Re: Hardware acceleration and packet number encryption
Eric Rescorla <ekr@rtfm.com> Sat, 24 March 2018 16:26 UTC
Return-Path: <ekr@rtfm.com>
X-Original-To: quic@ietfa.amsl.com
Delivered-To: quic@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3ED6812D7E4 for <quic@ietfa.amsl.com>; Sat, 24 Mar 2018 09:26:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id q6GMggm4Bbnm for <quic@ietfa.amsl.com>; Sat, 24 Mar 2018 09:26:37 -0700 (PDT)
Received: from mail-ot0-x22e.google.com (mail-ot0-x22e.google.com [IPv6:2607:f8b0:4003:c0f::22e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 20784127698 for <quic@ietf.org>; Sat, 24 Mar 2018 09:26:37 -0700 (PDT)
Received: by mail-ot0-x22e.google.com with SMTP id i28-v6so16439118otf.8 for <quic@ietf.org>; Sat, 24 Mar 2018 09:26:37 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=7FMOKSPh+xvTy+Mh9dbMA8S8s5ik4Gf5LUUpWQ06zO8=; b=UjbARX72exRWcohv6q70zsIglYGM8z3Q2cdxE2BnfDv5Jk6Hz8jdRC/VBIB7yua2+D +nqkKhuVGxgkjsA0YJtbvwgS4a9iqaLLrVm/keUdOcZNYkhtRxbR+fil36utoerz2NCU U+Gc5mNmf2iUX1Gkzs7Mh0Hcb8zdYEKQdNrcG+0SS36ZZtxUD44c3ylStjgKCJXUMaqc C82pyX2izRX95AswCTakTuZPyjski8EWI6l4P0ZjA+s5UwV71joGygLON2yBmnKfPUm9 3q/f6lAaHDXQc/Hfk9WhTPIv9O17M/brJ5ToG16xH49+lBKZGjcNXJmYvGD/DwvafIhq SD1w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=7FMOKSPh+xvTy+Mh9dbMA8S8s5ik4Gf5LUUpWQ06zO8=; b=LRt219X6DlWQqotrQc58iIpU9zyRWtJb+/dSPgTeEI48FyNQv4gT9r6nt529wjTeLK JTiWhq7nHmhz9z/kfhfVyrL59uzElQF+aK6IpjsomD6pLZM2j9J1By9AIPimT0DKS66+ DSiD+mHIGL2kIw5vknjdmWZHs/soUkxncxAJMUREB7fIeq/IzzpjrSGKYdN9DFiY8qOw y5vNsCwnipxE4PcN/1C8fmp2EPx58j0G+FgfcY+Q0fLRD/R2zblaf510UgxA519qdCHv F2H5oKGrG8DCeAOwUpnviBKi4QP34KZm8yKCHeIxc/CZUVsnguJ1V/9GiI9rzibnU/lR afxw==
X-Gm-Message-State: AElRT7HRP3J+iN9QaOMEGrV/PH5MBpkcrls/ov9kNS27EFF2yZZuZPUW vGqKHm6O0FU0ZxuE2EIts3QK0+EoffOtGC9zndOr+w==
X-Google-Smtp-Source: AG47ELvt1A+DxxnZ3lgMSYcy7uin1RUigjuUd7jhQ+aMGzweljieMQXsSd73o2E+CLHftcfy5nGMoGCw80sG7N96P4s=
X-Received: by 2002:a9d:222a:: with SMTP id o39-v6mr22278066ota.176.1521908796180; Sat, 24 Mar 2018 09:26:36 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.201.23.21 with HTTP; Sat, 24 Mar 2018 09:25:55 -0700 (PDT)
In-Reply-To: <F9FCC213-62B9-437C-ADF9-1277E6090317@gmail.com>
References: <7fd34142-2e14-e383-1f65-bc3ca657576c@huitema.net> <F9FCC213-62B9-437C-ADF9-1277E6090317@gmail.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Sat, 24 Mar 2018 16:25:55 +0000
Message-ID: <CABcZeBM3PfPkqVxPMcWM-Noyk=M2eCFWZw2Eq-XytbHM=0T9Uw@mail.gmail.com>
Subject: Re: Hardware acceleration and packet number encryption
To: Kazuho Oku <kazuhooku@gmail.com>
Cc: Christian Huitema <huitema@huitema.net>, IETF QUIC WG <quic@ietf.org>, "Deval, Manasi" <manasi.deval@intel.com>
Content-Type: multipart/alternative; boundary="0000000000002d5cfb05682b0156"
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic/83QwhW8UGHg0pJsEf2CHtiE9rx8>
X-BeenThere: quic@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Main mailing list of the IETF QUIC working group <quic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic>, <mailto:quic-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic/>
List-Post: <mailto:quic@ietf.org>
List-Help: <mailto:quic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic>, <mailto:quic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 24 Mar 2018 16:26:40 -0000
