IETF Logo Mail Archive

RE: A better way to do conn id?

"Lubashev, Igor" <ilubashe@akamai.com> Wed, 24 January 2018 13:42 UTC

Return-Path: <ilubashe@akamai.com>
X-Original-To: quic@ietfa.amsl.com
Delivered-To: quic@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 78B33124239 for <quic@ietfa.amsl.com>; Wed, 24 Jan 2018 05:42:52 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level:
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=akamai.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FQQSAPreGs3p for <quic@ietfa.amsl.com>; Wed, 24 Jan 2018 05:42:49 -0800 (PST)
Received: from mx0b-00190b01.pphosted.com (mx0b-00190b01.pphosted.com [IPv6:2620:100:9005:57f::1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AB2A11241F8 for <quic@ietf.org>; Wed, 24 Jan 2018 05:42:49 -0800 (PST)
Received: from pps.filterd (m0122330.ppops.net [127.0.0.1]) by mx0b-00190b01.pphosted.com (8.16.0.22/8.16.0.22) with SMTP id w0ODaruI006007; Wed, 24 Jan 2018 13:42:46 GMT
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=akamai.com; h=from : to : cc : subject : date : message-id : references : in-reply-to : content-type : mime-version; s=jan2016.eng; bh=VSFaN8lvhQ1FdJ/HbdBhGTrv4kdWMx3++zIRzeaTGJQ=; b=ImrI1wpw0pK8Vp+dVy6/tx9OMHsyl/56kMrRvrGp+c19O3rXZ/dqdoGxHGZge2Fzo4RY I+5N9XpJtoDjjG3SbTcXlt59iheKb2NTgH0VNjYZuXS3QjSDWpQtc1gHUhPnMu34Pzhr 342K5GtYLskuAam9cfT7GnGcrdPfh1LLSxu/RfZIAUrdG99DV4LdPQdI5nHetRPth/99 AOWcVsrz5TsJ6xQ82d8BwXZyp1nhMHIhjurGEdoMM5ke8oJVhuRvvx98RR2WUX17eUsJ DI/G1JfNxPUleZKMmXGp2ul5q4XL8liIgOi7KVtGDZcUbiTYwSth4R3OJ0SAt+YB0eR2 ig==
Received: from prod-mail-ppoint2 (prod-mail-ppoint2.akamai.com [184.51.33.19]) by mx0b-00190b01.pphosted.com with ESMTP id 2fkxa1wp61-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Wed, 24 Jan 2018 13:42:46 +0000
Received: from pps.filterd (prod-mail-ppoint2.akamai.com [127.0.0.1]) by prod-mail-ppoint2.akamai.com (8.16.0.21/8.16.0.21) with SMTP id w0ODZc7e011807; Wed, 24 Jan 2018 08:42:45 -0500
Received: from email.msg.corp.akamai.com ([172.27.123.30]) by prod-mail-ppoint2.akamai.com with ESMTP id 2fm1yyngdx-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA384 bits=256 verify=NOT); Wed, 24 Jan 2018 08:42:45 -0500
Received: from USMA1EX-DAG1MB5.msg.corp.akamai.com (172.27.123.105) by usma1ex-dag1mb6.msg.corp.akamai.com (172.27.123.65) with Microsoft SMTP Server (TLS) id 15.0.1263.5; Wed, 24 Jan 2018 08:42:44 -0500
Received: from USMA1EX-DAG1MB5.msg.corp.akamai.com ([172.27.123.105]) by usma1ex-dag1mb5.msg.corp.akamai.com ([172.27.123.105]) with mapi id 15.00.1263.000; Wed, 24 Jan 2018 08:42:44 -0500
From: "Lubashev, Igor" <ilubashe@akamai.com>
To: "martin.thomson@gmail.com" <martin.thomson@gmail.com>, "martin.h.duke@gmail.com" <martin.h.duke@gmail.com>, "subodh@fb.com" <subodh@fb.com>
CC: "quic@ietf.org" <quic@ietf.org>
Subject: RE: A better way to do conn id?
Thread-Topic: A better way to do conn id?
Thread-Index: AQHTlNFo0y0NS2zYe0mRyyv7KOC+e6OC0AuAgAAAc4D//60wMIAAf1gAgAALw4Y=
Date: Wed, 24 Jan 2018 13:42:43 +0000
Message-ID: <7d8388b249d141d795f9c9f3bdb88433@usma1ex-dag1mb5.msg.corp.akamai.com>
References: <CAM4esxS4TDf1QwsdrQM1J7NBvTCjNaM0oi3Qm2i6oL0F9b5cnA@mail.gmail.com> <CABkgnnVfKGd9QYhUnJ0Tva5odNzRDvZCSU4ASN27bQFsAiUvPw@mail.gmail.com> <CAM4esxQtrZgQuqh=eeMR1BgKpx5SyDk2+7V0GBZJX9ak_H8yeg@mail.gmail.com>, <6d7331bfb9e041e4a712f3edf99a3001@usma1ex-dag1mb5.msg.corp.akamai.com>, <MWHPR15MB14559FAA5FAEF0577E1FC747B6E20@MWHPR15MB1455.namprd15.prod.outlook.com>
In-Reply-To: <MWHPR15MB14559FAA5FAEF0577E1FC747B6E20@MWHPR15MB1455.namprd15.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ms-exchange-transport-fromentityheader: Hosted
Content-Type: multipart/alternative; boundary="_000_7d8388b249d141d795f9c9f3bdb88433usma1exdag1mb5msgcorpak_"
MIME-Version: 1.0
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:, , definitions=2018-01-24_06:, , signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 suspectscore=0 malwarescore=0 phishscore=0 bulkscore=0 spamscore=0 mlxscore=0 mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1711220000 definitions=main-1801240183
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:, , definitions=2018-01-24_06:, , signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 priorityscore=1501 malwarescore=0 suspectscore=0 phishscore=0 bulkscore=0 spamscore=0 clxscore=1011 lowpriorityscore=0 mlxscore=0 impostorscore=0 mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1711220000 definitions=main-1801240183
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic/HmN2KyVQVCKDPtcwscWjEv14bBg>
X-BeenThere: quic@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Main mailing list of the IETF QUIC working group <quic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic>, <mailto:quic-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic/>
List-Post: <mailto:quic@ietf.org>
List-Help: <mailto:quic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic>, <mailto:quic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 24 Jan 2018 13:42:52 -0000

