IETF Logo Mail Archive

Re: Packet number encryption

Ted Hardie <ted.ietf@gmail.com> Thu, 01 February 2018 00:33 UTC

Return-Path: <ted.ietf@gmail.com>
X-Original-To: quic@ietfa.amsl.com
Delivered-To: quic@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AB3BD12E037 for <quic@ietfa.amsl.com>; Wed, 31 Jan 2018 16:33:12 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pi1qXncnMH8w for <quic@ietfa.amsl.com>; Wed, 31 Jan 2018 16:33:10 -0800 (PST)
Received: from mail-ot0-x22f.google.com (mail-ot0-x22f.google.com [IPv6:2607:f8b0:4003:c0f::22f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E5D1A12D835 for <quic@ietf.org>; Wed, 31 Jan 2018 16:33:09 -0800 (PST)
Received: by mail-ot0-x22f.google.com with SMTP id a2so3860609otf.2 for <quic@ietf.org>; Wed, 31 Jan 2018 16:33:09 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=lY31CdCIaN97IldnCkaIZBM9diCOdcUUb8Pd/P2QdHQ=; b=FMCD3UnqZ1WBsbImOp4vLHAe3+K4c74WmuR76gULVepW49MAEi8ptgxQ+tsZy2xplq l5zUIFIk0FVt49+fu90P/pLDIJgY9yIFxhEzsB2x7gf99RCONDq9EdE50F7/RV7LFIdE IEqKrxeqglYVFErweegnGdvYrJf588Q1+qx7zSic9HswYKxsIGDWh2+h3k9qO7iE7FCN IzswI8CwTMtmXWqwDb/AbpnzbJgXowbuvSoSwrAK1LTnj9H3lNsF8L834JnbM+hb7PVo FdEEFDl1WDx0dT763ONHoSn+OeWPT07JHbryvoiBOOi+crLoXJOxN0Ns0SGxCneFEYix SSyg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=lY31CdCIaN97IldnCkaIZBM9diCOdcUUb8Pd/P2QdHQ=; b=Y7YNWoq2H1j0NJv4qeTErjwR/XpRrT7saOyClbiIUEXsAT+lccQltYA0jaUnHOkM6q 6X1/KcoYsQ3w+jYy6dqXxQkoh/S/g+gDByYX4Gdk3AgJccY/keMv8pc3KcfhPRewrFsr YEaNUtHSDn/6M6FFavHL6XLbzVEFdmjBD9N8/6GuRSwsHCbTZy0r+KMKPzr7AJ+U8igt P6zGrJHMu4+QmW7VBxH22ars1yT1lhWVZT3wNqL5JSPk3aZLyeS1lzgmaEtV9pKciZeZ 8J4SoVHuBL87/f4Etff6KSzFj7MiBjWtjLwmQCz7BbbxMSLM186Rav2Uqj8hvIuHUi9n Vz2w==
X-Gm-Message-State: AKwxytcc/NCO3aRR7Y+HntOuS7tweG8mzTAvwUpMX1Db87CzxkHHRYVn CWLIk2080C4+uI5qMBk4Yw1EY3V2uWguJktfyeE=
X-Google-Smtp-Source: AH8x226CcUjFhZn7Lav2s96NdKgnOJIElzmifFtt8916vcZput/v8coB7TBT+VszYaM0AzAUegXrkoNWavsbIgDKw4M=
X-Received: by 10.157.31.47 with SMTP id x44mr1007761otd.165.1517445189087; Wed, 31 Jan 2018 16:33:09 -0800 (PST)
MIME-Version: 1.0
Received: by 10.74.3.71 with HTTP; Wed, 31 Jan 2018 16:32:38 -0800 (PST)
In-Reply-To: <CABkgnnUD5CfhNiRhB897pjbi2MQMbcar89SKEgEJepgOsuUc2A@mail.gmail.com>
References: <CABkgnnVyo3MmWtVULiV=FJTnR528qfY8-OmKGWAs0bCvri-a_g@mail.gmail.com> <1F7FB3B8-A94C-4354-9944-FB09FB8DB68B@trammell.ch> <CABcZeBMbwdwyC9TxxHBLYaZKfNB-FG2wCGjqUZ_mNR-A1R47FA@mail.gmail.com> <9096e5ec-581e-875a-b1dd-bff0b05206fd@huitema.net> <CABkgnnWRQSAufwPss+qf=xAzCwRYeNNH8XLPm3yFaHxOb+ba4g@mail.gmail.com> <BF80500A-6277-45DC-8525-9C3FE138B76D@tik.ee.ethz.ch> <827BA6F8-5CA8-420A-B18B-60D8BC134A46@fb.com> <CABkgnnUD5CfhNiRhB897pjbi2MQMbcar89SKEgEJepgOsuUc2A@mail.gmail.com>
From: Ted Hardie <ted.ietf@gmail.com>
Date: Wed, 31 Jan 2018 16:32:38 -0800
Message-ID: <CA+9kkMCU2VuaOesXjqa44A48KyLV-KRGhV6uXrtmMkpLpJyiBA@mail.gmail.com>
Subject: Re: Packet number encryption
To: Martin Thomson <martin.thomson@gmail.com>
Cc: Roberto Peon <fenix@fb.com>, Brian Trammell <ietf@trammell.ch>, Eric Rescorla <ekr@rtfm.com>, QUIC WG <quic@ietf.org>, Mirja Kühlewind <mirja.kuehlewind@tik.ee.ethz.ch>, Christian Huitema <huitema@huitema.net>
Content-Type: multipart/alternative; boundary="001a113e2b3076362405641bbdeb"
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic/PBUNRM7Hdew20CWyy5scPOcPnCg>
X-BeenThere: quic@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Main mailing list of the IETF QUIC working group <quic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic>, <mailto:quic-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic/>
List-Post: <mailto:quic@ietf.org>
List-Help: <mailto:quic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic>, <mailto:quic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 01 Feb 2018 00:33:13 -0000

