Re: Explicit measurability in the QUIC wire image (was Re: Packet number encryption)

Martin Thomson <martin.thomson@gmail.com> Wed, 07 February 2018 10:10 UTC

MIME-Version: 1.0
In-Reply-To: <CAN1APddkFxLFREQQe+0Kqqi+zJeU20ALjzN4R0Muf9FD1BzZUg@mail.gmail.com>
References: <CABkgnnVyo3MmWtVULiV=FJTnR528qfY8-OmKGWAs0bCvri-a_g@mail.gmail.com> <1F7FB3B8-A94C-4354-9944-FB09FB8DB68B@trammell.ch> <CABcZeBMbwdwyC9TxxHBLYaZKfNB-FG2wCGjqUZ_mNR-A1R47FA@mail.gmail.com> <9096e5ec-581e-875a-b1dd-bff0b05206fd@huitema.net> <CABkgnnWRQSAufwPss+qf=xAzCwRYeNNH8XLPm3yFaHxOb+ba4g@mail.gmail.com> <BF80500A-6277-45DC-8525-9C3FE138B76D@tik.ee.ethz.ch> <5A7191E0.6010003@erg.abdn.ac.uk> <5214AD93-8376-4B25-922F-AF5551CC2E95@netapp.com> <F990E064-E6F8-41A3-B791-F776C9955E15@nokia.com> <CAGD1bZab0GaZFsHwC+nw3AxxC4VusxMJ6oDanzk3dSDdWKAXdw@mail.gmail.com> <2C515BE8694C6F4B9B6A578BCAC32E2F83BA1443@MBX021-W3-CA-2.exch021.domain.local> <BY2PR15MB07757473DB9788558B902EB5CDF80@BY2PR15MB0775.namprd15.prod.outlook.com> <6E58094ECC8D8344914996DAD28F1CCD861B7F@DGGEMM506-MBX.china.huawei.com> <e529144067624fcba636fc8c24ee3ff4@usma1ex-dag1mb5.msg.corp.akamai.com> <BY2PR15MB07754D83A1721F2BD742359BCDFE0@BY2PR15MB0775.namprd15.prod.outlook.com> <2CD9DC43-D69B-43F0-8474-DFE798850A52@akamai.com> <CAGD1bZaUuNxqpDkn62B0wWcFD8=mCUWrAwWGG-rAOxH7Mf1=cQ@mail.gmail.com> <CY4PR21MB01334E30C7AF6AE75F58EEFDB6FE0@CY4PR21MB0133.namprd21.prod.outlook.com> <CAGD1bZaxrqzdkk0wxRaULwOTgg6wnrSrXNBK31s4uxdozaACBA@mail.gmail.com> <CAGD1bZbOAaSBcQw4nVtGuwRunaAW8MYHq9yPxNN6DdKHzt5HtQ@mail.gmail.com> <CANatvzx+uDHMV5XS=OuVYBqe_RYX=EmVWAmjuONS8BpNYCPweA@mail.gmail.com> <5233815B-00F3-4961-ABB8-505906258B89@trammell.ch> <CAN1APdcuKSLYw4Odyc4g=+4_+ojsNekeqmM9eYqxykkfxRx3Cg@mail.gmail.com> <CANatvzz3rmGPRgu1Z5+bAHhgjiN3L5OVTDhb4fmpPX+M8o4z3w@mail.gmail.com> <DB6PR10MB17661B9957DF90733FA28EC5ACFD0@DB6PR10MB1766.EURPRD10.PROD.OUTLOOK.COM> <DB6PR10MB176682C63A91007574BBEAECACFC0@DB6PR10MB1766.EURPRD10.PROD.OUTLOOK.COM> <CAN1APddkFxLFREQQe+0Kqqi+zJeU20ALjzN4R0Muf9FD1BzZUg@mail.gmail.com>
From: Martin Thomson <martin.thomson@gmail.com>
Date: Wed, 07 Feb 2018 21:10:20 +1100
Message-ID: <CABkgnnXkEsQkmdgX6c4_9w6YhTaPYrtdhUEJ8imi7NSChyC32g@mail.gmail.com>
Subject: Re: Explicit measurability in the QUIC wire image (was Re: Packet number encryption)
To: Mikkel Fahnøe Jørgensen <mikkelfj@gmail.com>
Cc: Kazuho Oku <kazuhooku@gmail.com>, "Brian Trammell (IETF)" <ietf@trammell.ch>, QUIC WG <quic@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic/4-Mr6E7-m30KBVJdslZIBL9qMKM>
Precedence: list

I looked into these when I first considered packet number encryption.
