IETF Logo Mail Archive

RE: Packet number encryption

Praveen Balasubramanian <pravb@microsoft.com> Fri, 09 February 2018 01:50 UTC

Return-Path: <pravb@microsoft.com>
X-Original-To: quic@ietfa.amsl.com
Delivered-To: quic@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5A17D120721 for <quic@ietfa.amsl.com>; Thu, 8 Feb 2018 17:50:53 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.991
X-Spam-Level:
X-Spam-Status: No, score=-1.991 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=microsoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3F_Om6D5mTWn for <quic@ietfa.amsl.com>; Thu, 8 Feb 2018 17:50:49 -0800 (PST)
Received: from NAM02-CY1-obe.outbound.protection.outlook.com (mail-cys01nam02on0119.outbound.protection.outlook.com [104.47.37.119]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DCC78124207 for <quic@ietf.org>; Thu, 8 Feb 2018 17:50:48 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=dsvtKBeZI1+BIB+qQux92bgYwJ1Cj+YSOpHw8SkFbl0=; b=hsxu81lD2Ywc0C3Xo1s36OWJu/l36oukWbHgO6TaBBViKGA0TFD1qV3/Kj/1kpcJxnfkj9BiYruSdlHc89t6iHZqer6Fz+I8//mIlWeqfSvXPC7v9flh8ewIYVRovy6SlUthGQJZJvuu03JsaRS0/pMBF0ZiHAOAgyIP7ExHCKg=
Received: from MWHPR21MB0144.namprd21.prod.outlook.com (10.173.52.14) by MWHPR21MB0640.namprd21.prod.outlook.com (10.175.141.141) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.506.3; Fri, 9 Feb 2018 01:50:47 +0000
Received: from MWHPR21MB0144.namprd21.prod.outlook.com ([10.173.52.14]) by MWHPR21MB0144.namprd21.prod.outlook.com ([10.173.52.14]) with mapi id 15.20.0485.000; Fri, 9 Feb 2018 01:50:47 +0000
From: Praveen Balasubramanian <pravb@microsoft.com>
To: huitema <huitema@huitema.net>, "quic@ietf.org" <quic@ietf.org>
Subject: RE: Packet number encryption
Thread-Topic: Packet number encryption
Thread-Index: AQHTmW31V+0GAWpR/E2VqOCVLx9SYqOMgUQAgABeoYCAAAgUAIAAd3KAgAA8YgCAACPEAIAAAiYAgAOBloCAALfdgIAACBkAgAEGGACAANx9AIAAn5KAgAB7w4CAADUigIAADBeAgADUsaCAAGk3gIAAEEgAgACizACAADhiAIAAHkiAgAADUYCAACdFAIAAVRYAgAAUZQCAAA5oAIAAD4fQgABGjACAAAGHQIAACNQAgAAAqaCAAAeBgIAAC4qAgACi02CAAe6PgIAACzgAgAARh3A=
Date: Fri, 09 Feb 2018 01:50:46 +0000
Message-ID: <MWHPR21MB0144C68102972A668611E1FCB6F20@MWHPR21MB0144.namprd21.prod.outlook.com>
References: <CABkgnnVyo3MmWtVULiV=FJTnR528qfY8-OmKGWAs0bCvri-a_g@mail.gmail.com> <CAGD1bZauKbucs_5n7RQbK8H2HiyfiqpGVEcKreGA6umhMBSFgg@mail.gmail.com> <CABcZeBPNrc-9vANSH02r++p53s6gN4pVB8DMd80nUxOhKTp3dA@mail.gmail.com> <CAKcm_gMvHSBhpUvsQCCkV2_o+d_wchF3R3L6H8mp6nKNaaRmSw@mail.gmail.com> <CY4PR21MB0133CCAA6807469BA983D00BB6FC0@CY4PR21MB0133.namprd21.prod.outlook.com> <CABkgnnW4xr_YzpsvCxaJJgcQdBTuX=Yv735_sdd4VoMfji8mbA@mail.gmail.com> <CY4PR21MB0133C759D4A08A4988B641B2B6FC0@CY4PR21MB0133.namprd21.prod.outlook.com> <bdf88936-8edc-d56e-ee59-c9d597058edd@huitema.net> <CY4PR21MB01337C8A700E58B49D90B712B6FC0@CY4PR21MB0133.namprd21.prod.outlook.com> <119b3276-5799-1cc3-8982-7479171bbf27@huitema.net> <CAOYVs2pi8-NVuS+crNMfjsP-n5upK3=5tPeQ8OSGpOvL6RTrjA@mail.gmail.com> <CY4PR21MB0133A1117B2733BBCF049C5FB6FC0@CY4PR21MB0133.namprd21.prod.outlook.com> <MWHPR08MB24327A7BB5AE1AE70FE5CDB1DAF30@MWHPR08MB2432.namprd08.prod.outlook.com> <533a0a2e-3a87-b55f-84ce-c52bc03cd81c@huitema.net>
In-Reply-To: <533a0a2e-3a87-b55f-84ce-c52bc03cd81c@huitema.net>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [2001:4898:80e8::712]
