Re: Structuring the BKK spin bit discussion

Kazuho Oku <kazuhooku@gmail.com> Sun, 04 November 2018 01:52 UTC

Return-Path: <kazuhooku@gmail.com>
X-Original-To: quic@ietfa.amsl.com
Delivered-To: quic@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 78B53130DD4 for <quic@ietfa.amsl.com>; Sat, 3 Nov 2018 18:52:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id M2yWc9n7SAbS for <quic@ietfa.amsl.com>; Sat, 3 Nov 2018 18:52:17 -0700 (PDT)
Received: from mail-lf1-x12a.google.com (mail-lf1-x12a.google.com [IPv6:2a00:1450:4864:20::12a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5D27C130DFA for <quic@ietf.org>; Sat, 3 Nov 2018 18:52:17 -0700 (PDT)
Received: by mail-lf1-x12a.google.com with SMTP id u18so3742000lff.10 for <quic@ietf.org>; Sat, 03 Nov 2018 18:52:17 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=q5gLcAigi8F2m/fE16w/SnJm6X/m+wux/o0s199c1Ec=; b=J9tpWVis46KlVRZ2gmdoeVWuxdzyitUjCP6haLjmTJllURE9hkFDq8u17+tDrewJV3 jnEoEqcU2kb5wSfZwNfLw/ZhJv/RGjEVJIBJdtsxsAYht9RRorWnTbx/B/snso7/7erN t7UaZ3pkUtS4LOX6Gtimw59/IqPviTYRcLdB8Ssa3tTWczfQAgMZCR94sD9/PWfzGK6d lWISou34niW+ybjnzFYpZi72SnvyRslrp4VMFdXBzPEGLdTTHNu9Wndo6qFOSqP6hx5M cKYN889NmPhdlBn6TK96ffgXTEYMrLXRpQE3Mi8QDefnLOFU0G4yGQNwoUpA1sclxPoM aGOA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=q5gLcAigi8F2m/fE16w/SnJm6X/m+wux/o0s199c1Ec=; b=T3trpws4YzYOCGclRrAH9psMBv7QLnkKet2k04hgLxS+tQpIhDTOEgboxaDym7Jj0Y LiWQmZY4Z3EJWmqLNUk+JHTA+QEK1uwiXjVWT5wbgnfWKBC1+eoFL9GDsZ8Ej9iYj31j 6mTR2wTSrpqLdXbdaZO42RegKimki8TEjxu+d+TbaaKqFrxUiWBhdJ4gfvpY4RaHB1CG u5j8J+yBkj6/j35yhvOgX1BZq0E9EaMVumMhg6wPoogrpRcDT2gV8i45F08b/wv7Dvmk cSNpEHX2nUUauqUzuF43Un6s0ZFBNeDhsH+YfOe1LaMkBbkFiLzVX0dWmFTjtZZscJRg ACBw==
X-Gm-Message-State: AGRZ1gKtHyPYCIhveBT6+QEj29saDUNQmFSeh+VcJQKrbTZpK5XLz5zd ZYzxjq9VTjaFtf3GxDRGWo44fo6oxkidaI7hsQU=
X-Google-Smtp-Source: AJdET5fWj2/Y0y3wYbEsegAQ6JZlBghjOahapumrkV+bqGJZhZB4VTQVuNzn4BJhsmUTLByqvorTMRJVHYL2rXF1dy8=
X-Received: by 2002:a19:6d0e:: with SMTP id i14-v6mr10060090lfc.57.1541296335480; Sat, 03 Nov 2018 18:52:15 -0700 (PDT)
MIME-Version: 1.0
References: <18A2F994-0E82-48E4-875D-93C674483D49@eggert.org> <20181029160802.GD7258@ubuntu-dmitri> <8268B90E-F109-424C-91A8-DB7BFE208F53@huitema.net> <CANatvzxt-QBmeJUwp+MjtbpYXstPiEigDzQe0KfWJN+q0XR4Kg@mail.gmail.com> <HE1PR0701MB23938B01BC31888DAC3629B8E2CD0@HE1PR0701MB2393.eurprd07.prod.outlook.com> <D8BB0373-FDEB-4312-94E6-BBA304D595BE@trammell.ch> <CANatvzwZZXB4d43N6g+jJ=HeTEzgdDK5KQVPKVdKDb=kBZzfpw@mail.gmail.com> <6E58094ECC8D8344914996DAD28F1CCD13047109@dggemm526-mbx.china.huawei.com>
In-Reply-To: <6E58094ECC8D8344914996DAD28F1CCD13047109@dggemm526-mbx.china.huawei.com>
From: Kazuho Oku <kazuhooku@gmail.com>
Date: Sun, 4 Nov 2018 08:52:03 +0700
Message-ID: <CANatvzzVZBCc-x0HCdo9SZe1zwZgrX-uxAnd5GKGoYgK9McvZA@mail.gmail.com>
Subject: Re: Structuring the BKK spin bit discussion
To: roni.even@huawei.com
Cc: Brian Trammell <ietf@trammell.ch>, Lars Eggert <lars@eggert.org>, marcus.ihlar@ericsson.com, Christian Huitema <huitema@huitema.net>, IETF QUIC WG <quic@ietf.org>, Dmitri Tikhonov <dtikhonov@litespeedtech.com>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic/Fv1h0cS4HaNBEVkk99eVUnNTgSo>
X-BeenThere: quic@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Main mailing list of the IETF QUIC working group <quic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic>, <mailto:quic-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic/>
List-Post: <mailto:quic@ietf.org>
List-Help: <mailto:quic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic>, <mailto:quic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 04 Nov 2018 01:52:27 -0000

