Re: Greasing more of QUIC
Martin Thomson <martin.thomson@gmail.com> Thu, 07 December 2017 23:51 UTC
Return-Path: <martin.thomson@gmail.com>
X-Original-To: quic@ietfa.amsl.com
Delivered-To: quic@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A50DC1286B2 for <quic@ietfa.amsl.com>; Thu, 7 Dec 2017 15:51:50 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Gyt-w5_IIIfb for <quic@ietfa.amsl.com>; Thu, 7 Dec 2017 15:51:49 -0800 (PST)
Received: from mail-ot0-x236.google.com (mail-ot0-x236.google.com [IPv6:2607:f8b0:4003:c0f::236]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 31AF21275C5 for <quic@ietf.org>; Thu, 7 Dec 2017 15:51:49 -0800 (PST)
Received: by mail-ot0-x236.google.com with SMTP id v21so7880654oth.6 for <quic@ietf.org>; Thu, 07 Dec 2017 15:51:49 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=N8ennN2OPKxTMiwNZZD7p3DQJfsRIVDIEkLcIvXOxVY=; b=nwHRTOnFeBOs+5Y6pcBWEjcb4538bD6MW2qEbPhUvxaHzFKQz+p0V6L3c/iUopmrPi XIShgZt9QLIO4D/Fxroa4vkjSF4IILcvUEiJcG0g8WVPbiYG0CgPTbk3ZAHl+KeiyXkv B2PrADa8DNkyyY5jp94Xdi4b288Igvgmj8T3VxVoWpbU33+gz1ZZZoawMI4MeeXw7/1a E5kSP1KCCRgww0WRfzprTheK8gPHSq1P+7xhrtYULxw8LhADcrDgOz97K7zvpT+T7uSp ytu3XwWx551gM8AzjgSNyj3H20gyhpw7Jxn17UVXJDobQBtCjLhdbhRMnFRBp5S+U5hk UTUA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=N8ennN2OPKxTMiwNZZD7p3DQJfsRIVDIEkLcIvXOxVY=; b=Hxj5XtI+H/yCuy06pjauLZ/5/VlR/I9THqaT4DTiFxajFr28kJC15IuZOFXbITfFov wPnsNbkYDA7tHxarljG2jNwapkJAL7di8Vl4JrhqGQyp1c0LnDiQk/PRziaSIILaRQ8J RQ3HKqkkKHMIujDUzjOAJUN+8OpSb1FoCpve+uSED8D/Lzbo8KwQm0Lz+jpTGqJn0Wyu MBLFOareQV6SAIC8e/QcD9hnjuAKMhsCA2QE1R5OCA4Oygjlfrb9Z7ubPMWMdQl6bOAY T+PSAUOibuiWIoM21cEzaEDwQ9wPWvsjoIexQFXuSKz8vU/UU7aObEw9jIaJuqXtL8XB fpAg==
X-Gm-Message-State: AJaThX4fR3UroIhrfhklu6yL6FPJ56Pw9muUA0uAYnDZ8OFQtxrhxUW9 LAKHYTzPz3p5nk0LMhXj4QFMVqyDbib218jsP9I=
X-Google-Smtp-Source: AGs4zMYrLmd28t9sXKJtcogs/ZXSQFhwqyAEYdxd5FKleJUA5XQQWG+mZWyq7oKRexE/DE2uOoXi0iXITqyd7FHAWPw=
X-Received: by 10.157.88.141 with SMTP id x13mr25513212otg.175.1512690708411; Thu, 07 Dec 2017 15:51:48 -0800 (PST)
MIME-Version: 1.0
Received: by 10.157.8.11 with HTTP; Thu, 7 Dec 2017 15:51:47 -0800 (PST)
In-Reply-To: <CAGD1bZZfvQ_6Phs5Gtw4Q5rqHFNBeGGytoxMFrafLeEewGjnMg@mail.gmail.com>
References: <CABkgnnUxr3cAv81m5PfzRb+LWbiUq1qaASMnLkG+hEokHR714A@mail.gmail.com> <CAGD1bZZfvQ_6Phs5Gtw4Q5rqHFNBeGGytoxMFrafLeEewGjnMg@mail.gmail.com>
From: Martin Thomson <martin.thomson@gmail.com>
Date: Fri, 08 Dec 2017 10:51:47 +1100
Message-ID: <CABkgnnVPgXQkZscFtBVT5BuGhN7CaSE4Xh+F5CwKm8BxOOtS5A@mail.gmail.com>
Subject: Re: Greasing more of QUIC
To: Jana Iyengar <jri@google.com>
Cc: QUIC WG <quic@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic/GxOn6KXYf3s9YUVz2BZVhAF0a9s>
X-BeenThere: quic@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Main mailing list of the IETF QUIC working group <quic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic>, <mailto:quic-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic/>
List-Post: <mailto:quic@ietf.org>
List-Help: <mailto:quic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic>, <mailto:quic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 07 Dec 2017 23:51:51 -0000
On Thu, Dec 7, 2017 at 6:38 PM, Jana Iyengar <jri@google.com> wrote: > I suspect the mechanisms here are a bit heavyweight for the greasing model I > had in mind. Not really, see below. I included a more heavyweight option to show the range of options that I think we have in front of us. > The model I had in mind was that a middlebox that cared to read > the spec would be able to interpret the packet types, but it couldn't from > simply looking on the wire. I don't think we want to use a per-connection > key, as load balancers will want to know the packet type and won't have the > connection keys. Visibility for middleboxes is the reason we didn't encrypt > the packet types in the first place. I want to challenge this last point. I don't think that we've established a good reason for middleboxes to have visibility into the short header types, and anything that we do for the long header can probably only be based on the spec in exactly the way you describe - we never use anything other than a fixed key to protect packets with long headers. I'm personally more interested in packet numbers than packet types though. > If you wanted to do a PRP based on this weaker model you'd end up using a > known key per version, documented in the draft. Of course, the problem here > is that you don't grease any values since the same permutation is used for a > given version, and the permuted packet types remain fixed for the version. One property I'm looking for us to guarantee is that no value goes unused, even if the actual underlying value is the same. That means per-connection permutations. > You could combine the version-specific key with something from the packet, > perhaps the packet number (not the entire 64-bit number, only the visible > part on the wire, for stateless middlebox operation), to permute the packet > type, giving you more useful greasing. That's effectively what this does. The draft (I'm beginning to regret doing that now) mentions using connection ID, as input to the key. I should have added both packet number and even the ciphertext. You will observe that XOR is very close to what you describe if you take packet number as input to the key derivation (XOR and additional modulo N are very similar). If you took connection ID and packet number in the following form, you get almost exactly what you describe. E(x) = m ^ connection_id ^ packet_number > This is just me thinking off the top of my head, but that's roughly what I > had in mind. It obviously assumes a weaker form of greasing than the ones in > your draft is desirable. That is a reasonable position. Types will never really benefit much from anything more complex. For packet number, I wanted something stronger to support the ideas in the final section.
- Greasing more of QUIC Martin Thomson
- Re: Greasing more of QUIC Jana Iyengar
- Re: Greasing more of QUIC Brian Trammell (IETF)
- Re: Greasing more of QUIC Martin Thomson
- Re: Greasing more of QUIC Martin Thomson
- Re: Re: Greasing more of QUIC alexandre.ferrieux
- Re: Re: Greasing more of QUIC Mikkel Fahnøe Jørgensen
- Re: Greasing more of QUIC alexandre.ferrieux