IETF Logo Mail Archive

RE: Hardware acceleration and packet number encryption

"Deval, Manasi" <manasi.deval@intel.com> Sun, 25 March 2018 01:09 UTC

Return-Path: <manasi.deval@intel.com>
X-Original-To: quic@ietfa.amsl.com
Delivered-To: quic@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A3C7212706D for <quic@ietfa.amsl.com>; Sat, 24 Mar 2018 18:09:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.909
X-Spam-Level:
X-Spam-Status: No, score=-1.909 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wq38WvV_5Lel for <quic@ietfa.amsl.com>; Sat, 24 Mar 2018 18:09:10 -0700 (PDT)
Received: from mga18.intel.com (mga18.intel.com [134.134.136.126]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0680912025C for <quic@ietf.org>; Sat, 24 Mar 2018 18:09:09 -0700 (PDT)
X-Amp-Result: SKIPPED(no attachment in message)
X-Amp-File-Uploaded: False
Received: from orsmga005.jf.intel.com ([10.7.209.41]) by orsmga106.jf.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 24 Mar 2018 18:09:09 -0700
X-ExtLoop1: 1
X-IronPort-AV: E=Sophos;i="5.48,357,1517904000"; d="scan'208,217,223";a="211050612"
Received: from orsmsx109.amr.corp.intel.com ([10.22.240.7]) by orsmga005.jf.intel.com with ESMTP; 24 Mar 2018 18:09:08 -0700
Received: from orsmsx111.amr.corp.intel.com ([169.254.12.250]) by ORSMSX109.amr.corp.intel.com ([169.254.11.24]) with mapi id 14.03.0319.002; Sat, 24 Mar 2018 18:09:08 -0700
From: "Deval, Manasi" <manasi.deval@intel.com>
To: Eric Rescorla <ekr@rtfm.com>, Mikkel Fahnøe Jørgensen <mikkelfj@gmail.com>
CC: Kazuho Oku <kazuhooku@gmail.com>, Christian Huitema <huitema@huitema.net>, IETF QUIC WG <quic@ietf.org>
Subject: RE: Hardware acceleration and packet number encryption
Thread-Topic: Hardware acceleration and packet number encryption
Thread-Index: AQHTw2pQL/NusTeZMUCinV37uQawVaPf3xiAgAAo/YCAAFZ6AIAADAQA//+ZhQA=
Date: Sun, 25 Mar 2018 01:09:07 +0000
Message-ID: <1F436ED13A22A246A59CA374CBC543998B5CCEFD@ORSMSX111.amr.corp.intel.com>
References: <7fd34142-2e14-e383-1f65-bc3ca657576c@huitema.net> <F9FCC213-62B9-437C-ADF9-1277E6090317@gmail.com> <CABcZeBM3PfPkqVxPMcWM-Noyk=M2eCFWZw2Eq-XytbHM=0T9Uw@mail.gmail.com> <CAN1APdfjuvd1eBWCYedsbpi1mx9_+Xa6VvZ3aq_Bhhc+HN67ug@mail.gmail.com> <CABcZeBMtQBwsAF85i=xHmWN3PuGRkJEci+_PjS3LDXi7NgHyYg@mail.gmail.com>
In-Reply-To: <CABcZeBMtQBwsAF85i=xHmWN3PuGRkJEci+_PjS3LDXi7NgHyYg@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
dlp-product: dlpe-windows
dlp-version: 11.0.0.116
dlp-reaction: no-action
x-originating-ip: [10.22.254.138]
Content-Type: multipart/alternative; boundary="_000_1F436ED13A22A246A59CA374CBC543998B5CCEFDORSMSX111amrcor_"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic/IXdqnd2y7E4v4dpJjY7epDyBI78>
X-BeenThere: quic@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Main mailing list of the IETF QUIC working group <quic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic>, <mailto:quic-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic/>
List-Post: <mailto:quic@ietf.org>
List-Help: <mailto:quic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic>, <mailto:quic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 25 Mar 2018 01:09:11 -0000

From talking to several of the folks last week, I understand that unlinkability is the goal of this protocol and there may be some flexibility in how that can be achieved.