They are not typically bijective on 2^N-1.  That's not a great outcome
here.  Also, random access is a requirement and that isn't
straightforward here, even with the good ones.  Also reversing is
possible, but more complicated.

On Wed, Feb 7, 2018 at 8:10 PM, Mikkel Fahnøe Jørgensen
<mikkelfj@gmail.com> wrote:
> Instead of a static Pi table, an xorshift+ PRNG could be used. It would
> likely be preferable to shorten the cycle such that observers can use hash
> lookups and hamming distance computations against selected segments of the
> sequence.
>
> https://en.wikipedia.org/wiki/Xorshift#xorshift+
>
> http://xoroshiro.di.unimi.it/xorshift128plus.c
>
> uint64_t s[2];
>
> uint64_t next(void) {
> 	uint64_t s1 = s[0];
> 	const uint64_t s0 = s[1];
> 	const uint64_t result = s0 + s1;
> 	s[0] = s0;
> 	s1 ^= s1 << 23; // a
> 	s[1] = s1 ^ s0 ^ (s1 >> 18) ^ (s0 >> 5); // b, c
> 	return result;
> }
>
>
> A simpler 32-bit version could also be used since we do not care about long
> cycles.
>
> http://excamera.com/sphinx/article-xorshift.html
>
> uint32_t seed = 7;  // 100% random seed value
>
> static uint32_t random()
> {
>   seed ^= seed << 13;
>   seed ^= seed >> 17;
>   seed ^= seed << 5;
>   return seed;
> }
>
>
> The output would be the bits shifted out of the 32-bit our 64-bit word in
> either MSB or LSB first. I’d prefer LSB because it is slightly simpler to
> test the LSB bit and divide by 2.
>
> On 7 February 2018 at 01.29.18, Mikkel Fahnøe Jørgensen (mikkelfj@gmail.com)
> wrote:
>
> Also note that this approach is insensitive to skipped packet numbers in
> optimistic ACK attack defence. It leaks zero information when the network is
> perfect and if the CID hash is random.
>
> ________________________________
> From: Mikkel Fahnøe Jørgensen <mikkelfj@gmail.com>
> Sent: Wednesday, February 7, 2018 12:58:33 AM
> To: Kazuho Oku
> Cc: Brian Trammell (IETF); QUIC WG
> Subject: Re: Explicit measurability in the QUIC wire image (was Re: Packet
> number encryption)
>
> I actually think a static 1KB table of Pi could work quite well.
>
> A subset of samples could be indexed in a hashtable and yield loss data
> early with some probability. Some samples would miss due to reordering or
> loss. If more exact analysis is wanted the levenshtein distance of a sample
> sequence against Pi from a synced offset would tell a lot about the data. Or
> DNA sequencing. This could be hardware optimized.
>
> Yet, transmission is always just the next bit in the Pi table.
>
> Since Pi is effectively random it will ebentually detect mutations if the
> observed sequence is long enough.
>
> Wrt privacy, the CID may be used as a start offset hash into the Pi table.
>
> There isn’t any need to cover a full RTT worth of Pi bits unless it is used
> for latency detection, but in that case the spin could be a pattern like
> 10101010 and 00001111 injected into the Pi sequence. A separate spin bit
> would be simpler.
>
>
> ________________________________
> From: Kazuho Oku <kazuhooku@gmail.com>
> Sent: Tuesday, February 6, 2018 5:22:35 PM
> To: Mikkel Fahnøe Jørgensen
> Cc: Brian Trammell (IETF); QUIC WG
> Subject: Re: Explicit measurability in the QUIC wire image (was Re: Packet
> number encryption)
>
> 2018-02-06 23:54 GMT+09:00 Mikkel Fahnøe Jørgensen <mikkelfj@gmail.com>:
>> This idea can be taken further: You can modulate the signal so you use
>> multiple packets to encode a zero or a one for half the wave duration. For
>> example 1 could be encoded as 0101 over four packets and zero could be
>> encoded as 0011 over four packets.
