IETF Logo Mail Archive

Re: Packet number encryption

Kazuho Oku <kazuhooku@gmail.com> Mon, 05 February 2018 13:35 UTC

Return-Path: <kazuhooku@gmail.com>
X-Original-To: quic@ietfa.amsl.com
Delivered-To: quic@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0839B12D77E for <quic@ietfa.amsl.com>; Mon, 5 Feb 2018 05:35:36 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jzVt_MTr-ixj for <quic@ietfa.amsl.com>; Mon, 5 Feb 2018 05:35:33 -0800 (PST)
Received: from mail-pg0-x233.google.com (mail-pg0-x233.google.com [IPv6:2607:f8b0:400e:c05::233]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1501A12426E for <quic@ietf.org>; Mon, 5 Feb 2018 05:35:33 -0800 (PST)
Received: by mail-pg0-x233.google.com with SMTP id o13so18537428pgs.2 for <quic@ietf.org>; Mon, 05 Feb 2018 05:35:33 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=UENHbzDbwoHGUmkEGXnXJxhcUPghSyGl9EoJbBya2AU=; b=PwFLwE7FI+0NGLLoyc9ig0HYi4+qzx0d8VE02UuTeVQhCgYBiXrBgiy+fqoWiIxR7W O4php29quYFqPs1xMz1SarfdhmQ3xsROhSVTZISDI6LvjsZ8PywDxG1wawvcjXly7uBS ger1PZM38MKZhYY9B0I7CdheuJL4BoZgtNTnvrhsTLxMdt5TMHw9OHvxtfvY9LfXbjLH qi0K+yrNkGPbTeE2BNyxYRc60Sy6OKeTRcSTGQZxpjKev+JTplqrpbYjbqQoXFoMON71 NWtIGlxkH3tWjtlaznxHV9Y8eqDiH63Qc2SG1YkN05RDWuIOwxVGQy4kkIfvjI7YluWI Pyag==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=UENHbzDbwoHGUmkEGXnXJxhcUPghSyGl9EoJbBya2AU=; b=kQ8C2HUGxlvqbS+65YbmyP79GpA10IMULaKXpdDclKB+7mrh5KdsZlzlCKy5Nbst67 kJnaOX3V3Bst6KVxO85qjhLS8vZTHUE8jSbzoNFKB2j3LXF4FmbUHFoU2E5oh/94Avc3 r6eE9AeB956KSctzufeh6hawF/hMmgqVRE9GjSvjGKGpJcUuZBVFdh4vahWUYwyRptVd ltH7tRZ4gC4elQoWn7fzpFbUht24JEfjKbMe+3YPqNNitALeI+oGKkw0LCCXUsNrPuz0 hsm/R8jZUP+13FQrvps8i/yqTDDZ+bVpiTNtqqF+Iw6C0mS0wGY+6zvY07ndNxUdulF6 GfPw==
X-Gm-Message-State: AKwxyte6zSP3OUalZD5NYEdc35kMyQL6aP/0IpVfaT0uTURhkY4FxS2e d6NdLYMxVtwJKOkxHGi3Mt/1smQ/L6ud6cYj2iw=
X-Google-Smtp-Source: AH8x224FEpqAi2KTzmgUKTLOyLtSjuwID4gCfPIxOd25Kcs7TG3tox7Xr4tkoBLaP3Ar+bQo99ygE7cnzraBhkZ0T7g=
X-Received: by 10.99.100.198 with SMTP id y189mr7544201pgb.277.1517837732409; Mon, 05 Feb 2018 05:35:32 -0800 (PST)
MIME-Version: 1.0
Received: by 10.236.156.11 with HTTP; Mon, 5 Feb 2018 05:35:31 -0800 (PST)
In-Reply-To: <EEB6849E-B358-49A3-A85D-F3F4A9C6B576@trammell.ch>
References: <CABkgnnVyo3MmWtVULiV=FJTnR528qfY8-OmKGWAs0bCvri-a_g@mail.gmail.com> <1F7FB3B8-A94C-4354-9944-FB09FB8DB68B@trammell.ch> <CABcZeBMbwdwyC9TxxHBLYaZKfNB-FG2wCGjqUZ_mNR-A1R47FA@mail.gmail.com> <9096e5ec-581e-875a-b1dd-bff0b05206fd@huitema.net> <CABkgnnWRQSAufwPss+qf=xAzCwRYeNNH8XLPm3yFaHxOb+ba4g@mail.gmail.com> <BF80500A-6277-45DC-8525-9C3FE138B76D@tik.ee.ethz.ch> <5A7191E0.6010003@erg.abdn.ac.uk> <5214AD93-8376-4B25-922F-AF5551CC2E95@netapp.com> <F990E064-E6F8-41A3-B791-F776C9955E15@nokia.com> <CAGD1bZab0GaZFsHwC+nw3AxxC4VusxMJ6oDanzk3dSDdWKAXdw@mail.gmail.com> <EEB6849E-B358-49A3-A85D-F3F4A9C6B576@trammell.ch>
From: Kazuho Oku <kazuhooku@gmail.com>
Date: Mon, 05 Feb 2018 22:35:31 +0900
Message-ID: <CANatvzzAseF2FxhqNg+6EwqVGioB7v4ez1QNe+KqyAP8-0nS5w@mail.gmail.com>
Subject: Re: Packet number encryption
To: "Brian Trammell (IETF)" <ietf@trammell.ch>
Cc: Jana Iyengar <jri@google.com>, Gorry Fairhurst <gorry@erg.abdn.ac.uk>, Eric Rescorla <ekr@rtfm.com>, "Fossati, Thomas (Nokia - GB/Cambridge, UK)" <thomas.fossati@nokia.com>, Mirja Kühlewind <mirja.kuehlewind@tik.ee.ethz.ch>, "Eggert, Lars" <lars@netapp.com>, Christian Huitema <huitema@huitema.net>, QUIC WG <quic@ietf.org>, Martin Thomson <martin.thomson@gmail.com>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic/OhlD6YeY1zOdFwAqczXMbHeOlh8>
X-BeenThere: quic@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Main mailing list of the IETF QUIC working group <quic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic>, <mailto:quic-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic/>
List-Post: <mailto:quic@ietf.org>
List-Help: <mailto:quic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic>, <mailto:quic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 05 Feb 2018 13:35:36 -0000

