Re: [Masque] Design team PR for QUIC-aware forwarding
Antoine FRESSANCOURT <antoine.fressancourt@huawei.com> Fri, 26 January 2024 09:17 UTC
Return-Path: <antoine.fressancourt@huawei.com>
X-Original-To: masque@ietfa.amsl.com
Delivered-To: masque@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7C4A9C15155C for <masque@ietfa.amsl.com>; Fri, 26 Jan 2024 01:17:02 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.204
X-Spam-Level:
X-Spam-Status: No, score=-4.204 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H5=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0vEN2edDlpPj for <masque@ietfa.amsl.com>; Fri, 26 Jan 2024 01:16:58 -0800 (PST)
Received: from frasgout.his.huawei.com (frasgout.his.huawei.com [185.176.79.56]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5C997C15155B for <masque@ietf.org>; Fri, 26 Jan 2024 01:16:58 -0800 (PST)
Received: from mail.maildlp.com (unknown [172.18.186.231]) by frasgout.his.huawei.com (SkyGuard) with ESMTP id 4TLsSb36LFz6JBBS; Fri, 26 Jan 2024 17:13:51 +0800 (CST)
Received: from lhrpeml100001.china.huawei.com (unknown [7.191.160.183]) by mail.maildlp.com (Postfix) with ESMTPS id 9E4DD140AB8; Fri, 26 Jan 2024 17:16:56 +0800 (CST)
Received: from lhrpeml500003.china.huawei.com (7.191.162.67) by lhrpeml100001.china.huawei.com (7.191.160.183) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2507.35; Fri, 26 Jan 2024 09:16:56 +0000
Received: from lhrpeml500003.china.huawei.com ([7.191.162.67]) by lhrpeml500003.china.huawei.com ([7.191.162.67]) with mapi id 15.01.2507.035; Fri, 26 Jan 2024 09:16:56 +0000
From: Antoine FRESSANCOURT <antoine.fressancourt@huawei.com>
To: Martin Thomson <mt@lowentropy.net>, David Schinazi <dschinazi.ietf@gmail.com>, Tommy Pauly <tpauly=40apple.com@dmarc.ietf.org>
CC: MASQUE <masque@ietf.org>
Thread-Topic: [Masque] Design team PR for QUIC-aware forwarding
Thread-Index: AQHaT90+rOKMNsL+yEiGzGduFLnlsLDrShiAgAAgVwCAAGRM0A==
Date: Fri, 26 Jan 2024 09:16:56 +0000
Message-ID: <fc2973c28ce647709a6f95ddb34bc830@huawei.com>
References: <62F6E4BF-7BF5-4829-B17B-F496C5ED934C@apple.com> <CAPDSy+6tV70pHAiKAjS=TXaFyoBT5EUABbvLkiwA4NJ4fEXRVQ@mail.gmail.com> <e92645ae-6015-4945-acbc-7d48927c3903@betaapp.fastmail.com>
In-Reply-To: <e92645ae-6015-4945-acbc-7d48927c3903@betaapp.fastmail.com>
Accept-Language: fr-FR, en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.206.215.65]
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/masque/vbPuhjVIm92HkBORVDxLUbasA5s>
Subject: Re: [Masque] Design team PR for QUIC-aware forwarding
X-BeenThere: masque@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Multiplexed Application Substrate over QUIC Encryption <masque.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/masque>, <mailto:masque-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/masque/>
List-Post: <mailto:masque@ietf.org>
List-Help: <mailto:masque-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/masque>, <mailto:masque-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 26 Jan 2024 09:17:02 -0000
Hello, We discussed padding quite a lot during the design team's work. One of the reasons why padding was not explicitly added in the forwarded mode of operation is that padding alone is not enough to mitigate elaborated deanonymization attacks, in which packet timing patterns are a strong enough signal to correlate ingoing and outgoing flows while looking at a given proxy. Besides, we discussed the method used to pad, and either a completely naïve padding strategy seemed to be a waste of resources (i.e. padding every packet to the MTU) or seemed complex to implement (i.e. padding to match a given traffic pattern). Note that padding is not explicitly ruled out, and personally I think padding is an essential element in protecting privacy with QUIC. In the proposed draft changes, there is room to define other scrambling protocols than the one that is currently presented, and I think this is where more elaborated proposals including padding or packet timing might be presented and studied. In the hope that I didn't describe the design team's intentions wrong, Antoine -----Original Message----- From: Masque <masque-bounces@ietf.org> On Behalf Of Martin Thomson Sent: vendredi 26 janvier 2024 04:10 To: David Schinazi <dschinazi.ietf@gmail.com>; Tommy Pauly <tpauly=40apple.com@dmarc.ietf.org> Cc: MASQUE <masque@ietf.org> Subject: Re: [Masque] Design team PR for QUIC-aware forwarding So you don't scramble the first byte and you don't pad. You know... there is a way to achieve both with minimal additional complexity and no additional overhead aside from any added padding: If you encrypt the first byte, you can also use 0x80 to signal whether padding is present. Then you can use a zero pad sequence terminated by a non-zero byte at either end of the packet (suggestion: the end). On Fri, Jan 26, 2024, at 12:13, David Schinazi wrote: > Thanks Tommy! > > In case it's helpful to others, here's a rendered diff between this > branch and main: > https://author-tools.ietf.org/diff?url_1=https://ietf-wg-masque.github > .io/draft-ietf-masque-quic-proxy/draft-ietf-masque-quic-proxy.txt&url_ > 2=https://ietf-wg-masque.github.io/draft-ietf-masque-quic-proxy/design > -team/draft-ietf-masque-quic-proxy.txt > > David > > On Thu, Jan 25, 2024 at 2:23 PM Tommy Pauly > <tpauly=40apple.com@dmarc.ietf.org> wrote: >> Hi MASQUErs, >> >> On behalf of the design team for draft-ietf-masque-quic-proxy that was tasked on adding a proposal to add encryption on the forwarding path, I’d like to share the pull request to the document that represents the proposal of the team. This is largely what was presented at the last IETF meeting, adding support for negotiating protocol transforms, and defining the “scramble” transform. >> >> Here is the PR against the base document: >> https://github.com/ietf-wg-masque/draft-ietf-masque-quic-proxy/pull/9 >> 9 Here is the rendered version: >> https://ietf-wg-masque.github.io/draft-ietf-masque-quic-proxy/design- >> team/draft-ietf-masque-quic-proxy.html >> >> Please take a look and feel free to add comments to the PR or the mailing list! >> >> Thanks, >> Tommy (& David, Ben, Eric, Mirja, Antoine, & Tiru) >> -- >> Masque mailing list >> Masque@ietf.org >> https://www.ietf.org/mailman/listinfo/masque > -- > Masque mailing list > Masque@ietf.org > https://www.ietf.org/mailman/listinfo/masque -- Masque mailing list Masque@ietf.org https://www.ietf.org/mailman/listinfo/masque
- [Masque] Design team PR for QUIC-aware forwarding Tommy Pauly
- Re: [Masque] Design team PR for QUIC-aware forwar… Martin Thomson
- Re: [Masque] Design team PR for QUIC-aware forwar… David Schinazi
- Re: [Masque] Design team PR for QUIC-aware forwar… Christian Huitema
- Re: [Masque] Design team PR for QUIC-aware forwar… Martin Thomson
- Re: [Masque] Design team PR for QUIC-aware forwar… Christian Huitema
- Re: [Masque] Design team PR for QUIC-aware forwar… Antoine FRESSANCOURT
- Re: [Masque] Design team PR for QUIC-aware forwar… Ben Schwartz