IETF Logo Mail Archive

Re: Packet number encryption

Roberto Peon <fenix@fb.com> Sat, 03 February 2018 18:39 UTC

Return-Path: <prvs=5572e8670e=fenix@fb.com>
X-Original-To: quic@ietfa.amsl.com
Delivered-To: quic@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 178CC12DA00 for <quic@ietfa.amsl.com>; Sat, 3 Feb 2018 10:39:08 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.73
X-Spam-Level:
X-Spam-Status: No, score=-0.73 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=1.989, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=fb.com header.b=pgDM1utr; dkim=pass (1024-bit key) header.d=fb.onmicrosoft.com header.b=Bc+99CMn
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VLzOZ1EIRl5o for <quic@ietfa.amsl.com>; Sat, 3 Feb 2018 10:39:06 -0800 (PST)
Received: from mx0a-00082601.pphosted.com (mx0a-00082601.pphosted.com [67.231.145.42]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F074012D890 for <quic@ietf.org>; Sat, 3 Feb 2018 10:39:05 -0800 (PST)
Received: from pps.filterd (m0044008.ppops.net [127.0.0.1]) by mx0a-00082601.pphosted.com (8.16.0.22/8.16.0.22) with SMTP id w13IXqfg012012; Sat, 3 Feb 2018 10:38:18 -0800
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=fb.com; h=from : to : cc : subject : date : message-id : references : in-reply-to : content-type : mime-version; s=facebook; bh=sChxcuKdCa+3hmG4aSv+//StloN4ShtPhsFSSzSeS74=; b=pgDM1utr/Erw6OgODrojpZPlHQP8sLDszLVaUlnFRd29hJ1osIbAepdU+qnnNVGTuuPu pMSlOxFgRFn36fDqIzf+vzCsOLUp79sZyKukeecCD/4V6uKzclLIk5lD6RTL7oDhvLnr skLzCHeLIK5I85hO22yT+SrjdWvoiPhHgcw=
Received: from maileast.thefacebook.com ([199.201.65.23]) by mx0a-00082601.pphosted.com with ESMTP id 2fw9972gpt-1 (version=TLSv1 cipher=ECDHE-RSA-AES256-SHA bits=256 verify=NOT); Sat, 03 Feb 2018 10:38:18 -0800
Received: from NAM03-BY2-obe.outbound.protection.outlook.com (192.168.183.28) by o365-in.thefacebook.com (192.168.177.26) with Microsoft SMTP Server (TLS) id 14.3.361.1; Sat, 3 Feb 2018 13:38:15 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=fb.onmicrosoft.com; s=selector1-fb-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=sChxcuKdCa+3hmG4aSv+//StloN4ShtPhsFSSzSeS74=; b=Bc+99CMnr7PZ+kA7owXn0YvRd1ELJz10pfpjc3AL8klFtcJugFru48RVzRRYnFFZBJDC1ka1aq7idRbUx9EqKVRvo2BJjiUT7lbWxLXbMpFmLpboNu28gpMoEIPxK1T3IYLyd6TFLQuc9PNZJ9OKLF/HJpJVBxf06MkPWnMZP9c=
Received: from BY2PR15MB0775.namprd15.prod.outlook.com (10.164.171.11) by BY2PR15MB0486.namprd15.prod.outlook.com (10.163.110.148) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256) id 15.20.464.11; Sat, 3 Feb 2018 18:37:57 +0000
Received: from BY2PR15MB0775.namprd15.prod.outlook.com ([10.164.171.11]) by BY2PR15MB0775.namprd15.prod.outlook.com ([10.164.171.11]) with mapi id 15.20.0464.012; Sat, 3 Feb 2018 18:37:57 +0000
From: Roberto Peon <fenix@fb.com>
To: Piotr Galecki <piotr_galecki@affirmednetworks.com>, Jana Iyengar <jri@google.com>, "Fossati, Thomas (Nokia - GB/Cambridge, UK)" <thomas.fossati@nokia.com>
CC: Gorry Fairhust <gorry@erg.abdn.ac.uk>, Eric Rescorla <ekr@rtfm.com>, Christian Huitema <huitema@huitema.net>, "Eggert, Lars" <lars@netapp.com>, Brian Trammell <ietf@trammell.ch>, Mirja Kühlewind <mirja.kuehlewind@tik.ee.ethz.ch>, QUIC WG <quic@ietf.org>, Martin Thomson <martin.thomson@gmail.com>
Subject: Re: Packet number encryption
Thread-Topic: Packet number encryption
Thread-Index: AQHTmW3+HjM5RmHWDkij9J5s6UBSSaOMgUQAgABeoYCAAAgUAIAAd3KAgAA8YgCAACPEAIAAAiYAgAOBloCAALfdgIAACBkAgAEGGB4=
Date: Sat, 03 Feb 2018 18:37:56 +0000
Message-ID: <BY2PR15MB07757473DB9788558B902EB5CDF80@BY2PR15MB0775.namprd15.prod.outlook.com>
References: <CABkgnnVyo3MmWtVULiV=FJTnR528qfY8-OmKGWAs0bCvri-a_g@mail.gmail.com> <1F7FB3B8-A94C-4354-9944-FB09FB8DB68B@trammell.ch> <CABcZeBMbwdwyC9TxxHBLYaZKfNB-FG2wCGjqUZ_mNR-A1R47FA@mail.gmail.com> <9096e5ec-581e-875a-b1dd-bff0b05206fd@huitema.net> <CABkgnnWRQSAufwPss+qf=xAzCwRYeNNH8XLPm3yFaHxOb+ba4g@mail.gmail.com> <BF80500A-6277-45DC-8525-9C3FE138B76D@tik.ee.ethz.ch> <5A7191E0.6010003@erg.abdn.ac.uk> <5214AD93-8376-4B25-922F-AF5551CC2E95@netapp.com> <F990E064-E6F8-41A3-B791-F776C9955E15@nokia.com> <CAGD1bZab0GaZFsHwC+nw3AxxC4VusxMJ6oDanzk3dSDdWKAXdw@mail.gmail.com>, <2C515BE8694C6F4B9B6A578BCAC32E2F83BA1443@MBX021-W3-CA-2.exch021.domain.local>
