Re: [Masque] Encrypting between client and proxy
Eric Rosenberg <eric_rosenberg@apple.com> Wed, 16 November 2022 19:16 UTC
Return-Path: <eric_rosenberg@apple.com>
X-Original-To: masque@ietfa.amsl.com
Delivered-To: masque@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 738CCC14F73A for <masque@ietfa.amsl.com>; Wed, 16 Nov 2022 11:16:42 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.096
X-Spam-Level:
X-Spam-Status: No, score=-2.096 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=apple.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mWRFxIpWCToo for <masque@ietfa.amsl.com>; Wed, 16 Nov 2022 11:16:38 -0800 (PST)
Received: from ma-mailsvcp-mx-lapp02.apple.com (ma-mailsvcp-mx-lapp02.apple.com [17.32.222.23]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 62893C1522A7 for <masque@ietf.org>; Wed, 16 Nov 2022 11:16:38 -0800 (PST)
Received: from ma-mailsvcp-mta-lapp04.corp.apple.com (ma-mailsvcp-mta-lapp04.corp.apple.com [10.226.18.136]) by ma-mailsvcp-mx-lapp02.apple.com (Oracle Communications Messaging Server 8.1.0.20.20220923 64bit (built Sep 23 2022)) with ESMTPS id <0RLG00P7SG7O9U20@ma-mailsvcp-mx-lapp02.apple.com> for masque@ietf.org; Wed, 16 Nov 2022 11:16:36 -0800 (PST)
X-Proofpoint-ORIG-GUID: jGEa_w0iiZudLxxI86IH_x__-uoxhQ5J
X-Proofpoint-GUID: jGEa_w0iiZudLxxI86IH_x__-uoxhQ5J
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.545, 18.0.895 definitions=2022-11-16_03:2022-11-15, 2022-11-16 signatures=0
X-Proofpoint-Spam-Details: rule=interactive_user_notspam policy=interactive_user score=0 adultscore=0 mlxlogscore=999 suspectscore=0 phishscore=0 mlxscore=0 bulkscore=0 malwarescore=0 spamscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2210170000 definitions=main-2211160133
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=apple.com; h=from : message-id : content-type : mime-version : subject : date : in-reply-to : cc : to : references; s=20180706; bh=PQtXnPCZy3aQuii/96Z0UeroF83j64EhwTqfAyfHYHE=; b=R/uYAz3wHZ0KzdOgeKucwH2cIbyYTKcUmaSgSgMK0HQiGpG0RN7aAxzAxT2WtmoqjLUU pm6eTpEwA6+6/Q7VWzB6bEqItquSeX2iBF1lyPpViks+FBEUmIFd/o6spkoiqPti4QZH xRdoJAQAgZxw28aXBadSTiStSyhYvUYRupKt5XRpbPRoEKulqgrmhqvu3wGNyYKFmFuM XpqNx9dyM82EKF2I+AsZqR5AkHNUMf/DD7hRQa0gu9nucfVCVmxaWWrBKdtKKQaFgoTy 1H5gna/G3h4478efOVjRMl4IpdW40yjxjJ8TPTr8RnOZ/XhW2nEbHPfJbwS5fRDDHMvf Bg==
Received: from ma-mailsvcp-mmp-lapp04.apple.com (ma-mailsvcp-mmp-lapp04.apple.com [17.32.222.17]) by ma-mailsvcp-mta-lapp04.corp.apple.com (Oracle Communications Messaging Server 8.1.0.20.20220923 64bit (built Sep 23 2022)) with ESMTPS id <0RLG00440G7O8N00@ma-mailsvcp-mta-lapp04.corp.apple.com>; Wed, 16 Nov 2022 11:16:36 -0800 (PST)
Received: from process_milters-daemon.ma-mailsvcp-mmp-lapp04.apple.com by ma-mailsvcp-mmp-lapp04.apple.com (Oracle Communications Messaging Server 8.1.0.20.20220923 64bit (built Sep 23 2022)) id <0RLG00000FYNQA00@ma-mailsvcp-mmp-lapp04.apple.com>; Wed, 16 Nov 2022 11:16:36 -0800 (PST)
X-Va-A:
X-Va-T-CD: 3bb040730b919b3f9b9d8d914a0621bc
X-Va-E-CD: 28b7499be5551c6acccf47087dceddf9
X-Va-R-CD: 22ee0466426b5475f36bd6e57b53af0f
X-Va-CD: 0
X-Va-ID: 27ebf1db-8544-4b93-a024-5e993cc7126f
X-V-A:
X-V-T-CD: 3bb040730b919b3f9b9d8d914a0621bc
X-V-E-CD: 28b7499be5551c6acccf47087dceddf9
X-V-R-CD: 22ee0466426b5475f36bd6e57b53af0f
X-V-CD: 0
X-V-ID: 25074ab0-9be3-4f2a-aa3e-967acce2ffda
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.545, 18.0.895 definitions=2022-11-16_03:2022-11-15, 2022-11-16 signatures=0
