Re: [Moq] E2E encryption
Suhas Nandakumar <suhasietf@gmail.com> Thu, 23 March 2023 04:03 UTC
Return-Path: <suhasietf@gmail.com>
X-Original-To: moq@ietfa.amsl.com
Delivered-To: moq@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 57965C1527A0 for <moq@ietfa.amsl.com>; Wed, 22 Mar 2023 21:03:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.093
X-Spam-Level:
X-Spam-Status: No, score=-2.093 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6zf-D4PwzJq0 for <moq@ietfa.amsl.com>; Wed, 22 Mar 2023 21:03:24 -0700 (PDT)
Received: from mail-wm1-x336.google.com (mail-wm1-x336.google.com [IPv6:2a00:1450:4864:20::336]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 10C52C15256B for <moq@ietf.org>; Wed, 22 Mar 2023 21:03:24 -0700 (PDT)
Received: by mail-wm1-x336.google.com with SMTP id bg16-20020a05600c3c9000b003eb34e21bdfso357652wmb.0 for <moq@ietf.org>; Wed, 22 Mar 2023 21:03:23 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; t=1679544202; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=fJjkH+o1JbnLFIArQ6slgFzY8AnXqOgSgbuDHGeehDg=; b=ANtvG3kwT8UzZ/0yhW+Aq9Qa4EcAa9aGVPwgWXynaGK9/hOK4OjOfmQSqrm0rJT6uj u438e4A/k409+WC4XKcwC2uDz1qZH3C09SfnrAPv3IRzqR5rhHoyVEzycXZJw2BAjgFQ QUvCycw7j1vBTUFqRqKyS9hvnCisrIzSMLl8JgB7d4Z+2HW8NKhQQUmfykbZ5+5Bg2g2 yiiY7ot4u0bavko0wBi+u/gQAq+X6SCuSr/bwc6WfU7/tebWlVP6uH675J6pT6p/ZyAa R2b+HzRe8RcbLhBKeqeFL3c4E+SA0jhMBHWEhJTFXXea8qWkJOw7cQL88WmIrvfzlYFy rsqA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; t=1679544202; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=fJjkH+o1JbnLFIArQ6slgFzY8AnXqOgSgbuDHGeehDg=; b=RnaglYvdH7ALJoDTv4RRWXvGaKnzPMaZaRpjNb16HcoIgxoY4Gn9GafemQg3RvITK1 uB8fLsUxaok1Uta/GsMVAJo19v7NZ3Zg16Inhz31O3TX1aQYgK7CwGYD2edYuWt6Iz2i dncziIEOgcCLz/MS1dKp4rXEiob2HLLYnV0VphFsWAj+isIDFgLh2OpBZYy0xEuLKGEp qKgDjL1advm2RopwyvsxTwAA8Fe6yCmgQbO4di9bE/SltjiNoTEjTIAVWCc7k3LuCVLV z1Z5NGIqHbSef06yqG9ouwvxMhJHG9Smgx9Bx+kDPUpgDZsry49Ke13HumtBkghygqVV kWow==
X-Gm-Message-State: AO0yUKUTMFdzAoCUjURQ18+7R2lSH+rHp8m00Gm6CU9j4qTlxUbq4Iis 4fIXBlX+Vj21BR22aIayC9WZ8zTD7TYem/nP+QI=
X-Google-Smtp-Source: AK7set9HRlRLRvU57UVJzDEquQrJyZ0Ajm9BzngUP3JZ5RHGhu/Z4BjH0puJQkR3IPRHNGsrBkTRAhDaMXA6MBG/nfQ=
X-Received: by 2002:a1c:4c0b:0:b0:3ed:26fa:6ee5 with SMTP id z11-20020a1c4c0b000000b003ed26fa6ee5mr395017wmf.4.1679544201802; Wed, 22 Mar 2023 21:03:21 -0700 (PDT)
MIME-Version: 1.0
References: <1996E649-A467-4420-8C35-F50EF60536F0@cisco.com> <CAHVo=Zmuy=AgksZM2o75dbmDWv6_nSHZw-E8T_rVEtcqgqmA+g@mail.gmail.com> <CAMRcRGSdSUy8uU+UxrhxpsbxJncKfwoZgRLvoK-FzmgB+upn6Q@mail.gmail.com> <CAHVo=Zk1h5Jen3rDr1n8jrAUsJX5K2Nnyrbb-qrHP52Vw5M=JQ@mail.gmail.com> <fd3a2219294d44a18e9c7e6c11f067ad@huawei.com> <CAAZo2nEEo2VXJKQsY9kQUxR44RLm2m1wZct7dt0pvvCP3YwVJw@mail.gmail.com> <CAMRcRGRkhWwSjryz1bWHTo_URdqZ-L0QwOY=GTkKwbf=8c1KFA@mail.gmail.com> <CAHVo=Zngzi35_o4Oz-5rUXyA1=-ZxX3pRqrdkMBSSDieQboJbw@mail.gmail.com>
In-Reply-To: <CAHVo=Zngzi35_o4Oz-5rUXyA1=-ZxX3pRqrdkMBSSDieQboJbw@mail.gmail.com>
From: Suhas Nandakumar <suhasietf@gmail.com>
Date: Wed, 22 Mar 2023 21:03:10 -0700
Message-ID: <CAMRcRGQLOoPGPLu4o3sAYBYXk-T+NwNucqeVOOJ+KRcaJxzSDA@mail.gmail.com>
To: Luke Curley <kixelated@gmail.com>
Cc: Chuan Ma <simonkorl0228@gmail.com>, "Shihang(Vincent)" <shihang9=40huawei.com@dmarc.ietf.org>, "Mo Zanaty (mzanaty)" <mzanaty=40cisco.com@dmarc.ietf.org>, Victor Vasiliev <vasilvv=40google.com@dmarc.ietf.org>, Cullen Jennings <fluffy@iii.ca>, MOQ Mailing List <moq@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000088781d05f7895b49"