>> If there is any reordering, it would show up as an unexpected value in the
>> pulse.
>
> That's definitely an option.
>
> Actually, I considered using sin wave (that distributes the error
> among 1-bit samples) as an example instead of the square wave.
>
> The primary reason behind my preference to using a square wave is that
> it is easier to implement; in fact, emitting a square wave with the
> length of 512 packets is as easy as just taking the 9th bit (counting
> from LSB) of the packet number (if we forget about the gaps for a
> moment).
>
>
> --
> Kazuho Oku

Packet number encryption Martin Thomson
Re: Packet number encryption Ian Swett
Re: Packet number encryption Brian Trammell (IETF)
Re: Packet number encryption Eric Rescorla
Re: Packet number encryption Christian Huitema
Re: Packet number encryption Martin Thomson
Re: Packet number encryption Mirja Kühlewind
Re: Packet number encryption Gorry Fairhurst
Re: Packet number encryption Brian Trammell (IETF)
Re: Packet number encryption Eggert, Lars
Re: Packet number encryption Brian Trammell (IETF)
Re: Packet number encryption Martin Thomson
Re: Packet number encryption Mikkel Fahnøe Jørgensen
Re: Packet number encryption Martin Thomson
Re: Packet number encryption Roberto Peon
Re: Packet number encryption Martin Thomson
Re: Packet number encryption Ted Hardie
Re: Packet number encryption Ted Hardie
Re: Packet number encryption Christian Huitema
Re: Packet number encryption Roberto Peon
Re: Packet number encryption Martin Thomson
Re: Packet number encryption Christian Huitema
Re: Packet number encryption Jana Iyengar
RE: Packet number encryption Roni Even (A)
Re: Packet number encryption Brian Trammell (IETF)
Re: Packet number encryption Roberto Peon
Re: Packet number encryption Roberto Peon
Re: Packet number encryption Martin Duke
Re: Packet number encryption Kazuho Oku
Re: Packet number encryption Christian Huitema
Re: Packet number encryption Brian Trammell (IETF)
Re: Packet number encryption Mikkel Fahnøe Jørgensen
Re: Packet number encryption Mirja Kühlewind
Re: Packet number encryption Mirja Kühlewind
Re: Packet number encryption Kazuho Oku
Re: Packet number encryption Dmitri Tikhonov
Re: Packet number encryption Brian Trammell (IETF)
Re: Packet number encryption Fossati, Thomas (Nokia - GB/Cambridge, UK)
Re: Packet number encryption Jana Iyengar
RE: Packet number encryption Piotr Galecki
Re: Re: Packet number encryption alexandre.ferrieux
Re: Packet number encryption Patrick McManus
Re: Packet number encryption Fossati, Thomas (Nokia - GB/Cambridge)
Re: Packet number encryption Stephen Farrell
Re: Packet number encryption Roberto Peon
RE: Packet number encryption Piotr Galecki
RE: Packet number encryption Roni Even (A)
RE: Packet number encryption Lubashev, Igor
RE: Packet number encryption Lubashev, Igor
RE: Packet number encryption Mikkel Fahnøe Jørgensen
Re: Packet number encryption Christian Huitema
RE: Packet number encryption Lubashev, Igor
Re: Packet number encryption Stephen Farrell
Re: Packet number encryption Fossati, Thomas (Nokia - GB/Cambridge)
Re: Packet number encryption Fossati, Thomas (Nokia - GB/Cambridge)
Re: Packet number encryption Stephen Farrell
Re: Packet number encryption Willy Tarreau
RE: Packet number encryption Praveen Balasubramanian
Re: Packet number encryption Christian Huitema
RE: Packet number encryption Praveen Balasubramanian
RE: Packet number encryption Mikkel Fahnøe Jørgensen
Re: Packet number encryption Brian Trammell (IETF)
Re: Packet number encryption Brian Trammell (IETF)
Re: Packet number encryption Brian Trammell (IETF)
Reducing ossification through protocol design (wa… Brian Trammell (IETF)
RE: Packet number encryption Praveen Balasubramanian
