IETF Logo Mail Archive

Re: Getting to consensus on packet number encryption

"Brian Trammell (IETF)" <ietf@trammell.ch> Mon, 09 April 2018 08:36 UTC

Return-Path: <ietf@trammell.ch>
X-Original-To: quic@ietfa.amsl.com
Delivered-To: quic@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4D9DA127419 for <quic@ietfa.amsl.com>; Mon, 9 Apr 2018 01:36:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 79J-Me9A7Env for <quic@ietfa.amsl.com>; Mon, 9 Apr 2018 01:36:24 -0700 (PDT)
Received: from gozo.iway.ch (gozo.iway.ch [212.25.24.36]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9978E126C19 for <quic@ietf.org>; Mon, 9 Apr 2018 01:36:24 -0700 (PDT)
Received: from gozo.iway.ch (localhost [127.0.0.1]) by localhost (Postfix) with ESMTP id 89512340D44; Mon, 9 Apr 2018 10:36:22 +0200 (CEST)
Received: from localhost (localhost [127.0.0.1]) by localhost (ACF/6597.16195); Mon, 9 Apr 2018 10:36:22 +0200 (CEST)
Received: from switchplus-mail.ch (switchplus-mail.ch [212.25.8.236]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by gozo.iway.ch (Postfix) with ESMTPS; Mon, 9 Apr 2018 10:36:22 +0200 (CEST)
Received: from [145.14.214.39] (account ietf@trammell.ch HELO [10.11.33.5]) by switchplus-mail.ch (CommuniGate Pro SMTP 6.1.18) with ESMTPSA id 51048847; Mon, 09 Apr 2018 10:36:22 +0200
From: "Brian Trammell (IETF)" <ietf@trammell.ch>
Message-Id: <37129F6C-71C2-437D-A6F4-7AC651FDFBE3@trammell.ch>
Content-Type: multipart/signed; boundary="Apple-Mail=_95AE2A92-59EC-47D4-93A8-C9921FA33760"; protocol="application/pgp-signature"; micalg="pgp-sha512"
Mime-Version: 1.0 (Mac OS X Mail 11.3 \(3445.6.18\))
Subject: Re: Getting to consensus on packet number encryption
Date: Mon, 09 Apr 2018 10:36:21 +0200
In-Reply-To: <9BCB9BA5-A282-445A-B7A1-8F7C539C28F9@mnot.net>
Cc: Praveen Balasubramanian <pravb@microsoft.com>, Lars Eggert <lars@eggert.org>, IETF QUIC WG <quic@ietf.org>, Martin Thomson <martin.thomson@gmail.com>, Patrick McManus <pmcmanus@mozilla.com>, Kazuho Oku <kazuhooku@gmail.com>
To: Mark Nottingham <mnot@mnot.net>
References: <7fd34142-2e14-e383-1f65-bc3ca657576c@huitema.net> <F9FCC213-62B9-437C-ADF9-1277E6090317@gmail.com> <CABcZeBM3PfPkqVxPMcWM-Noyk=M2eCFWZw2Eq-XytbHM=0T9Uw@mail.gmail.com> <CAN1APdfjuvd1eBWCYedsbpi1mx9_+Xa6VvZ3aq_Bhhc+HN67ug@mail.gmail.com> <CABcZeBMtQBwsAF85i=xHmWN3PuGRkJEci+_PjS3LDXi7NgHyYg@mail.gmail.com> <1F436ED13A22A246A59CA374CBC543998B5CCEFD@ORSMSX111.amr.corp.intel.com> <CABcZeBNfPsJtLErBn1=iGKuLjJMo=jEB5OLxDuU7FxjJv=+b=A@mail.gmail.com> <1F436ED13A22A246A59CA374CBC543998B5CDAD4@ORSMSX111.amr.corp.intel.com> <BBB8D1DE-25F8-4F3D-B274-C317848DE872@akamai.com> <CAN1APdd=47b2eXkvMg+Q_+P254xo4vo-Tu-YQu6XoUGMByO_eQ@mail.gmail.com> <CAKcm_gMpz4MpdmrHLtC8MvTf5uO9LjD915jM-i2LfpKY384O2w@mail.gmail.com> <HE1PR0702MB3611A67E764EE1C7D1644FAD84AD0@HE1PR0702MB3611.eurprd07.prod.outlook.com> <d8e35569-e939-4064-9ec4-2cccfba2f341@huitema.net> <CACpbDccqKoF-Y1poHMN2cLOK9GOuvtMTPsF-QEen3b30kUo9bg@mail.gmail.com> <CAKcm_gNffwpraF-H2LQBF33vUhYFx0bi_UXJ3N14k4Xj4NmWUw@mail.gmail.com> <40C1F6FE-2B2C-469F-8F98-66329703ED50@mnot.net> <CAOdDvNo9QS=CX5YUWK8Lxs_SYX4nEM7OWv2+zB=VGhOX6J-BEw@mail.gmail.com> <CANatvzyo6xz7Kwh=EJ4GExBM35Dpw_=pLsAYiFA==vVBJwhCXw@mail.gmail.com> <CABkgnnV8ya_YdhU1VE+BuiMvuuZOO1-j-2=YHAGbmdE3OMk7Gg@mail.gmail.com> <CY4PR21MB0630A6AA3D38CC10DC29AB79B6BB0@CY4PR21MB0630.namprd21.prod.outlook.com> <9BCB9BA5-A282-445A-B7A1-8F7C539C28F9@mnot.net>
X-Mailer: Apple Mail (2.3445.6.18)
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic/KwEOd_F8WxtV6k8LHIKYjsFopsM>
X-BeenThere: quic@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Main mailing list of the IETF QUIC working group <quic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic>, <mailto:quic-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic/>
List-Post: <mailto:quic@ietf.org>
List-Help: <mailto:quic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic>, <mailto:quic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 09 Apr 2018 08:36:27 -0000

