IETF Logo Mail Archive

Re: Packet number encryption

"Brian Trammell (IETF)" <ietf@trammell.ch> Fri, 02 February 2018 09:35 UTC

Return-Path: <ietf@trammell.ch>
X-Original-To: quic@ietfa.amsl.com
Delivered-To: quic@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E488212FA97 for <quic@ietfa.amsl.com>; Fri, 2 Feb 2018 01:35:51 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.598
X-Spam-Level:
X-Spam-Status: No, score=-2.598 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, MIME_QP_LONG_LINE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 379jvZ78VF7L for <quic@ietfa.amsl.com>; Fri, 2 Feb 2018 01:35:48 -0800 (PST)
Received: from gozo.iway.ch (gozo.iway.ch [212.25.24.36]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A3AE612FA90 for <quic@ietf.org>; Fri, 2 Feb 2018 01:35:47 -0800 (PST)
Received: from gozo.iway.ch (localhost [127.0.0.1]) by localhost (Postfix) with ESMTP id 937BF3409AD; Fri, 2 Feb 2018 10:35:44 +0100 (CET)
Received: from localhost (localhost [127.0.0.1]) by localhost (ACF/6597.5220); Fri, 2 Feb 2018 10:35:44 +0100 (CET)
Received: from switchplus-mail.ch (switchplus-mail.ch [212.25.8.236]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by gozo.iway.ch (Postfix) with ESMTPS; Fri, 2 Feb 2018 10:35:44 +0100 (CET)
Received: from [213.55.211.42] (account ietf@trammell.ch HELO [100.99.15.73]) by switchplus-mail.ch (CommuniGate Pro SMTP 6.1.18) with ESMTPSA id 44127957; Fri, 02 Feb 2018 10:35:43 +0100
Content-Type: multipart/alternative; boundary="Apple-Mail-72F30DF4-7A3A-4B58-9DB5-10816DDC44EB"
Mime-Version: 1.0 (1.0)
Subject: Re: Packet number encryption
From: "Brian Trammell (IETF)" <ietf@trammell.ch>
X-Mailer: iPhone Mail (15C202)
In-Reply-To: <CAM4esxRVecQUJZwSv-+fV43CyTER-OY7H7WZGAKU0yT84qn6aA@mail.gmail.com>
Date: Fri, 02 Feb 2018 10:35:41 +0100
Cc: Jana Iyengar <jri@google.com>, Ted Hardie <ted.ietf@gmail.com>, Roberto Peon <fenix@fb.com>, Christian Huitema <huitema@huitema.net>, Mirja Kühlewind <mirja.kuehlewind@tik.ee.ethz.ch>, Eric Rescorla <ekr@rtfm.com>, QUIC WG <quic@ietf.org>, Martin Thomson <martin.thomson@gmail.com>
Content-Transfer-Encoding: 7bit
Message-Id: <26AC90FF-EDC0-431A-86D7-8F78555B5DB9@trammell.ch>
References: <CABkgnnVyo3MmWtVULiV=FJTnR528qfY8-OmKGWAs0bCvri-a_g@mail.gmail.com> <1F7FB3B8-A94C-4354-9944-FB09FB8DB68B@trammell.ch> <CABcZeBMbwdwyC9TxxHBLYaZKfNB-FG2wCGjqUZ_mNR-A1R47FA@mail.gmail.com> <9096e5ec-581e-875a-b1dd-bff0b05206fd@huitema.net> <CABkgnnWRQSAufwPss+qf=xAzCwRYeNNH8XLPm3yFaHxOb+ba4g@mail.gmail.com> <BF80500A-6277-45DC-8525-9C3FE138B76D@tik.ee.ethz.ch> <827BA6F8-5CA8-420A-B18B-60D8BC134A46@fb.com> <CA+9kkMDvp64NspznEuVy2tu8Eh1xmFkXu5S0AtDwbZKQ9Kq2fA@mail.gmail.com> <7F0C8A1D-1CE8-44E1-B3A4-ACFCB19D1F12@fb.com> <CABkgnnVsx9ohKO95bsDbYpM+bgWb-HQiVW2Yn=XWG458uzNgtg@mail.gmail.com> <CAGD1bZbH2qz2WL0YsOJJ=j7V-Lkt_V6K1RQ+5ZhMAzOWEAvdGQ@mail.gmail.com> <A236CE0B-24C1-41F0-A80D-7DD966D291B7@trammell.ch> <CAM4esxTj6Jv4nv975SDzczx9QEG-18WNm7UC7WxDcjyN+PeVgA@mail.gmail.com> <CAM4esxR_L9OvkEQ3G8z=yK1VgPQDJTMWeB2ts7CSgtV_de9MiQ@mail.gmail.com> <CAM4esxRVecQUJZwSv-+fV43CyTER-OY7H7WZGAKU0yT84qn6aA@mail.gmail.com>
To: Martin Duke <martin.h.duke@gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic/F7jjzrAXMzONf35-JjSyVhhf0W8>
X-BeenThere: quic@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Main mailing list of the IETF QUIC working group <quic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic>, <mailto:quic-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic/>
List-Post: <mailto:quic@ietf.org>
List-Help: <mailto:quic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic>, <mailto:quic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 02 Feb 2018 09:35:52 -0000


