RE: Packet number encryption
Praveen Balasubramanian <pravb@microsoft.com> Fri, 09 February 2018 07:26 UTC
Return-Path: <pravb@microsoft.com>
X-Original-To: quic@ietfa.amsl.com
Delivered-To: quic@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A7A1712741D for <quic@ietfa.amsl.com>; Thu, 8 Feb 2018 23:26:05 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.469
X-Spam-Level:
X-Spam-Status: No, score=0.469 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, GB_ABOUTYOU=0.5, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=1.989, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=microsoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gSaqCnFrMvDM for <quic@ietfa.amsl.com>; Thu, 8 Feb 2018 23:26:02 -0800 (PST)
Received: from NAM01-BY2-obe.outbound.protection.outlook.com (mail-by2nam01on0135.outbound.protection.outlook.com [104.47.34.135]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4DB98124234 for <quic@ietf.org>; Thu, 8 Feb 2018 23:26:02 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=CUDyPD/Mcq8L2A2/8hS6186mNTStd0cHhpWIYRiaLTA=; b=AKCxw8MZTbZ+Udg7hrXg1xakqGb5vYikL2PxbDoNZzcaDaRVxjeDE02WGMXBkIiyDShwJimRfrcxbq1Qn77v0E7fN5Fu0OY0vSBXxEntX3pl68wH5gDwchkaVA9YgU2gL7C5d82Jgekha4FWkYIkLUvqu3WTMFHXVfBj3mTfLb4=
Received: from CY4PR21MB0133.namprd21.prod.outlook.com (10.173.189.15) by CY4PR21MB0632.namprd21.prod.outlook.com (10.175.115.22) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.506.3; Fri, 9 Feb 2018 07:25:42 +0000
Received: from CY4PR21MB0133.namprd21.prod.outlook.com ([fe80::f4bd:bebf:7ea5:7dc5]) by CY4PR21MB0133.namprd21.prod.outlook.com ([fe80::f4bd:bebf:7ea5:7dc5%6]) with mapi id 15.20.0506.011; Fri, 9 Feb 2018 07:25:42 +0000
From: Praveen Balasubramanian <pravb@microsoft.com>
To: Mikkel Fahnøe Jørgensen <mikkelfj@gmail.com>, Mike Bishop <mbishop@evequefou.be>, "quic@ietf.org" <quic@ietf.org>, huitema <huitema@huitema.net>
Subject: RE: Packet number encryption
Thread-Topic: Packet number encryption
Thread-Index: AQHTmW31V+0GAWpR/E2VqOCVLx9SYqOMgUQAgABeoYCAAAgUAIAAd3KAgAA8YgCAACPEAIAAAiYAgAOBloCAALfdgIAACBkAgAEGGACAANx9AIAAn5KAgAB7w4CAADUigIAADBeAgADUsaCAAGk3gIAAEEgAgACizACAADhiAIAAHkiAgAADUYCAACdFAIAAVRYAgAAUZQCAAA5oAIAAD4fQgABGjACAAAGHQIAACNQAgAAAqaCAAAeBgIAAC4qAgACi02CAAe6PgIAACzgAgAARh3CAAEwGwIAADioAgAARigCAAABaEA==
Date: Fri, 09 Feb 2018 07:25:42 +0000
Message-ID: <CY4PR21MB0133F887774049426C51145DB6F20@CY4PR21MB0133.namprd21.prod.outlook.com>
References: <CABkgnnVyo3MmWtVULiV=FJTnR528qfY8-OmKGWAs0bCvri-a_g@mail.gmail.com> <CAGD1bZauKbucs_5n7RQbK8H2HiyfiqpGVEcKreGA6umhMBSFgg@mail.gmail.com> <CABcZeBPNrc-9vANSH02r++p53s6gN4pVB8DMd80nUxOhKTp3dA@mail.gmail.com> <CAKcm_gMvHSBhpUvsQCCkV2_o+d_wchF3R3L6H8mp6nKNaaRmSw@mail.gmail.com> <CY4PR21MB0133CCAA6807469BA983D00BB6FC0@CY4PR21MB0133.namprd21.prod.outlook.com> <CABkgnnW4xr_YzpsvCxaJJgcQdBTuX=Yv735_sdd4VoMfji8mbA@mail.gmail.com> <CY4PR21MB0133C759D4A08A4988B641B2B6FC0@CY4PR21MB0133.namprd21.prod.outlook.com> <bdf88936-8edc-d56e-ee59-c9d597058edd@huitema.net> <CY4PR21MB01337C8A700E58B49D90B712B6FC0@CY4PR21MB0133.namprd21.prod.outlook.com> <119b3276-5799-1cc3-8982-7479171bbf27@huitema.net> <CAOYVs2pi8-NVuS+crNMfjsP-n5upK3=5tPeQ8OSGpOvL6RTrjA@mail.gmail.com> <CY4PR21MB0133A1117B2733BBCF049C5FB6FC0@CY4PR21MB0133.namprd21.prod.outlook.com> <MWHPR08MB24327A7BB5AE1AE70FE5CDB1DAF30@MWHPR08MB2432.namprd08.prod.outlook.com> <533a0a2e-3a87-b55f-84ce-c52bc03cd81c@huitema.net> <MWHPR21MB0144C68102972A668611E1FCB6F20@MWHPR21MB0144.namprd21.prod.outlook.com> <CY4PR21MB01332141C3563ABBA240C566B6F20@CY4PR21MB0133.namprd21.prod.outlook.com> <MWHPR08MB2432EAF7D176BBFCA28DF3FFDAF20@MWHPR08MB2432.namprd08.prod.outlook.com> <CAN1APdeUzoxMaA-U6Ls4q_hw1b4BXZzwOCvo2dGm=s8YTokWAQ@mail.gmail.com>