Received: from smtpclient.apple (unknown [17.10.138.79]) by ma-mailsvcp-mmp-lapp04.apple.com (Oracle Communications Messaging Server 8.1.0.20.20220923 64bit (built Sep 23 2022)) with ESMTPSA id <0RLG00926G7B7000@ma-mailsvcp-mmp-lapp04.apple.com>; Wed, 16 Nov 2022 11:16:36 -0800 (PST)
From: Eric Rosenberg <eric_rosenberg@apple.com>
Message-id: <9CF39321-CB56-45AA-AF52-3E03AC8D4B2A@apple.com>
Content-type: multipart/alternative; boundary="Apple-Mail=_F029B11C-80C2-4090-91A8-CBE7BD4C2564"
MIME-version: 1.0 (Mac OS X Mail 16.0 \(3696.120.41.1.1\))
Date: Wed, 16 Nov 2022 11:16:21 -0800
In-reply-to: <CAHbWFkRv_z8FP8f9LcARQbXp1Q9x3KvkAuz075HLeo5BytybWA@mail.gmail.com>
Cc: Ben Schwartz <bemasc=40google.com@dmarc.ietf.org>, Martin Thomson <mt@lowentropy.net>, masque@ietf.org
To: Alex Chernyakhovsky <achernya=40google.com@dmarc.ietf.org>
References: <8e6fb1e1-6454-4706-a61a-53be58acaa61@betaapp.fastmail.com> <CAHbrMsCj2KHcQJFZdKr2DGUQDFSLLE6rK7CSqOUZ2ALNCrLAEQ@mail.gmail.com> <CAHbWFkRv_z8FP8f9LcARQbXp1Q9x3KvkAuz075HLeo5BytybWA@mail.gmail.com>
X-Mailer: Apple Mail (2.3696.120.41.1.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/masque/GT9nbDvRoTTgZGl9eoj5FlxYxKA>
Subject: Re: [Masque] Encrypting between client and proxy
X-BeenThere: masque@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Multiplexed Application Substrate over QUIC Encryption <masque.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/masque>, <mailto:masque-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/masque/>
List-Post: <mailto:masque@ietf.org>
List-Help: <mailto:masque-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/masque>, <mailto:masque-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 16 Nov 2022 19:16:42 -0000
The two main advantages from forwarding mode are avoiding cumulative MTU loss and making it easy for the proxy to skip parts of the send and receive path. If we can employ per-hop encryption for forwarded mode packets in a way that doesn’t suffer from cumulative MTU loss, that sounds like a pretty compelling way to solve the “I want to chain many proxies” problem while removing the “observers on both sides of the proxy” caveat that’s included in the current draft’s security considerations. Assuming encryption can be done in a way that doesn’t incur cumulative MTU loss, it’s worth considering how it affects the efficiency of implementations. Taking our current implementation as an example, we’ve opted to perform all forwarding at Linux’s XDP hook with an eBPF program. This allows us to run a custom program for each packet we receive. In this program, we only actually need to process up to the QUIC packet header in order to perform a rewrite and immediately send the packet out. How this program is actually executed is dependent on the network card and driver, but it can avoid copies, be executed before the Linux networking stack, and even be completely offloaded to the NIC. The numbers presented were not from full NIC offload, but rather “Native XDP” where the program runs on the main CPU, but may take advantage of direct memory access, avoid copies, etc.). Continuing with our implementation as an example, introducing encryption would likely require APIs (bpf helper functions) that aren’t available from mainline Linux kernels. We would likely have to patch our kernel to expose cryptographic operations to eBPF programs or we’d have to bring our forwarding implementation into userspace - both of which seem possible, but not something we’ve explored and it’s hard to say what the impact on performance/efficiency would be without testing. When considering full NIC offload, I wonder if network cards are less likely to expose cryptographic operations