I think it would probably be useful to ask this question in two pieces. 1. Is PN something we would want to do if it were free from a performance perspective? 2. What are the technical options for building PN encryption, and then are the costs acceptable? My answer to #1 is "yes", but I imagine there are others who disagree. So we should probably get that out of the way. #2 obviously requires some technical thought. I am aware of three major design options: 1. One like the one in PR#1079 where you separately encrypt the PN. 2. One with an external nonce like the one Kazuho describes. 3. A more exotic solution like AERO ( https://tools.ietf.org/html/draft-mcgrew-aero-00#ref-MF07). PR#1079 has the disadvantage of double buffering. An external nonce is possible but is a bit tricky. It is critical it be nonrepeating, and if you randomly generate n-bit nonces, then the collision bound gets scarily large before 2^{n/2}. So, for instance in Kazuho's suggestion, you would be able to encrypt well less than 2^{32} packets before you needed to rekey in some way, which is pretty suboptimal. Even 96 bits is not great. The difficulty of getting this right is one reason why TLS 1.3 changed from TLS 1.2's explicit nonce to an implicit nonce based on the counter. The canonical way to generate a sequence like this is to feed a counter into a pseudo-random permutation, but our standard efficient PRP is AES, and that works on 128 bits. I'm asking cryptographers if they have a better plan. Finally, we could use a more exotic solution like AERO. The draft has details, but roughly speaking, it's like an extension of AEAD which also takes the sequence number as an input on encryption and then returns it on decryption, so you don't need a separate sequence number or nonce. Obviously this is pretty much designed for our purpose, but it's a relatively new construction and so I don't know how much analysis there has been of its security. In addition, while it's based on AES-CTR, I don't know what the performance is like in hardware. -Ekr On Sat, Mar 24, 2018 at 1:59 PM, Kazuho Oku <kazuhooku@gmail.com> wrote: > Hi Christian, > > Thank you for starting the discussion. My comments inline. > > 2018/03/24 13:18、Christian Huitema <huitema@huitema.net>のメール: > > There were a number of corridor discussions of hardware acceleration of > Quic during the IETF meeting. In particular, Manasi Deval asked many of > us our opinion about packet number encryption. From the conversation, I > understand that packet number encryption as specified would make > acceleration of Quic difficult to implement on Intel's hardware. She was > trying to convince us that privacy is an unattainable goal, and that we > should just as well ditch the linkability requirement in order to > facilitate hardware acceleration. > > > I would argue that packet number encryption and hardware offloading are > not exclusive goals. > > > The only reason the current proposed form of packet number encryption is > requiring two-path encryption is because it uses packet number as a nonce > as well. > > > That means that we can attain both goals for example by using an explicit > nonce and sending packet number as encrypted payload. The downside of such > approach will be that per-packet overhead will increase (likely by 8 > bytes or so) and that we would be required to discuss how to tackle > nonce-reuse. > > > I am not sure if providing support for **current form of** hardware is > necessary, but assuming that we decide so, I'd prefer using explicit > nonce or any other way that provides both one-path encryption and packet > number encryption. > > > I would much rather see the issue > debated in the open than in a series of 1-1 conversations. After all, > open discussion is a key tenet of the IETF. > > When I look at the potential trade-offs, I see the following, which have > been proposed at different times: > > 1- Single sequence number of all paths, starting at 0 (or 1), numbers > sent in clear text; > > 2- Single sequence number for all paths, starting at 0 (or 1), > obfuscated via a different random offset