Privacy for connection IDs
Eric Rescorla <ekr@rtfm.com> Wed, 07 June 2017 07:45 UTC
Return-Path: <ekr@rtfm.com>
X-Original-To: quic@ietfa.amsl.com
Delivered-To: quic@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EF40912EAF3 for <quic@ietfa.amsl.com>; Wed, 7 Jun 2017 00:45:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.598
X-Spam-Level:
X-Spam-Status: No, score=-2.598 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CCMFgRWdLYUJ for <quic@ietfa.amsl.com>; Wed, 7 Jun 2017 00:45:46 -0700 (PDT)
Received: from mail-yw0-x22d.google.com (mail-yw0-x22d.google.com [IPv6:2607:f8b0:4002:c05::22d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 425AB12EAF0 for <quic@ietf.org>; Wed, 7 Jun 2017 00:45:46 -0700 (PDT)
Received: by mail-yw0-x22d.google.com with SMTP id 141so1495173ywe.2 for <quic@ietf.org>; Wed, 07 Jun 2017 00:45:46 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:from:date:message-id:subject:to; bh=gYMNySUBha/MbLoMj9Jg9tvqI8yVWH04y+lbh0mt84g=; b=PrA/nvwXNy4x36EhC8rfP/P42terUVWGZHaY7gz/0oKjl2NCwqoXwAGWaucpco6aZD gdkHip100CZVj9h16nT7Rhg74zggC+SQpjgctt9uI1ICd8iCH5K/ck+NTD2XbF/49vFb iF5QzvRZ34q6z+RifdC507AYK22CJKmlBQc8TZepd9C6fchITVw9+18fVddRjEj1y7Ut iePEkSLNmZuVG0Nrsx0znv9f0NuzHiNX1z6L7+ACWoJcV1SSnZ3hTzUIX43oUgIqXF29 bvzCv+sQC43ZB/RDFIhbDvZPPALnra99XzJaCWWwRLAUgTLAfGGzFNB7uI5bKYfN7D6J 4M6Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:from:date:message-id:subject:to; bh=gYMNySUBha/MbLoMj9Jg9tvqI8yVWH04y+lbh0mt84g=; b=peQXVlW8xQuFhj8I80LmB1dMB5dqA8q+IiDoruXnkfBsSvxy9kKpcPj2cMAH7e8pfi gnL03Zp4Aufr9EkGFSsnVMawR6y3oASBd+GZVScW1yJ8azY8CQNJ8V4rqCw4y+qlnhIl 0UAcWJUtKECHhoZgU9ehYmZ/fmHDai2axslWmVHyiLiUKdcOvB7tO6PNk8xH+pBn0muI B2Z8eoVMQkwd3f5yK6TJwb7AhrxHQen/eP+ZDXVtvDaM/oqAIjQ6qunWvwbVHgcLDXxz ZaUJR6zboOeJziqMDxar8RDZ1l6zD5gmmebJXM9sp845n5asj/wY3QqWlNZjEUII6YcF a3+Q==
X-Gm-Message-State: AODbwcCHt+Y0cm4FnwUExWVM4eQFgCdGEQ6eHRqdROW8aWqIRTD6fWxS hU1ozYpkMudS7zv5j6gKcnlmFbhP2OkatjGLGA==
X-Received: by 10.129.57.138 with SMTP id g132mr5650287ywa.312.1496821545256; Wed, 07 Jun 2017 00:45:45 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.13.215.4 with HTTP; Wed, 7 Jun 2017 00:45:04 -0700 (PDT)
From: Eric Rescorla <ekr@rtfm.com>
Date: Wed, 07 Jun 2017 09:45:04 +0200
Message-ID: <CABcZeBOpBE93-5jvcQZY-Owi6pjMDWD5WDZQT2WSJp0wnsngMA@mail.gmail.com>
Subject: Privacy for connection IDs
To: IETF QUIC WG <quic@ietf.org>
Content-Type: multipart/alternative; boundary="001a114c76b47f5d0a055159ecbc"
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic/BewPbhaHEZhiQZl79d7Cx9UNGOk>
X-BeenThere: quic@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Main mailing list of the IETF QUIC working group <quic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic>, <mailto:quic-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic/>
List-Post: <mailto:quic@ietf.org>
List-Help: <mailto:quic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic>, <mailto:quic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 07 Jun 2017 07:45:48 -0000
[Also filed as https://github.com/quicwg/base-drafts/issues/598] I and some others have been looking at how to protect the connection ID from correlation between any two packets. The basic threat model here is that it's possible to have unknown network transitions and so if you just have the client initiate non-linkage events, then you might have unknown linkage. Thus it should be, to the extent practical, impossible to link any two packets. We can -- and I'm sure will -- debate whether this is the right threat model, but the topic of this email is just techniques. There are two main sources of potential inter-packet linkage: - The conn_id (which is the same) - The packet number (which is sequential) The current design, which allows you to occasionally change the conn_id and then has a random PN increment, doesn't scale well to this scenario. I'm aware of two primary overall designs here, either of which will work but neither of which is a complete no-brainer. 1. Omit the connection ID and then directly encrypt the packet number with a per-connection key. This basically forfeits the automatic connection mobility feature that the conn_id provides, because the server/LB needs to use the 5-tuple to recover the key. 2. Have the server provide the client with a pool of connection tokens, each of which is actually a wrapped version of the (conn_id, PN) pair. The client uses one token per packet, and the server/LB then unwraps the pair upon packet receipt. In order for this to work, the server has to periodically replenish the pool, though it's not a disaster if the client runs out, because we can probably invent some way to reuse a token with a PN delta, though at some privacy cost. Neither of these designs is 100% ideal. The first isn't at all consistent with automatic mobility or recovering from NAT rebinding, which was the motivation for connection ID in the first place (basically, you have no connection ID). It also may come at some additional bandwidth cost because the PN is used to compute the per-packet nonce, but at absolute worst it's 16 extra bytes per packet. The second doesn't require giving up mobility/rebinding resistance, but comes at some additional costs, specifically (1) some protocol complexity (2) bandwidth overhead because you need to send the tokens in the reverse direction [best estimate is 16-24 overall additional bytes on the wire in both direction] (3) the LB will have to do some crypto to recover the connection ID (most likely one AES operation). We have detailed designs for both of these, though it's possible they can be optimized further. Happy to go into these, but I think it's more useful to discuss this at a high level rather than going into the detailed mechanisms at this time. -Ekr
- Privacy for connection IDs Eric Rescorla