In-Reply-To: <CAN1APdeUzoxMaA-U6Ls4q_hw1b4BXZzwOCvo2dGm=s8YTokWAQ@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [2001:4898:80e8:6::712]
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1; CY4PR21MB0632; 7:0+PqKv/U0yuFsWsINO6YAAH3CsieytwMeoIYdu1CmUp/Ejw7DrkaxPEd/0WQDrVf428PiYVOkaiaU/p3KsCArRFrh1aJtPRwSa4edzLH2XNZ0E9nEJXQBVT4RBOMq5qGlaNh9mGy8eFEIOpIBw0Hg3539jkrmfY76h6AewaAbhqBxV6sJ4JaYnYqfn4uvLd3uGw06YaEx992Q4Ty3VThEUYQH2TutKRfQnseEeXLuGIMbXPSK0stZe84BElBPDD/
x-ms-exchange-antispam-srfa-diagnostics: SSOS;
x-ms-office365-filtering-ht: Tenant
x-ms-office365-filtering-correlation-id: d3f9b41d-a9b0-448f-b1dd-08d56f8e53c6
x-microsoft-antispam: UriScan:; BCL:0; PCL:0; RULEID:(7020095)(4652020)(4534165)(4627221)(201703031133081)(201702281549075)(48565401081)(5600026)(4604075)(3008032)(2017052603307)(7193020); SRVR:CY4PR21MB0632;
x-ms-traffictypediagnostic: CY4PR21MB0632:
x-ld-processed: 72f988bf-86f1-41af-91ab-2d7cd011db47,ExtAddr
x-microsoft-antispam-prvs: <CY4PR21MB06320E0734946D8585E64D90B6F20@CY4PR21MB0632.namprd21.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(28532068793085)(108984395545644)(89211679590171)(189930954265078)(85827821059158)(219752817060721)(21748063052155)(228905959029699);
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(61425038)(6040501)(2401047)(5005006)(8121501046)(3231101)(2400082)(944501161)(93006095)(93001095)(3002001)(10201501046)(6055026)(61426038)(61427038)(6041288)(20161123564045)(20161123558120)(20161123562045)(20161123560045)(201703131423095)(201702281528075)(20161123555045)(201703061421075)(201703061406153)(6072148)(201708071742011); SRVR:CY4PR21MB0632; BCL:0; PCL:0; RULEID:; SRVR:CY4PR21MB0632;
x-forefront-prvs: 057859F9C5
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(366004)(376002)(39380400002)(396003)(346002)(39860400002)(377424004)(189003)(199004)(316002)(102836004)(6506007)(59450400001)(7696005)(22452003)(7736002)(76176011)(966005)(5250100002)(110136005)(97736004)(8676002)(2501003)(106356001)(74316002)(93886005)(6116002)(790700001)(561944003)(6346003)(8936002)(3480700004)(606006)(81156014)(81166006)(33656002)(478600001)(9686003)(236005)(3280700002)(99286004)(6306002)(54896002)(3660700001)(19609705001)(68736007)(2906002)(10090500001)(10290500003)(39060400002)(14454004)(8990500004)(2950100002)(7116003)(229853002)(55016002)(5660300001)(186003)(25786009)(53546011)(86362001)(53936002)(6246003)(6436002)(105586002)(2900100001)(86612001); DIR:OUT; SFP:1102; SCL:1; SRVR:CY4PR21MB0632; H:CY4PR21MB0133.namprd21.prod.outlook.com; FPR:; SPF:None; PTR:InfoNoRecords; MX:1; A:1; LANG:en;
received-spf: None (protection.outlook.com: microsoft.com does not designate permitted sender hosts)
authentication-results: spf=none (sender IP is ) smtp.mailfrom=pravb@microsoft.com;
x-microsoft-antispam-message-info: IjQN8Lv0rwjlPcMdXH13D+3xXSO8vwzCHCjQRVfZ/3rG3iDBRjYaqDteqjbVBZSGtCIjJTi61EsAQYva2nZ3+w==
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: multipart/alternative; boundary="_000_CY4PR21MB0133F887774049426C51145DB6F20CY4PR21MB0133namp_"
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
X-MS-Exchange-CrossTenant-Network-Message-Id: d3f9b41d-a9b0-448f-b1dd-08d56f8e53c6
X-MS-Exchange-CrossTenant-originalarrivaltime: 09 Feb 2018 07:25:42.2956 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47
X-MS-Exchange-Transport-CrossTenantHeadersStamped: CY4PR21MB0632
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic/46juM_1SWBUu9IDSHD6a_aYiVKI>