for each path. (We will assume > that the offset is tied to the connection ID used in the path.) > > 3- Single sequence number for all paths, starting at 0, combined with > packet number encryption as specified in PR1079. > > 4- Separate sequence number for each path, starting at 0 (or 1), numbers > sent in clear text. (We will assume that the there will be a separate > connection ID per path, so the combination of connection ID and sequence > number is unique.) > > 5- Single sequence number for all paths, starting at 0, combined with a > simpler packet number encryption than specified in PR1079. > > These options have different costs in term of privacy (linkability), > ossification, hardware acceleration, and software complexity. > > Having a single sequence number sent in clear text on all paths (option > 1) makes it very easy to correlate different paths. We also know that > the random offset solutions (option 2) only provide a modest defense > against linkability if the activity on two paths overlaps. It would > definitely now be adequate for multipath, and it is probably not > adequate either for the "make before break" variants of path migration. > The other variants prevent linkability either by encrypting the sequence > number, or by using different sequence numbers on different paths. > > Only encryption prevents ossification. If we send packet numbers in > clear text (option 1 or 4), or even if we use simple obfuscation (option > 2), middle-boxes can find the position of the sequence numbers by > comparing the headers of successive packets. There are high chances that > we would then see half-brained schemes, such as delaying packets for > reordering, or enforcing some kind of sequence range. This is a classic > ossification scenario. > > Packet number encryption as specified in PR 1079 relies on a two-pass > algorithm. First encrypt the packet, then use the result of the > encryption as a nonce when encrypting the sequence number. It seems that > this two-pass approach forces double buffering in the acceleration > hardware. Opinions vary about how bad that is, and hardware specialist > should really explain the problem if they believe it is important. There > may be different ways to encrypt the packet number (option 5) that do > not require double buffering, but this is merely a theoretical > possibility. Those schemes are not specified. > > Using separate packet number for each path would prevent linkability and > facilitate acceleration, but it makes the protocol and the software > significantly more complex.. > > > Actually, I think that packet number encryption makes multi-path easier. > > > Both AES and chachapoly allows up to 96-bit nonce, while we only use 64 > bits. Remaining 32 bits are left zero. In that space, we can store > path-id (that is incremented by one for every new path) to avoid > nonce-reuse. > > > By doing so, each path can start with packet number zero while using the > same encryption key for all paths. > > > It requires using different keys or IV for > different paths, and it also require management of several sequence > number spaces. Since the packet with number "3" on path 1 will not be > the same packet as number "3" on path 2, the acknowledgements will need > to be tied to a path, either implicitly because they are sent on that > path, or explicitly by tagging the ACK frame with a path specific > connection ID. We would probably need both, because in migration > scenarios it is useful to send on the new path acknowledgement of > packets received on the old path. This kinds of complexity breeds bugs > and interoperability issues. Plus, this solution does not prevent > ossification, as discussed above. > > My personal preference is to start with PR 1079, which is a sound > solution to all problems except acceleration. The acceleration issue > should be discussed in the open, and we probably want to hear from more > than one possible hardware vendor. Do all hardware makers have an issue > with double buffering, or is this just specific to one particular > architecture? Is it worth exploring alternative packet number encryption > techniques that would not have the double buffering issue? > > -- Christian Huitema > > > >
