RE: Getting to consensus on packet number encryption

[Mike Bishop <mbishop@evequefou.be>]

At this point, I think we have multiple paths forward, pun intended.

(1) - Packet number encryption.  #1079's challenges have been amply discussed, though it's not the only possibility in this space.

(2) - Per-CID offset for obfuscation.  Rather than specifying a packet number gap, specify a number that will be added to the actual packet number for any frames sent with that CID.  This allows the path to observe, per CID, monotonically-increasing packet numbers without necessarily being able to recover the true packet number.

(3) - Status quo.


Problems I'm wrestling with:

- Specification holes.  With my editor's hat only half-on (since I'm not an editor on this particular document), I'll note that there are a number of thorny issues with (3) in the current drafts that just go away if packet numbers are encrypted.  The current obfuscation method, packet number gaps, simply does not play well with the connection migration design we chose.  Gaps assume a continuous monotonic progression through CIDs which are never used again once you've ever seen a packet with the next CID, and don't accommodate the possibility that you might be using different CIDs on different paths at the same time for probing.  This is the driving issue at the moment -- if the WG chooses (3), we then need to run these other issues to ground, which will not be quick.

- Linkability.  With (2), if an observer sees the beginning of the connection, they can figure out the offset for that CID, then track the packet number as long as that CID is in use, then make a fairly accurate guess about the offset of the next CID they see, if they're able to otherwise correlate them.  There is some correlation that can be made by the fact that one CID disappears and another one appears on (potentially) the same 4-tuple, of course.  (1) might let an implementation mask that by using more than one CID at once to blur the boundaries a little bit, but (2) would make that attempt obvious because the middlebox would be able to observe gaps that neatly fit the other CID's observed packet counts.

- "Helpfulness."  With TCP, we see boxes that try to "help" by correcting packets which appear to be out of order.  The principle we've followed so far is that we want to leave all transport-related activities in the end hosts, and we actively don't want "helpful" middle devices, because when such a device sees a gap (because some packet was sent on a different path) it interprets it either as loss or as something that needs to trigger corrective action on its part.  This only gets worse when we move from migration support to full multipath.  That's what forced MP-TCP into a per-path sequence number in addition to a global sequence number.  I think we'd prefer to avoid having both in QUIC.  (2) exposes the same increasing sequence to middleboxes, inviting them to attempt helpfulness in the same way, and likely creating the same problems that MP-TCP encountered.

- Cost.  (1) fundamentally consumes more CPU, and that's a drawback.  There have been workarounds proposed to the offload problem (e.g. pre-compute and throw away some of the encryption so that the hardware doesn't have to do two passes), but it fundamentally costs more CPU and is harder to offload.  This in turn means more CapEx for those who would deploy QUIC on the server side, with the risk of slower adoption as a result.

When you get right down to it, I'm sympathetic to the cost argument, but it doesn't outweigh the other two.  A given server can (I presume) sustain dramatically more Telnet connections than it can SSH connections, but people who advocate continuing to use Telnet for that reason are roundly ridiculed.  SSH has a different, better security profile and those differences justify the cost.  TCP versus QUIC seems similar.

As a result, I believe that the reasonable path forward must be (1).  Not necessarily in the form of #1079 -- if there's a more offload-friendly or CPU-efficient way to do it, I'm all for it.  But let's start there and move forward.  If a path signal becomes necessary, that's a separate discussion.

-----Original Message-----
From: QUIC <quic-bounces@ietf.org> On Behalf Of Mark Nottingham
Sent: Tuesday, April 3, 2018 9:58 PM
To: IETF QUIC WG <quic@ietf.org>
Cc: Lars Eggert <lars@eggert.org>
Subject: Getting to consensus on packet number encryption

Hi everyone,

The editors have told your chairs that this issue is starting to block progress on other aspects of QUIC. Coming to consensus on it soon (i.e., before Stockholm, if possible) would be good.

It looks like this thread has come to a natural pause. Reading through it, I think we agree there are some unpleasant tradeoffs here, but so far we have only one concrete proposal -- PR#1079.

My AU$.05 - While we're chartered to produce a protocol that's encrypted as much as operational concerns allow, and that privacy is a natural extension of that (especially in light of RFC7258 and RFC6973), there is no *requirement* that we produce a protocol that is able to be accelerated by hardware.