Re: Packet number encryption Roberto Peon
Re: Packet number encryption Roberto Peon
Re: Packet number encryption Salz, Rich
Re: Packet number encryption Jana Iyengar
RE: Packet number encryption Roni Even
Re: Packet number encryption Christian Huitema
RE: Packet number encryption Roni Even (A)
Re: Packet number encryption Roberto Peon
Re: Reducing ossification through protocol design… Gorry Fairhurst
Re: Packet number encryption Brian Trammell (IETF)
Re: Packet number encryption Kazuho Oku
RE: Packet number encryption Roni Even (A)
Re: Reducing ossification through protocol design… Mirja Kühlewind
Re: Reducing ossification through protocol design… Salz, Rich
Re: Reducing ossification through protocol design… Mirja Kühlewind
RE: Packet number encryption Praveen Balasubramanian
RE: Packet number encryption Mike Bishop
RE: Reducing ossification through protocol design… Mike Bishop
Re: Packet number encryption Jana Iyengar
Re: Packet number encryption Jana Iyengar
Re: Packet number encryption Martin Thomson
Re: Packet number encryption Ted Hardie
RE: Packet number encryption Praveen Balasubramanian
RE: Packet number encryption Praveen Balasubramanian
RE: Packet number encryption Praveen Balasubramanian
Re: Packet number encryption Marten Seemann
RE: Packet number encryption Roni Even (A)
Re: Packet number encryption Marten Seemann
Re: Packet number encryption Brian Trammell (IETF)
Re: Packet number encryption Kazuho Oku
Re: Packet number encryption Mikkel Fahnøe Jørgensen
Re: Packet number encryption Mikkel Fahnøe Jørgensen
Re: Packet number encryption Gorry Fairhurst
Explicit measurability in the QUIC wire image (wa… Brian Trammell (IETF)
Explicit measurability in the QUIC wire image (wa… Brian Trammell (IETF)
RE: Explicit measurability in the QUIC wire image… Roni Even (A)
Re: Explicit measurability in the QUIC wire image… Kazuho Oku
Re: Explicit measurability in the QUIC wire image… Mikkel Fahnøe Jørgensen
Re: Explicit measurability in the QUIC wire image… Mikkel Fahnøe Jørgensen
Re: Explicit measurability in the QUIC wire image… Mikkel Fahnøe Jørgensen
Re: Packet number encryption Mirja Kühlewind
Re: Packet number encryption Mikkel Fahnøe Jørgensen
Re: Packet number encryption Stephen Farrell
Re: Explicit measurability in the QUIC wire image… Kazuho Oku
RE: Packet number encryption Mike Bishop
Re: Packet number encryption Jana Iyengar
Re: Explicit measurability in the QUIC wire image… Mikkel Fahnøe Jørgensen
Re: Packet number encryption Mikkel Fahnøe Jørgensen
Re: Packet number encryption Eric Rescorla
Re: Explicit measurability in the QUIC wire image… Mikkel Fahnøe Jørgensen
Re: Packet number encryption Ian Swett
Re: Packet number encryption Christian Huitema
RE: Packet number encryption Praveen Balasubramanian
Re: Packet number encryption Martin Thomson
RE: Packet number encryption Praveen Balasubramanian
Re: Packet number encryption Christian Huitema
RE: Packet number encryption Praveen Balasubramanian
Re: Packet number encryption Christian Huitema
Re: Packet number encryption Marten Seemann
Re: Packet number encryption Mikkel Fahnøe Jørgensen
Re: Explicit measurability in the QUIC wire image… Mikkel Fahnøe Jørgensen
Re: Explicit measurability in the QUIC wire image… Kazuho Oku
Re: Explicit measurability in the QUIC wire image… Martin Thomson
Re: Explicit measurability in the QUIC wire image… Mikkel Fahnøe Jørgensen
Re: Explicit measurability in the QUIC wire image… Mikkel Fahnøe Jørgensen
Re: Packet number encryption Mirja Kühlewind
Re: Explicit measurability in the QUIC wire image… Mikkel Fahnøe Jørgensen
Re: Explicit measurability in the QUIC wire image… Kazuho Oku
Re: Explicit measurability in the QUIC wire image… Kazuho Oku