- Hardware acceleration and packet number encryption Christian Huitema
- Re: Hardware acceleration and packet number encry… Mikkel Fahnøe Jørgensen
- Re: Hardware acceleration and packet number encry… Mikkel Fahnøe Jørgensen
- Re: Hardware acceleration and packet number encry… Kazuho Oku
- Re: Hardware acceleration and packet number encry… Eric Rescorla
- Re: Hardware acceleration and packet number encry… Mikkel Fahnøe Jørgensen
- Re: Hardware acceleration and packet number encry… Kazuho Oku
- Re: Hardware acceleration and packet number encry… Mikkel Fahnøe Jørgensen
- Re: Hardware acceleration and packet number encry… Mikkel Fahnøe Jørgensen
- Re: Hardware acceleration and packet number encry… Eric Rescorla
- RE: Hardware acceleration and packet number encry… Deval, Manasi
- Re: Hardware acceleration and packet number encry… Eric Rescorla
- Re: Hardware acceleration and packet number encry… Subodh Iyengar
- Re: Hardware acceleration and packet number encry… Eric Rescorla
- Re: Hardware acceleration and packet number encry… Mikkel Fahnøe Jørgensen
- Re: Hardware acceleration and packet number encry… Christian Huitema
- Re: Hardware acceleration and packet number encry… Mikkel Fahnøe Jørgensen
- Re: Hardware acceleration and packet number encry… Mikkel Fahnøe Jørgensen
- Re: Hardware acceleration and packet number encry… Ian Swett
- Re: Hardware acceleration and packet number encry… Christian Huitema
- RE: Hardware acceleration and packet number encry… Deval, Manasi
- Re: Hardware acceleration and packet number encry… Salz, Rich
- Re: Hardware acceleration and packet number encry… Mikkel Fahnøe Jørgensen
- Re: Hardware acceleration and packet number encry… Ian Swett
- RE: Hardware acceleration and packet number encry… Swindells, Thomas (Nokia - GB/Cambridge)
- RE: Hardware acceleration and packet number encry… Deval, Manasi
- Re: Hardware acceleration and packet number encry… Christian Huitema
- Re: Hardware acceleration and packet number encry… Jana Iyengar
- Re: Hardware acceleration and packet number encry… Ian Swett
- Re: Hardware acceleration and packet number encry… Watson Ladd
- RE: Hardware acceleration and packet number encry… Praveen Balasubramanian
- RE: Hardware acceleration and packet number encry… Praveen Balasubramanian
- RE: Hardware acceleration and packet number encry… Mikkel Fahnøe Jørgensen
- RE: Hardware acceleration and packet number encry… Praveen Balasubramanian
- Re: Hardware acceleration and packet number encry… Mark Nottingham
- RE: Hardware acceleration and packet number encry… Praveen Balasubramanian
- Getting to consensus on packet number encryption Mark Nottingham
- Re: Getting to consensus on packet number encrypt… Willy Tarreau
- Re: Getting to consensus on packet number encrypt… Mirja Kühlewind
- Re: Getting to consensus on packet number encrypt… Dmitri Tikhonov
- Re: Getting to consensus on packet number encrypt… Patrick McManus
- Re: Getting to consensus on packet number encrypt… Spencer Dawkins at IETF
- Re: Getting to consensus on packet number encrypt… Patrick McManus
- Re: Getting to consensus on packet number encrypt… Brian Trammell (IETF)
- Re: Getting to consensus on packet number encrypt… Brian Trammell (IETF)
