IETF Logo Mail Archive

Re: [Moq] E2E encryption

Suhas Nandakumar <suhasietf@gmail.com> Thu, 23 March 2023 04:03 UTC

Return-Path: <suhasietf@gmail.com>
X-Original-To: moq@ietfa.amsl.com
Delivered-To: moq@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 57965C1527A0 for <moq@ietfa.amsl.com>; Wed, 22 Mar 2023 21:03:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.093
X-Spam-Level:
X-Spam-Status: No, score=-2.093 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6zf-D4PwzJq0 for <moq@ietfa.amsl.com>; Wed, 22 Mar 2023 21:03:24 -0700 (PDT)
Received: from mail-wm1-x336.google.com (mail-wm1-x336.google.com [IPv6:2a00:1450:4864:20::336]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 10C52C15256B for <moq@ietf.org>; Wed, 22 Mar 2023 21:03:24 -0700 (PDT)
Received: by mail-wm1-x336.google.com with SMTP id bg16-20020a05600c3c9000b003eb34e21bdfso357652wmb.0 for <moq@ietf.org>; Wed, 22 Mar 2023 21:03:23 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; t=1679544202; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=fJjkH+o1JbnLFIArQ6slgFzY8AnXqOgSgbuDHGeehDg=; b=ANtvG3kwT8UzZ/0yhW+Aq9Qa4EcAa9aGVPwgWXynaGK9/hOK4OjOfmQSqrm0rJT6uj u438e4A/k409+WC4XKcwC2uDz1qZH3C09SfnrAPv3IRzqR5rhHoyVEzycXZJw2BAjgFQ QUvCycw7j1vBTUFqRqKyS9hvnCisrIzSMLl8JgB7d4Z+2HW8NKhQQUmfykbZ5+5Bg2g2 yiiY7ot4u0bavko0wBi+u/gQAq+X6SCuSr/bwc6WfU7/tebWlVP6uH675J6pT6p/ZyAa R2b+HzRe8RcbLhBKeqeFL3c4E+SA0jhMBHWEhJTFXXea8qWkJOw7cQL88WmIrvfzlYFy rsqA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; t=1679544202; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=fJjkH+o1JbnLFIArQ6slgFzY8AnXqOgSgbuDHGeehDg=; b=RnaglYvdH7ALJoDTv4RRWXvGaKnzPMaZaRpjNb16HcoIgxoY4Gn9GafemQg3RvITK1 uB8fLsUxaok1Uta/GsMVAJo19v7NZ3Zg16Inhz31O3TX1aQYgK7CwGYD2edYuWt6Iz2i dncziIEOgcCLz/MS1dKp4rXEiob2HLLYnV0VphFsWAj+isIDFgLh2OpBZYy0xEuLKGEp qKgDjL1advm2RopwyvsxTwAA8Fe6yCmgQbO4di9bE/SltjiNoTEjTIAVWCc7k3LuCVLV z1Z5NGIqHbSef06yqG9ouwvxMhJHG9Smgx9Bx+kDPUpgDZsry49Ke13HumtBkghygqVV kWow==
X-Gm-Message-State: AO0yUKUTMFdzAoCUjURQ18+7R2lSH+rHp8m00Gm6CU9j4qTlxUbq4Iis 4fIXBlX+Vj21BR22aIayC9WZ8zTD7TYem/nP+QI=
X-Google-Smtp-Source: AK7set9HRlRLRvU57UVJzDEquQrJyZ0Ajm9BzngUP3JZ5RHGhu/Z4BjH0puJQkR3IPRHNGsrBkTRAhDaMXA6MBG/nfQ=
X-Received: by 2002:a1c:4c0b:0:b0:3ed:26fa:6ee5 with SMTP id z11-20020a1c4c0b000000b003ed26fa6ee5mr395017wmf.4.1679544201802; Wed, 22 Mar 2023 21:03:21 -0700 (PDT)
MIME-Version: 1.0
References: <1996E649-A467-4420-8C35-F50EF60536F0@cisco.com> <CAHVo=Zmuy=AgksZM2o75dbmDWv6_nSHZw-E8T_rVEtcqgqmA+g@mail.gmail.com> <CAMRcRGSdSUy8uU+UxrhxpsbxJncKfwoZgRLvoK-FzmgB+upn6Q@mail.gmail.com> <CAHVo=Zk1h5Jen3rDr1n8jrAUsJX5K2Nnyrbb-qrHP52Vw5M=JQ@mail.gmail.com> <fd3a2219294d44a18e9c7e6c11f067ad@huawei.com> <CAAZo2nEEo2VXJKQsY9kQUxR44RLm2m1wZct7dt0pvvCP3YwVJw@mail.gmail.com> <CAMRcRGRkhWwSjryz1bWHTo_URdqZ-L0QwOY=GTkKwbf=8c1KFA@mail.gmail.com> <CAHVo=Zngzi35_o4Oz-5rUXyA1=-ZxX3pRqrdkMBSSDieQboJbw@mail.gmail.com>
In-Reply-To: <CAHVo=Zngzi35_o4Oz-5rUXyA1=-ZxX3pRqrdkMBSSDieQboJbw@mail.gmail.com>
From: Suhas Nandakumar <suhasietf@gmail.com>
Date: Wed, 22 Mar 2023 21:03:10 -0700
Message-ID: <CAMRcRGQLOoPGPLu4o3sAYBYXk-T+NwNucqeVOOJ+KRcaJxzSDA@mail.gmail.com>
To: Luke Curley <kixelated@gmail.com>
Cc: Chuan Ma <simonkorl0228@gmail.com>, "Shihang(Vincent)" <shihang9=40huawei.com@dmarc.ietf.org>, "Mo Zanaty (mzanaty)" <mzanaty=40cisco.com@dmarc.ietf.org>, Victor Vasiliev <vasilvv=40google.com@dmarc.ietf.org>, Cullen Jennings <fluffy@iii.ca>, MOQ Mailing List <moq@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000088781d05f7895b49"
Archived-At: <https://mailarchive.ietf.org/arch/msg/moq/GmV6htbsNXZbCnqCsJ8ykGgZg1I>
Subject: Re: [Moq] E2E encryption
X-BeenThere: moq@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Media over QUIC <moq.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/moq>, <mailto:moq-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/moq/>
List-Post: <mailto:moq@ietf.org>
List-Help: <mailto:moq-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/moq>, <mailto:moq-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 23 Mar 2023 04:03:25 -0000