Archived-At: <https://mailarchive.ietf.org/arch/msg/moq/GmV6htbsNXZbCnqCsJ8ykGgZg1I>
Subject: Re: [Moq] E2E encryption
X-BeenThere: moq@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Media over QUIC <moq.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/moq>, <mailto:moq-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/moq/>
List-Post: <mailto:moq@ietf.org>
List-Help: <mailto:moq-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/moq>, <mailto:moq-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 23 Mar 2023 04:03:25 -0000
Hi Luke, On Wed, Mar 22, 2023 at 4:56 PM Luke Curley <kixelated@gmail.com> wrote: > > Hey all, > > My original idea in warp-02 is that every stream started with a HEADERS message containing the send order, so control messages could be prioritized alongside data messages. I'm not sure this is necessary though. The transport-draft (stream-mappings <https://datatracker.ietf.org/doc/html/draft-nandakumar-moq-transport-00#section-4.2>) refers to the following arrangements for the data streams as a mapping from the data model to QUIC streams( which is taken from QUICR design) For cases where the application wants to send multiple objects in one stream ( GOP per stream) +--------+------------+-------+------------+-------+------ | Group | Object | Bytes | Object | Bytes | | header | header (0) | (0) | header (1) | (1) | ... +--------+------------+-------+------------+-------+------ For cases where the application wants to send one object per stream ( one encoded frame per stream) +--------+------------+-------+ | Group | Object | Bytes | | header | header (n) | (n) | +--------+------------+-------+ with Group Header defined as group_header { message_type(i), media_id(i), group_id(i) } media_id is a hop-by-hop short-form identifier mapping to the track_id. The media_id gets set up as part of control message exchange (publish/subscribe requests) and Object header defined as object_header { message_type(i), object_id(i), [nb_objects_previous_group(i),] flags[8], object_length(i) } This will enable per object priority captured in the flags field. Something like this will give flexibility for applications to define the object granularity as it fits their requirements and units for applying the end to end encryption where necessary. I know this model doesn't include sendOrder and we need to discuss options for one vs the other as it applies to multiple use-cases. Does something like this work for you for describing the data streams to have group_header, [object_header, object bytes]... kind of setup ? > > > Here's my current mental model: > > Data streams are end-to-end. The relay is unaware of the contents of the data steam, outside of a few forwarding instructions in the header. ex. OBJECT > Control streams are hop-to-hop. The relay is aware of the contents of the control stream and uses it to change its behavior. This can include propagating a message to an upstream depending on deduplication. ex. SUBSCRIBE > > > Does this make sense? It's a similar design to HTTP/3, although without QPACK complicating the picture. > > > We still might use control streams for end-to-end purposes, like authentication, but any bulk transfers should be over a data stream. I think we can safely say that control streams are always the highest priority. > > > On Wed, Mar 22, 2023, 8:26 AM Suhas Nandakumar <suhasietf@gmail.com> wrote: >> >> >> On the control channel, PRs 96 and 97 does provide support for it. PR needs to be updated to reflect the multiple tracks in one subscribe/publish