IETF Logo Mail Archive

Re: Privacy holes (was: Re: Getting to consensus on packet number encryption)

Kazuho Oku <kazuhooku@gmail.com> Fri, 06 April 2018 02:06 UTC

Return-Path: <kazuhooku@gmail.com>
X-Original-To: quic@ietfa.amsl.com
Delivered-To: quic@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 193D31241F3 for <quic@ietfa.amsl.com>; Thu, 5 Apr 2018 19:06:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XzvW0ez6esS7 for <quic@ietfa.amsl.com>; Thu, 5 Apr 2018 19:06:02 -0700 (PDT)
Received: from mail-pl0-x234.google.com (mail-pl0-x234.google.com [IPv6:2607:f8b0:400e:c01::234]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D7FAB1205F0 for <quic@ietf.org>; Thu, 5 Apr 2018 19:06:01 -0700 (PDT)
Received: by mail-pl0-x234.google.com with SMTP id k6-v6so16618393pls.5 for <quic@ietf.org>; Thu, 05 Apr 2018 19:06:01 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=Pr2xegpcHnzXPl2vuWnFdozwP4gj50GU8i2IMDyAUTw=; b=PFd0k+1sI62+mzGQh7tBS5R8/XwcIVOUvFnX/lb6WnIUPztMFO1yOTujTz+F4EWTvd uAQllDgsg+5r8qzp/UTyHt/k8uFpDKjtRXzcLE3FK3yvj7SM7silj6NtmbtnrlQomohw i7ySl8Bfwe31dCTnH1zkFK19cjs06xDeR2W4RU3dm2H0DutUN8mQPPYrQBik4hmhguh6 CtpTSu5rUPXjzjCKDdsma1zFPOqDV7f3SmOVcjzxq11u3HmXfyVSEEHJH5Ccwn3MAmsk HijbZ+O1p+M0N0oj70iGNF0E9Xgf/BjOrXcxvfpqur9w4AbMcfDb3elmfc3rjnKw5Rbk sBOg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=Pr2xegpcHnzXPl2vuWnFdozwP4gj50GU8i2IMDyAUTw=; b=qubXgHbP9Fei58mBl8ap4wDtgXvrlA3RnrjfhrgdVI9/XfrLBUtxgWXQ4+s78GYsZL 6Oaw0R6CQRzQmDLefj6r13jUcn1V9aP3nQscsvJ/A4IMgsVV1pEmTrYDof7mKzc7rKf7 fuLIXJe4/ey1Q5RxmxHy6iPll3wyEaALtSXAI0AFScXDOlkPTOeufuiZ0jdj1/y+0pES F/r1adC+tQXLGQw/4X33PGxxiS65/6ycqDpI5rLn9Vau75uSK7a/MT/+raZLOmVJZgS/ X17S9oacuu49eGkiIumtuUiGl9yCXRR0hpjiLeE+0alkuZl/vMoWEc0dFOcn3gwi/E7+ 4OtQ==
X-Gm-Message-State: AElRT7GPdvrQ075QCk+DLv+4BABDQ+qiC3vMjprX4tJog6olbI4DzFRp WxTqhzK+pB5Vj3omd97Hu8dG+NNuamf2gw/VY+s=
X-Google-Smtp-Source: AIpwx4+XJwm9sA595TcQTehxlM7z5YS4vEkO+Gj4sx5tOrNzSYu+1zR6+5laGcOhi6FCWH4lT06Lw7En7G+z4ec1qtw=
X-Received: by 2002:a17:902:209:: with SMTP id 9-v6mr24744899plc.403.1522980361395; Thu, 05 Apr 2018 19:06:01 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.100.145.130 with HTTP; Thu, 5 Apr 2018 19:06:00 -0700 (PDT)
In-Reply-To: <CABkgnnWAgGJaKs8teKTURiNDRA61fRhN6pxYQuD1MbkPDqasKQ@mail.gmail.com>
References: <7fd34142-2e14-e383-1f65-bc3ca657576c@huitema.net> <BBB8D1DE-25F8-4F3D-B274-C317848DE872@akamai.com> <CAN1APdd=47b2eXkvMg+Q_+P254xo4vo-Tu-YQu6XoUGMByO_eQ@mail.gmail.com> <CAKcm_gMpz4MpdmrHLtC8MvTf5uO9LjD915jM-i2LfpKY384O2w@mail.gmail.com> <HE1PR0702MB3611A67E764EE1C7D1644FAD84AD0@HE1PR0702MB3611.eurprd07.prod.outlook.com> <d8e35569-e939-4064-9ec4-2cccfba2f341@huitema.net> <CACpbDccqKoF-Y1poHMN2cLOK9GOuvtMTPsF-QEen3b30kUo9bg@mail.gmail.com> <CAKcm_gNffwpraF-H2LQBF33vUhYFx0bi_UXJ3N14k4Xj4NmWUw@mail.gmail.com> <40C1F6FE-2B2C-469F-8F98-66329703ED50@mnot.net> <21C36B57-6AE2-40EF-9549-7196D7FA9B45@tik.ee.ethz.ch> <B176FC07-887D-4135-B01E-FE8B4986A5EE@mnot.net> <CAKcm_gOCeocLyrYpOS7Ud332xdz3xHSH0psPN8T6BGRjoL9ptQ@mail.gmail.com> <CY4PR21MB0630FA0EDD343396AD414641B6A40@CY4PR21MB0630.namprd21.prod.outlook.com> <CAN1APde13JTzCvKFFvMd183Fka6QGD1kGBjsa9fcoLrYeA2hsA@mail.gmail.com> <CY4PR21MB0630C0FD4FBECBFEC3C863BBB6A40@CY4PR21MB0630.namprd21.prod.outlook.com> <759C5BE4-DE4C-4A82-929C-B03234B88A37@huitema.net> <CAJGwveB=qs+J2iBQRs3d5jdGuP9yBWoAgv0t3mwD=Wrf6Q5g8g@mail.gmail.com> <F395D018-FFCA-405F-BBD5-1313C6F6DAF9@huitema.net> <CABkgnnWAgGJaKs8teKTURiNDRA61fRhN6pxYQuD1MbkPDqasKQ@mail.gmail.com>
From: Kazuho Oku <kazuhooku@gmail.com>
Date: Fri, 06 Apr 2018 11:06:00 +0900
Message-ID: <CANatvzwKCqHQB1Mvp0K+Ref507s3YZCzV0xK=SgM9mAyA7s7yg@mail.gmail.com>
Subject: Re: Privacy holes (was: Re: Getting to consensus on packet number encryption)
To: Martin Thomson <martin.thomson@gmail.com>
Cc: Christian Huitema <huitema@huitema.net>, QUIC WG <quic@ietf.org>, Mirja Kühlewind <mirja.kuehlewind@tik.ee.ethz.ch>, Frederick Kautz <fkautz@alumni.cmu.edu>
Content-Type: multipart/alternative; boundary="00000000000070e2080569247f23"
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic/Aazu9czaZWSxf6b_WpBbLDWuhaI>
X-BeenThere: quic@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Main mailing list of the IETF QUIC working group <quic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic>, <mailto:quic-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic/>
List-Post: <mailto:quic@ietf.org>
List-Help: <mailto:quic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic>, <mailto:quic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 06 Apr 2018 02:06:04 -0000