In-Reply-To: <2C515BE8694C6F4B9B6A578BCAC32E2F83BA1443@MBX021-W3-CA-2.exch021.domain.local>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [98.234.190.115]
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1; BY2PR15MB0486; 20:q46ccVwZOBYlYZhDw+q9rPUjhd72ySR3NYFV1T/CPULDirJJ+WctTrDDIyEfem3d652LoWEqEznhW+lAUbqkAbrEaGBGZAJckg5sSFZMADZa5mSFqxacsMviDUKKT3BYqQs7L3t8VZklbVjEv3uSrGVYPp4nEN4nWonB7o3y3M0=
x-ms-exchange-antispam-srfa-diagnostics: SSOS;
x-ms-office365-filtering-correlation-id: c22a8ab4-49b1-4d0f-ce7d-08d56b353ed2
x-microsoft-antispam: UriScan:(130329453890623); BCL:0; PCL:0; RULEID:(7020095)(4652020)(4534165)(4627221)(201703031133081)(201702281549075)(5600026)(4604075)(3008032)(2017052603307)(7153060)(7193020); SRVR:BY2PR15MB0486;
x-ms-traffictypediagnostic: BY2PR15MB0486:
x-microsoft-antispam-prvs: <BY2PR15MB04861F0766EEF0742C128D0FCDF80@BY2PR15MB0486.namprd15.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(10436049006162)(72170088055959)(82608151540597)(85827821059158)(211936372134217)(179696456005106)(153496737603132)(130329453890623);
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(6040501)(2401047)(8121501046)(5005006)(10201501046)(3231101)(11241501184)(2400082)(944501161)(3002001)(93006095)(93001095)(6041288)(20161123558120)(20161123562045)(201703131423095)(201702281528075)(20161123555045)(201703061421075)(201703061406153)(20161123560045)(20161123564045)(6072148)(201708071742011); SRVR:BY2PR15MB0486; BCL:0; PCL:0; RULEID:; SRVR:BY2PR15MB0486;
x-forefront-prvs: 05724A8921
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(376002)(346002)(39380400002)(39860400002)(366004)(396003)(11905935001)(377424004)(199004)(189003)(2900100001)(105586002)(4326008)(5660300001)(7116003)(4001150100001)(3846002)(39060400002)(77096007)(6116002)(6506007)(53546011)(102836004)(26005)(25786009)(55016002)(3280700002)(6436002)(99286004)(9686003)(68736007)(2950100002)(236005)(97736004)(229853002)(53936002)(66066001)(86362001)(3660700001)(6306002)(54896002)(74316002)(7736002)(478600001)(6246003)(7416002)(14454004)(2906002)(3480700004)(93886005)(8936002)(8656006)(81156014)(966005)(8676002)(81166006)(7696005)(76176011)(316002)(59450400001)(186003)(54906003)(106356001)(110136005)(33656002)(561944003)(606006)(42262002); DIR:OUT; SFP:1102; SCL:1; SRVR:BY2PR15MB0486; H:BY2PR15MB0775.namprd15.prod.outlook.com; FPR:; SPF:None; PTR:InfoNoRecords; A:1; MX:1; LANG:en;
received-spf: None (protection.outlook.com: fb.com does not designate permitted sender hosts)
x-microsoft-antispam-message-info: Ry1cjhvXkpUbIx1wTGDcQsAG8Jq7VBucFzuTRECBG9kS3HV9980TcVBPui4UyofFSMCGE4nmf4zJ1gbdmNSaRQ==
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: multipart/alternative; boundary="_000_BY2PR15MB07757473DB9788558B902EB5CDF80BY2PR15MB0775namp_"
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-Network-Message-Id: c22a8ab4-49b1-4d0f-ce7d-08d56b353ed2
X-MS-Exchange-CrossTenant-originalarrivaltime: 03 Feb 2018 18:37:56.8297 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 8ae927fe-1255-47a7-a2af-5f3a069daaa2
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BY2PR15MB0486
X-OriginatorOrg: fb.com
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:, , definitions=2018-02-03_05:, , signatures=0
X-Proofpoint-Spam-Reason: safe
X-FB-Internal: Safe
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic/CIRYQCx8hqJDyKcfj58xZGPL0kk>
X-BeenThere: quic@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Main mailing list of the IETF QUIC working group <quic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic>, <mailto:quic-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic/>
List-Post: <mailto:quic@ietf.org>
List-Help: <mailto:quic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic>, <mailto:quic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 03 Feb 2018 18:39:08 -0000

