IETF Logo Mail Archive

Privacy for connection IDs

Eric Rescorla <ekr@rtfm.com> Wed, 07 June 2017 07:45 UTC

Return-Path: <ekr@rtfm.com>
X-Original-To: quic@ietfa.amsl.com
Delivered-To: quic@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EF40912EAF3 for <quic@ietfa.amsl.com>; Wed, 7 Jun 2017 00:45:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.598
X-Spam-Level:
X-Spam-Status: No, score=-2.598 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CCMFgRWdLYUJ for <quic@ietfa.amsl.com>; Wed, 7 Jun 2017 00:45:46 -0700 (PDT)
Received: from mail-yw0-x22d.google.com (mail-yw0-x22d.google.com [IPv6:2607:f8b0:4002:c05::22d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 425AB12EAF0 for <quic@ietf.org>; Wed, 7 Jun 2017 00:45:46 -0700 (PDT)
Received: by mail-yw0-x22d.google.com with SMTP id 141so1495173ywe.2 for <quic@ietf.org>; Wed, 07 Jun 2017 00:45:46 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:from:date:message-id:subject:to; bh=gYMNySUBha/MbLoMj9Jg9tvqI8yVWH04y+lbh0mt84g=; b=PrA/nvwXNy4x36EhC8rfP/P42terUVWGZHaY7gz/0oKjl2NCwqoXwAGWaucpco6aZD gdkHip100CZVj9h16nT7Rhg74zggC+SQpjgctt9uI1ICd8iCH5K/ck+NTD2XbF/49vFb iF5QzvRZ34q6z+RifdC507AYK22CJKmlBQc8TZepd9C6fchITVw9+18fVddRjEj1y7Ut iePEkSLNmZuVG0Nrsx0znv9f0NuzHiNX1z6L7+ACWoJcV1SSnZ3hTzUIX43oUgIqXF29 bvzCv+sQC43ZB/RDFIhbDvZPPALnra99XzJaCWWwRLAUgTLAfGGzFNB7uI5bKYfN7D6J 4M6Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:from:date:message-id:subject:to; bh=gYMNySUBha/MbLoMj9Jg9tvqI8yVWH04y+lbh0mt84g=; b=peQXVlW8xQuFhj8I80LmB1dMB5dqA8q+IiDoruXnkfBsSvxy9kKpcPj2cMAH7e8pfi gnL03Zp4Aufr9EkGFSsnVMawR6y3oASBd+GZVScW1yJ8azY8CQNJ8V4rqCw4y+qlnhIl 0UAcWJUtKECHhoZgU9ehYmZ/fmHDai2axslWmVHyiLiUKdcOvB7tO6PNk8xH+pBn0muI B2Z8eoVMQkwd3f5yK6TJwb7AhrxHQen/eP+ZDXVtvDaM/oqAIjQ6qunWvwbVHgcLDXxz ZaUJR6zboOeJziqMDxar8RDZ1l6zD5gmmebJXM9sp845n5asj/wY3QqWlNZjEUII6YcF a3+Q==
X-Gm-Message-State: AODbwcCHt+Y0cm4FnwUExWVM4eQFgCdGEQ6eHRqdROW8aWqIRTD6fWxS hU1ozYpkMudS7zv5j6gKcnlmFbhP2OkatjGLGA==
X-Received: by 10.129.57.138 with SMTP id g132mr5650287ywa.312.1496821545256; Wed, 07 Jun 2017 00:45:45 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.13.215.4 with HTTP; Wed, 7 Jun 2017 00:45:04 -0700 (PDT)
From: Eric Rescorla <ekr@rtfm.com>
Date: Wed, 07 Jun 2017 09:45:04 +0200
Message-ID: <CABcZeBOpBE93-5jvcQZY-Owi6pjMDWD5WDZQT2WSJp0wnsngMA@mail.gmail.com>
Subject: Privacy for connection IDs
To: IETF QUIC WG <quic@ietf.org>
Content-Type: multipart/alternative; boundary="001a114c76b47f5d0a055159ecbc"
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic/BewPbhaHEZhiQZl79d7Cx9UNGOk>
X-BeenThere: quic@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Main mailing list of the IETF QUIC working group <quic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic>, <mailto:quic-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic/>
List-Post: <mailto:quic@ietf.org>
List-Help: <mailto:quic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic>, <mailto:quic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 07 Jun 2017 07:45:48 -0000

[Also filed as https://github.com/quicwg/base-drafts/issues/598]

I and some others have been looking at how to protect the connection
ID from correlation between any two packets. The basic threat model
here is that it's possible to have unknown network transitions and so
if you just have the client initiate non-linkage events, then you
might have unknown linkage. Thus it should be, to the extent
practical, impossible to link any two packets. We can -- and I'm sure
will -- debate whether this is the right threat model, but the topic
of this email is just techniques.

There are two main sources of potential inter-packet linkage:

- The conn_id (which is the same)
- The packet number (which is sequential)


The current design, which allows you to occasionally change the
conn_id and then has a random PN increment, doesn't scale well to this
scenario.

I'm aware of two primary overall designs here, either of which will
work but neither of which is a complete no-brainer.


1. Omit the connection ID and then directly encrypt the packet number
   with a per-connection key. This basically forfeits the automatic
   connection mobility feature that the conn_id provides, because the
   server/LB needs to use the 5-tuple to recover the key.

2. Have the server provide the client with a pool of connection
   tokens, each of which is actually a wrapped version of the
   (conn_id, PN) pair. The client uses one token per packet, and the
   server/LB then unwraps the pair upon packet receipt.  In order for
   this to work, the server has to periodically replenish the pool,
   though it's not a disaster if the client runs out, because we can
   probably invent some way to reuse a token with a PN delta, though
   at some privacy cost.

Neither of these designs is 100% ideal. The first isn't at all
consistent with automatic mobility or recovering from NAT rebinding,
which was the motivation for connection ID in the first place
(basically, you have no connection ID). It also may come at some
additional bandwidth cost because the PN is used to compute the
per-packet nonce, but at absolute worst it's 16 extra bytes per
packet.

The second doesn't require giving up mobility/rebinding resistance,
but comes at some additional costs, specifically (1) some protocol
complexity (2) bandwidth overhead because you need to send the tokens
in the reverse direction [best estimate is 16-24 overall additional
bytes on the wire in both direction] (3) the LB will have to do some
crypto to recover the connection ID (most likely one AES operation).


We have detailed designs for both of these, though it's possible they
can be optimized further. Happy to go into these, but I think it's
more useful to discuss this at a high level rather than going into
the detailed mechanisms at this time.

-Ekr

v2.23.0 | Report a Bug | By Email