message, if needed. >> >> Also moq-transport proposes some ideas along those lines. >> >> Agree that we need to discuss the scope and usage of control and data streams in general. >> >> Also on E2E encryption, we need to spend some time defining its scope (what aspect of OBJECT payload it applies to) and implications. For control messages themselves, there might be few cases where one has to carry a payload that is end to end encrypted and the same E2EE properties might apply as well. >> >> >> >> >> >> >> On Wed, Mar 22, 2023 at 5:59 AM Chuan Ma <simonkorl0228@gmail.com> wrote: >>> >>> Dear All: >>> >>> I agree that we should define a control stream to offer reliable transmission and be marked with the highest priority. Such a stream can not only solve the problem of E2E authentication but also transmit other control messages, such as updates of subscriptions. The side effect mentioned in Hang's reply may be solved by leaving multiple control stream channels and assigning different priorities to them. Then it is possible to avoid head-of-line blocking in the control stream and helps to offer a flexible extension to MoQ endpoints. >>> >>> Nevertheless, this issue heavily depends on the design of the behavior of the MoQ relays. The critical question is that a relay may act differently when it receives different types of OBJECTS while the data is encrypted. In this discussion, we have at least two basic behaviors of a relay: changing the sending order of packets and dropping the packets. If we try to solve this problem by adding more flags to the OBJECT, we should first define all the possible behaviors the relay can do and how to use the flag to enable/disable a behavior. Considering the current MoQ's design, there may be other scenarios when the relay must act differently, and we may define more relay behaviors. So it may be better for us to clarify "What kinds of service the relay should offer" and "How the endpoint should 'ask for' the transport service the relays offer." In the current scope, I'd like to say if we are trying to hide the relays from the endpoints, then we should design something like control flows; if we are trying to make the relays cooperate with the endpoints, then we should consider ways to change the relay's action like using flags. How do you like this idea? >>> >>> Thanks, >>> Chuan Ma >>> >>> On Wed, Mar 22, 2023 at 4:20 PM Shihang(Vincent) <shihang9= 40huawei.com@dmarc.ietf.org> wrote: >>>> >>>> It seems like the requirement of the E2E encryption is that some message/OBJECT needs to be transmitted reliably. Are there any other messages(SUBSCRIBE/SETUP/GOAWAY/CATALOG) sharing the same reliability requirement? >>>> >>>> This is related to https://github.com/kixelated/warp-draft/issues/105 proposed by Luke. We can specify a dedicated stream(say stream 0) for these messages which needs to transmitted reliably and ASAP(which means highest priority). All other streams can be used to transmit the media data OBJECT which can be dropped. The side effect of a dedicated stream is that they all share the same priority, will be delivered in order(which implies that the newer message depends on the older message). Are these side effects acceptable? >>>> >>>> >>>> >>>> Cheers, >>>> >>>> Hang >>>> >>>> From: Moq <moq-bounces@ietf.org> On Behalf Of Luke Curley >>>> Sent: Tuesday, March 21, 2023 7:41 AM >>>> To: Suhas Nandakumar <suhasietf@gmail.com> >>>> Cc: Mo Zanaty (mzanaty) <mzanaty=40cisco.com@dmarc.ietf.org>; Victor Vasiliev <vasilvv=40google.com@dmarc.ietf.org>; Cullen