IETF Logo Mail Archive

Re: A question about user tracking with QUIC

Christian Huitema <huitema@huitema.net> Mon, 07 June 2021 15:21 UTC

Return-Path: <huitema@huitema.net>
X-Original-To: quic@ietfa.amsl.com
Delivered-To: quic@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4801F3A1A1E for <quic@ietfa.amsl.com>; Mon, 7 Jun 2021 08:21:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.888
X-Spam-Level:
X-Spam-Status: No, score=-1.888 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, NICE_REPLY_A=-0.001, SPF_HELO_NONE=0.001, T_SPF_PERMERROR=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PZPscs7x3RSv for <quic@ietfa.amsl.com>; Mon, 7 Jun 2021 08:21:45 -0700 (PDT)
Received: from mx36-out21.antispamcloud.com (mx36-out21.antispamcloud.com [209.126.121.69]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6B0E43A1ABE for <quic@ietf.org>; Mon, 7 Jun 2021 08:21:39 -0700 (PDT)
Received: from xse114.mail2web.com ([66.113.196.114] helo=xse.mail2web.com) by mx135.antispamcloud.com with esmtp (Exim 4.92) (envelope-from <huitema@huitema.net>) id 1lqH4E-001BqH-VY for quic@ietf.org; Mon, 07 Jun 2021 17:21:38 +0200
Received: from xsmtp22.mail2web.com (unknown [10.100.68.61]) by xse.mail2web.com (Postfix) with ESMTPS id 4FzHCC5ByYzBtq for <quic@ietf.org>; Mon, 7 Jun 2021 08:21:27 -0700 (PDT)
Received: from [10.5.2.14] (helo=xmail04.myhosting.com) by xsmtp22.mail2web.com with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:256) (Exim 4.92) (envelope-from <huitema@huitema.net>) id 1lqH4B-00026w-Ie for quic@ietf.org; Mon, 07 Jun 2021 08:21:27 -0700
Received: (qmail 6247 invoked from network); 7 Jun 2021 15:21:26 -0000
Received: from unknown (HELO [192.168.1.103]) (Authenticated-user:_huitema@huitema.net@[172.58.43.69]) (envelope-sender <huitema@huitema.net>) by xmail04.myhosting.com (qmail-ldap-1.03) with ESMTPA for <lucaspardue.24.7@gmail.com>; 7 Jun 2021 15:21:25 -0000
To: Mikkel Fahnøe Jørgensen <mikkelfj@gmail.com>, Stephane Bortzmeyer <bortzmeyer@nic.fr>
Cc: IETF QUIC WG <quic@ietf.org>, Robin MARX <robin.marx=40uhasselt.be@dmarc.ietf.org>, Lucas Pardue <lucaspardue.24.7@gmail.com>
References: <20210607123854.GA16312@nic.fr> <CAC7UV9bkqOeCgDsCH+Hdq0v=zmRKNNDtpfiq6Ap_vzm5zUzGVg@mail.gmail.com> <CALGR9oZiUe5TyY3Tv432__GH=v+Lpv2EZah0G4ZD+g3E2FkaMg@mail.gmail.com> <20210607130422.GA27971@sources.org> <EE723B6D-7B6B-4B68-A4A1-F1809CF68F1B@gmail.com> <20210607142015.GA31240@sources.org> <C1B56269-0EF7-42EC-8824-70F7485807B2@gmail.com>
From: Christian Huitema <huitema@huitema.net>
Subject: Re: A question about user tracking with QUIC
Message-ID: <bc4714c6-61c4-f384-9d08-f4278264364c@huitema.net>
Date: Mon, 07 Jun 2021 08:21:24 -0700
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0) Gecko/20100101 Thunderbird/78.11.0
MIME-Version: 1.0
In-Reply-To: <C1B56269-0EF7-42EC-8824-70F7485807B2@gmail.com>
Content-Type: multipart/alternative; boundary="------------AC6E73259323B3331813A82E"
Content-Language: en-US
X-Originating-IP: 66.113.196.114
X-Spampanel-Domain: xsmtpout.mail2web.com
X-Spampanel-Username: 66.113.196.0/24
Authentication-Results: antispamcloud.com; auth=pass smtp.auth=66.113.196.0/24@xsmtpout.mail2web.com
X-Spampanel-Outgoing-Class: unsure
X-Spampanel-Outgoing-Evidence: Combined (0.15)
X-Recommended-Action: accept
X-Filter-ID: Pt3MvcO5N4iKaDQ5O6lkdGlMVN6RH8bjRMzItlySaT9WLQux0N3HQm8ltz8rnu+BPUtbdvnXkggZ 3YnVId/Y5jcf0yeVQAvfjHznO7+bT5x6h2yQpzTslcOqazQkKtAFKj/EwzSHE5FGYwwjsNRPCM/P Qk9+BBkGseiUkBL7t6LmD6wdmZPcItWbGe10hXJtXL4FsauCVkDjmcYJdU3yWp7KuHNaaKdg7iBE ZefdsNUFWKwa/wzJUjmazeC7Imca053GwGyhzY/+A1Bez9k2eBQ6V51u76v35b1wNe/MvdL/hXir I7jpLA3NtNK1rbkD2+J9PgaoF8SQHto3le4zsHTaeQtlKubP6iUTjj6yPARK6buALVaA782LKxg6 vRmng8N1aLhXqdc+jC1RcnVud53D5caUhbVtvqItBqoizkEt9O20UjkwI0v+LOlw05G4BS+iyyNq bT8dUMXMJ4tUCMj6G37ZfAMLceP5aNHPt26RBupu5v1nytoNnc138GfEJRQ2qC7jjynPIHPNqSn4 QTXUjLjYWQt1/5xnQymMoPsgr/U0flMcy2Vi/IcBgY4arPaiJ1W6hAyiRC61jekdwIcXNugoOEbH RyFULpSjm7jZ1h/HfDRQ5Ig8VhPsPE8NlkBmbR1LS6Kx8w5MHqDEE8D8g0IqoxA0+tq3OZe9KUgj Jx7mapXdzPjNZZp0PXTODRojSVizNl0ce/s7u0P9b9Tml6eOMCV9kYYwkPx6ZsXvIUzTXkDAiiJi mGhLUFuS2lhaIetXfCg1JdAVrOwKfP/oEKsvd2e583xeej+zeONUoFIvD3sIcP1fhJPM6B/8E87g FOY5u7jFKLUFDeVt76N3bHguNqWzClEEbhv4VUmJ+dym1L8cD17Js0v4cp1M5+6HWswkGYxQx+MX ohjg/zcKVNeVJ9BXyu9+ceCqThTYg2px1fSoqxQCCHnLMo/m9VKh99btUAanjnMCAH2co+fBoeG+ Hs0afhsY/5zhNYWRVYKU9W9tbmVXJBqdHHDmZEKhyNAv1N35kYWaEdgLurFV5oTvAcwA4rM3FkfW 8/1kE/e7sUnsVpINvARNxpFO
X-Report-Abuse-To: spam@quarantine11.antispamcloud.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic/-yHTYOK63hNXQ4zAUsgu6dyiV38>
X-BeenThere: quic@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Main mailing list of the IETF QUIC working group <quic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic>, <mailto:quic-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic/>
List-Post: <mailto:quic@ietf.org>
List-Help: <mailto:quic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic>, <mailto:quic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 07 Jun 2021 15:21:50 -0000