than they are to expose the very basic packet inspection and byte replacement for header rewriting required by the non-encrypting approach. Thanks, Eric > On Nov 16, 2022, at 2:18 AM, Alex Chernyakhovsky <achernya=40google.com@dmarc.ietf.org> wrote: > > > > On Tue, Nov 15, 2022 at 8:57 PM Ben Schwartz <bemasc=40google.com@dmarc.ietf.org <mailto:40google.com@dmarc.ietf.org>> wrote: > On Tue, Nov 15, 2022 at 6:44 PM Martin Thomson <mt@lowentropy.net <mailto:mt@lowentropy.net>> wrote: > ... > The protected payload is high entropy, being comprised of ciphertext and is anywhere from 20 to 65506 bytes. This payload can be split into two, with a 12 byte sample being used as a nonce for AES-CTR. The remainder of the payload, plus part of the first byte, could then be protecting using AES-CTR. The remaining 8+ bytes could again be sampled again as a nonce to protect the first sample. > > The thing you are looking for is called a Pseudo-Random Permutation [1]. I would encourage you to use HCTR2 [2]. (I learned a bit about these while working on [3].) > > [1] https://en.wikipedia.org/wiki/Pseudorandom_permutation <https://en.wikipedia.org/wiki/Pseudorandom_permutation> > [2] https://github.com/google/hctr2 <https://github.com/google/hctr2> > [3] https://datatracker.ietf.org/doc/draft-cpbs-pseudorandom-ctls/ <https://datatracker.ietf.org/doc/draft-cpbs-pseudorandom-ctls/> > > ... > [1] A few people have noted that timing tends to be a dead giveaway here, as does packet size. I have some ideas about how that might be managed, but let's start with the basics. > I think enough of our threat model has to consider side-channels like packet size as out of scope (although I believe we do have the opportunity to add chaff to less-than-MTU packets); we can certainly do something about timing analysis. I would expect most interesting deployments of such a proxy to be very high throughput which would mean some amount of artificial queuing and mixing would go a long way towards increasing the search space for correlation. > > Personally, I think this is probably fatal, so the encryption is not really buying you anything. However, I would still support adding encryption here, at least optionally, for the sake of making the attacker's job a bit harder. It's not the easiest thing to specify in a threat model, but there is a real difference between "instant undeniable confirmation" and "strong statistical inference" for an attacker. > I am similarly in favor of trying to protect the packet further, but my understanding from the presentation at the session was that a lot of the CPU wins came from NIC offloads. If we end up hitting the host CPU to do the decryption, we should compare the implementation to the full CONNECT-UDP tunneling mode and see if it's worthwhile. > > ... > -- > Masque mailing list > Masque@ietf.org <mailto:Masque@ietf.org> > https://www.ietf.org/mailman/listinfo/masque <https://www.ietf.org/mailman/listinfo/masque> > -- > Masque mailing list > Masque@ietf.org > https://www.ietf.org/mailman/listinfo/masque
- [Masque] Encrypting between client and proxy Martin Thomson
- Re: [Masque] Encrypting between client and proxy Ben Schwartz
- Re: [Masque] Encrypting between client and proxy Martin Thomson
- Re: [Masque] Encrypting between client and proxy Alex Chernyakhovsky
- Re: [Masque] Encrypting between client and proxy Eric Rosenberg
- Re: [Masque] Encrypting between client and proxy David Schinazi
- Re: [Masque] Encrypting between client and proxy Ben Schwartz
- Re: [Masque] Encrypting between client and proxy David Schinazi