X-BeenThere: quic@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Main mailing list of the IETF QUIC working group <quic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic>, <mailto:quic-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic/>
List-Post: <mailto:quic@ietf.org>
List-Help: <mailto:quic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic>, <mailto:quic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 09 Feb 2018 07:26:06 -0000
The proposal is to keep the PN in encrypted portion of header and use a dedicated nonce in plain text. If non-repeating nonce is needed with that probability then we will need much larger nonce since 10 Gbps+ rates are common in the datacenter. A nonce can simply be generated using PRNG. Why does the peer’s PRNG matter? The peer uses a different PN space. The jumps are completely determined by the sender as needed and its just to prevent ossification of assuming that nonce always increments by 1. From: Mikkel Fahnøe Jørgensen [mailto:mikkelfj@gmail.com] Sent: Thursday, February 8, 2018 11:22 PM To: Praveen Balasubramanian <pravb@microsoft.com>; Mike Bishop <mbishop@evequefou.be>; quic@ietf.org; huitema <huitema@huitema.net> Subject: RE: Packet number encryption You can’t safely reuse the combination of nonce and key, IIUC. Since key rollover is infrequent, the nonce has to change every packet and be guaranteed unique over the lifetime of, if not the connection, at least the current key. For CTR mode encryption which AES-GCM is, it is extremely bad to reuse the nonce. But it is still permitted if nonce only repeats with very low probability, like 2^-32 or so, don’t recall. This means that using a crypto hashed packet numbers as a nonce is an option, but a homegrown obfuscation is not. As to hashing the packet number instead of encrypting, there is hardly any worthwhile hash that is faster than using AES, but precomputing the AES over several blocks as Mike and I have suggested earlier, is an option unless you expect large losses where a small lookup table is insufficient on average. I share the concern on relying on the a peers weak PRNG for packet jumps etc. especially if it is not the same as the crypto PRNG because if that is broken, it doesn’t matter anyway. As the the 1% number - it is the only real life data we have, but I already argued that the overhead can much higher in low-latency operations with short packets. It has also been argued that packet number is lower than AEAD because it is shorter, but encrypting 64 bytes AEAD for a message is the same as encrypting 16 bytes packet number because of instruction level parallelism on current Intel hardware. You can see how the performance increases with data length in appendix A https://software.intel.com/sites/default/files/m/d/4/1/d/8/10TB24_Breakthrough_AES_Performance_with_Intel_AES_New_Instructions.final.secure.pdf<https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fsoftware.intel.com%2Fsites%2Fdefault%2Ffiles%2Fm%2Fd%2F4%2F1%2Fd%2F8%2F10TB24_Breakthrough_AES_Performance_with_Intel_AES_New_Instructions.final.secure.pdf&data=04%7C01%7Cpravb%40microsoft.com%7C20e615aa80de43354ae108d56f8dd2c9%7Cee3303d7fb734b0c8589bcd847f1c277%7C1%7C1%7C636537577282331419%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwifQ%3D%3D%7C-1&sdata=2Sh%2BzP6WC7fBGrKwUHUh4CEJTe2hWk3bR8ZAN%2BQcD1c%3D&reserved=0> Mikkel On 9 February 2018 at 07.19.32, Mike Bishop (mbishop@evequefou.be<mailto:mbishop@evequefou.be>) wrote: You can’t safely reuse the combination of nonce and key, IIUC. Since key rollover is infrequent, the nonce has to change every packet and