Re: What to do about multipath in QUIC

[Yunfei Ma <yfmascgy@gmail.com>]

Dear Kazuho,

Thanks for providing this alternative solution. I think it's great, but
please correct me if I am wrong. In the quic-tls-32 section 5.3., it reads:

*"The exclusive OR of the padded packet number and the IV forms the
AEAD nonce."*


So my question is: if we want to embed the sequence number of the
connection ID into the AEAD nonce, don't we need to incorporate this
method into section 5.3.?


Thanks,

Yunfei


On Sun, Nov 15, 2020 at 9:19 PM Kazuho Oku <kazuhooku@gmail.com> wrote:

>
>
> 2020年11月16日(月) 8:25 Yanmei Liu <healing4d@gmail.com>:
>
>> Hi Christian and Lucas,
>>
>> Thanks a lot for the advice :-)
>>
>> > The use of AEAD is only safe if the same packet number is not reused
>> twice with the same key. If we use multiple packet number contexts, AEAD is
>> only safe if these contexts use different encryption keys. This requires
>> adding a key derivation procedure for the "sub connection", and also adding
>> ways to identify the relevant key in the incoming packets. This gets
>> complicated very quickly, especially if we want to keep the possibility of
>> using zero-length connection identifiers on the client side.
>> > I use a concept very similar to the sub-connection, but only as a way
>> to manipulate paths, so the client can instruct the server when paths ought
>> to be abandoned. Otherwise, I just keep track of which PN maps to which
>> path.
>>
>> We have tried to use the same packet number space in all the paths (or
>> sub-connections) before, and have found that it brought much complexity in
>> implementation for loss recovery.
>> In the meanwhile, the AEAD security problem mentioned above should be
>> solved. Another way to solve this problem is using different keys in
>> different paths, but it also brings much complexity in key derivation as
>> you have mentioned.
>>
>> We have found a third solution in
>> https://tools.ietf.org/id/draft-huitema-quic-mpath-req-01.txt : create
>> nonces by mixing the IV with both the path specific connection ID and the
>> packet sequence number.
>> If we can mix Destination Connection ID in for each packet's AEAD nonce,
>> then it will be safe to use the same key in all the paths with different
>> packet number spaces.
>>
>
> Or as an alternative, we can encode the sequence number of the connection
> ID directly in the unused part of AEAD nonce (size of nonce is 96 bits in
> AES-GCM, 128 bits in chacha20-poly1305, but we only use 62 bits). The
> benefit of such an approach is that endpoints would not be required to have
> additional state related to AEAD. Endpoints already have the mapping
> between connection IDs and their sequence numbers, all they need to do is
> pass that sequence number as part of the AEAD nonce.
>
> But since QUIC-TLS has been in the last-call period, would it be able to
>> add this modification into QUIC-TLS?
>>
>
> I do not think we have to, especially if we embed the sequence number of
> the connection ID into the AEAD nonce.
>
>
>>
>>
>> Thanks,
>> Yanmei
>>
>>
>>
>>
>> On Fri, 13 Nov 2020 at 01:04, Christian Huitema <huitema@huitema.net>
>> wrote:
>>
>>>
>>> On 11/12/2020 3:10 AM, Mikkel Fahnøe Jørgensen wrote:
>>>
>>>   1. We think QUICv1 has already laid down the foundation to build a general-purpose multi-path since migration can be viewed as a special type of multi-path. Therefore, we think one should reuse the design of migration in QUIC-v1 as much as possible, along with the features such as PATH_CHALLENGE/PATH_RESPONSE for path challenge and address validation, and NEW_CONNECTION_ID/RETIRE_CONNECTION_ID for CID renegotiation of new path(which is called Sub-connection in our draft). Reusing these features of QUIC-v1 with small extensions has enabled us to get general-purpose multi-path features with very little efforts in
>>> Alibaba’s XQUIC(an implementation of QUIC-v1).
>>>
>>> Yes. That's a major investment in QUIC V1, and we should keep it.
>>>
>>>   2. We find that the simplest way to add a second path is to use a sub-connection. The concept of sub-connection is directly inherited from connection in QUIC-transport, defined as the logic session of each physical path. Similar to a connection, each sub-connection has its own packet number space for the purpose of loss detection and recovery.
>>>
>>>
>>> I did not want to do that in my own draft for a couple of reasons. The
>>> main one is the interaction with encryption.
>>>
>>> The use of AEAD is only safe if the same packet number is not reused
>>> twice with the same key. If we use multiple packet number contexts, AEAD is
>>> only safe if these contexts use different encryption keys. This requires
>>> adding a key derivation procedure for the "sub connection", and also adding
>>> ways to identify the relevant key in the incoming packets. This gets
>>> complicated very quickly, especially if we want to keep the possibility of
>>> using zero-length connection identifiers on the client side.
>>>
>>> I use a concept very similar to the sub-connection, but only as a way to
>>> manipulate paths, so the client can instruct the server when paths ought to
>>> be abandoned. Otherwise, I just keep track of which PN maps to which path.
>>>
>>>
>>>   3. To merge the gap between migration and the general-purpose multi-path, several new features need to be supported:
>>>   - (1) how to manage the lifecycles of individual sub-connections.
>>>
>>>   - (2) how to distinguish packets coming from different sub-connections.
>>>   - (3) how to co-operate with a multi-path scheduler.
>>>
>>> We would appreciate hearing any thoughts, comments and suggestions.
>>>
>>>
>>> I think we need more work on the "multi-path scheduler". We have heard
>>> of three application scenarios: maintaining the lowest RTT when sending
>>> voice segments (Apple Siri), avoiding buffering delays when playing music
>>> (Apple Music), and using two available links with equal preference (Ali
>>> Baba "high speed train"). I wish that we could distillate that into a
>>> couple of simple concepts.
>>>
>>> -- Christian Huitema
>>>
>>>
>
> --
> Kazuho Oku
>