Hi Luke,


On Wed, Mar 22, 2023 at 4:56 PM Luke Curley <kixelated@gmail.com> wrote:
>
> Hey all,
>
> My original idea in warp-02 is that every stream started with a HEADERS
message containing the send order, so control messages could be prioritized
alongside data messages. I'm not sure this is necessary though.

The transport-draft (stream-mappings
<https://datatracker.ietf.org/doc/html/draft-nandakumar-moq-transport-00#section-4.2>)
refers to the following arrangements for the data streams as a mapping from
the data model
to QUIC streams( which is taken from QUICR design)

For cases where the application wants to send multiple objects in one
stream ( GOP per stream)
   +--------+------------+-------+------------+-------+------
   | Group  | Object     | Bytes | Object     | Bytes |
   | header | header (0) |  (0)  | header (1) |  (1)  | ...
   +--------+------------+-------+------------+-------+------

For cases where the application wants to send one object per stream ( one
encoded frame per stream)

   +--------+------------+-------+
   | Group  | Object     | Bytes |
   | header | header (n) |  (n)  |
   +--------+------------+-------+

with Group Header defined as

 group_header {
     message_type(i),
     media_id(i),
     group_id(i)
   }

media_id is a hop-by-hop short-form identifier mapping to the track_id. The
media_id
gets set up as part of control message exchange (publish/subscribe requests)

and Object header defined as

object_header {
     message_type(i),
     object_id(i),
     [nb_objects_previous_group(i),]
     flags[8],
     object_length(i)
   }

This will enable per object priority captured in the flags field.