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1; MWHPR21MB0640; 7:oyWSnMts0gVmNcTGagCNhGT4K/tzIqEv6I5F5eU/tglcaIlkcmxQ0ukHiHleb+tCnzuOx5G0W7d7ACeiaaSDwzgOGA1xcSHygNdM2iLaCXyYsvgj/L9kNwFauX6fMqLxZKhlkk1AXhmRz7foftA+okUII10D5RF7umCkThU08K9AGAPS/GJzMSpfoMIgPX330S2kCbl2hbYO3AYUw5/8axYzDUAflRs7PPxi+M6m4C3ZmjyWqH1LFz+LyNx5/jhP
x-ms-exchange-antispam-srfa-diagnostics: SSOS;
x-ms-office365-filtering-ht: Tenant
x-ms-office365-filtering-correlation-id: 0c5a5a2d-bb20-433d-f1be-08d56f5f8a21
x-microsoft-antispam: UriScan:; BCL:0; PCL:0; RULEID:(7020095)(4652020)(4534165)(4627221)(201703031133081)(201702281549075)(48565401081)(5600026)(4604075)(3008032)(2017052603307)(7193020); SRVR:MWHPR21MB0640;
x-ms-traffictypediagnostic: MWHPR21MB0640:
x-ld-processed: 72f988bf-86f1-41af-91ab-2d7cd011db47,ExtAddr
x-microsoft-antispam-prvs: <MWHPR21MB0640EF28E94F35A975D41687B6F20@MWHPR21MB0640.namprd21.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(28532068793085)(21748063052155);
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(61425038)(6040501)(2401047)(8121501046)(5005006)(93006095)(93001095)(3002001)(3231101)(2400082)(944501161)(10201501046)(6055026)(61426038)(61427038)(6041288)(20161123564045)(20161123558120)(20161123562045)(20161123560045)(201703131423095)(201702281528075)(20161123555045)(201703061421075)(201703061406153)(6072148)(201708071742011); SRVR:MWHPR21MB0640; BCL:0; PCL:0; RULEID:; SRVR:MWHPR21MB0640;
x-forefront-prvs: 057859F9C5
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(376002)(39860400002)(39380400002)(366004)(346002)(396003)(377424004)(199004)(189003)(93886005)(6436002)(6116002)(790700001)(229853002)(77096007)(9686003)(2900100001)(106356001)(8990500004)(54896002)(6306002)(25786009)(316002)(6246003)(97736004)(55016002)(10090500001)(110136005)(3660700001)(5660300001)(7116003)(3280700002)(2950100002)(7696005)(561944003)(33656002)(99286004)(186003)(2906002)(76176011)(7736002)(10290500003)(53936002)(86612001)(102836004)(6346003)(86362001)(14454004)(81156014)(22452003)(478600001)(74316002)(2501003)(53546011)(59450400001)(8936002)(6506007)(105586002)(8676002)(81166006)(3480700004)(68736007); DIR:OUT; SFP:1102; SCL:1; SRVR:MWHPR21MB0640; H:MWHPR21MB0144.namprd21.prod.outlook.com; FPR:; SPF:None; PTR:InfoNoRecords; A:1; MX:1; LANG:en;
received-spf: None (protection.outlook.com: microsoft.com does not designate permitted sender hosts)
authentication-results: spf=none (sender IP is ) smtp.mailfrom=pravb@microsoft.com;
x-microsoft-antispam-message-info: BMZTq+6MrTOp9+KjLoxddpoE+sl6DVxaIEhpLBOW1N54QbX2oNyUyARNjnB2BVTcQmUKEGslInkSNI5V+8E2Gg==
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: multipart/alternative; boundary="_000_MWHPR21MB0144C68102972A668611E1FCB6F20MWHPR21MB0144namp_"
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 0c5a5a2d-bb20-433d-f1be-08d56f5f8a21
X-MS-Exchange-CrossTenant-originalarrivaltime: 09 Feb 2018 01:50:47.0838 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47
X-MS-Exchange-Transport-CrossTenantHeadersStamped: MWHPR21MB0640
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic/3suKH3vTNucsdI-0TEMwnXwZWPw>
X-BeenThere: quic@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Main mailing list of the IETF QUIC working group <quic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic>, <mailto:quic-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic/>
List-Post: <mailto:quic@ietf.org>
List-Help: <mailto:quic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic>, <mailto:quic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 09 Feb 2018 01:50:53 -0000

