IETF Logo Mail Archive

Re: Packet number encryption negotiation

Christian Huitema <huitema@huitema.net> Thu, 09 March 2023 02:48 UTC

Return-Path: <huitema@huitema.net>
X-Original-To: quic@ietfa.amsl.com
Delivered-To: quic@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D5F82C14F748 for <quic@ietfa.amsl.com>; Wed, 8 Mar 2023 18:48:33 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.598
X-Spam-Level:
X-Spam-Status: No, score=-2.598 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, NICE_REPLY_A=-0.001, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OneQ7lJltD5A for <quic@ietfa.amsl.com>; Wed, 8 Mar 2023 18:48:29 -0800 (PST)
Received: from mx43-out1.antispamcloud.com (mx43-out1.antispamcloud.com [138.201.61.189]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 96307C1522BE for <quic@ietf.org>; Wed, 8 Mar 2023 18:48:29 -0800 (PST)
Received: from xse363.mail2web.com ([66.113.197.109] helo=xse.mail2web.com) by mx202.antispamcloud.com with esmtp (Exim 4.92) (envelope-from <huitema@huitema.net>) id 1pa6KH-000H3U-Hz for quic@ietf.org; Thu, 09 Mar 2023 03:48:26 +0100
Received: from xsmtp21.mail2web.com (unknown [10.100.68.60]) by xse.mail2web.com (Postfix) with ESMTPS id 4PXDBj5GQ8zBJR for <quic@ietf.org>; Wed, 8 Mar 2023 18:48:13 -0800 (PST)
Received: from [10.5.2.17] (helo=xmail07.myhosting.com) by xsmtp21.mail2web.com with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:256) (Exim 4.92) (envelope-from <huitema@huitema.net>) id 1pa6KD-00014P-Jh for quic@ietf.org; Wed, 08 Mar 2023 18:48:13 -0800
Received: (qmail 32075 invoked from network); 9 Mar 2023 02:48:13 -0000
Received: from unknown (HELO [192.168.1.104]) (Authenticated-user:_huitema@huitema.net@[172.58.43.192]) (envelope-sender <huitema@huitema.net>) by xmail07.myhosting.com (qmail-ldap-1.03) with ESMTPA for <ianswett=40google.com@dmarc.ietf.org>; 9 Mar 2023 02:48:12 -0000
Message-ID: <d66259ee-2031-fc12-d1af-95b87ea1c0f8@huitema.net>
Date: Wed, 08 Mar 2023 18:48:12 -0800
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Thunderbird/102.8.0
Content-Language: en-US
To: Ian Swett <ianswett=40google.com@dmarc.ietf.org>, Boris Pismenny <borispismenny@gmail.com>
Cc: Michael Eriksson <michael.eriksson@ericsson.com>, IETF QUIC WG <quic@ietf.org>
References: <CAKJMo+ttNyyTOhKg99k9HEgFCCZfR-yY_GeQ-ot6_09U1T3LPw@mail.gmail.com> <2b54d5c1-e094-d128-5c37-88ed63a0a0d8@ericsson.com> <CAKJMo+u=OZtNAmwYhSOXnrxNKTFFfup6k_W14=sos00gvqeP6g@mail.gmail.com> <b53ca341-2ff7-c5f9-758e-cc94fba923d7@ericsson.com> <CAKJMo+vi9GHCA4eVV5tT3fa5WnAUeFgyQZaGujZ172t6s0beVg@mail.gmail.com> <CAKcm_gO97aTkfw_2UMCq_gm797vd1Mhg3r7r_-0ca9awu_2g4w@mail.gmail.com>
From: Christian Huitema <huitema@huitema.net>
Subject: Re: Packet number encryption negotiation
In-Reply-To: <CAKcm_gO97aTkfw_2UMCq_gm797vd1Mhg3r7r_-0ca9awu_2g4w@mail.gmail.com>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 8bit
X-Originating-IP: 66.113.197.109
X-Spampanel-Domain: xsmtpout.mail2web.com
X-Spampanel-Username: 66.113.197.0/24
Authentication-Results: antispamcloud.com; auth=pass smtp.auth=66.113.197.0/24@xsmtpout.mail2web.com
X-Spampanel-Outgoing-Class: unsure
X-Spampanel-Outgoing-Evidence: Combined (0.21)
X-Recommended-Action: accept
X-Filter-ID: Pt3MvcO5N4iKaDQ5O6lkdGlMVN6RH8bjRMzItlySaT9CZ9LCK9ocScU9S/ROES1nPUtbdvnXkggZ 3YnVId/Y5jcf0yeVQAvfjHznO7+bT5x6h2yQpzTslcOqazQkKtAFKj/EwzSHE5FGYwwjsNRPCGG4 bdrypHtqpDHMN/JS5TTmD6wdmZPcItWbGe10hXJtXL4FsauCVkDjmcYJdU3yWp7KuHNaaKdg7iBE ZefdsNUFWKwa/wzJUjmazeC7Imca/0wY0a5WA9UvCDoq8EmWJBQ6V51u76v35b1wNe/MvdJfuyxq 0gGRfA+RDnTb/PqJ2+J9PgaoF8SQHto3le4zsHTaeQtlKubP6iUTjj6yPARK6buALVaA782LKxg6 vRmng8N1aLhXqdc+jC1RcnVud53D5caUhbVtvqItBqoizkEt9O20UjkwI0v+LOlw05G4BS+iyyNq bT8dUMXMJ4tUCMj6G37ZfAMLceP5aNHPt26RBupu5v1nytoNnc138GfEEIgtEXyXj6S3SDvReMcV 8TXUjLjYWQt1/5xnQymMoPsgr/U0flMcy2Vi/IcBgY4arPaiJ1W6hAyiRC61jekdwIcXNugoOEbH RyFULpSjm7iff8pZ9ure3k2YtJj4Q8Z7xTSSKxTxUOwWDEIsf7VNaG0cGuYD75hgSmhRUzE0W7vK 5/3E8hCwUuNeFU1VxZ+BC8CKASqFe0kBQ5ZmwPhPJiyZvdx3ZJDsPzrvEdt+b8mxX4OQOI/UQ6jn FfMBgzwOSHunMg5j/UO+IMRndiIcrkgzsrud14M4nlts+XYIJ/PZcpPgEJKLbDyaC/LdLvvY8tAF bhSCv6l42NpMrWpvl/pVB9v9zY0h8asEYmbGGsJD9ySC20IzFkBtfP+lFUR4WYNwCUKFYO4dZyBQ PDMQyb13qFZSq8Fx+9otn0aqja8VKPqpdskk5LxBR/9t1zMMkdu6/R2FM84kxYRFSvC1IDg1BRW7 hzp8w3iHcOwbVtsmWfnQGGis4EvbR3jXsI0ESXwhBU2hwt/J18C+HygJl/jEzm1SsR8v3aJbN/NZ fa8pHhHaz+HPa0HAgEx4sWDF
X-Report-Abuse-To: spam@quarantine14.antispamcloud.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic/9sI0mmIvrVji3tlwpAsEcT9_nqg>
X-BeenThere: quic@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Main mailing list of the IETF QUIC working group <quic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic>, <mailto:quic-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic/>
List-Post: <mailto:quic@ietf.org>
List-Help: <mailto:quic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic>, <mailto:quic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 09 Mar 2023 02:48:33 -0000

