IETF Logo Mail Archive

RE: Removing packet number gaps

Marcus Ihlar <marcus.ihlar@ericsson.com> Wed, 03 January 2018 10:37 UTC

Return-Path: <marcus.ihlar@ericsson.com>
X-Original-To: quic@ietfa.amsl.com
Delivered-To: quic@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 065BE12D864 for <quic@ietfa.amsl.com>; Wed, 3 Jan 2018 02:37:23 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.22
X-Spam-Level:
X-Spam-Status: No, score=-4.22 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ericsson.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id G-M5QkLlixgP for <quic@ietfa.amsl.com>; Wed, 3 Jan 2018 02:37:21 -0800 (PST)
Received: from sesbmg23.ericsson.net (sesbmg23.ericsson.net [193.180.251.37]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 084B2126579 for <quic@ietf.org>; Wed, 3 Jan 2018 02:37:20 -0800 (PST)
X-AuditID: c1b4fb25-48bff7000000341b-a5-5a4cb25e43b8
Received: from ESESSHC012.ericsson.se (Unknown_Domain [153.88.183.54]) by sesbmg23.ericsson.net (Symantec Mail Security) with SMTP id 3A.D2.13339.E52BC4A5; Wed, 3 Jan 2018 11:37:18 +0100 (CET)
Received: from EUR01-VE1-obe.outbound.protection.outlook.com (153.88.183.145) by oa.msg.ericsson.com (153.88.183.54) with Microsoft SMTP Server (TLS) id 14.3.352.0; Wed, 3 Jan 2018 11:37:17 +0100
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ericsson.onmicrosoft.com; s=selector1-ericsson-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=Q2V7Wn4fPv1e7LIPgZqV7TqIY4rphAoCUj2mhInuMOQ=; b=koJWXfv3IxEMLIMJbD1tZhWyQ0HjqOoUtLQ2ul0JwBygB5hmBFz5eAtjNbQH49CJp0sYVTLNP4ruoAjW7JFL+HwdWaD7iP9BA6O306DBZKrG5kVcwqV0wKVDidWtZls5Ws6WoO3jv2Q3oa1yHh//y/Ke6T24I9y2996ziGRDjj8=
Received: from HE1PR07MB3242.eurprd07.prod.outlook.com (10.170.246.21) by HE1PR07MB0874.eurprd07.prod.outlook.com (10.162.24.23) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256) id 15.20.386.4; Wed, 3 Jan 2018 10:37:15 +0000
Received: from HE1PR07MB3242.eurprd07.prod.outlook.com ([fe80::3869:27c2:9170:a94]) by HE1PR07MB3242.eurprd07.prod.outlook.com ([fe80::3869:27c2:9170:a94%13]) with mapi id 15.20.0386.005; Wed, 3 Jan 2018 10:37:15 +0000
From: Marcus Ihlar <marcus.ihlar@ericsson.com>
To: "roni.even@huawei.com" <roni.even@huawei.com>, "ilubashe@akamai.com" <ilubashe@akamai.com>, "martin.thomson@gmail.com" <martin.thomson@gmail.com>, "quic@ietf.org" <quic@ietf.org>
Subject: RE: Removing packet number gaps
Thread-Topic: Removing packet number gaps
Thread-Index: AQHTg20JC35thA3ROUS25Zv3cFsDDaNf2DsAgABCMoCAAduUQA==
Date: Wed, 03 Jan 2018 10:37:15 +0000
Message-ID: <HE1PR07MB324279ADA2AB8A0683E94BF5E21E0@HE1PR07MB3242.eurprd07.prod.outlook.com>
References: <CABkgnnW89B+5Qo0u_+Wr5K0wCRZ3Wp-+CTWJbHRGGwD06hn-zw@mail.gmail.com> <78d51955754d41f081561ffca6f23dee@usma1ex-dag1mb5.msg.corp.akamai.com> <6E58094ECC8D8344914996DAD28F1CCD85C616@DGGEMM506-MBX.china.huawei.com>
In-Reply-To: <6E58094ECC8D8344914996DAD28F1CCD85C616@DGGEMM506-MBX.china.huawei.com>
Accept-Language: sv-SE, en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [192.176.1.95]
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1; HE1PR07MB0874; 7:DFRt2SgKDtNv3prMzd0zERLWQWpH5TLQHMz6U9KkPfgPdUzUSVACOevUa4yYZOARvWvTolEU1hbKbkAuaU/5ZFrjVTivZ/NoGRXWYXM+6WswQpLzD0AwxggWfbkzU+8RhOKv4Vqwth8/azgLG1dVklYAypuf+KNIIa3zZZGEawbwxKa6v2DrMmQCg4pYfFhPnkWNO0weVKTXfTjUa18EFQYRAngPo7u/mNsViLZTKPs91m0l1mYzBLlKKFT1s8AR
x-ms-exchange-antispam-srfa-diagnostics: SSOS;
x-ms-office365-filtering-correlation-id: 3dac8737-0579-4561-b9b4-08d55295f513
x-microsoft-antispam: UriScan:; BCL:0; PCL:0; RULEID:(7020020)(5600026)(4604075)(3008032)(4534040)(4602075)(4627136)(201703031133081)(201702281549075)(2017052603307)(7153060); SRVR:HE1PR07MB0874;