2018-04-06 9:38 GMT+09:00 Martin Thomson <martin.thomson@gmail.com>:

> On Fri, Apr 6, 2018 at 2:08 AM, Christian Huitema <huitema@huitema.net>
> wrote:
> >> On Apr 5, 2018, at 8:58 AM, Frederick Kautz <fkautz@alumni.cmu.edu>
> wrote:
> >>
> >> Are you concerned that middleware boxes may be trained to reject
> migrations, thereby forcing a new connection with a visible negotiation?
> >
> > Yes. Hence the need to grease. For example, have clients do some
> gratuitous migration to a new source port number rather frequently.
>
> This seems like a simple fix, particularly since Mike recently added
> text that suggests occasional use of new connection IDs.  In the
> spirit of keeping the wheels greased:
>
> https://github.com/quicwg/base-drafts/pull/1269
>
>
Would you mind explaining how you would solve the issue?

If I understand correctly, Christian's concern is that some middleboxes
might only create a hole if the first packet sent by a client (using a new
port) looks like a Initial packet.

Consider the case where you want to build a middlebox that allows QUIC, but
no other UDP-based protocols.

By observing the QUIC packets, you think that you can implement such a
middlebox by creating a hole only when the UDP flow starts with a packet
starting with 0xff (long header + Initial). But such a design will block
migration.

The question is if we need to address the issue proactively, and how.

FWIW, I can see at least three possible approaches here.

1. frequent gratuitous migration by clients, so that middlebox vendors can
notice that there design is wrong prior to shipping it
2. make long header packets not easily indistinguishable from short header
packets (by encrypting the type field)
3. mimic 0-RTT handshake when gratuitously switching to a new UDP flow
(depends on #1262)

1 and 2 have been discussed on this thread. I haven't yet seen 3 being
discussed.

The concerns so far being raised for 1 is that NATs might run out of
unassigned ports and that switching to a new path might trigger the restart
of congestion control on large-scale NATs that use multiple public
addresses.

The concern so far being raised for 2 is that stateless load balancers
would be required to decrypt the type field (or the entire packet,
depending on how we encrypt) to determine if a packet is trying to initiate
a new connection.

-- 
Kazuho Oku

v2.23.0 | Report a Bug | By Email