- Re: Getting to consensus on packet number encrypt… Patrick McManus
- Re: Getting to consensus on packet number encrypt… Brian Trammell (IETF)
- Re: Getting to consensus on packet number encrypt… Ted Hardie
- Re: Getting to consensus on packet number encrypt… Mirja Kühlewind
- RE: Getting to consensus on packet number encrypt… Mike Bishop
- Re: Getting to consensus on packet number encrypt… Dmitri Tikhonov
- RE: Getting to consensus on packet number encrypt… Praveen Balasubramanian
- RE: Getting to consensus on packet number encrypt… Mikkel Fahnøe Jørgensen
- RE: Getting to consensus on packet number encrypt… Praveen Balasubramanian
- RE: Getting to consensus on packet number encrypt… Praveen Balasubramanian
- RE: Getting to consensus on packet number encrypt… Lubashev, Igor
- Re: Getting to consensus on packet number encrypt… Roberto Peon
- RE: Getting to consensus on packet number encrypt… Lubashev, Igor
- Re: Getting to consensus on packet number encrypt… Mark Nottingham
- Re: Getting to consensus on packet number encrypt… Ian Swett
- RE: Getting to consensus on packet number encrypt… Praveen Balasubramanian
- Re: Getting to consensus on packet number encrypt… Mark Nottingham
- RE: Getting to consensus on packet number encrypt… Praveen Balasubramanian
- RE: Getting to consensus on packet number encrypt… Mikkel Fahnøe Jørgensen
- RE: Getting to consensus on packet number encrypt… Praveen Balasubramanian
- Re: Getting to consensus on packet number encrypt… Christian Huitema
- Re: Getting to consensus on packet number encrypt… Kazuho Oku
- Re: Getting to consensus on packet number encrypt… Martin Thomson
- RE: Getting to consensus on packet number encrypt… Mikkel Fahnøe Jørgensen
- Re: Getting to consensus on packet number encrypt… Willy Tarreau
- Re: Getting to consensus on packet number encrypt… Brian Trammell (IETF)
- ECN signaling from userland Re: Getting to consen… Lars Eggert
- Re: ECN signaling from userland Re: Getting to co… Brian Trammell (IETF)
- Re: Getting to consensus on packet number encrypt… alexandre.ferrieux
- Re: Getting to consensus on packet number encrypt… Eric Rescorla
- Re: Getting to consensus on packet number encrypt… Kazuho Oku
- Re: Getting to consensus on packet number encrypt… Mirja Kühlewind
- Re: Getting to consensus on packet number encrypt… Philipp S. Tiesel
- Privacy holes (was: Re: Getting to consensus on p… Christian Huitema
- Re: Privacy holes (was: Re: Getting to consensus … Frederick Kautz
- Re: Privacy holes (was: Re: Getting to consensus … Christian Huitema
- RE: Getting to consensus on packet number encrypt… Praveen Balasubramanian
- Re: Privacy holes Gorry Fairhurst
- Re: Privacy holes (was: Re: Getting to consensus … Kazuho Oku
- RE: Privacy holes (was: Re: Getting to consensus … Mike Bishop
- RE: Privacy holes (was: Re: Getting to consensus … Mikkel Fahnøe Jørgensen
- Re: Privacy holes (was: Re: Getting to consensus … Kazuho Oku
- Re: Privacy holes (was: Re: Getting to consensus … Kazuho Oku
- RE: Privacy holes (was: Re: Getting to consensus … Lubashev, Igor
- RE: Getting to consensus on packet number encrypt… Praveen Balasubramanian
- Re: Privacy holes (was: Re: Getting to consensus … Kazuho Oku
- Re: Privacy holes (was: Re: Getting to consensus … Kazuho Oku
- RE: Privacy holes (was: Re: Getting to consensus … Praveen Balasubramanian
- RE: Privacy holes (was: Re: Getting to consensus … Lubashev, Igor
- RE: Privacy holes (was: Re: Getting to consensus … Lubashev, Igor
- RE: ECN signaling from userland Re: Getting to co… Praveen Balasubramanian
- Re: Privacy holes (was: Re: Getting to consensus … Kazuho Oku
- Re: Privacy holes (was: Re: Getting to consensus … Frederick Kautz