Jennings < fluffy@iii.ca>; MOQ Mailing List <moq@ietf.org> >>>> Subject: Re: [Moq] E2E encryption >>>> >>>> >>>> >>>> Hey Suhas, >>>> >>>> >>>> >>>> We could add an incremental (or atomic) flag. It makes sense in Mo's example; when packaging multiple frames into a single authenticated OBJECT payload. I would still add text to say that a relay SHOULD NOT buffer objects, even when flagged as atomic, because that will add latency at each hop. >>>> >>>> >>>> >>>> On an implementation detail, we could reuse the message size. A size of 0 means incremental and continues until the end of the stream, while a non-zero size means atomic and the specified number of bytes. A separate flag works too. >>>> >>>> >>>> >>>> >>>> >>>> As for auth tags, the premise of end-to-end encryption is that a middle-man (relay) cannot modify or drop any of the payload, including the signature. The signature doesn't need any special treatment and should just be part of the opaque object payload; with AEAD it's usually just appended to the ciphertext. Could you explain why you think this would be an attack vector? >>>> >>>> >>>> >>>> >>>> >>>> On Mon, Mar 20, 2023 at 11:40 AM Suhas Nandakumar <suhasietf@gmail.com> wrote: >>>> >>>> Hey Luke, >>>> >>>> On Mon, Mar 20, 2023 at 10:49 AM Luke Curley <kixelated@gmail.com> wrote: >>>> > >>>> > On Mon, Mar 20, 2023 at 10:12 AM Mo Zanaty (mzanaty) <mzanaty= 40cisco.com@dmarc.ietf.org> wrote: >>>> >> >>>> >> The problem is if relays are blind to E2E authentication, they can make poor delivery decisions. For example, delivering most or all packets except the last packet containing the E2E auth tag, which is highly likely in a scheme like warp which starves or drops the tail of old data to send new data. >>>> > >>>> > >>>> > Just to clarify, Warp will only starve the tail of an OBJECT during congestion if you send an even more important OBJECT (decreasing send order). If you're going to put the auth tag at the end of a large object (ex. an entire GoP), then you're going to want some form of head-of-line blocking (increasing send order). Or possibly an incremental flag like HTTP/3 Priority to indicate when OBJECTs are (not) atomic. >>>> >>>> That would work if we define how to identify the incremental chunks >>>> and define where to find the authn tag. Relays need to know this , >>>> otherwise, there is a security issue when relays don't forward the >>>> authn tag and will be an attack vector. >>>> >>>> Thoughts ? >>>> >>>> > -- >>>> > Moq mailing list >>>> > Moq@ietf.org >>>> > https://www.ietf.org/mailman/listinfo/moq >>>> >>>> -- >>>> Moq mailing list >>>> Moq@ietf.org >>>> https://www.ietf.org/mailman/listinfo/moq
- [Moq] E2E encryption Mo Zanaty (mzanaty)
- Re: [Moq] E2E encryption Luke Curley
- Re: [Moq] E2E encryption Suhas Nandakumar
- Re: [Moq] E2E encryption Luke Curley
- Re: [Moq] E2E encryption Shihang(Vincent)
- Re: [Moq] E2E encryption Chuan Ma
- Re: [Moq] E2E encryption Suhas Nandakumar
- Re: [Moq] E2E encryption Luke Curley
- Re: [Moq] E2E encryption Suhas Nandakumar
- Re: [Moq] E2E encryption Luke Curley
- Re: [Moq] E2E encryption Christian Huitema
- Re: [Moq] E2E encryption Suhas Nandakumar
- Re: [Moq] E2E encryption Suhas Nandakumar
- Re: [Moq] E2E encryption Luke Curley
- Re: [Moq] E2E encryption Ted Hardie
- Re: [Moq] E2E encryption Christian Huitema
- Re: [Moq] E2E encryption Suhas Nandakumar
- Re: [Moq] E2E encryption Mo Zanaty (mzanaty)
- Re: [Moq] E2E encryption Suhas Nandakumar
- Re: [Moq] E2E encryption Luke Curley