Sent from my iPhone

> On 2 Feb 2018, at 01:47, Martin Duke <martin.h.duke@gmail.com> wrote:
> 
> Brian, I can come up with a middlebox design that is trying to be "helpful" but ends up causing PN ossification, but as you suggest this requires the box to be dumb about versions. So, meh.

The insight hiding in my proposal about rapid versioning is exactly this: we should have a goal to minimize the deployability of boxes that are dumb about versions. Grease the version negotiation mechanism here is fake: it protects the codepoints but not the whole mechanism. As long as there is only one version you’ll get boxes that don’t need to care about tracking VN to know what’s going on. If version 2 follows on the heels of (or deploys simultaneously with) version 1, there will be fewer (none) of those boxes deployed.

> The other benefit of this scheme is that acks can go back to 1 byte PNs in ack frames for many connections, 

You get that with the random offset proposal as well.

As far as I can see the benefits of this proposal are (1) it lets us presuppose a single-sequence-number design for multipath in version 2, which has some nice properties; and (2) it lets us dispense with all the messiness of PN jumps on intentional migration. The first of these seems meh, the second is a little more convincing: packet number jumping is not pretty.

> as the true packet number will start at 0 (boo!) or 1 (yay!).

I actually have strong opinions on both sides of this argument, so I think I’ll go off in the corner and have a pointless fight with myself on this one.