>> and using separate packet sequences for each path
This alone prevents linkability right?

>> The packet number on each path will start at 1 (or maybe 0 ;-).
Is supporting multiple paths at the same time a goal? If yes, then yes all paths will need to have separate tracking and ACK state and congestion control etc. I thought this is not part of V1 RFC. If its just one additional path for connection migration scenario then all you need is a (random) jump to a offset in packet number space for the new path so that the few packets in the old path can continue for a little bit. This works with just one ACK space so no implementation complexity.

>> 2) Or, leaving the packet number in the clear but using different encryption contexts for each path, and using separate packet sequences for each path.
In addition if the value in the clear was obfuscated with an XOR transform it will help prevent ossification. The obfuscation is not meant to guard against later analysis that reveals the packet numbers - why do we care about that. It is meant to grease the space and not make the numbers serial so middleboxes cannot assume ordering etc.

All said if I am alone in being concerned about the perf hit then I’d say go on with option 1.

From: QUIC [mailto:quic-bounces@ietf.org] On Behalf Of Christian Huitema
Sent: Thursday, February 8, 2018 3:54 PM
To: quic@ietf.org
Subject: Re: Packet number encryption


On 2/8/2018 1:13 PM, Mike Bishop wrote:
#2 won’t work.  The packet number is an input to the AEAD nonce, so you have to get to the packet number before you can decrypt the payload.  It can’t be based on anything internal to the encrypted packet.

In Martin’s proposal, it’s using a combination of the encrypted payload (which requires nothing to access) and some stored state on each endpoint, which requires only the Connection ID to look up.  You want the thing you XOR by to be constantly changing, or it becomes easier to look at sequences of obfuscated packet numbers and start drawing inferences about what the XOR value is.  If overhead is the primary concern, I think there are a couple approaches that might allow you to precompute values and amortize the cost of doing the encryption step.  (At the cost of keeping the table of precomputed values, of course.)

I still think Jana’s pushing in the right direction here:  Let’s agree on goals, and then see if we can craft a design that meets those goals.  I hear you saying that low overhead is a goal, which I think we can all agree on.  I also think I hear you saying that 1-1.5% overhead is too high, but it sounds like there’s less agreement on that.  You also raise an interesting point that some clients will care less about linkability because they will never intentionally migrate.

I think Victor said it best, "Obfuscation is just encryption done poorly." Either we encrypt, or we don't. But there is no such thing as an obfuscation middle-ground. Obfuscation would just be a speed bump, easily broken. It won't provide privacy, and it won't prevent linkability.

As far as I am concerned, there are only two designs that prevent linkability:

1) Martin's PR, in which the packet number is encrypted using sensible crypto;

2) Or, leaving the packet number in the clear but using different encryption contexts for each path, and using separate packet sequences for each path.

The second option requires more computation when explicitly setting up a new path. The connection ID would be used as part of the "salt" when deriving connection contexts. The packet number on each path will start at 1 (or maybe 0 ;-). This requires maintaining separate SACK dashboards for each path/Connection-ID, and constraining ACK to be per/path, or alternatively adding a PATH-ACK frame that indicates the path for which packets are acked.

The pros and cons of the two options are easy to get:

1) Option 2 does not require the cost of encrypting every packet, thus per packet processing will be maybe 1% faster than option 1.

2) Option 2 requires computing encryption contexts for each path, which is more complex than option 1, but the cost will be amortized over the duration of the path.

3) Option 2 requires more complex data structures and ACK management, thus increasing the chances that something goes wrong.

4) Option 2 does nothing against packet number ossification. The packet number effectively becomes part of the invariants.

In short, the only advantage of option 2 is to avoid a single symmetric encryption operation per packet, while making the code significantly more complex, and at the cost of not protecting against PN ossification. The way I see that, there is hardly any debate.

-- Christian Huitema

v2.23.0 | Report a Bug | By Email