The argument that connection id can be self-describing is not wrong.

Connection id can be self-describing, and it would need to be, if the sever is to allow using different lengths for different connections and to do key rotation. It does add complexity to connection id generation (cannot easily use AES instruction to do encryption) and reduces the number of available bits, even for shorter connection IDs.

Victor's suggestion is to use just one extra bit in the packet type octet to avoid all of these troubles. It does bring up questions of requiring consistency in those bits throughout the connection lifetime - a definite "cost" of the scheme. But it also has benefits (see above). So this seems to be a viable option, but not a obvious option (since trade-offs are needed).

- Igor

-----Original Message-----
From: Subodh Iyengar [subodh@fb.com]
Received: Wednesday, 24 Jan 2018, 3:00AM
To: Lubashev, Igor [ilubashe@akamai.com]; Martin Duke [martin.h.duke@gmail.com]; Martin Thomson [martin.thomson@gmail.com]
CC: IETF QUIC WG [quic@ietf.org]
Subject: Re: A better way to do conn id?


> (Victor voiced this today) Steal a code point from the packet type: have 2 bits that represent

Why do we need to represent the size of the connection id as bits in the packet? We usually represent the lengths as bits in the packet for 2 reasons:


  1.  to be able to change them per packet
  2.  If they need to be interpreted by unrelated parties.

I raised this question in the meeting today whether or not connid size needs to change with every packet and the answer seemed no. Also in the current design the interpretation of connid is only relevant to the server / related parties, in which case the server could represent it's connid in its own self describing format which doesn't need any new bits. L3 load balancers and L7 load balancers would share the knowledge of the format of the connection id to determine how long it is. So it would seem like we don't need any extra bits. Are any of these assumptions I'm making incorrect?