Something like this will give flexibility for applications to define the
object granularity as
it fits their requirements and units for applying the end to end encryption
where necessary.

I know this model doesn't include sendOrder and we need to discuss options
for one vs the other as
it applies to multiple use-cases.

Does something like this work for you for describing the data streams to
have group_header, [object_header, object bytes]...
kind of setup ?
>
>
> Here's my current mental model:
>
> Data streams are end-to-end. The relay is unaware of the contents of the
data steam, outside of a few forwarding instructions in the header. ex.
OBJECT
> Control streams are hop-to-hop. The relay is aware of the contents of the
control stream and uses it to change its behavior. This can include
propagating a message to an upstream depending on deduplication. ex.
SUBSCRIBE
>
>
> Does this make sense? It's a similar design to HTTP/3, although without
QPACK complicating the picture.
>
>
> We still might use control streams for end-to-end purposes, like
authentication, but any bulk transfers should be over a data stream. I
think we can safely say that control streams are always the highest
priority.
>
>
> On Wed, Mar 22, 2023, 8:26 AM Suhas Nandakumar <suhasietf@gmail.com>
wrote:
>>
>>
>> On the control channel, PRs 96 and 97 does provide support for it. PR
needs to be updated to reflect the multiple tracks in one subscribe/publish
message, if needed.
>>
>> Also moq-transport proposes some ideas along those lines.
>>
>> Agree that we need to discuss the scope and usage of control and data
streams in general.
>>
>> Also  on E2E encryption, we need to spend some time defining its scope
(what aspect of OBJECT payload it applies to) and implications. For control
messages themselves, there might be few cases where one has to carry a
payload that is end to end encrypted and the same E2EE properties might
apply as well.
>>
>>
>>
>>
>>
>>
>> On Wed, Mar 22, 2023 at 5:59 AM Chuan Ma <simonkorl0228@gmail.com> wrote:
>>>
>>> Dear All:
>>>
>>> I agree that we should define a control stream to offer reliable
transmission and be marked with the highest priority. Such a stream can not
only solve the problem of E2E authentication but also transmit other
control messages, such as updates of subscriptions. The side effect
mentioned in Hang's reply may be solved by leaving multiple control stream
channels and assigning different priorities to them. Then it is possible to
avoid head-of-line blocking in the control stream and helps to offer a
flexible extension to MoQ endpoints.
>>>
>>> Nevertheless, this issue heavily depends on the design of the behavior
of the MoQ relays. The critical question is that a relay may act
differently when it receives different types of OBJECTS while the data is
encrypted. In this discussion, we have at least two basic behaviors of a
relay: changing the sending order of packets and dropping the packets. If
we try to solve this problem by adding more flags to the OBJECT, we should
first define all the possible behaviors the relay can do and how to use the
flag to enable/disable a behavior. Considering the current MoQ's design,
there may be other scenarios when the relay must act differently, and we
may define more relay behaviors. So it may be better for us to clarify
"What kinds of service the relay should offer" and "How the endpoint should
'ask for' the transport service the relays offer." In the current scope,
I'd like to say if we are trying to hide the relays from the endpoints,
then we should design something like control flows; if we are trying to
make the relays cooperate with the endpoints, then we should consider ways
to change the relay's action like using flags. How do you like this idea?
>>>
>>> Thanks,
>>> Chuan Ma
>>>
>>> On Wed, Mar 22, 2023 at 4:20 PM Shihang(Vincent) <shihang9=