Cheers,

Brian

> On Feb 1, 2018 12:09 AM, "Brian Trammell (IETF)" <ietf@trammell.ch> wrote:
> hi Jana, all,
> 
> > On 1 Feb 2018, at 03:46, Jana Iyengar <jri@google.com> wrote:
> >
> > I like this proposal for the ossification reason that Roberto described, but I also like it because it really simplifies things from an implementation perspective.
> 
> There seems to be a largely unquestioned assumption that packet number encryption has utility for ossification prevention. I am not convinced of this.
> 
> Our experience with TLS greasing shows that placing random values in fields that would otherwise largely be static over the lifetime of the protocol improves the ability to use those fields later. Packet number encryption is greasing only by analogy. "Field X has value Y" is a fundamentally different observation than "The values of field X over time are governed by function F", and I'm not sure that intuition in the simpler case applies directly to the more complicated one.
> 
> Specifically, for packet number encryption, the assumption appears to be that in-network devices will deploy during the operational lifetime of QUIC v1 that will make use of the observation that packet numbers monotonically increase, in a way that will impair the deployment of QUIC vN > 1 that does not have packet numbers that monotonically increase, or packet numbers that appear at a different location in the header. In other words, these devices will fail on this new version of QUIC in such a way that it will impair service to endpoints using QUIC vN.
> 
> Analogies to the TCP sequence number here are a bit flawed. The most important difference is that the open nature of TCP's wire image means that usage of the sequence number isn't limited to observation: on-path devices can change it, and forge or delay ACKs based on it. The only thing an on-path device can do with a QUIC packet with a packet number it doesn't like is to drop it. This function might have some utility as part of an in-network QUIC garbage filter, as part of an anti-DDoS system, but any such device would need to track the version number as well (indeed, tracking version negotiation and handshaking would be a useful primitive here in its own right), and would therefore have enough information to not break on new versions it knows about.
> 
> (Note we specifically don't care about the case where devices making use of this observation stop working in a way that the end-to-end properties of QUIC vN are preserved: the invariants as of a given version are the public wire-image interface to the protocol, anything else is at-your-own-risk, no-user-servicable-parts-inside).
> 
> I suspect that similar arguments can be had about all but the simplest proposed applications of greasing to functions more complex than "the value of field X is always Y or Z". The example of packet number tracking points to an anti-ossification approach that I have much more confidence in, though:
> 
> The vigorous and meaningful exercise of the version negotiation and version coexistence systems built into QUIC would force agility on on-path devices. The earlier we do this, the more effective it would be. I've already said this in other contexts, but I'll explicitly suggest it here: let's do QUIC 2, and soon (say, July 2019?), and use version negotiation *itself* as a method to "grease" the version negotiation mechanism along with the rest of the header.
> 
> > We currently have packet number gaps to be used with new CIDs, but these are the same packet numbers on the wire as within the transport. So, when used with connection migration or after quiescence, the sender and receiver of ACKs has to deal with potentially large gaps... this is encodable on the wire, sure, but these gaps are unnecessary within the transport.
> >
> > Encrypting packet numbers reduces complexity in that you get a packet number gap on the wire without having to explicitly model it inside the transport. The transport machinery starts packet numbers at 0, increments it by 1 irrespective of migration or quiescence, and the ACK frames similarly carry the plaintext packet number. Separating what's used within the transport and what's visible on the wire allows you to do things like use multiple CIDs within the same 5-tuple.
> 
> This is a more convincing argument for packet number encryption -- it does seem hard to get this elegance in the transport while having a non-trivially-linkable wire image without it.
> 
> > I see it as a clean separation of concerns, with consequent simplification in implementation and an additional degree of freedom.
> >
> > I'm not convinced of the value of packet number in measuring reordering degree, since this can be trivially done by looking at the IP ID field for packets on the same 5-tuple.
> 
> For IPv4 packets, on implementations where IPID is not randomized, yes. I don't have numbers on how prevalent these are; in any case, where it isn't randomized, that's arguably a bug that should be fixed. Should the guidance in the manageability draft, then, be "use IPv4 if you care about loss and reordering detection"? I am not optimistic about the chances of that getting past the IESG. ;)
> 
> Cheers,
> 
> Brian
> 
> > On Wed, Jan 31, 2018 at 6:00 PM, Martin Thomson <martin.thomson@gmail.com> wrote:
> > With some light editing for quoting purposes...
> >
> > On Thu, Feb 1, 2018 at 12:02 PM, Roberto Peon <fenix@fb.com> wrote:
> > >> Or do you mean CIDs 1-3 may be used on any of the 5-tuples A-C, for the same
> > >> communicating peers  Alice'sPhone and Bob'sBankServer93?
> > >
> > > The latter assuming we allow the server to specify it.
> >
> > I find "assuming we allow the server to specify *it*" to be strangely cryptic.
> >
> > To be clear, my operating assumption is while that servers can provide
> > multiple connection IDs, those connection IDs need to be usable on any
> > 5-tuple.  Are you suggesting that a server might need to signal where
> > a connection is usable?  (I can see how that might make sense, but it
> > isn't possible with the protocol as specified.)  Or are you suggesting
> > that there might need to be some signal that allows clients to
> > distinguish between connection IDs that are for concurrent use? That
> > is, as opposed to what you might assume to be sequential use based on
> > the current specification.
> >
> > FWIW, it should be possible to remove the sequencing field from
> > NEW_CONNECTION_ID after making this change.  The only reason left for
> > sequential connection ID use is to give the server the ability to know
> > when certain connection IDs no longer need to be available.  A server
> > might then be able to clean up associated state and even reuse them.
> >
> > Of course, that likely only makes sense if the server is creating
> > explicit mappings for each, which - as discussed at the interim -
> > isn't super practical in many deployments.  Right now, I think that
> > the assumption is an assumption only, and that relying on strictly
> > linear use of connection IDs would be unwise.
> >
> >
> 
>

v2.23.0 | Report a Bug | By Email