be guaranteed unique over the lifetime of, if not the connection, at least the current key. Since packet numbers also don’t repeat over the lifetime of the connection, I think using one as the variable part of the other was just taking advantage of the alignment. I don’t think having a randomized starting value and incrementing is necessarily any better than exposing the packet number. Having a PRNG seed established during the handshake and making the visible thing the next random output seems potentially interesting, but I’d want our more crypto-minded friends to comment. I think the real issue would be guarantees about never-repeating from the PRNG, particularly as you don’t have guarantees about your peer’s implementation. A defined key derivation and a counter can be verified in the protocol, independent of how good the peer’s PRNG is. From: QUIC [mailto:quic-bounces@ietf.org<mailto:quic-bounces@ietf.org>] On Behalf Of Praveen Balasubramanian Sent: Thursday, February 8, 2018 9:40 PM To: huitema <huitema@huitema.net<mailto:huitema@huitema.net>>; quic@ietf.org<mailto:quic@ietf.org> Subject: RE: Packet number encryption Actually taking a step back what if we don’t we overloaded packet number as the nonce? Can we: 1. Put packet number as a separate variable length field in the encrypted portion of the header. This allows for growth beyond 64 bits in future and completely avoids ossification. For short lived flows variable length encoding leads to minimal space overhead. 2. Put a separate plaintext nonce which starts out as a secure random number and monotonically increases as short random jumps (every packet or every few packets) and could then rollover. This will prevent linkability and scales to multi-path as well. No major compute overhead. We can also make the nonce optional for crypto algorithms that do not need a nonce saving more space. Some MSB of the nonce could be used for signaling reorder to the network if needed. I don’t have the historical context for overloading of PN as the nonce so pardon me if un-overloading option was discussed and ruled out before. From: QUIC [mailto:quic-bounces@ietf.org] On Behalf Of Praveen Balasubramanian Sent: Thursday, February 8, 2018 5:51 PM To: huitema <huitema@huitema.net<mailto:huitema@huitema.net>>; quic@ietf.org<mailto:quic@ietf.org> Subject: RE: Packet number encryption >> and using separate packet sequences for each path This alone prevents linkability right? >> The packet number on each path will start at 1 (or maybe 0 ;-). Is supporting multiple paths at the same time a goal? If yes, then yes all paths will need to have separate tracking and ACK state and congestion control etc. I thought this is not part of V1 RFC. If its just one additional path for connection migration scenario then all you need is a (random) jump to a offset in packet number space for the new path so that the few packets in the old path can continue for a little bit. This works with just one ACK space so no implementation complexity. >> 2) Or, leaving the packet number in the clear but using different encryption contexts for each path, and using separate packet sequences for each path. In addition if the value in the clear was obfuscated with an XOR transform it will help prevent ossification. The obfuscation is not meant to guard against later analysis that reveals the packet numbers - why do we care about that. It is meant to grease the space and not make the numbers serial so middleboxes cannot assume ordering etc. All said if I am alone in being concerned about the perf hit then I’d say go on with option 