40huawei.com@dmarc.ietf.org> wrote:
>>>>
>>>> It seems like the requirement of the E2E encryption is that some
message/OBJECT needs to be transmitted reliably. Are there any other
messages(SUBSCRIBE/SETUP/GOAWAY/CATALOG) sharing the same reliability
requirement?
>>>>
>>>> This is related to https://github.com/kixelated/warp-draft/issues/105
proposed by Luke. We can specify a dedicated stream(say stream 0) for these
messages which needs to transmitted reliably and ASAP(which means highest
priority). All other streams can be used to transmit the media data OBJECT
which can be dropped. The side effect of a dedicated stream is that they
all share the same priority, will be delivered in order(which implies that
the newer message depends on the older message). Are these side effects
acceptable?
>>>>
>>>>
>>>>
>>>> Cheers,
>>>>
>>>> Hang
>>>>
>>>> From: Moq <moq-bounces@ietf.org> On Behalf Of Luke Curley
>>>> Sent: Tuesday, March 21, 2023 7:41 AM
>>>> To: Suhas Nandakumar <suhasietf@gmail.com>
>>>> Cc: Mo Zanaty (mzanaty) <mzanaty=40cisco.com@dmarc.ietf.org>; Victor
Vasiliev <vasilvv=40google.com@dmarc.ietf.org>; Cullen Jennings <
fluffy@iii.ca>; MOQ Mailing List <moq@ietf.org>
>>>> Subject: Re: [Moq] E2E encryption
>>>>
>>>>
>>>>
>>>> Hey Suhas,
>>>>
>>>>
>>>>
>>>> We could add an incremental (or atomic) flag. It makes sense in Mo's
example; when packaging multiple frames into a single authenticated OBJECT
payload. I would still add text to say that a relay SHOULD NOT buffer
objects, even when flagged as atomic, because that will add latency at each
hop.
>>>>
>>>>
>>>>
>>>> On an implementation detail, we could reuse the message size. A size
of 0 means incremental and continues until the end of the stream, while a
non-zero size means atomic and the specified number of bytes. A separate
flag works too.
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> As for auth tags, the premise of end-to-end encryption is that a
middle-man (relay) cannot modify or drop any of the payload, including the
signature. The signature doesn't need any special treatment and should just
be part of the opaque object payload; with AEAD it's usually just appended
to the ciphertext. Could you explain why you think this would be an attack
vector?
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> On Mon, Mar 20, 2023 at 11:40 AM Suhas Nandakumar <suhasietf@gmail.com>
wrote:
>>>>
>>>> Hey Luke,
>>>>
>>>> On Mon, Mar 20, 2023 at 10:49 AM Luke Curley <kixelated@gmail.com>
wrote:
>>>> >
>>>> > On Mon, Mar 20, 2023 at 10:12 AM Mo Zanaty (mzanaty) <mzanaty=
40cisco.com@dmarc.ietf.org> wrote:
>>>> >>
>>>> >> The problem is if relays are blind to E2E authentication, they can
make poor delivery decisions. For example, delivering most or all packets
except the last packet containing the E2E auth tag, which is highly likely
in a scheme like warp which starves or drops the tail of old data to send
new data.
>>>> >
>>>> >
>>>> > Just to clarify, Warp will only starve the tail of an OBJECT during
congestion if you send an even more important OBJECT (decreasing send
order). If you're going to put the auth tag at the end of a large object
(ex. an entire GoP), then you're going to want some form of head-of-line
blocking (increasing send order). Or possibly an incremental flag like
HTTP/3 Priority to indicate when OBJECTs are (not) atomic.
>>>>
>>>> That would work if we define how to identify the incremental chunks
>>>> and define where to find the authn tag.  Relays need to know this ,
>>>> otherwise, there is a security issue when relays don't forward the
>>>> authn tag and will be an attack vector.
>>>>
>>>> Thoughts ?
>>>>
>>>> > --
>>>> > Moq mailing list
>>>> > Moq@ietf.org
>>>> > https://www.ietf.org/mailman/listinfo/moq
>>>>
>>>> --
>>>> Moq mailing list
>>>> Moq@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/moq

v2.23.0 | Report a Bug | By Email