Re: [quicwg/base-drafts] Consider simplifying Packet Number Encryption (#1575)

David Schinazi <> Mon, 24 September 2018 22:19 UTC


I had a conversation with @ekr about this yesterday, and I'm wondering if the following proposal might get us the best of both worlds:
1) Require that QUIC packets MUST verify `length(packet number) + length(payload) >= 4`, by padding the payload if needed.
2) Always have PNE encrypt 4 bytes from the start of the packet number, and use the following 16 bytes as nonce.

In practice the padding overhead here is very low as it only impacts a small number of frame types when sent without an ACK frame. (Worst-case scenario is a lonely PING frame with packet number below 63, and that case suffers 2 bytes of padding out of a 20+8+1+1+1=31 byte IPv4 packet.)

It also has the nice property of obfuscating the packet-number length, as an observer can no longer tell when the packet number is below 63.

In terms of implementation, this is simplest for decryption, and the padding can be added right before encrypting the payload as that code needs to have access to the packet number as nonce anyway.

What are people's thoughts on this?

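The two steps proposed in the message above, as an added sketch that is not code from the message or from the QUIC drafts: the sender pads, then both sides work at fixed offsets (4 masked bytes, then a 16-byte sample), so the receiver never has to guess the packet number length. Assumptions: the 1/2/4-byte packet number encoding with the length in the top bits of the first byte, HMAC-SHA256 as a stand-in for the real PNE cipher, an AEAD-sealed payload that carries a 16-byte tag, and all function names.

```python
import hashlib
import hmac

MASK_LEN = 4     # bytes masked, starting at the first packet number byte
SAMPLE_LEN = 16  # bytes right after the masked span, used as the nonce

def encode_pn(pn: int) -> bytes:
    # Assumed encoding: top bits of the first byte give the length (1, 2 or 4).
    if pn < 0x80:
        return bytes([pn])
    if pn < 0x4000:
        return (0x8000 | pn).to_bytes(2, "big")
    return (0xC0000000 | pn).to_bytes(4, "big")

def pad_payload(pn_bytes: bytes, payload: bytes) -> bytes:
    # Step 1: append PADDING (0x00) until len(pn) + len(payload) >= 4.
    return payload + b"\x00" * max(0, MASK_LEN - len(pn_bytes) - len(payload))

def _mask(key: bytes, sample: bytes) -> bytes:
    # Stand-in PRF keyed on the sample; not the cipher the drafts specify.
    return hmac.new(key, sample, hashlib.sha256).digest()[:MASK_LEN]

def _xor_at(packet: bytes, off: int, mask: bytes) -> bytes:
    span = bytes(a ^ b for a, b in zip(packet[off:off + MASK_LEN], mask))
    return packet[:off] + span + packet[off + MASK_LEN:]

def protect(key: bytes, header: bytes, pn: int, sealed_payload: bytes) -> bytes:
    # Step 2, sender side. sealed_payload is the AEAD output (padded payload + tag).
    packet = header + encode_pn(pn) + sealed_payload
    off = len(header)
    sample = packet[off + MASK_LEN:off + MASK_LEN + SAMPLE_LEN]
    if len(sample) < SAMPLE_LEN:
        raise ValueError("packet too short: payload was not padded")
    return _xor_at(packet, off, _mask(key, sample))

def unprotect(key: bytes, packet: bytes, pn_offset: int):
    # Receiver side: the sample sits at a fixed offset, whatever the pn length is.
    sample = packet[pn_offset + MASK_LEN:pn_offset + MASK_LEN + SAMPLE_LEN]
    if len(sample) < SAMPLE_LEN:
        raise ValueError("packet too short")
    clear = _xor_at(packet, pn_offset, _mask(key, sample))
    pn_len = {0: 1, 1: 1, 2: 2, 3: 4}[clear[pn_offset] >> 6]
    value = int.from_bytes(clear[pn_offset:pn_offset + pn_len], "big")
    bits = pn_len * 8 - (1 if pn_len == 1 else 2)  # drop the length prefix bits
    return value & ((1 << bits) - 1), clear[pn_offset + pn_len:]
```

With a 1-byte packet number the mask also covers the first three bytes of the sealed payload; unmasking restores them before the payload is handed to AEAD decryption.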