- Re: Privacy holes (was: Re: Getting to consensus … Willy Tarreau
- Re: Privacy holes (was: Re: Getting to consensus … Martin Thomson
- Re: Getting to consensus on packet number encrypt… Kazuho Oku
- Re: Privacy holes (was: Re: Getting to consensus … Kazuho Oku
- Re: Privacy holes (was: Re: Getting to consensus … Kazuho Oku
- Re: Privacy holes (was: Re: Getting to consensus … Martin Thomson
- Re: Privacy holes (was: Re: Getting to consensus … Kazuho Oku
- Re: Privacy holes (was: Re: Getting to consensus … Kazuho Oku
- RE: Privacy holes (was: Re: Getting to consensus … Lubashev, Igor
- Re: Privacy holes (was: Re: Getting to consensus … Mikkel Fahnøe Jørgensen
- Re: Privacy holes (was: Re: Getting to consensus … Kazuho Oku
- Re: Privacy holes (was: Re: Getting to consensus … Brian Trammell (IETF)
- Re: Privacy holes (was: Re: Getting to consensus … Martin Thomson
- Re: Privacy holes (was: Re: Getting to consensus … Brian Trammell (IETF)
- Re: Privacy holes (was: Re: Getting to consensus … Kazuho Oku
- Grips in the Wire Image for In-Network State (was… Brian Trammell (IETF)
- Re: Grips in the Wire Image for In-Network State … Mikkel Fahnøe Jørgensen
- Re: Privacy holes (was: Re: Getting to consensus … Martin Thomson
- Re: Privacy holes Roland Zink
- Re: Grips in the Wire Image for In-Network State … Kazuho Oku
- Re: Grips in the Wire Image for In-Network State … Martin Thomson
- Re: Grips in the Wire Image for In-Network State … Brian Trammell (IETF)
- Re: Grips in the Wire Image for In-Network State … Brian Trammell (IETF)
- Re: Privacy holes Ian Swett
- Re: Grips in the Wire Image for In-Network State … Spencer Dawkins at IETF
- Re: Grips in the Wire Image for In-Network State … Kazuho Oku
- Re: Privacy holes (was: Re: Getting to consensus … Kazuho Oku
- RE: Getting to consensus on packet number encrypt… Praveen Balasubramanian
- RE: Grips in the Wire Image for In-Network State … Praveen Balasubramanian
- Re: Getting to consensus on packet number encrypt… Mark Nottingham
- Re: Getting to consensus on packet number encrypt… Brian Trammell (IETF)
- Re: Getting to consensus on packet number encrypt… Ian Swett
- Bona fide loss measurement bits alexandre.ferrieux
- Re: Getting to consensus on packet number encrypt… Roberto Peon
- Re: [Potential Spoof] Re: Getting to consensus on… Roberto Peon
- RE: Privacy holes (was: Re: Getting to consensus … Praveen Balasubramanian
- Re: Privacy holes Christian Huitema
- RE: Privacy holes Praveen Balasubramanian
- Re: Privacy holes (was: Re: Getting to consensus … Ian Swett
- Re: Privacy holes (was: Re: Getting to consensus … Kazuho Oku
- Re: Privacy holes (was: Re: Getting to consensus … Martin Thomson
- Re: Getting to consensus on packet number encrypt… Mirja Kühlewind
- RE: Privacy holes (was: Re: Getting to consensus … Mike Bishop
- Re: Getting to consensus on packet number encrypt… Roberto Peon
- Re: Getting to consensus on packet number encrypt… Christian Huitema
- Re: Getting to consensus on packet number encrypt… Kazuho Oku
- Re: Getting to consensus on packet number encrypt… Christian Huitema
- Re: Getting to consensus on packet number encrypt… Kazuho Oku
- Re: Getting to consensus on packet number encrypt… Mark Nottingham
- Re: Getting to consensus on packet number encrypt… Christian Huitema
- RE: Getting to consensus on packet number encrypt… Deval, Manasi
- Re: Getting to consensus on packet number encrypt… Jana Iyengar
- Re: Getting to consensus on packet number encrypt… Ian Swett
- Re: Getting to consensus on packet number encrypt… Kazuho Oku
- Re: Getting to consensus on packet number encrypt… Christian Huitema
- Re: Getting to consensus on packet number encrypt… Mikkel Fahnøe Jørgensen