Ossification:
In the past tcp middleboxes expected in-order, monotonically increasing offsets and tried to fix reordering before forwarding. This middlebox behavior, predicated on observable flows, prevented deployment of things which would have made tcp more efficient.

 This is the kind of non-theoretical ossification that drove the creation of QUIC in the first place.

Network monitoring:
Networks may always wrap the packet(s) they have received with whatever data they wish, and unwrap before forwarding. This can allow any network to understand ordering,  loss, etc within its boundaries.

Debugging:
Debugging of flows can still happen for flows that wish to be debugged-- the QUIC connection's key material(s) can be shared manually and used by the debugging tool. This is how one debugs http2, https, etc. already today.

-=R



-------- Original message --------
From: Piotr Galecki <piotr_galecki@affirmednetworks.com>
Date: 2/2/18 7:00 PM (GMT-08:00)
To: Jana Iyengar <jri@google.com>, "Fossati, Thomas (Nokia - GB/Cambridge, UK)" <thomas.fossati@nokia.com>
Cc: Gorry Fairhust <gorry@erg.abdn.ac.uk>, Eric Rescorla <ekr@rtfm.com>, Christian Huitema <huitema@huitema.net>, "Eggert, Lars" <lars@netapp.com>, Brian Trammell <ietf@trammell.ch>, Mirja Kühlewind <mirja.kuehlewind@tik.ee.ethz.ch>, QUIC WG <quic@ietf.org>, Martin Thomson <martin.thomson@gmail.com>
Subject: RE: Packet number encryption

What is the group’s proposal for allowing network monitoring tools to detect packet retransmission or packet reordering ?
These metrics are pretty straightforward to measure for TCP flows.
Tools like Wireshark can analyze packets and spot issues.
How can the network tools perform this kind of measurements for QUIC flows if PN field is encrypted?


From: QUIC [mailto:quic-bounces@ietf.org] On Behalf Of Jana Iyengar
Sent: Friday, February 02, 2018 9:31 PM
To: Fossati, Thomas (Nokia - GB/Cambridge, UK) <thomas.fossati@nokia.com>
Cc: Gorry Fairhust <gorry@erg.abdn.ac.uk>; Eric Rescorla <ekr@rtfm.com>; Mirja Kühlewind <mirja.kuehlewind@tik.ee.ethz.ch>; Christian Huitema <huitema@huitema.net>; Brian Trammell <ietf@trammell.ch>; Eggert, Lars <lars@netapp.com>; QUIC WG <quic@ietf.org>; Martin Thomson <martin.thomson@gmail.com>
Subject: Re: Packet number encryption

A few points as I catch up on this thread.