That being the case, I think we need to ask ourselves if we believe that inclusion of PR#1079 will significantly inhibit deployment of the protocol. Based on the discussion so far, that doesn't seem to be the case, but I'd be interested to hear what others think.

If we can get to consensus to incorporate the PR, and folks come back later with a more hardware-friendly replacement that doesn't change the Invariants or increase linkability, I suspect the WG will be amenable to that.

What do folks think?

Cheers,


> On 29 Mar 2018, at 11:39 am, Ian Swett <ianswett=40google.com@dmarc.ietf.org> wrote:
> 
> Thanks for the nice summary Jana.
> 
> As much as I'd love to have easier crypto HW acceleration, I've ended up arriving at the same conclusion.  I don't want to bite off the work to do proper multipath in QUIC v1, which I think is the only other reasonable option of those Christian outlined.
> 
> If someone comes up with a way to transform packet number to make it non-linkable, but doesn't have the downside of making hardware offload difficult, then I'm open to it.  But we've been talking about this for 2 months without any notable improvements over Martin's PR.
> 
> Given we never talk about any issue only once in QUIC, I'm sure this will come up again, but for the time being I think #1079 is the best option we have.
> 
> 
> 
> On Wed, Mar 28, 2018 at 8:03 PM Jana Iyengar <jri.ietf@gmail.com> wrote:
> A few quick thoughts as I catch up on this thread.
> 
> I spent some time last week working through a design using multiple PN spaces, and it is quite doable. I suspect we'll head towards multiple PN spaces as we consider multipath in the future. That said, there is complexity (as Christian notes). This complexity may be warranted when doing multipath in v2 or later, but I'm not convinced that this is necessary as a design primitive for QUICv1. 
> 
> We may want to creatively use the PN bits in v2, say to encode a path ID and a PN, for multipath. We want to retain flexibility in these bits going into v2. We've used encryption to ensure that we don't lose flexibility elsewhere in the header, and it follows that we should use PNE to retain flexibility in these bits as well. (Simplicity of design is the other value in using PNE, since handling migration linkability is non-trivial without it.)
> 
> This leaves the question of HW acceleration being at loggerheads with the design in PR #1079. First, I expect that the primary benefit of acceleration will be in DC environments. Yes, there are some gains to be had in serving the public Internet as well, but I'm unconvinced that this is the driving use case for hardware acceleration. I understand that others may disagree with me here.
> 
> AFAIK, QUIC has not been used in DC environments yet. I expect there are other things in the protocol that we'd want to change as we gain experience deploying QUIC in DCs. Spinning up a new version to try QUIC within DCs is not only appropriate, I would recommend it. This allows for rapid iterations internally, and the experience can drive subsequent changes to QUIC. It's what *I* would do if I was to deploy QUIC inside a DC.
> 
> So, in short, I think we should go ahead with PR# 1079. This ensures that future versions are guaranteed the flexibility to change the PN bits for better support of HW acceleration or multipath or what-have-you.
> 
> - jana
> 
> On Mar 26, 2018 9:41 AM, "Christian Huitema" <huitema@huitema.net> wrote:
> 
> On 3/26/2018 8:20 AM, Swindells, Thomas (Nokia - GB/Cambridge) wrote:
>> Looking at https://en.wikipedia.org/wiki/AES_instruction_set#Intel_and_AMD_x86_architecture it seems to imply a large range of server, desktop and mobile chips all have a CPU instruction set available to do AES acceleration and other similar operations (other instruction sets are also available).
>> 
>> If we are considering the AES instructions then it looks like it is (or at least will be in the near future) a sizeable proportion of the public internet have it to be used.
>> 
> 
> Certainly, but that's not the current debate. PR #1079 is fully compatible with use of the AES instructions. The issue of the debate is that the mechanism in PR #1079 required double buffering, first encrypt the payload, then use the result of the encryption to encrypt the PN. This is not an issue in a software implementation that can readily access all bytes of the packet from memory, but it may be an issue in some hardware implementations that are designed to do just one pass over the data.
> 
> 
> -- Christian Huitema
> 
> 
> 

--
Mark Nottingham   https://www.mnot.net/