hi Mark, all,

> On 9 Apr 2018, at 04:54, Mark Nottingham <mnot@mnot.net> wrote:
> 
> Praveen,
> 
> In previous discussions, there's been strong interest in including connection migration -- in a limited form (for the "parking lot" use case) -- in QUICv1 (discussed in Melbourne in some detail; see <https://github.com/quicwg/wg-materials/blob/master/interim-18-01/minutes.md#connection-migration>).
> 
> It looks like the discussion in <https://github.com/quicwg/base-drafts/issues/1271> about making it optional and how that gets indicated / negotiated is going nicely. Thanks for opening an issue.
> 
> AFAICT, (at least) two assumptions need to be proven to have that help the PNE issue:
> 
> a) There isn't a linkability issue during NAT rebinding

Isn't the question we should be asking here "does QUIC with connection migration disabled (and no PNE) have similar linkability characteristics to QUIC with connection migration enabled (and PNE)?"?

I'm still confused as to how PNE is supposed to mitigate linkability across a NAT rebinding that occurs without client knowledge in the presence of a server-supplied CID, which seems to me to be the most common NAT rebinding event type. If it indeed does not, then the linkability characteristics seem identical to me.

> 
> b) Having two packet number schemes is acceptable to implementers (given the probable popularity of migration)
> 
> I haven't yet seen much discussion of either of these specific aspects.
> 
> As an aside -- the other threads about modifications to PNE to make them single-pass seem extremely promising; I'd encourage folks there to continue discussions and make a PR.

+1. Making the design of PNE less problematic for offload and other future optimizations won't solve the underlying requirements problem (i.e. we are both treating linkability among 5-tuple flows by a specific on-path device, the LB, as a requirement to support via CID, as well as a requirement to mitigate linkability among 5-tuple flows by a all generic on-path devices via PNE, which is inherently contradictory  without a very precise definition of under which circumstances which requirement takes precedence). But it will reduce the cost from "probably mostly harmless" to "almost definitely mostly harmless", which should make the decision easier.

