IETF Logo Mail Archive

Re: Privacy holes (was: Re: Getting to consensus on packet number encryption)

Frederick Kautz <fkautz@alumni.cmu.edu> Thu, 05 April 2018 19:23 UTC

Return-Path: <ffk@alumni.cmu.edu>
X-Original-To: quic@ietfa.amsl.com
Delivered-To: quic@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3E3A61243F6 for <quic@ietfa.amsl.com>; Thu, 5 Apr 2018 12:23:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.898
X-Spam-Level:
X-Spam-Status: No, score=-1.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=alumni-cmu-edu.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Yb1I9dj8fgDo for <quic@ietfa.amsl.com>; Thu, 5 Apr 2018 12:23:16 -0700 (PDT)
Received: from mail-it0-x22b.google.com (mail-it0-x22b.google.com [IPv6:2607:f8b0:4001:c0b::22b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D5193124239 for <quic@ietf.org>; Thu, 5 Apr 2018 12:23:15 -0700 (PDT)
Received: by mail-it0-x22b.google.com with SMTP id m134-v6so4014436itb.3 for <quic@ietf.org>; Thu, 05 Apr 2018 12:23:15 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=alumni-cmu-edu.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=o9PDL865ZQjKFBXoVzKzUGwV0ScaPHAZtxhCGzKDivo=; b=2DOnFt7p5pFLNWdMVs0WRFq4lYBWhLf/ZlGoJH6eC15qRBNm9GvtxNj2eqpu3mdlnd adMltzilz+yDwDJocA3jNg1YcvZQPUu6oCvJtKqCO/POTg75znW8WDfHU9nnhyAyYWWC Emz04kLnYu98fX1vsQi/hm8Bpz5X/2YeRZi6emc5x8fjV6saJzUeCWV99OaMr0yUeVv0 FmJx9zq3oO3XTwHJUGx4jt4JLSTCW82SBmqiYrUaHg6SR8S234M1mNyVPtY2SAVcYVoY 3LMoL/UO4qhwqUMZC7ZHOrorz43kE9jLXFSeWWFxIvC4wZP13uGvbLDiELLpf2oxY28L akmg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=o9PDL865ZQjKFBXoVzKzUGwV0ScaPHAZtxhCGzKDivo=; b=LeC1itdUVgXZpqakSwNiQEsoRxcZeo+ki4MjlkZzHaK4vOS0KKFp9U+4uMpAuFkeGi v3SpmRj6MSqziRItshZlqe/OwDa08fkazJUhQ3cma52EUcoEtuxqxEsTt7jv253lEkCa YuvAUP6dpRSyGQ5sE7JCLQEWjZQHGgG0YqrYDuX8pX2ckrYUuR3jIyeYTHAGXOFmNrlG KOasQKhqzrdT2eoeR4N+cla6LmzNjPYBjeXebRsLTqKAXn8B1gHpK/cU+t8/UwDlhkEu Od4SABBdqzZRzcC6yUMEFMxshSxjBaZri7lhnyc+HU/HQ10m1WvPwtCn/kTvfHduhLkM 63ug==
X-Gm-Message-State: ALQs6tAkPWBxsibsbXhA9unbMXtGSjQ0++GPJ7vil1o0+iBKenSI/aQ7 gWiQqTkKGFR2XONgqBNsfoJVqaGx38ocpWMYpQI3Ug==
X-Google-Smtp-Source: AIpwx480lNPfXyROdmWBvr60HXwGSrVxGj0a7TX7XSTGygsIpflH5v+OpqkhCrJevAUsBzPsOF7GANKn9S3O5QF20CQ=
X-Received: by 2002:a24:4507:: with SMTP id y7-v6mr15062246ita.112.1522956195163; Thu, 05 Apr 2018 12:23:15 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.107.38.11 with HTTP; Thu, 5 Apr 2018 12:23:14 -0700 (PDT)
In-Reply-To: <CANatvzxkm_iZAcdyJW-=UKgcnbB5nafUu-Ca=O2MQbuzTnmW3Q@mail.gmail.com>