- RE: Getting to consensus on packet number encrypt… Mike Bishop
- Re: Getting to consensus on packet number encrypt… Ian Swett
- RE: Getting to consensus on packet number encrypt… Mike Bishop
- Re: Getting to consensus on packet number encrypt… Ian Swett
- Re: Getting to consensus on packet number encrypt… Kazuho Oku
- Re: Getting to consensus on packet number encrypt… Erik Kline
- Re: Getting to consensus on packet number encrypt… Kazuho Oku
- Re: Getting to consensus on packet number encrypt… Patrick McManus
- Re: Getting to consensus on packet number encrypt… Ian Swett
- Re: Getting to consensus on packet number encrypt… Patrick McManus
- RE: Getting to consensus on packet number encrypt… Lubashev, Igor
- RE: Getting to consensus on packet number encrypt… Praveen Balasubramanian
- Re: Getting to consensus on packet number encrypt… Kazuho Oku
- Re: Getting to consensus on packet number encrypt… Brian Trammell (IETF)
- Re: Getting to consensus on packet number encrypt… Jana Iyengar
- Re: Getting to consensus on packet number encrypt… Martin Thomson
- Re: Getting to consensus on packet number encrypt… Boris Pismenny
- Re: Getting to consensus on packet number encrypt… Roberto Peon
- Re: Getting to consensus on packet number encrypt… Christian Huitema
- Re: Getting to consensus on packet number encrypt… Ian Swett
- RE: Getting to consensus on packet number encrypt… Praveen Balasubramanian
- RE: Getting to consensus on packet number encrypt… Lubashev, Igor
- Re: Getting to consensus on packet number encrypt… Martin Thomson
- RE: Getting to consensus on packet number encrypt… Praveen Balasubramanian
- Re: Getting to consensus on packet number encrypt… Martin Thomson
- Re: Getting to consensus on packet number encrypt… Benjamin Kaduk
- Re: Getting to consensus on packet number encrypt… Salz, Rich
- Re: Getting to consensus on packet number encrypt… Roberto Peon
- Re: Getting to consensus on packet number encrypt… Spencer Dawkins at IETF
- Re: Getting to consensus on packet number encrypt… Ted Hardie
- RE: Getting to consensus on packet number encrypt… Praveen Balasubramanian
- Re: Getting to consensus on packet number encrypt… Brian Trammell (IETF)
- RE: Getting to consensus on packet number encrypt… Lubashev, Igor
- Re: Getting to consensus on packet number encrypt… Ted Hardie
- RE: Getting to consensus on packet number encrypt… Lubashev, Igor
- RE: Getting to consensus on packet number encrypt… Praveen Balasubramanian
- Re: Getting to consensus on packet number encrypt… Roberto Peon
- Re: Getting to consensus on packet number encrypt… Roberto Peon
- Re: [Potential Spoof] Re: Getting to consensus on… Roberto Peon
- Re: [Potential Spoof] Re: Getting to consensus on… Jana Iyengar
- RE: [Potential Spoof] Re: Getting to consensus on… Praveen Balasubramanian
- Re: Getting to consensus on packet number encrypt… Spencer Dawkins at IETF
- Re: Getting to consensus on packet number encrypt… Mikkel Fahnøe Jørgensen
- Re: [Potential Spoof] Re: Getting to consensus on… Mikkel Fahnøe Jørgensen
- Re: Getting to consensus on packet number encrypt… Benjamin Kaduk
- Re: Getting to consensus on packet number encrypt… Ian Swett
- Re: Getting to consensus on packet number encrypt… Mirja Kühlewind
- RE: Getting to consensus on packet number encrypt… Roni Even (A)
- Re: Getting to consensus on packet number encrypt… Dmitri Tikhonov
- Re: Getting to consensus on packet number encrypt… Gorry Fairhurst
- RE: Getting to consensus on packet number encrypt… Praveen Balasubramanian
- Re: Getting to consensus on packet number encrypt… Christian Huitema
- Re: Getting to consensus on packet number encrypt… Mikkel Fahnøe Jørgensen
- Re: Getting to consensus on packet number encrypt… Christian Huitema