2018-02-05 6:31 GMT+09:00 Brian Trammell (IETF) <ietf@trammell.ch>:
> hi Jana,
>
>> On 3 Feb 2018, at 03:30, Jana Iyengar <jri@google.com> wrote:
>>
>> A few points as I catch up on this thread.
>>
>> First, I'll remind folks that QUIC is an encrypted transport. I say this because the cost of this operation is trivial in the context of encrypting every packet. The cost is borne at the servers and not at middleboxes, so the additional crypto cost is basically trivial.
>
> After having worked my way through the PR again (and essentially rewriting it from the receiver's point of view, which I believe would be useful text to have in the final document, should we end up doing this), I buy this.
>
>> Second, this simplifies and increases robustness of implementation. Avoiding random PN jumps, as Kazuho points out, makes special-casing of code unnecessary. Special code that is exercised occasionally is a strong bug attractor, and I would strongly argue for as few of those as possible in implementation.
>
> Agree completely. Packet number jumps are a bad idea, and there seems to be a (not explicitly examined) consensus that attempting to make linkability difficult is worth the effort.
>
>> Third, yes, ossification is a real concern. A simple example: using increasing packet numbers as a signature for detecting QUIC. Even if you argue against this example, there are innovative ways in which ossification will happen. This is based on a true story: We had no idea how GQUIC's flags field could get ossified, the value that was being used commonly became used as a signature for QUIC traffic (see Section 7.5 in the SIGCOMM QUIC paper).
>
> There's an overgeneralization of experience from ossification of single static fields (as in the TLS greasing and GUIC flags cases) to functions over the time series of these fields which has not yet been shown to be valid IMO in the case of integrity-protected wire images -- will expand on this in my next message, replying to Roberto.
>
>> There's a win here in terms of implementation complexity and several implementers have said so.
>
> Compared to packet number jumps, absolutely. Compared to the state two revs of the draft ago, it's a *little* more complex but at least it doesn't add completely new operations at the sender or the receiver.
>
>> There's a win in terms of ossification and our experience says so.
>
> That experience is IMO overgeneralized.
>
>> There's a potential loss of manageability, in being able to detect reordering.
>
> Well, upstream loss and upstream reordering.
>
> As Christian suggested at the start of this thread, if we simultaneously add back a signal that would allow on-path loss and reordering detection, that would make this a usable-information-content-neutral change to the wire image, and everyone could leave the table happy.