1. From: QUIC [mailto:quic-bounces@ietf.org] On Behalf Of Christian Huitema Sent: Thursday, February 8, 2018 3:54 PM To: quic@ietf.org<mailto:quic@ietf.org> Subject: Re: Packet number encryption On 2/8/2018 1:13 PM, Mike Bishop wrote: #2 won’t work. The packet number is an input to the AEAD nonce, so you have to get to the packet number before you can decrypt the payload. It can’t be based on anything internal to the encrypted packet. In Martin’s proposal, it’s using a combination of the encrypted payload (which requires nothing to access) and some stored state on each endpoint, which requires only the Connection ID to look up. You want the thing you XOR by to be constantly changing, or it becomes easier to look at sequences of obfuscated packet numbers and start drawing inferences about what the XOR value is. If overhead is the primary concern, I think there are a couple approaches that might allow you to precompute values and amortize the cost of doing the encryption step. (At the cost of keeping the table of precomputed values, of course.) I still think Jana’s pushing in the right direction here: Let’s agree on goals, and then see if we can craft a design that meets those goals. I hear you saying that low overhead is a goal, which I think we can all agree on. I also think I hear you saying that 1-1.5% overhead is too high, but it sounds like there’s less agreement on that. You also raise an interesting point that some clients will care less about linkability because they will never intentionally migrate. I think Victor said it best, "Obfuscation is just encryption done poorly." Either we encrypt, or we don't. But there is no such thing as an obfuscation middle-ground. Obfuscation would just be a speed bump, easily broken. It won't provide privacy, and it won't prevent linkability. As far as I am concerned, there are only two designs that prevent linkability: 1) Martin's PR, in which the packet number is encrypted using sensible crypto; 2) Or, leaving the packet number in the clear but using different encryption contexts for each path, and using separate packet sequences for each path. The second option requires more computation when explicitly setting up a new path. The connection ID would be used as part of the "salt" when deriving connection contexts. The packet number on each path will start at 1 (or maybe 0 ;-). This requires maintaining separate SACK dashboards for each path/Connection-ID, and constraining ACK to be per/path, or alternatively adding a PATH-ACK frame that indicates the path for which packets are acked. The pros and cons of the two options are easy to get: 1) Option 2 does not require the cost of encrypting every packet, thus per packet processing will be maybe 1% faster than option 1. 2) Option 2 requires computing encryption contexts for each path, which is more complex than option 1, but the cost will be amortized over the duration of the path. 3) Option 2 requires more complex data structures and ACK management, thus increasing the chances that something goes wrong. 4) Option 2 does nothing against packet number ossification. The packet number effectively becomes part of the invariants. In short, the only advantage of option 2 is to avoid a single symmetric encryption operation per packet, while making the code significantly more complex, and at the cost of not protecting against PN ossification. The way I see that, there is hardly any debate. -- Christian Huitema
- Packet number encryption Martin Thomson
- Re: Packet number encryption Ian Swett
- Re: Packet number encryption Brian Trammell (IETF)