References: <7fd34142-2e14-e383-1f65-bc3ca657576c@huitema.net> <BBB8D1DE-25F8-4F3D-B274-C317848DE872@akamai.com> <CAN1APdd=47b2eXkvMg+Q_+P254xo4vo-Tu-YQu6XoUGMByO_eQ@mail.gmail.com> <CAKcm_gMpz4MpdmrHLtC8MvTf5uO9LjD915jM-i2LfpKY384O2w@mail.gmail.com> <HE1PR0702MB3611A67E764EE1C7D1644FAD84AD0@HE1PR0702MB3611.eurprd07.prod.outlook.com> <d8e35569-e939-4064-9ec4-2cccfba2f341@huitema.net> <CACpbDccqKoF-Y1poHMN2cLOK9GOuvtMTPsF-QEen3b30kUo9bg@mail.gmail.com> <CAKcm_gNffwpraF-H2LQBF33vUhYFx0bi_UXJ3N14k4Xj4NmWUw@mail.gmail.com> <40C1F6FE-2B2C-469F-8F98-66329703ED50@mnot.net> <21C36B57-6AE2-40EF-9549-7196D7FA9B45@tik.ee.ethz.ch> <B176FC07-887D-4135-B01E-FE8B4986A5EE@mnot.net> <CAKcm_gOCeocLyrYpOS7Ud332xdz3xHSH0psPN8T6BGRjoL9ptQ@mail.gmail.com> <CY4PR21MB0630FA0EDD343396AD414641B6A40@CY4PR21MB0630.namprd21.prod.outlook.com> <CAN1APde13JTzCvKFFvMd183Fka6QGD1kGBjsa9fcoLrYeA2hsA@mail.gmail.com> <CY4PR21MB0630C0FD4FBECBFEC3C863BBB6A40@CY4PR21MB0630.namprd21.prod.outlook.com> <759C5BE4-DE4C-4A82-929C-B03234B88A37@huitema.net> <CAJGwveB=qs+J2iBQRs3d5jdGuP9yBWoAgv0t3mwD=Wrf6Q5g8g@mail.gmail.com> <F395D018-FFCA-405F-BBD5-1313C6F6DAF9@huitema.net> <CANatvzy8zTFKs-c-rR0jMSHdh2HJMvZrRmcR5A+b6qNpNPzkrw@mail.gmail.com> <SN1PR08MB1854010FD61AC17D19E497FDDABB0@SN1PR08MB1854.namprd08.prod.outlook.com> <CAN1APddJ7b+7Ydtw7i5c3XBHiC3mz9FmJEM-kZ0=Y8DvmpQ0eg@mail.gmail.com> <a02101a18f16419f81233058a1a6de15@usma1ex-dag1mb5.msg.corp.akamai.com> <CANatvzyEWb1esUcPL=pP6eDmyB7cmfuUOn6vGMTui3Jr+Z-oQQ@mail.gmail.com> <d9efb98a11304b049694cb89dcc04629@usma1ex-dag1mb5.msg.corp.akamai.com> <CANatvzxkm_iZAcdyJW-=UKgcnbB5nafUu-Ca=O2MQbuzTnmW3Q@mail.gmail.com>
From: Frederick Kautz <fkautz@alumni.cmu.edu>
Date: Thu, 05 Apr 2018 12:23:14 -0700
Message-ID: <CAJGwveB8z5KJMDAb6r0Vc_rnKp8exSdXX+sazC_yGHFXbdZAPQ@mail.gmail.com>
Subject: Re: Privacy holes (was: Re: Getting to consensus on packet number encryption)
To: Kazuho Oku <kazuhooku@gmail.com>
Cc: "Lubashev, Igor" <ilubashe@akamai.com>, Mikkel Fahnøe Jørgensen <mikkelfj@gmail.com>, Mike Bishop <mbishop@evequefou.be>, Christian Huitema <huitema@huitema.net>, IETF QUIC WG <quic@ietf.org>, Mirja Kühlewind <mirja.kuehlewind@tik.ee.ethz.ch>
Content-Type: multipart/alternative; boundary="0000000000000587e605691edfa7"
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic/Hit_mPgebxzhnLm-qKaFipiWTgw>
X-BeenThere: quic@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Main mailing list of the IETF QUIC working group <quic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic>, <mailto:quic-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic/>
List-Post: <mailto:quic@ietf.org>
List-Help: <mailto:quic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic>, <mailto:quic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 05 Apr 2018 19:23:19 -0000