First, I'll remind folks that QUIC is an encrypted transport. I say this because the cost of this operation is trivial in the context of encrypting every packet. The cost is borne at the servers and not at middleboxes, so the additional crypto cost is basically trivial.

Second, this simplifies and increases robustness of implementation. Avoiding random PN jumps, as Kazuho points out, makes special-casing of code unnecessary. Special code that is exercised occasionally is a strong bug attractor, and I would strongly argue for as few of those as possible in implementation.

Third, yes, ossification is a real concern. A simple example: using increasing packet numbers as a signature for detecting QUIC. Even if you argue against this example, there are innovative ways in which ossification will happen. This is based on a true story: We had no idea how GQUIC's flags field could get ossified, the value that was being used commonly became used as a signature for QUIC traffic (see Section 7.5 in the SIGCOMM QUIC paper<https://urldefense.proofpoint.com/v2/url?u=https-3A__static.googleusercontent.com_media_research.google.com_en_pubs_archive_46403.pdf&d=DwMGaQ&c=5VD0RTtNlTh3ycd41b3MUw&r=C0sUo-LFNBaYfyoaCsf6TA&m=SY87I4v_IqTCGOds-j5NCOwkQ0cJcYHGyKdXmMIVn6I&s=U9o6dI-dwzKwvXHvvmv7WtVm84puvxhaP0cN2of3VvA&e=>).

There's a win here in terms of implementation complexity and several implementers have said so. There's a win in terms of ossification and our experience says so. There's a potential loss of manageability, in being able to detect reordering. This is the trade-off, and I am still in favor of encrypting packet numbers.

On Fri, Feb 2, 2018 at 7:32 AM, Fossati, Thomas (Nokia - GB/Cambridge, UK) <thomas.fossati@nokia.com<mailto:thomas.fossati@nokia.com>> wrote:
On 31/01/2018, 10:06, "QUIC on behalf of Eggert, Lars" <quic-bounces@ietf.org<mailto:quic-bounces@ietf.org> on behalf of lars@netapp.com<mailto:lars@netapp.com>> wrote:
> On 2018-1-31, at 10:52, Gorry Fairhurst <gorry@erg.abdn.ac.uk<mailto:gorry@erg.abdn.ac.uk>> wrote:
> > +1 - Simply: This *is* complicated and seems to add little.
>
> So as an implementor (chair hat off), this adds very little to the
> overall complexity of the protocol.

This doesn't sound great.  It's a bit like saying that adding the Higgs
mechanism to the standard model's lagrangian doesn't make it much more
complicate :-)  (*)

More seriously though, I'd like to point out that it is not just about
implementation complexity, it's also the energy cost per packet that is
quite crucial.  I haven't done the math but ISTM that bringing in
another batch of non-optional crypto computation on a per packet basis
is not going to move the needle in the right direction for stacks that
run on low power (IoT).

This is not a catastrophe - we have CoAP and a (D)TLS profile - but
neither it's ideal, since cutting off the small things from the wider
ecosystem creates an artificial gap which then will need a middlebox to
bridge.  (Sure, we have specified the behaviour of a similar box
already, but it'd be really better if the extra translation logic could
be avoided in the first place.)

I guess what I'm saying is that PN encryption being a core mechanism
that can't be negotiated at handshake time reduces our ability to later
profile QUIC for the IoT, which would be a bit unlucky.

So the question is: would it be possible to make this property a
configurable knob instead?

(*) https://www.symmetrymagazine.org/article/the-deconstructed-standard-model-equation<https://urldefense.proofpoint.com/v2/url?u=https-3A__www.symmetrymagazine.org_article_the-2Ddeconstructed-2Dstandard-2Dmodel-2Dequation&d=DwMGaQ&c=5VD0RTtNlTh3ycd41b3MUw&r=C0sUo-LFNBaYfyoaCsf6TA&m=SY87I4v_IqTCGOds-j5NCOwkQ0cJcYHGyKdXmMIVn6I&s=etIO0AUHiJm8zucsWaTgo-XULFisCMoG2iDvwC69s9Q&e=>

v2.23.0 | Report a Bug | By Email