Re: [Ppm] Seeking input on DAP PR #297
Christopher Patton <cpatton@cloudflare.com> Mon, 15 August 2022 15:17 UTC
Return-Path: <cpatton@cloudflare.com>
X-Original-To: ppm@ietfa.amsl.com
Delivered-To: ppm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C1663C1524BE for <ppm@ietfa.amsl.com>; Mon, 15 Aug 2022 08:17:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.106
X-Spam-Level:
X-Spam-Status: No, score=-7.106 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cloudflare.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rpNaZGK65Zq1 for <ppm@ietfa.amsl.com>; Mon, 15 Aug 2022 08:17:17 -0700 (PDT)
Received: from mail-ej1-x62e.google.com (mail-ej1-x62e.google.com [IPv6:2a00:1450:4864:20::62e]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 72282C14CF1F for <ppm@ietf.org>; Mon, 15 Aug 2022 08:17:17 -0700 (PDT)
Received: by mail-ej1-x62e.google.com with SMTP id y13so13999785ejp.13 for <ppm@ietf.org>; Mon, 15 Aug 2022 08:17:17 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cloudflare.com; s=google; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc; bh=/4qflvZ0ECN+SDUs8+BUD6tRD+gtOfkE4BqvRfmvEe8=; b=i/z5YtTxFFjlB1NAG67CsEyKCAGlpCGyYrzwxB4fWPlXxAXDp/nU4nAvSgiGz7B33T bcOCkaeJBex5pJJuZKRKu8oo//y7hpEkV8iQVVtPROP2mOs0AF1DEneCNWO9OCKIZLr6 q8Vq75H/XeoAJNrjh8hNC8I2YOL4yhYSFxo0c=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc; bh=/4qflvZ0ECN+SDUs8+BUD6tRD+gtOfkE4BqvRfmvEe8=; b=V2aANp+V8sPwjJyNeUSrg4/1r4fTvg++6h5at15OZQKTbmLlSn6HBJOXCTpu4T7TKG 0IySPyNvBx663Emmp8DoqxJmecFPvYTUKDk63AxQWl0s7pwGA1ivIvJFcOTMiyQB5cnY zGXGG/dNKwZjyyKkrFbe6mrcBvBwMKelaABoFjuf81tChQ4y2CzFgwrQ4966ikKUEyYZ 5NGBt5NUambi15+FtZP11PwyKcmsmtIkB043X7osWrIwqiZZxkfDmHd2+rcO48i97n5q sOkaHPTBHSJnZIxFNAMZL04PlRESfO+B6pGn8WzE+GmxJWBCBcE4+Cu3bOoxYTIrf6Vj k9BA==
X-Gm-Message-State: ACgBeo2otI5CpT3tVZ+QfB9mb5QHvjgaqIfgJdF//anwlPzBwT/NWIuM Rf12Y+gGlTOSMv7TvWHty/oQPdxCl34HM2XJAIBg8x4YwMw=
X-Google-Smtp-Source: AA6agR7bl9PXriCLnfoHuOzWUa8xKQRoMIgM8g+j4cxof2IfVCO5Utu6zYmCDZFOgi18v4qhCuVI4qWe+lmuakeEGtI=
X-Received: by 2002:a17:906:7952:b0:732:f993:75bf with SMTP id l18-20020a170906795200b00732f99375bfmr10994735ejo.165.1660576635664; Mon, 15 Aug 2022 08:17:15 -0700 (PDT)
MIME-Version: 1.0
References: <CAG2Zi22BUdB+PhjWVneBSDb-c8-MnrpiYk5zV8PF4-mo6k7hqA@mail.gmail.com> <2aa207b5-7db5-cff5-aa41-eb00c8dc147b@mozilla.com>
In-Reply-To: <2aa207b5-7db5-cff5-aa41-eb00c8dc147b@mozilla.com>
From: Christopher Patton <cpatton@cloudflare.com>
Date: Mon, 15 Aug 2022 08:17:04 -0700
Message-ID: <CAG2Zi232UE3-TCy93dRM1u-jnS_1yuzbdmfxB3+4=+bnHyp5pA@mail.gmail.com>
To: Simon Friedberger <simon@mozilla.com>
Cc: ppm@ietf.org
Content-Type: multipart/alternative; boundary="0000000000007e47be05e64920ca"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ppm/O30ecwZVEGD38Jybdp7CCES4WLo>
Subject: Re: [Ppm] Seeking input on DAP PR #297
X-BeenThere: ppm@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Privacy Preserving Measurement technologies <ppm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ppm>, <mailto:ppm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ppm/>
List-Post: <mailto:ppm@ietf.org>
List-Help: <mailto:ppm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ppm>, <mailto:ppm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 15 Aug 2022 15:17:21 -0000
> First, the statement "the Client knows exactly which batch its report is > included" is dubious. While the client technically knows that its report > is in a batch that covers its timestamp, this does not constrain when > that batch starts or ends, how many other reports there are in it, which > reports from the same time window have been dropped, etc. So what kind > of useful assurances can the client derive from this? > That's the question here :) Only one thing comes to mind for me. Without (3.), it seems easy for a malicious Leader to do a Sybil attack "on the side". In DAP-01, the Leader can aggregate a batch of one honest report with min_batch_size -1 bogus reports and, colluding with the Collector, learn the aggregate result. However this attack has a cost: because the batch corresponds to an interval of time which MUST NOT overlap with any previous or future batch interval, the Leader has to throw away all other honestly generated reports in the target interval. Without (3.) -- suppose we decide in DAP-02 not to send the batch interval in the AggregateShareReq -- the Leader can run this bogus aggregation on the side, without impacting throughput of real reports. Now, the fact that (3.) imposes this cost does not immediately benefit the Client, but perhaps there is a way to audit the Leader to make sure it's ingesting reports properly. (This is a bit contrived, but follow along with me for a second.) In particular, after the batch interval elapses in which its report would have been included, the Client could ask the Leader and Helper to see if its report was ingested. Of course, this attack falls into a bucket of other Sybil attacks that we currently don't have defenses for. We're not likely to find a one-size-fits-all solution for this problem, but it seems like there is a lot we can do to at least mitigate Sybil attacks or make them harder. Property (3.) seems to me like it would help. That said, I view this as a "nice to have", but not a requirement for all query types. I would like to spell the protocol in a way that enables it. > Second, there are technical issues. It is not clear that property (1.) > holds because it clashes with > https://github.com/ietf-wg-ppm/draft-ietf-ppm-dap/issues/183. We just > have it because we haven't sorted out > https://github.com/ietf-wg-ppm/draft-ietf-ppm-dap/issues/195 yet. > We have (1.) because we prevent batches from overlapping, i.e., we have (2.). You're right that, if/when we relax (2.), we'll definitely have to do something else. Chris P.
- [Ppm] Seeking input on DAP PR #297 Christopher Patton
- Re: [Ppm] Seeking input on DAP PR #297 Simon Friedberger
- Re: [Ppm] Seeking input on DAP PR #297 Christopher Patton
- Re: [Ppm] Seeking input on DAP PR #297 Simon Friedberger