Christian’s e-mail has a detailed list of options.  Here is the list of favored options as I understand them.



1.      Packet number encrypted as current suggestion - The current proposal for PR 1079, uses a two stage serialized approach such that the stream header(s) and payload(s) need to be encrypted and the outcome of encryption forms the nonce of the packet number encryption.


2.      Packet number encrypted alternative 1 - One of the ideas suggested was to encrypt the stream header(s) and payload(s) with the packet number as nonce, but have an additional nonce in the clear to encrypt the packet number. A scheme like this can allow for these two encryption operations to occur in parallel. This still has the issue of serialization in decrypt.



3.      Packet number encrypted alternative 2 – Another option is to generate 2 IVs – one for PN and the other for stream header(s) and payload(s). The nonce can be a random value in the clear. This allows us to encrypt and decrypt the two fields in parallel. The packet number is encrypted so it also solves the ossification problem. Another variation of this is to generate a single IV but use one part of it to encrypt the PN.



4.      PN in the clear – this is a complex scheme and in the discussion with Ian, Jana and Praveen, they seemed to think this may be ok. If folks think this is implementable, then we may need to find an alternate solution for ossification.


Thanks,
Manasi





From: Eric Rescorla [mailto:ekr@rtfm.com]
Sent: Saturday, March 24, 2018 3:18 PM
To: Mikkel Fahnøe Jørgensen <mikkelfj@gmail.com>
Cc: Kazuho Oku <kazuhooku@gmail.com>; Deval, Manasi <manasi.deval@intel.com>; Christian Huitema <huitema@huitema.net>; IETF QUIC WG <quic@ietf.org>
Subject: Re: Hardware acceleration and packet number encryption



On Sat, Mar 24, 2018 at 9:35 PM, Mikkel Fahnøe Jørgensen <mikkelfj@gmail.com<mailto:mikkelfj@gmail.com>> wrote:
AERO: I did not read all of it, but it does indeed sound esoteric.
It can do two things of interest: reduce space used by packet numbers, and presumably fix the encryption issue.

However, it has a W parameter which is the limit of reordering which is default 64 and recommended at most 255 for security reasons. This is way way too low (I would assume) if packet clusters take multiple transatlantic paths.

That's just a function of how the packet numbers are encoded. It's not difficult to come up with a design that tolerates more reordering.

-Ekr


If we accepted such a limit, I could very trivially come up with an efficient solution to PN encryption. Since we cover at most 64 packets, we only need a 5 bit packet number and reject false positives on AEAD tag. To simplify, make it 8 bits. The algorithm is to AES encrypt a counter similar to a typical AES based PRNG. Then, for each packet take one byte from the stream and use it as packet number. The receiver creates the same stream and maps the received byte to an index it has. It might occasionally have to try multiple packet numbers since the mapping is not unique. Longer packet numbers reduce this conflict ratio. To help with this detection some short trial decryption might be included. The PN size can be extended as needed.

The cost of doing this is much lower than direct encryption for as proposes in PR because 1) a single encryption covers multiple packets, 2) the encryption can be parallelised resulting in a 4-5 fold performance increase. Combined this results in sub-nanosecond overhead for AES-NI.

However, you have to deal with uncertainties which is why this isn’t a very good idea unless you have some very good knowledge of the traffic pattern. It also complicates HW offloading, but I don’t see why it couldn’t be done efficiently.


Mikkel


On 24 March 2018 at 17.26.47, Eric Rescorla (ekr@rtfm.com<mailto:ekr@rtfm.com>) wrote:
3. A more exotic solution like AERO (https://tools.ietf.org/html/draft-mcgrew-aero-00#ref-MF07)..

v2.23.0 | Report a Bug | By Email