Subodh

________________________________
From: QUIC <quic-bounces@ietf.org> on behalf of Lubashev, Igor <ilubashe@akamai.com>
Sent: Tuesday, January 23, 2018 9:34:47 PM
To: Martin Duke; Martin Thomson
Cc: IETF QUIC WG
Subject: RE: A better way to do conn id?


The two alternatives to allow for key rotation to “avoid” going over 16 octets are:



  1.  (Victor voiced this today) Steal a code point from the packet type: have 2 bits that represent:

0-byte connection id;

8-byte connection id;

16-byte connection id (key a);

16-byte connection id (key b)



  1.  “Trial Encryption” : Steal a bit from your 128 bit connection ID

Your bit 0 of your Connection ID will represent the key used for encryption.
Since you have entropy in your Connection ID, keep generating new entropy and encrypting, until bit 0 comes out just the way you want it.  On average, you will do 0.75 extra encryption operations.



  *   Igor



From: Martin Duke [mailto:martin.h.duke@gmail.com]
Sent: Wednesday, January 24, 2018 12:21 AM
To: Martin Thomson <martin.thomson@gmail.com>
Cc: IETF QUIC WG <quic@ietf.org>
Subject: Re: A better way to do conn id?



Very well, replace 16 with whatever number you guys come up with.



On Wed, Jan 24, 2018 at 4:19 PM, Martin Thomson <martin.thomson@gmail.com<mailto:martin.thomson@gmail.com>> wrote:

We have already concluded that if you want to do sane crypto, plus
some sort of key identification, then you need MORE than 16 octets
(though not much more).  That makes things more complicated.  ekr has
an outcome that he will write up.

On Wed, Jan 24, 2018 at 4:08 PM, Martin Duke <martin.h.duke@gmail.com<mailto:martin.h.duke@gmail.com>> wrote:
> Today's variable-length connection ID discussion made me realize some
> problems with the current architecture, while the new architecture doesn't
> fix some of them and creates whole new ones. Issues:
>
> - The client desires unlinkability, but I suspect the market will provide no
> incentives for servers to work very hard to be unlinkable. There were
> conflicting "layer 9" arguments that variable conn ID makes this problem
> worse or better.
>
> - 16 Bytes is more overhead than 8 bytes.
>
> - The severity of this remains to be seen, but variable length conn ids will
> introduce more complexity in parsers and anything that utilizes the conn id
> (e.g. handshake key generation). It might make the invariants more complex
> as well. The whole thing, frankly, makes my head hurt.
>
> I humbly suggest the following proposal might avoid or mitigate some of
> these problems:
>
> 1. Every connection has a long-lived Client-generated Connection ID (CGCID)
> and Server-generated Connection ID (SGCID). The CGCID is 8 bytes and the
> SGCID is 16 bytes.
>
> 2. The CGCID is used to derive the handshake key. (unchanged from status
> quo)
>
> 3. The initial packet uses the CGCID.  All other handshake packets use the
> SGCID. This is unchanged from the status quo.
>
> 4. All 1-RTT packets by sent by the client use the SGCID. All 1-RTT packets
> sent by the server use the CGCID. This has two important properties:
>            a) The server gets the 16 Bytes of entropy the load balancer
> needs
>            b) The server->client direction, which in the usual case has most
> of the data, has a lower-overhead CID.
>
> 5. The algorithm that generates SGCID MUST have different output given a
> different CGCID. [We might strengthen this language further: you wouldn't
> want to simply add the NEW_CONN_ID sequence number to the existing SGCID,
> for instance].
>
> 6. In advance of migration, the client sends a NEW_CONN_ID frame to provide
> a new CGCID (possibly omitting the stateless reset token). The server MUST
> respond with a NEW_CONN_ID that provides a new SGCID derived from the new
> CGCID. All packets on the new path use these CIDs.
>
> If people like this, I can generate a PR. I am very open to various tweaks
> to the general approach as well. I wanted to get this out there before the
> variable-length CID team gets deep in the weeds.
>
> Martin Duke
>
>

v2.23.0 | Report a Bug | By Email