x-ms-traffictypediagnostic: HE1PR07MB0874:
x-microsoft-antispam-prvs: <HE1PR07MB0874808410270752E9A343AFE21E0@HE1PR07MB0874.eurprd07.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(158342451672863);
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(6040470)(2401047)(5005006)(8121501046)(10201501046)(93006095)(93001095)(3002001)(3231023)(944501075)(6041268)(20161123562045)(20161123560045)(20161123564045)(201703131423095)(201702281528075)(20161123555045)(201703061421075)(201703061406153)(20161123558120)(6072148)(201708071742011); SRVR:HE1PR07MB0874; BCL:0; PCL:0; RULEID:(100000803101)(100110400095); SRVR:HE1PR07MB0874;
x-forefront-prvs: 0541031FF6
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(396003)(39380400002)(39860400002)(376002)(366004)(346002)(13464003)(51444003)(199004)(189003)(14454004)(6116002)(3660700001)(229853002)(3280700002)(106356001)(6246003)(478600001)(81156014)(105586002)(3480700004)(3846002)(110136005)(97736004)(39060400002)(8936002)(81166006)(25786009)(8676002)(316002)(74316002)(305945005)(5660300001)(55016002)(7736002)(68736007)(2201001)(102836004)(5250100002)(9686003)(6436002)(33656002)(2906002)(66066001)(7696005)(86362001)(59450400001)(99286004)(53546011)(2501003)(6506007)(76176011)(53936002)(2950100002)(2900100001); DIR:OUT; SFP:1101; SCL:1; SRVR:HE1PR07MB0874; H:HE1PR07MB3242.eurprd07.prod.outlook.com; FPR:; SPF:None; PTR:InfoNoRecords; A:1; MX:3; LANG:en;
received-spf: None (protection.outlook.com: ericsson.com does not designate permitted sender hosts)
authentication-results: spf=none (sender IP is ) smtp.mailfrom=marcus.ihlar@ericsson.com;
x-microsoft-antispam-message-info: 0yQyjKFm+os+Txlwtv2wyNnz+KtmRA8KBNsDuHEhOev6T6dJJnKFgBw6jHmhDCmv6DyPw7C79Scj/b4+WuE2IQ==
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-Network-Message-Id: 3dac8737-0579-4561-b9b4-08d55295f513
X-MS-Exchange-CrossTenant-originalarrivaltime: 03 Jan 2018 10:37:15.7796 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 92e84ceb-fbfd-47ab-be52-080c6b87953f
X-MS-Exchange-Transport-CrossTenantHeadersStamped: HE1PR07MB0874
X-OriginatorOrg: ericsson.com
X-Brightmail-Tracker: H4sIAAAAAAAAA02SfyyUcRzH+97znHtcXX1dzGekuNXCciqtaamlGldpqVWzm+HkCTnH7pFF E4XhaCMy5xanGdGwxMJslW5MU6YaC+d35mcrs/yKusdzbf33/rxf732+n89nX4oQF/HtqEhV HK1WKZQSCyGpDXh11C2o3k9+8EnHHs8HKc8Iz96uDeSZo9/qudDeTZ4iZfkGPSFrLjYKZGmG eb6svHyF50/KhV5htDIynla7nwwRRmStPiJji5zvvNekEimoYL8GWVKAj8DyolagQUJKjN8h 0E01klzRgeD+UMkmIfFDAjoye/gcKeDBqr6a4IoRBD8XfxNsMwsshS5jtgULrHELgrH6/k2w EzvD/NenSIMoE3CBF+vnWdsan4bM/PzNCIn3QnqLgWAjIhwIfQv2rC3G4wgGX4aw2hJfhdqy KQGrEXaA4aUhktUEtoX+iVIetw+G8tZugtM2MD2+wee0I2S9mTNnHOBTaTZixwTcwIPq2WUz kEJj3jzi9EUoq/hGcqHXCFYW58xdXUFrbBewgwKOgsdDjpx9HKpmfvC5/HMCMtZaBRzYBRlf isyvTfJhVKPnc6vRUFmTjnKRtPi/LYpNfQnTjepa3DnbCQqyRwWsFmEr6NROkHpEViMbhmZC o8MPe0hpdeQNholRSVV0XD0y/Ze3DWv7mtDnOe82hCkk2SY6UeEnF/MV8UxCdBsCipBYi3xu mSxRmCIhkVbHBKtvK2mmDdlTpMRW1HlOJBfjcEUcHUXTsbT6H+VRlnYpKCTEKfJDzc3BXjen yvAdac108pm+3oyzzHp7UO2k+x+jWDcwm1PnnXjhSuF133tdB6aTZN+9tSMGD8X20LSl1t3J /XaLPoG5w0ELHkleH8ergnU9TYWhStsIqVW8y/yWy9dmLhnq8pDvrxHJWMlMlWogv1BXZncs 1faukcfzbwyQkEyE4pAroWYUfwHaHmw7KwMAAA==
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic/NogaGM5-Z1XRMEfs8PBEJXRF90I>
X-BeenThere: quic@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Main mailing list of the IETF QUIC working group <quic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic>, <mailto:quic-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic/>
List-Post: <mailto:quic@ietf.org>
List-Help: <mailto:quic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic>, <mailto:quic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 03 Jan 2018 10:37:23 -0000