I think Stéphane raises an interesting point: QUIC does enable 
trade-offs between privacy and performance, and these trade-offs are not 
well documented in the published RFC. The main trade-off comes from the 
use of session resumption, including 0-RTT. A similar trade-off results 
from using retry tokens provided in NEW TOKEN frames. A secondary 
trade-off comes from the use of connection migration.

Session resumption in QUIC uses the mechanisms described in TLS 1.3. The 
risks is actually documented in RFC 9001, in section 9.1 of the session 
considerations, "Session Linkability". The entire text says: "Use of TLS 
session tickets allows servers and possibly other entities to correlate 
connections made by the same client; see Section 4.5 for details." 
Section 4.5 is the description of the resumption mechanism. The relevant 
text in that section says: "Session resumption allows servers to link 
activity on the original connection with the resumed connection, which 
might be a privacy issue for clients. Clients can choose not to enable 
resumption to avoid creating this correlation. Clients SHOULD NOT reuse 
tickets as that allows entities other than the server to correlate 
connections; see Appendix C.4 
<https://www.rfc-editor.org/rfc/rfc8446#appendix-C.4> of [TLS13 
<https://www.rfc-editor.org/rfc/rfc9001.html#TLS13>]."
<https://www.rfc-editor.org/rfc/rfc9001.html#name-session-linkability>

The session resumption risk is not new to QUIC. This is exactly the same 
issue as resumption of a TCP/TLS session. QUIC does add an additional 
tracking mechanism with the "NEW TOKEN", which is designed to bypass 
source address verification and save one RTT by showing a proof that the 
IP address was already verified. This token could certainly allow some 
form of tracking. We can debate whether this is an additional risk 
compared to the TLS session token, but Stéphane's point hold: this 
trade-off between performance and privacy is not analyzed and documented.

Similarly, there are potential trade-offs with the support of connection 
migration. A client that attempts migration reveals the new IP address 
used for that migration. A client that acts on a "server preferred 
address" parameter may end up using and revealing a new IP address. We 
can argue that the trade-offs are OK, but they are just that, 
trade-off.And they are indeed not documented in the RFC.

There are mitigations to all these risks. For example, the classic 
mitigation for session resumption privacy risk is for the client to not 
use it at all, or to only use it if the IP address did not change and if 
the ticket was provided recently. The same apply for the "NEW TOKEN" 
variants of retry tokens. It is actually hard for clients behind NAT to 
know that their IP address did not change, so such mitigations need 
work. Similarly, there is a worthwhile discussion of migration risks, 
which are different if the client identifies itself to the server at the 
application layer and if it doesn't. It might be a very good idea to 
publish that.

-- Christian Huitema

On 6/7/2021 7:37 AM, Mikkel Fahnøe Jørgensen wrote:
> Also note that a lot of dicussions have taken place on github issues and pull requests.
>
>> On 7 Jun 2021, at 16.20, Stephane Bortzmeyer <bortzmeyer@nic.fr> wrote:
>>
>> On Mon, Jun 07, 2021 at 03:36:31PM +0200,
>> Mikkel Fahnøe Jørgensen <mikkelfj@gmail.com> wrote
>> a message of 37 lines which said:
>>
>>> User tracking has been discussed a lot during the development of the
>>> QUIC protocol.
>> User tracking BY THE SERVER? I'm sure the WG left no stone unturned
>> but I cannot find this discussions in the email archives. I probably
>> used the wrong keywords.
>>
>>> For servers, it is necessary to track users across migrations,
>>> because you need to maintain connection state and to maintain the IP
>>> address of where to send data.
>> This is why that I suggested (but it may be a bad idea, may be I
>> didn't think of everything) that a privacy-conscious client may be

>> better by not using connection migration, and resetting to an entirely
>> new connection when the IP address changes.
>>

v2.31.3 | Report a Bug | By Email | System Status