2018年11月3日(土) 17:49 Roni Even (A) <roni.even@huawei.com>;:
>
> Hi,
> Inline
>
> -----Original Message-----
> From: QUIC [mailto:quic-bounces@ietf.org] On Behalf Of Kazuho Oku
> Sent: Thursday, November 01, 2018 5:06 AM
> To: Brian Trammell
> Cc: Lars Eggert; marcus.ihlar@ericsson.com; Christian Huitema; IETF QUIC WG; Dmitri Tikhonov
> Subject: Re: Structuring the BKK spin bit discussion
>
> Hi,
>
> Marcus, Alexandre, Brian, thank you for the responses. My comments below.
>
> 2018年10月31日(水) 23:18 Brian Trammell (IETF) <ietf@trammell.ch>;:
> >
> > hi Kazuho, Marcus,
> >
> > +1 to this; the intra-network latency variation on the mobile segment of the mobile networks we looked at via the MONROE in the testbed in our PAM paper the followed from the RTT DT work (see https://github.com/mami-project/rtt-privacy-paper/blob/master/rtt-privacy.pdf, especially section 3.1 and figure 2(b)) makes RTT measurement on a mobile network useless for geolocation.
> >
> > We did notice (not shown in the paper) that different carriers (n = 4, if I recall correctly) had distinct latency distributions, so with traffic from all Japanese mobile users you could probably use RTT data in the aggregate to build a "carrier classifier". This is of course a useless exercise because you can already tell which carrier a subscriber is coming from by looking at the IP address of the CGNAT exit.
> >
> > IMO there are only a few edge cases where there are actual potential geoprivacy issues raised by the spin bit with respect to tunneled VPN traffic. All of these involve trans- or intercontinental tunnels (>30ms of additional RTT, for 3000km of location uncertainty -- how far is it from Okinawa to Hokkaido?). In every case the handshake latency gives you away as well, but in every case long RTTs might also have non-distance related causes. So while I see disabling the spin bit as a necessary feature, especially for clients to have, IMO its utility is more useful for peace of mind and information reduction than for actual information elimination.
>
> Thank you for sharing the research.
>
> FWIW, inhabited islands of Japan span across 3,000km, however the longest hidden path of the carrier-grade NAT will be around 2,000km because Tokyo is located near the middle. So it's a bit shorter than your numbers.
>
> I can understand that there are other factors that have impact on the RTT exposed by the spin bit, and that might overshadow the distance.
>
> OTOH, I think it's important to remember that the spin bit expose many RTT samples (every once an RTT) compared to handshake which is a one time thing for each connection, or compared to other behavior like client issuing HTTP requests.
>
> For cases like large file download (in which the only output from the receiver would be ACKs), I would assume that the spin bit would be by far the most accurate piece of information for an observer to determine the RTT to the connection.
>
> Roni Even: In this case since there are large packets to one direction and short to the other an observer can map the download file to its ack message and calculate the RTT without the spin bit

My understanding is that you cannot.

