Alice's static key Noise payload part 1: None Noise payload part 2: Alice's RouterInfo, options, data, and padding blocks -Max payload size: MTU - 105 (IPv4) or MTU - 125 (IPv6) -For 1280 MTU: Max payload is 1175 (IPv4) or 1155 (IPv6) -For 1500 MTU: Max payload is 1395 (IPv4) or 1375 (IPv6) +Max payload size: MTU - 108 (IPv4) or MTU - 128 (IPv6) +For 1280 MTU: Max payload is 1172 (IPv4) or 1152 (IPv6) +For 1500 MTU: Max payload is 1392 (IPv4) or 1372 (IPv6) Payload Security Properties: 
@@ -3526,9 +3538,9 @@ Raw contents: {% highlight lang='dataspec' %} +----+----+----+----+----+----+----+----+ |Short Header obfuscated with dest hash | - +encrypted, bytes 8-12 +----+----+----+ - | header protected | | - +----+----+----+----+----+ + + + encrypted, bytes 8-15 + + | header protected | + +----+----+----+----+----+----+----+----+ | ChaCha20 frame (32 bytes) | + Encrypted and authenticated data + + Alice static key S + @@ -3579,17 +3591,17 @@ Unencrypted data (Poly1305 auth tags not shown): +----+----+----+----+----+----+----+----+ | Destination Connection ID | +----+----+----+----+----+----+----+----+ - | Packet Number |type| | - +----+----+----+----+----+ + + | Packet Number |type| flags | + +----+----+----+----+----+----+----+----+ | | + + | S | + Alice static key + | (32 bytes) | + + - | +----+----+----| - + | + - +----+----+----+----+----+ + + | | + + + + +----+----+----+----+----+----+----+----+ | | + + | Noise Payload | @@ -3599,8 +3611,16 @@ Unencrypted data (Poly1305 auth tags not shown): | | +----+----+----+----+----+----+----+----+ - S :: 32 bytes, Alice's X25519 static key, little endian + Destination Connection ID :: As sent in Session Request, + or one received in Session Confirmed? + Packet Number :: 1 unless retransmitted or resent after Retry + + type :: 2 + + flags :: 3 bytes, unused, set to 0 for future compatibility + + S :: 32 bytes, Alice's X25519 static key, little endian {% endhighlight %} @@ -3697,8 +3717,8 @@ Data Message (Type 6) --------------------------- Noise payload: All block types are allowed -Max payload size: MTU - 57 (IPv4) or MTU - 77 (IPv6) -For 1500 MTU: Max payload is 1443 (IPv4) or 1423 (IPv6) +Max payload size: MTU - 60 (IPv4) or MTU - 80 (IPv6) +For 1500 MTU: Max payload is 1440 (IPv4) or 1420 (IPv6) Starting with the 2nd part of Session Confirmed, all messages are inside an authenticated and encrypted ChaChaPoly payload. 
@@ -3745,9 +3765,9 @@ Notes {% highlight lang='dataspec' %} +----+----+----+----+----+----+----+----+ |Short Header obfuscated with dest hash | - +encrypted, bytes 8-12 +----+----+----+ - | header protected | | - +----+----+----+----+----+ + + + encrypted, bytes 8-15 + + | header protected | + +----+----+----+----+----+----+----+----+ | ChaCha20 data | + Encrypted and authenticated data + | length varies | @@ -3771,8 +3791,8 @@ Unencrypted data (Poly1305 auth tag not shown): +----+----+----+----+----+----+----+----+ | Destination Connection ID | +----+----+----+----+----+----+----+----+ - | Packet Number |type| | - +----+----+----+----+----+ + + | Packet Number |type| flags | + +----+----+----+----+----+----+----+----+ | Noise payload (block data) | + (length varies) + | | @@ -3780,9 +3800,11 @@ Unencrypted data (Poly1305 auth tag not shown): Destination Connection ID :: As specified in session setup + Packet Number :: 4 byte big endian integer + type :: 6 - Packet Number :: 4 byte big endian integer + flags :: 3 bytes, unused, set to 0 for future compatibility {% endhighlight %} @@ -5070,10 +5092,10 @@ No IP fragmentation is assumed. IP + datagram header is 28 bytes. This assumes no IPv4 options. Max message size is MTU - 28. -Data phase header is 13 bytes and MAC is 16 bytes, totalling 29 bytes. -Payload size is MTU - 57. -Max data phase payload is 1443 for a max 1500 MTU. -Max data phase payload is 1223 for a min 1280 MTU. +Data phase header is 16 bytes and MAC is 16 bytes, totalling 32 bytes. +Payload size is MTU - 60. +Max data phase payload is 1440 for a max 1500 MTU. +Max data phase payload is 1220 for a min 1280 MTU. IPv6: 
@@ -5081,10 +5103,10 @@ No IP fragmentation is allowed. IP + datagram header is 48 bytes. This assumes no IPv6 extension headers. Max message size is MTU - 48. -Data phase header is 13 bytes and MAC is 16 bytes, totalling 29 bytes. -Payload size is MTU - 77. -Max data phase payload is 1423 for a max 1500 MTU. -Max data phase payload is 1203 for a min 1280 MTU. +Data phase header is 16 bytes and MAC is 16 bytes, totalling 32 bytes. +Payload size is MTU - 80. +Max data phase payload is 1420 for a max 1500 MTU. +Max data phase payload is 1200 for a min 1280 MTU. @@ -5380,12 +5402,14 @@ Message Header+MAC Keys Data Padding Total Notes ================== =========== ===== ====== ======= ====== ===== Session Request 48 32 7 87 DateTime block Session Created 48 32 7 87 DateTime block -Session Confirmed 45 32 1003 1080 RI block -Data (1 full msg) 13 14 27 -Total 1281 +Session Confirmed 48 32 1003 1083 (2 macs) 1000 byte RI block +Data (1 full msg) 32 14 46 +Total 1303 ================== =========== ===== ====== ======= ====== ===== +TODO UNLESS minimum packet size in Session Request and Created is enforced for PMTU. +
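
Review bot: In the Short Header field list (hunk @@ -2611), `flags :: 3 bytes, unused, set to 0 for future compatibility` only covers the sender. State what a receiver does with non-zero flags (ignore them, or treat the packet as an error); otherwise a later version that assigns a flag bit cannot predict how existing routers will react. The added note on out-of-session relay or peer test messages says the ver and id fields must be present, but the 16-byte layout (8 + 4 + 1 + 3) leaves no room beyond the flag bytes, so say whether those messages would use the long header instead.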
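
Review bot: The new `TODO ChaCha20 instead?` under header obfuscation (hunk @@ -2698) leaves the cipher undecided, while the Short Header text in this same patch now says "16 bytes is required" because the receiver decrypts the first 16 bytes and then a further 16 for a long header. Record which cipher that reasoning assumes, so that resolving this TODO does not silently invalidate the header-size rationale. The removed text at least said 16 bytes suits both AES and ChaCha20; the replacement drops that.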
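
Review bot: `TODO UNLESS minimum packet size is enforced for PMTU.` is added as a sentence fragment in both Notes hunks (@@ -3136 and @@ -3369) and again, with "in Session Request and Created", after the overhead table (@@ -5380), and it is not clear what it qualifies. The preceding line proposes a random pad of "0 to 31 bytes minimum", and a PMTU-driven minimum packet size would override that range. Write it once as a full sentence that names the messages and the interaction with the padding range, and refer to it from the other two places.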
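
Review bot: In the Session Confirmed field list (hunk @@ -3611), `Destination Connection ID :: As sent in Session Request, or one received in Session Confirmed?` is circular: this is the Session Confirmed message itself (type 2, Alice to Bob), so Alice cannot have received a connection ID in it. If the intended alternative is an ID received in Session Created, name that message. The question mark should be resolved either way, since the receiver needs this field to be unambiguous to match the packet to a session.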
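
Review bot: The Data Message size lines (hunk @@ -3697) give a worked figure only for 1500 MTU, while the Session Confirmed section (@@ -3474) and the MTU section (@@ -5070, @@ -5081) also cover 1280. Add the 1280 line here (1220 for IPv4 and 1200 for IPv6, per the MTU section) so the three places can be checked against each other. The changed numbers are otherwise consistent with a 16-byte header plus a 16-byte MAC.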