- Re: Packet number encryption Eric Rescorla
- Re: Packet number encryption Christian Huitema
- Re: Packet number encryption Martin Thomson
- Re: Packet number encryption Mirja Kühlewind
- Re: Packet number encryption Gorry Fairhurst
- Re: Packet number encryption Brian Trammell (IETF)
- Re: Packet number encryption Eggert, Lars
- Re: Packet number encryption Brian Trammell (IETF)
- Re: Packet number encryption Martin Thomson
- Re: Packet number encryption Mikkel Fahnøe Jørgensen
- Re: Packet number encryption Martin Thomson
- Re: Packet number encryption Roberto Peon
- Re: Packet number encryption Martin Thomson
- Re: Packet number encryption Ted Hardie
- Re: Packet number encryption Ted Hardie
- Re: Packet number encryption Christian Huitema
- Re: Packet number encryption Roberto Peon
- Re: Packet number encryption Martin Thomson
- Re: Packet number encryption Christian Huitema
- Re: Packet number encryption Jana Iyengar
- RE: Packet number encryption Roni Even (A)
- Re: Packet number encryption Brian Trammell (IETF)
- Re: Packet number encryption Roberto Peon
- Re: Packet number encryption Roberto Peon
- Re: Packet number encryption Martin Duke
- Re: Packet number encryption Kazuho Oku
- Re: Packet number encryption Christian Huitema
- Re: Packet number encryption Brian Trammell (IETF)
- Re: Packet number encryption Mikkel Fahnøe Jørgensen
- Re: Packet number encryption Mirja Kühlewind
- Re: Packet number encryption Mirja Kühlewind
- Re: Packet number encryption Kazuho Oku
- Re: Packet number encryption Dmitri Tikhonov
- Re: Packet number encryption Brian Trammell (IETF)
- Re: Packet number encryption Fossati, Thomas (Nokia - GB/Cambridge, UK)
- Re: Packet number encryption Jana Iyengar
- RE: Packet number encryption Piotr Galecki
- Re: Re: Packet number encryption alexandre.ferrieux
- Re: Packet number encryption Patrick McManus
- Re: Packet number encryption Fossati, Thomas (Nokia - GB/Cambridge)
- Re: Packet number encryption Stephen Farrell
- Re: Packet number encryption Roberto Peon
- RE: Packet number encryption Piotr Galecki
- RE: Packet number encryption Roni Even (A)
- RE: Packet number encryption Lubashev, Igor
- RE: Packet number encryption Lubashev, Igor
- RE: Packet number encryption Mikkel Fahnøe Jørgensen
- Re: Packet number encryption Christian Huitema
- RE: Packet number encryption Lubashev, Igor
- Re: Packet number encryption Stephen Farrell
- Re: Packet number encryption Fossati, Thomas (Nokia - GB/Cambridge)
- Re: Packet number encryption Fossati, Thomas (Nokia - GB/Cambridge)
- Re: Packet number encryption Stephen Farrell
- Re: Packet number encryption Willy Tarreau
- RE: Packet number encryption Praveen Balasubramanian
- Re: Packet number encryption Christian Huitema
- RE: Packet number encryption Praveen Balasubramanian
- RE: Packet number encryption Mikkel Fahnøe Jørgensen
- Re: Packet number encryption Brian Trammell (IETF)
- Re: Packet number encryption Brian Trammell (IETF)
- Re: Packet number encryption Brian Trammell (IETF)
- Reducing ossification through protocol design (wa… Brian Trammell (IETF)
- RE: Packet number encryption Praveen Balasubramanian
- Re: Packet number encryption Roberto Peon
- Re: Packet number encryption Roberto Peon
- Re: Packet number encryption Salz, Rich
- Re: Packet number encryption Jana Iyengar
- RE: Packet number encryption Roni Even
- Re: Packet number encryption Christian Huitema
- RE: Packet number encryption Roni Even (A)
- Re: Packet number encryption Roberto Peon
- Re: Reducing ossification through protocol design… Gorry Fairhurst
- Re: Packet number encryption Brian Trammell (IETF)