On Wed, Jan 31, 2018 at 4:00 PM, Martin Thomson <martin.thomson@gmail.com>
wrote:

> Roberto makes a point I keep forgetting.  This would allow clients to
> alternate between connection IDs in a way that the protocol currently
> cannot support.
>
> And that reminds me of another thing: Jana/Eric's connection migration
> design depends on something like this.  Simpler designs that use a gap
> or randomized offset for each connection ID make linkability trivial
> if you are alternating between paths in the same way that alternating
> between connection IDs might.
>
> If you are using a standard pattern to probe for path availability before
immediate switching, a timing based correlation will work in many cases.
If you can break that linkage, what you need is the ability to use packet
numbers on each path that do not directly correlate in a way visible to the
non-cooperating path elements.   If you only care about the
make-before-break case of probing, you can achieve that much more simply,
but having probe packets use a designated packet number space that doesn't
overlap with the actual connection's packet number space until the
connection is confirmed, and then does random offset.  If you want to use
both paths at the same time, then you have the same problem MPTCP sees with
sequence number offsets in TCP.  That's where I think hiding the packet
numbers actually helps, but we haven't gotten any where close to that
design in the protocol, and there are other ways to achieve the same thing.

I still like this design, but I think we have to be careful in how we
describe its benefits; it's not going to break all linkability and it's not
going to make connection migration or multipath that much easier.  I think
that means we should take Mirja's comments on the implementation costs
seriously.  Ekr has already given an estimate, and I would appreciate
estimates from other groups as well.

Ted


> On Thu, Feb 1, 2018 at 10:25 AM, Roberto Peon <fenix@fb.com> wrote:
> > There are two obvious goals/benefits:
> > 1) Slow/prevent ossification.
> > 2) Raise the barrier higher for tracking/flow correlating.
> >
> > If we have multiple CIDs (which are valid on more than one 5-tuple) and
> “multipath” (one could imagine switching between a bunch of IPv6 addresses
> which go to the same hosts) we can require a higher storage baseline before
> traffic can be correlated. This is where I believe #2 really comes into
> play.
> >
> > #1 is nothing to sneeze at: experience with TCP has shown very real harm
> from having things which allow sequencing of packets in the clear (unable
> to roll out changes which should have been compatible). To me, this is the
> primary use-case: maintaining future flexibility.
> >
> > -=R
> >
> > On 1/30/18, 11:45 PM, "QUIC on behalf of Mirja Kühlewind" <
> quic-bounces@ietf.org on behalf of mirja.kuehlewind@tik.ee.ethz.ch> wrote:
> >
> >
> >
> >     > Am 31.01.2018 um 04:08 schrieb Martin Thomson <
> martin.thomson@gmail.com>:
> >     >
> >     > On Wed, Jan 31, 2018 at 8:00 AM, Christian Huitema <
> huitema@huitema.net> wrote:
> >     >>> (1) An unprivileged on-path device that sees a packet from a
> flow that is
> >     >>> migrated on purpose by an endpoint (i.e., due to connection
> migration or
> >     >>> multipath) should not be able to associate that packet to the
> prior flow.
> >     >>
> >     >> Yes.
> >     >
> >     > Agreed.  This remains the primary target.  I don't think that there
> >     > are any negatives with this design with respect to this use case
> (or
> >     > at least I found nothing in Brian's email on this point).
> >
> >     If that is the goal, I think the complexity of the proposed solution
> is not justified. Just select a new random offset when you migrate but
> increase the packet number monotonously otherwise to support manageability.
> >
> >     I’m really concerned about complexity here. Even though this scheme
> is not very complex, any complexity is a potential source for future
> implementation errors which can also led to restrictions in what changes
> can be deploy with future versions. Making a protocol as simple as possible
> and thereby the spec as easy understandable as possible is also key for
> deployment. If we add complexity here without making it clear what the goal
> or additional benefit is of the complexity, I think that is just wrong.
> >
> >     My 2c.
> >     Mirja
> >
> >
> >
>
>

v2.23.0 | Report a Bug | By Email