Re: Packet number encryption Brian Trammell (IETF)
RE: Packet number encryption Praveen Balasubramanian
Re: Explicit measurability in the QUIC wire image… Christian Huitema
Re: Explicit measurability in the QUIC wire image… Christian Huitema
Re: Explicit measurability in the QUIC wire image… Kazuho Oku
Re: Explicit measurability in the QUIC wire image… Kazuho Oku
Re: Packet number encryption Victor Vasiliev
Re: Packet number encryption Salz, Rich
RE: Packet number encryption Praveen Balasubramanian
RE: Packet number encryption Mike Bishop
Re: Packet number encryption Christian Huitema
RE: Packet number encryption Praveen Balasubramanian
RE: Packet number encryption Praveen Balasubramanian
RE: Packet number encryption Praveen Balasubramanian
RE: Packet number encryption Praveen Balasubramanian
RE: Packet number encryption Mike Bishop
RE: Packet number encryption Praveen Balasubramanian
RE: Packet number encryption Praveen Balasubramanian
RE: Packet number encryption Mikkel Fahnøe Jørgensen
RE: Packet number encryption Praveen Balasubramanian
RE: Packet number encryption Mikkel Fahnøe Jørgensen
RE: Packet number encryption Mikkel Fahnøe Jørgensen
RE: Packet number encryption Mikkel Fahnøe Jørgensen
Re: Packet number encryption Salz, Rich
Re: Packet number encryption Eric Rescorla
Re: Packet number encryption Eric Rescorla
Re: Packet number encryption Mikkel Fahnøe Jørgensen
Re: Packet number encryption Eric Rescorla
Re: Packet number encryption Mikkel Fahnøe Jørgensen
Re: Packet number encryption Ian Swett
RE: Packet number encryption Praveen Balasubramanian
RE: Packet number encryption Praveen Balasubramanian
Re: Packet number encryption Salz, Rich
Re: Packet number encryption Ian Swett
RE: Packet number encryption Praveen Balasubramanian
RE: Packet number encryption Praveen Balasubramanian
Re: Packet number encryption David Benjamin
RE: Packet number encryption Praveen Balasubramanian
RE: Packet number encryption Deval, Manasi
RE: Packet number encryption Deval, Manasi
Re: Packet number encryption Victor Vasiliev
RE: Packet number encryption Mikkel Fahnøe Jørgensen
RE: Packet number encryption Praveen Balasubramanian
Re: Packet number encryption Mikkel Fahnøe Jørgensen
Re: hardware offload (was: Packet number encrypti… Ian Swett
Re: Packet number encryption Ian Swett
Re: Packet number encryption Martin Thomson
Re: Packet number encryption Mikkel Fahnøe Jørgensen
RE: Packet number encryption Praveen Balasubramanian
Re: Packet number encryption Salz, Rich
RE: Packet number encryption Praveen Balasubramanian
RE: hardware offload (was: Packet number encrypti… Praveen Balasubramanian
Re: Packet number encryption Salz, Rich
RE: Packet number encryption Mikkel Fahnøe Jørgensen
Re: Packet number encryption Victor Vasiliev
Re: hardware offload (was: Packet number encrypti… Christian Huitema
Re: Packet number encryption Mikkel Fahnøe Jørgensen
Re: Packet number encryption Mikkel Fahnøe Jørgensen
Re: hardware offload (was: Packet number encrypti… Eggert, Lars
RE: Packet number encryption Praveen Balasubramanian
RE: hardware offload (was: Packet number encrypti… Praveen Balasubramanian
RE: Packet number encryption Praveen Balasubramanian
RE: Packet number encryption Mikkel Fahnøe Jørgensen
Re: Packet number encryption Victor Vasiliev
Re: Packet number encryption Mikkel Fahnøe Jørgensen
Re: Packet number encryption Kazuho Oku
Re: Packet number encryption Mikkel Fahnøe Jørgensen
Re: Packet number encryption Mikkel Fahnøe Jørgensen
Re: Packet number encryption Mikkel Fahnøe Jørgensen
Re: Packet number encryption Mikkel Fahnøe Jørgensen
Re: Packet number encryption Mikkel Fahnøe Jørgensen
Re: Packet number encryption Mikkel Fahnøe Jørgensen