- Re: Packet number encryption Kazuho Oku
- RE: Packet number encryption Roni Even (A)
- Re: Reducing ossification through protocol design… Mirja Kühlewind
- Re: Reducing ossification through protocol design… Salz, Rich
- Re: Reducing ossification through protocol design… Mirja Kühlewind
- RE: Packet number encryption Praveen Balasubramanian
- RE: Packet number encryption Mike Bishop
- RE: Reducing ossification through protocol design… Mike Bishop
- Re: Packet number encryption Jana Iyengar
- Re: Packet number encryption Jana Iyengar
- Re: Packet number encryption Martin Thomson
- Re: Packet number encryption Ted Hardie
- RE: Packet number encryption Praveen Balasubramanian
- RE: Packet number encryption Praveen Balasubramanian
- RE: Packet number encryption Praveen Balasubramanian
- Re: Packet number encryption Marten Seemann
- RE: Packet number encryption Roni Even (A)
- Re: Packet number encryption Marten Seemann
- Re: Packet number encryption Brian Trammell (IETF)
- Re: Packet number encryption Kazuho Oku
- Re: Packet number encryption Mikkel Fahnøe Jørgensen
- Re: Packet number encryption Mikkel Fahnøe Jørgensen
- Re: Packet number encryption Gorry Fairhurst
- Explicit measurability in the QUIC wire image (wa… Brian Trammell (IETF)
- Explicit measurability in the QUIC wire image (wa… Brian Trammell (IETF)
- RE: Explicit measurability in the QUIC wire image… Roni Even (A)
- Re: Explicit measurability in the QUIC wire image… Kazuho Oku
- Re: Explicit measurability in the QUIC wire image… Mikkel Fahnøe Jørgensen
- Re: Explicit measurability in the QUIC wire image… Mikkel Fahnøe Jørgensen
- Re: Explicit measurability in the QUIC wire image… Mikkel Fahnøe Jørgensen
- Re: Packet number encryption Mirja Kühlewind
- Re: Packet number encryption Mikkel Fahnøe Jørgensen
- Re: Packet number encryption Stephen Farrell
- Re: Explicit measurability in the QUIC wire image… Kazuho Oku
- RE: Packet number encryption Mike Bishop
- Re: Packet number encryption Jana Iyengar
- Re: Explicit measurability in the QUIC wire image… Mikkel Fahnøe Jørgensen
- Re: Packet number encryption Mikkel Fahnøe Jørgensen
- Re: Packet number encryption Eric Rescorla
- Re: Explicit measurability in the QUIC wire image… Mikkel Fahnøe Jørgensen
- Re: Packet number encryption Ian Swett
- Re: Packet number encryption Christian Huitema
- RE: Packet number encryption Praveen Balasubramanian
- Re: Packet number encryption Martin Thomson
- RE: Packet number encryption Praveen Balasubramanian
- Re: Packet number encryption Christian Huitema
- RE: Packet number encryption Praveen Balasubramanian
- Re: Packet number encryption Christian Huitema
- Re: Packet number encryption Marten Seemann
- Re: Packet number encryption Mikkel Fahnøe Jørgensen
- Re: Explicit measurability in the QUIC wire image… Mikkel Fahnøe Jørgensen
- Re: Explicit measurability in the QUIC wire image… Kazuho Oku
- Re: Explicit measurability in the QUIC wire image… Martin Thomson
- Re: Explicit measurability in the QUIC wire image… Mikkel Fahnøe Jørgensen
- Re: Explicit measurability in the QUIC wire image… Mikkel Fahnøe Jørgensen
- Re: Packet number encryption Mirja Kühlewind
- Re: Explicit measurability in the QUIC wire image… Mikkel Fahnøe Jørgensen
- Re: Explicit measurability in the QUIC wire image… Kazuho Oku
- Re: Explicit measurability in the QUIC wire image… Kazuho Oku
- Re: Packet number encryption Brian Trammell (IETF)
- RE: Packet number encryption Praveen Balasubramanian
- Re: Explicit measurability in the QUIC wire image… Christian Huitema
- Re: Explicit measurability in the QUIC wire image… Christian Huitema