+1

There are two parties with different interests. Endpoint developers
want something more straightforward to implement and also is safe from
ossification. Operators want a tool for diagnosis.

In TCP, both parties have used the same signal for their tasks.

In QUIC, we can split the signal into two, which can be tailored for
each use-case.

The split would help the protocol evolve (as fit from endpoint
developers' perspective). At the same time, it could also help
operators, since the signal they use can become more stable or evolve
in a different pace (since the changes to the encrypted part of the
protocol will not affect what the operators will see, or vice-versa).

Note also that even in the current unencrypted form, packet numbers of
QUIC is not as easy to use compared to TCP (from operators' viewpoint)
since the numbers monotonically increase and since ACKs are encrypted.
So there's a chance to make the signal more useful by splitting the
signals. Spin bit is a good example.

> The only problem with this is that the most obvious place to put this signal -- the four bits we get back from the short header type field (assuming we add the spin bit) aren't really enough to track the loss and reordering patterns we care about with a naive counter.
>
> There are lots of other options in this space (e.g. decide we care about latency more than reordering, and that we don't care about loss at all, and use a two-bit spin to protect the latency signal from reordering, and so on), but that seems like a third thread we should start.
>
> Cheers,
>
> Brian
>
>> This is the trade-off, and I am still in favor of encrypting packet numbers.
>>
>> On Fri, Feb 2, 2018 at 7:32 AM, Fossati, Thomas (Nokia - GB/Cambridge, UK) <thomas.fossati@nokia.com> wrote:
>> On 31/01/2018, 10:06, "QUIC on behalf of Eggert, Lars" <quic-bounces@ietf.org on behalf of lars@netapp.com> wrote:
>> > On 2018-1-31, at 10:52, Gorry Fairhurst <gorry@erg.abdn.ac.uk> wrote:
>> > > +1 - Simply: This *is* complicated and seems to add little.
>> >
>> > So as an implementor (chair hat off), this adds very little to the
>> > overall complexity of the protocol.
>>
>> This doesn't sound great.  It's a bit like saying that adding the Higgs
>> mechanism to the standard model's lagrangian doesn't make it much more
>> complicate :-)  (*)
>>
>> More seriously though, I'd like to point out that it is not just about
>> implementation complexity, it's also the energy cost per packet that is
>> quite crucial.  I haven't done the math but ISTM that bringing in
>> another batch of non-optional crypto computation on a per packet basis
>> is not going to move the needle in the right direction for stacks that
>> run on low power (IoT).
>>
>> This is not a catastrophe - we have CoAP and a (D)TLS profile - but
>> neither it's ideal, since cutting off the small things from the wider
>> ecosystem creates an artificial gap which then will need a middlebox to
>> bridge.  (Sure, we have specified the behaviour of a similar box
>> already, but it'd be really better if the extra translation logic could
>> be avoided in the first place.)
>>
>> I guess what I'm saying is that PN encryption being a core mechanism
>> that can't be negotiated at handshake time reduces our ability to later
>> profile QUIC for the IoT, which would be a bit unlucky.
>>
>> So the question is: would it be possible to make this property a
>> configurable knob instead?
>>
>> (*) https://www.symmetrymagazine.org/article/the-deconstructed-standard-model-equation
>>
>>
>



-- 
Kazuho Oku

v2.23.0 | Report a Bug | By Email