Because the payload of the packets are encrypted, you cannot tell
which ACK packets sent by the client correspond to which packets sent
by the server. All you can observe is that something is flowing
steadily from the server to the client.

>
>
> >
> > Cheers,
> >
> > Brian
> >
> > > On 31 Oct 2018, at 13:40, Marcus Ihlar <marcus.ihlar@ericsson.com>; wrote:
> > >
> > > Hi Kazuho,
> > > I believe the biggest difference is the size of the hidden network segment.
> > > In the NAT case the client and NAT are still in the same country or continent.
> > > A quick glacne at distancecalculator.net shows that the city farthest from Tokyo in Japan is Naha-Shi, at 1554 km.
> > > That translates to roughly 5ms at the speed of light, so the kinds of measurements to determine distance from Tokyo based on RTT will be extremely sensitive and error prone.
> > > Please note that the distance analyis can be performed on handshake RTT as well, for connections where the initial handshake is visible at the measurement point.
> > >
> > >
> > > Från: QUIC <quic-bounces@ietf.org>; för Kazuho Oku
> > > <kazuhooku@gmail.com>;
> > > Skickat: den 31 oktober 2018 11:20
> > > Till: Christian Huitema
> > > Kopia: Lars Eggert; IETF QUIC WG; Dmitri Tikhonov
> > > Ämne: Re: Structuring the BKK spin bit discussion
> > >
> > > 2018年10月30日(火) 1:54 Christian Huitema <huitema@huitema.net>;:
> > > >
> > > >
> > > >
> > > > > On Oct 29, 2018, at 9:08 AM, Dmitri Tikhonov <dtikhonov@litespeedtech.com>; wrote:
> > > > >
> > > > >> On Mon, Oct 29, 2018 at 05:26:34PM +0200, Lars Eggert wrote:
> > > > >> We'd specifically like to ask client and server implementors
> > > > >> with projected sizable deployments to indicate whether they
> > > > >> intent to implement and deploy, if the WG decided to include
> > > > >> the spin-bit in the spec.
> > > > >
> > > > > LiteSpeed Technologies will support the spin bit -- both in our
> > > > > server and client QUIC implementations -- if it make it into the
> > > > > draft.
> > > >
> > > > My implementation is not used in any large scale deployment, but it does support the spin bit. In fact, it has configuration options to support spin bit variants: node, just spin, spin + vec, spin + QR.
> > > >
> > > > I think the strongest objection to the spin bit was put up by Marten during the last interim: measuring the RTT with the spin bit discloses the use of hidden path segments like VPN. This issue was not discussed during the privacy analysis.
> > >
> > > May I ask if the VPN users are the only ones that lose some privacy
> > > with spin bits?
> > >
> > > I ask this because I live in a country where IIUC the mobile
> > > carriers place their nation-wide carrier-grade NAT near the capital
> > > city (i.e., Tokyo). That means that for people living in the
> > > country, having spin bits turned on could reveal their distance from Tokyo.
> > >
> > > So the question is: if VPN users need special care, do some NAT
> > > users as well? Or if the answer is no, what is the difference from
> > > between the two groups?
> > >
> > > Generally speaking, I am not against giving users the freedom to
> > > expose spin bits, however I am wondering how the endpoints should
> > > provide the freedom of choice (UI question) as well as what the
> > > default should be.
> > >
> > > >
> > > > The privacy issue could be mitigated by turning off the spin bit at privacy sensitive clients, but this would make these clients "stick out".
> > > >
> > > > One solution would be to remove the spin bit from the spec, trading off better privacy for worse management. I am considering another solution in which privacy sensitive clients hide the RTT by controlling the spin, for example spinning at fixed intervals. I plan testing that option in Picoquic.
> > > >
> > > > -- Christian Huitema
> > > >
> > > >
> > >
> > >
> > > --
> > > Kazuho Oku
> >
>
>
> --
> Kazuho Oku
>


-- 
Kazuho Oku