Maybe there could be some form of unencrypted header which load balancers
could use to land it to the correct location? This id could be set by the
server after a successful negotiation, and would be shared across all
connections to that same server. It can be used to ensure that the same
server internally always handles the given connection while attempting to
keep linkability low.

On Thu, Apr 5, 2018 at 11:35 AM, Kazuho Oku <kazuhooku@gmail.com> wrote:

>
>
> 2018-04-06 3:21 GMT+09:00 Lubashev, Igor <ilubashe@akamai.com>:
>
>>
>>    - It would not, *if* the stateless load balancer can AES-decrypt the
>>    packet (using the key derived from the packet header) to see if the packet
>>    is in fact a initial packet.
>>
>>
>>
>> Would not it need to first decide that the CID in the packet is unknown
>> (which means stateful)?  It would need to do some integrity check on CID,
>> which would require a large nonce to avoid accidentally classifying a
>> random CID as valid, because the cost of this mistake can be very large for
>> the client (see below).
>>
>
> AEAD tag that is used for checking if a packet is legitimate as a initial
> packet is currently 16 octets. That would not change. I believe that it
> would be enough to avoid 1-RTT packets being misclassified as handshake
> packets.
>
>
>>
>>
>>    - Or another way of solving the issue will be to always route the
>>    packet based on CID, then forward the packet between the endpoints behind
>>    the load balancer.
>>
>>
>>
>> This would not really work for a global load balancer – the one capable
>> of forwarding across a continent to a different anycast pop (due to
>> client’s change in attachment point or BGP reconvergence).
>>
>
> Agreed.
>
>
>>
>>
>>
>>
>>
>>
>> *From:* Kazuho Oku [mailto:kazuhooku@gmail.com]
>> *Sent:* Thursday, April 05, 2018 2:09 PM
>> *To:* Lubashev, Igor <ilubashe@akamai.com>
>> *Cc:* Mikkel Fahnøe Jørgensen <mikkelfj@gmail.com>; Mike Bishop <
>> mbishop@evequefou.be>; Christian Huitema <huitema@huitema.net>; IETF
>> QUIC WG <quic@ietf.org>; Mirja Kühlewind <mirja.kuehlewind@tik.ee.ethz.ch>;
>> Frederick Kautz <fkautz@alumni.cmu.edu>
>> *Subject:* Re: Privacy holes (was: Re: Getting to consensus on packet
>> number encryption)
>>
>>
>>
>>
>>
>>
>>
>> 2018-04-06 2:59 GMT+09:00 Lubashev, Igor <ilubashe@akamai.com>:
>>
>>
>>    - I'd prefer making handshake packets indistinguishable from short
>>    header packets. In essence, you move the flags of the long header inside
>>    the AEAD-protected area. An endpoint that receives a packet carrying a CID
>>    that does not belong to any known connection trial-decrypts the packet as a
>>    initial packet and handles it as a connection initiation, or sends a
>>    stateful reset if the trial-decryption fails.
>>
>> This change would wreck stateless load balancers that rely on being able
>> to distinguish CI packets (and route them based on IPs) from other packets
>> (and route them based on CID).
>>
>>
>>
>> It would not, *if* the stateless load balancer can AES-decrypt the packet
>> (using the key derived from the packet header) to see if the packet is in
>> fact a initial packet. Or another way of solving the issue will be to
>> always route the packet based on CID, then forward the packet between the
>> endpoints behind the load balancer.
>>
>>
>>
>> I agree that it would be a no-deal for stateless load balancers that are
>> incapable of doing such things.
>>
>>
>>
>>
>>
>> - Igor
>>
>>
>>
>> *From:* Mikkel Fahnøe Jørgensen [mailto:mikkelfj@gmail.com]
>> *Sent:* Thursday, April 05, 2018 1:31 PM
>> *To:* Mike Bishop <mbishop@evequefou.be>; Christian Huitema <
>> huitema@huitema.net>; Kazuho Oku <kazuhooku@gmail.com>
>> *Cc:* IETF QUIC WG <quic@ietf.org>; Mirja Kühlewind <
>> mirja.kuehlewind@tik.ee.ethz.ch>; Frederick Kautz <fkautz@alumni.cmu.edu>
>> *Subject:* RE: Privacy holes (was: Re: Getting to consensus on packet
>> number encryption)
>>
>>
>>
>> Hi
>>
>>
>>
>> On 5 April 2018 at 19.27.24, Mike Bishop (mbishop@evequefou.be) wrote:
>>
>>  An endpoint that receives a packet carrying a CID that does not belong
>> to any known connection trial-decrypts the packet as a initial packet and
>> handles it as a connection initiation, or sends a stateful reset if the
>> trial-decryption fails.
>>
>> I can see hiding things may be a good thing, but having to trial decrypt
>> all unknown packets as potentially creating a huge load, unless you combine
>> it with my proposal to add a checksum to the encrypted packet number so you
>> only need one crypto block on average to reject random packet content.
>>
>> It won’t solve all DDoS, but it will help. Forcing trial decryption fo
>> the full packet makes me a bit anxious.
>>
>>
>>
>> Mikkel
>>
>>
>>
>>
>>
>>
>>
>> --
>>
>> Kazuho Oku
>>
>
>
>
> --
> Kazuho Oku
>

v2.23.0 | Report a Bug | By Email