Please don't mix two separate issues, Header Protection and mixing of 
the DCID sequence number in the IV when doing multipath. The latter is 
for ensuring the uniqueness of the nonce when using separate number 
spaces for each path. It does make hardware offload more complex, but 
not in the same way as Header Protection.

We did discuss the impact of adding 32 more bits in the IV on hardware 
encryption last year, before deciding to abandon the "simple multipath" 
option and go for the "number space per DCID" option. At the time, the 
impact on hardware encryption was considered manageable.

-- Christian Huitema

On 3/8/2023 2:02 PM, Ian Swett wrote:
> Speaking as an individual, I would like to see this discussed more in the
> QUIC WG, possibly in Yokohama.
> 
> Header Protection/PNE definitely helps with ossification, but when compared
> with highly optimized and sometimes non-standard networking protocols, QUIC
> without PNE is a huge improvement.  In a datacenter environment,
> ossification is a concern, but it's rarely due to the wire image.
> 
> Ian
> 
> On Wed, Mar 8, 2023 at 8:02 AM Boris Pismenny <borispismenny@gmail.com>
> wrote:
> 
>>
>>>
>>>> What I want to add is that you should consider multipath QUIC when you
>>>> design your hardware. It affects the AEAD nonce generation.
>>>>
>>>> Regular, unipath, QUIC sets the top 34 bits of the packet number to zero
>>>> when generating the nonce. In the upcoming multipath extension, the top 32
>>>> bits can be set to non-zero values.
>>>>
>>>> https://www.rfc-editor.org/rfc/rfc9001.html#name-aead-usage
>>>>
>>>> https://www.ietf.org/archive/id/draft-ietf-quic-multipath-03.html#name-packet-protection-for-quic
>>>> -
>>>>
>>>
>>> Thanks for the pointers, I've encountered multi-path QUIC on another
>>> discussion about QUIC offload (
>>> https://github.com/microsoft/quic-offloads/issues/9#issuecomment-1305823308
>>> <https://protect2.fireeye.com/v1/url?k=31323334-501d5122-313273af-454445555731-88d69ea0099e1120&q=1&e=e27b5977-1b4e-4703-957b-3236511a2976&u=https%3A%2F%2Fgithub.com%2Fmicrosoft%2Fquic-offloads%2Fissues%2F9%23issuecomment-1305823308>).
>>> IIUC, the main challenge with multipath will be to synchronize receive side
>>> NIC offloads when two NICs are being used in parallel to carry the same
>>> flow's packet number space.
>>>
>>>
>>> There will only be separate packet number spaces for each path in the
>>> upcoming version of the multipath draft. Then I guess you will not have the
>>> problem you mention above. If you still would, why is this not a problem
>>> with regular unipath QUIC?
>>>
>>>
>> Indeed, this can also happen with unipath QUIC. In both cases, it is
>> probably not the common case. But, if it does happen, it will make
>> offloading more challenging.
>>
>

v2.23.0 | Report a Bug | By Email