- Re: Explicit measurability in the QUIC wire image… Kazuho Oku
- Re: Explicit measurability in the QUIC wire image… Kazuho Oku
- Re: Packet number encryption Victor Vasiliev
- Re: Packet number encryption Salz, Rich
- RE: Packet number encryption Praveen Balasubramanian
- RE: Packet number encryption Mike Bishop
- Re: Packet number encryption Christian Huitema
- RE: Packet number encryption Praveen Balasubramanian
- RE: Packet number encryption Praveen Balasubramanian
- RE: Packet number encryption Praveen Balasubramanian
- RE: Packet number encryption Praveen Balasubramanian
- RE: Packet number encryption Mike Bishop
- RE: Packet number encryption Praveen Balasubramanian
- RE: Packet number encryption Praveen Balasubramanian
- RE: Packet number encryption Mikkel Fahnøe Jørgensen
- RE: Packet number encryption Praveen Balasubramanian
- RE: Packet number encryption Mikkel Fahnøe Jørgensen
- RE: Packet number encryption Mikkel Fahnøe Jørgensen
- RE: Packet number encryption Mikkel Fahnøe Jørgensen
- Re: Packet number encryption Salz, Rich
- Re: Packet number encryption Eric Rescorla
- Re: Packet number encryption Eric Rescorla
- Re: Packet number encryption Mikkel Fahnøe Jørgensen
- Re: Packet number encryption Eric Rescorla
- Re: Packet number encryption Mikkel Fahnøe Jørgensen
- Re: Packet number encryption Ian Swett
- RE: Packet number encryption Praveen Balasubramanian
- RE: Packet number encryption Praveen Balasubramanian
- Re: Packet number encryption Salz, Rich
- Re: Packet number encryption Ian Swett
- RE: Packet number encryption Praveen Balasubramanian
- RE: Packet number encryption Praveen Balasubramanian
- Re: Packet number encryption David Benjamin
- RE: Packet number encryption Praveen Balasubramanian
- RE: Packet number encryption Deval, Manasi
- RE: Packet number encryption Deval, Manasi
- Re: Packet number encryption Victor Vasiliev
- RE: Packet number encryption Mikkel Fahnøe Jørgensen
- RE: Packet number encryption Praveen Balasubramanian
- Re: Packet number encryption Mikkel Fahnøe Jørgensen
- Re: hardware offload (was: Packet number encrypti… Ian Swett
- Re: Packet number encryption Ian Swett
- Re: Packet number encryption Martin Thomson
- Re: Packet number encryption Mikkel Fahnøe Jørgensen
- RE: Packet number encryption Praveen Balasubramanian
- Re: Packet number encryption Salz, Rich
- RE: Packet number encryption Praveen Balasubramanian
- RE: hardware offload (was: Packet number encrypti… Praveen Balasubramanian
- Re: Packet number encryption Salz, Rich
- RE: Packet number encryption Mikkel Fahnøe Jørgensen
- Re: Packet number encryption Victor Vasiliev
- Re: hardware offload (was: Packet number encrypti… Christian Huitema
- Re: Packet number encryption Mikkel Fahnøe Jørgensen
- Re: Packet number encryption Mikkel Fahnøe Jørgensen
- Re: hardware offload (was: Packet number encrypti… Eggert, Lars
- RE: Packet number encryption Praveen Balasubramanian
- RE: hardware offload (was: Packet number encrypti… Praveen Balasubramanian
- RE: Packet number encryption Praveen Balasubramanian
- RE: Packet number encryption Mikkel Fahnøe Jørgensen
- Re: Packet number encryption Victor Vasiliev
- Re: Packet number encryption Mikkel Fahnøe Jørgensen
- Re: Packet number encryption Kazuho Oku
- Re: Packet number encryption Mikkel Fahnøe Jørgensen
- Re: Packet number encryption Mikkel Fahnøe Jørgensen
- Re: Packet number encryption Mikkel Fahnøe Jørgensen
- Re: Packet number encryption Mikkel Fahnøe Jørgensen
- Re: Packet number encryption Mikkel Fahnøe Jørgensen
- Re: Packet number encryption Mikkel Fahnøe Jørgensen