+1
Consecutive packet numbers are important for spin bit observers.

/Marcus
-----Original Message-----
From: QUIC [mailto:quic-bounces@ietf.org] On Behalf Of Roni Even (A)
Sent: den 2 januari 2018 07:12
To: Lubashev, Igor <ilubashe@akamai.com>; Martin Thomson <martin.thomson@gmail.com>; QUIC WG <quic@ietf.org>
Subject: RE: Removing packet number gaps

+1
Roni

-----Original Message-----
From: QUIC [mailto:quic-bounces@ietf.org] On Behalf Of Lubashev, Igor
Sent: Tuesday, January 02, 2018 4:15 AM
To: Martin Thomson; QUIC WG
Subject: RE: Removing packet number gaps

Could we use PLUS instead of XOR?  My understanding is that there is little cryptographic difference between XOR and PLUS, and it is nicer to have consecutive packet numbers on the wire...

-----Original Message-----
From: Martin Thomson [mailto:martin.thomson@gmail.com]
Sent: Monday, January 01, 2018 8:57 PM
To: QUIC WG <quic@ietf.org>
Subject: Removing packet number gaps

There are number of problems with packet number gaps that I think we need to address.  Most are minor.  For instance, the initial packet number is not close to zero, which inflates the size of ACK frames from the very beginning of a connection.

However, Christian just identified one that I think makes this more important to address: when using a new connection ID, the gap is the same size on both client and server.  This makes flows linkable.  The gaps between the last packet on the old flow and the first packet on the new flow can be calculated in both directions.  Flows can be linked by finding flows where client-to-server packets have the same (or very close) gaps as server-to-client packets.

With a few small tweaks to the current design, I think that we get a much better solution.  Here is what I propose:

Firstly, packet numbers start at zero and always increase monotonically, with no gaps.  A side benefit of this is that the first ACK frame will have a small encoding for largest_acknowledged (1 octet rather than 8 in most cases).

Packet numbers are never encoded directly onto the wire, they are XORed with a masking value.  This value will change for different packet protection keys, and for different connection IDs.  Client and server will use different values so that gaps are hard to detect.

Thus, we will have a third key derivation:

   key = QHKDF-Expand(S, "key", key_length)
   iv  = QHKDF-Expand(S, "iv", iv_length)
   pnmask = QHKDF-Expand(S, "pnmask", 4)

To make this work seamlessly, I'm proposing a tweak to QHKDF-Expand that includes the connection ID.  For that, the "Context" field that we currently do not use seems like a good choice.

This will mean changes to the other uses of QHKDF-Expand:

* the handshake secret can be changed to be a fixed rather than a derived value, so that we don't need to use the function (connection ID will be added during expansion into the separate keys)

* during a key update, a zero-length or fixed connection ID will need to be used so that there is no confusion about which connection ID was in use at the time the update was made (editorially, I'm not certain how to manage this one, I might just go back to using HKDF-Expand-Label directly for that)

Finally, we need to be very clear that even if the connection ID is omitted, those packets still use the implied connection ID in key derivation.  We will probably want to recommend that endpoints include a connection ID if they intend to support NEW_CONNECTION_ID or any of the related functions, at least around the time when a connection ID change is in place or the recipient of their packets could have difficulty picking the right keys.  This is already a problem of course, but this change would make it worse.

v2.23.0 | Report a Bug | By Email