Cheers,

Brian


> 
> Cheers,
> 
> 
> 
>> On 6 Apr 2018, at 2:41 am, Praveen Balasubramanian <pravb=40microsoft.com@dmarc.ietf.org> wrote:
>> 
>> Love this idea. Expanding it a bit further I don’t think we need to make PN transform a transport parameter but rather connection migration itself. We could also simply use QUIC versioning for this.
>> 
>> 1. Ship QUIC v1 with no support for connection migration. Servers behind load balancers that are not QUIC aware will only advertise this version. I expect this to be a large fraction of servers especially those hosted in AWS, Azure, GCP. *This is important - I want the group to acknowledge that servers needs to be able to advertise support for connection migration*.
>> 2. Ship QUIC v2 with support for connection migration. If a client and server use this version they MUST do PNE as per #1079. If we find a more efficient scheme before November then we use that instead.
>> 
>> Eventually we will ship QUIV vN which has support for multi-path and we can revisit if PNE is needed or multiple PN spaces will work. Until then I can live with higher CPU cost for the fraction of connections that will migrate.
>> 
>> Now there is the ossification problem in QUIC v1 as referred to above. We already require a random starting PN. The next problem is one that Kazuho brought up where middleboxes will start seeing strict increasing PN and try to reorder. I was thinking about short random jumps to fix this problem but the monotonic increase will remain. While I think sane middleboxes will not do any reordering, there might be a few crazy outliers like with TCP. I think we can solve this by making the in clear PN jump both forward and back within a "reordering degree". I am thinking about some ideas here and will reply back if I find a simple scheme.
>> 
>>>> FWIW, what I got from the info that Praveen and Ian have shared is that there are enough problems to solve with UDP that worrying about the performance hit from encryption is premature
>> Martin, we have plans to make UDP screaming fast in software. But the real advantage for TCP comes from the batch offloads (see email with subject " Impact of hardware offloads on network stack performance"). Batch offloads for QUIC are impossible to do without crypto offload. I would be happy to explain more on this front. I think we will exhaust software optimizations soon and then get blocked on crypto offload.
>> 
>> 
>> -----Original Message-----
>> From: QUIC [mailto:quic-bounces@ietf.org] On Behalf Of Martin Thomson
>> Sent: Wednesday, April 4, 2018 9:36 PM
>> To: Kazuho Oku <kazuhooku@gmail.com>
>> Cc: Lars Eggert <lars@eggert.org>; Mark Nottingham <mnot@mnot.net>; IETF QUIC WG <quic@ietf.org>; Patrick McManus <pmcmanus@mozilla.com>
>> Subject: Re: Getting to consensus on packet number encryption
>> 
>> On Thu, Apr 5, 2018 at 10:57 AM, Kazuho Oku <kazuhooku@gmail.com> wrote:
>>> It is true that #1079 has issues with hardware crypto offload. I am
>>> happy to support switching to a better encryption scheme (if we find
>>> one) at any moment; e.g., during the standardization of QUICv1, or as
>>> an extension to v1, or part of vX.
>> 
>> Until this came up, I hadn't considered the use of an extension/transport parameter to negotiate a new scheme, but it's obvious.  This fits best with my view of things.
>> 
>> If that means that we get the DC-QUIC option that turns the packet number encryption function into identity or some cheaper function, then I think that's an OK outcome.  We should stop pretending that one size fits all is achievable; it's not been the case for years already.
>> 
>> FWIW, what I got from the info that Praveen and Ian have shared is that there are enough problems to solve with UDP that worrying about the performance hit from encryption is premature.
>> 
> 
> --
> Mark Nottingham   https://www.mnot.net/
>

v2.23.0 | Report a Bug | By Email