IETF Logo Mail Archive

Re: Hardware acceleration and packet number encryption

Watson Ladd <watsonbladd@gmail.com> Thu, 29 March 2018 01:54 UTC

Return-Path: <watsonbladd@gmail.com>
X-Original-To: quic@ietfa.amsl.com
Delivered-To: quic@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id D5398129502 for <quic@ietfa.amsl.com>; Wed, 28 Mar 2018 18:54:20 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ietf.org; s=ietf1; t=1522288460; bh=ZgN5klHR8vTD5SuBDt66dmXs+aSXt8pZUs1aFlO8mec=; h=In-Reply-To:References:From:Date:Subject:Cc:To; b=UbB3M7nNe0fx8kmQFthZuWnkHqbuld3ftYxdR9iPHeTBXK3pplJ/b5BeIpORd7/bB 677++toZgDpPSdugoO00W2/XtmtcB5p75VbLPt9IRsv/TLVNN5T/vRxmOj5Cq/r5BV sW3zd8yTMtkbCl26MNvOY4jFxoyZjxbS37J3XhHo=
X-Mailbox-Line: From watsonbladd@gmail.com Wed Mar 28 18:54:20 2018
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 8DB6A128C0A; Wed, 28 Mar 2018 18:54:20 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ietf.org; s=ietf1; t=1522288460; bh=ZgN5klHR8vTD5SuBDt66dmXs+aSXt8pZUs1aFlO8mec=; h=In-Reply-To:References:From:Date:Subject:Cc:To; b=UbB3M7nNe0fx8kmQFthZuWnkHqbuld3ftYxdR9iPHeTBXK3pplJ/b5BeIpORd7/bB 677++toZgDpPSdugoO00W2/XtmtcB5p75VbLPt9IRsv/TLVNN5T/vRxmOj5Cq/r5BV sW3zd8yTMtkbCl26MNvOY4jFxoyZjxbS37J3XhHo=
X-Original-To: dmarc-reverse@ietfa.amsl.com
Delivered-To: dmarc-reverse@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6C8F112946D for <dmarc-reverse@ietfa.amsl.com>; Wed, 28 Mar 2018 18:54:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.699
X-Spam-Level:
X-Spam-Status: No, score=-2.699 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fTE_1wbsmNMu for <dmarc-reverse@ietfa.amsl.com>; Wed, 28 Mar 2018 18:54:18 -0700 (PDT)
Received: from mail-qk0-x22c.google.com (mail-qk0-x22c.google.com [IPv6:2607:f8b0:400d:c09::22c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EA815128C0A for <ianswett=40google.com@dmarc.ietf.org>; Wed, 28 Mar 2018 18:54:17 -0700 (PDT)
Received: by mail-qk0-x22c.google.com with SMTP id o5so4512674qki.11 for <ianswett=40google.com@dmarc.ietf.org>; Wed, 28 Mar 2018 18:54:17 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=NTjBU9yYO3X/XjwMQqag1YyIWK/qlqdtkyHyXonIkrY=; b=DBChTX9opqv3uMUW7f4ae5Uj6oWnmdys79Ar03i9q1nfJkwQG+uyXdXS4yrhI9m0Xw 1hjBaKmLVh5s4jNOHYj+Ox4vHAWDLYg6GAeB+ZrjhFG//DWfcmwZ76Brp4src5LflqQ4 pPQs/EMjKNhefZ91pNiES1PREkg9u+G3b9PLvfPx25EkJxg8ip/PBoKRaUh5cKmDzRwm LRYWUrXYkWHXObUt+alxC/D5Nv3WGyM+aGJwdIu3P3HLFY/XrTR0oNth28H2iSguCtJt XuBcet81qsrbPOTKkwXhotMQI+0WR5KS6RMzEBkPE42sCU/x7vWVr1isvHEcDEgKBj3+ OlBA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=NTjBU9yYO3X/XjwMQqag1YyIWK/qlqdtkyHyXonIkrY=; b=Tzfu/r6YwIcnDfk3SJ9H11BMqoQjyH5VvlyfOe8Q6tK66Powq9eJe2wqucedVhcfeR PWa5JpY7ikm/lxUAFghDkEv5drZTaHartPU2QzkTzAqlKDB95v1I6DYdUI/OPZYw1g/U 0WTMqgBTyRiCw5GQaG7XgVDRe1yFNeN8/gNQvakKwEfQajGLTWYXS7McoFG6dk9zAAqo V+KnIv7LojPCZNFxWynXtHAdxB78FaCTRq5TFHtHPjAeWuAy8u9upqKkwsdQxV5vGCIk AZOBVIRBrOYlLZ+hAHc5fAXaOt3GDL+rcLu4kmiRfEXg3BmfYkrzjFQsVPrRYm+kPAhZ rDlA==
X-Gm-Message-State: AElRT7G+7FVrTXy6Fa3mDIlR/dYq+nNRQ1ONxxG5Qqlylq0wwKqzzFhs /0FiunaN032C34VzabRpuYhp2O/JzOysaZRuJm5/kw==
X-Google-Smtp-Source: AIpwx49D7YU4ssFtBMxw/lcreoZnIG/y/FIkcGrT9NJVQxrz3yavDQVJhGNKfeDT4F5TPx7LprMDn6ney5SWI9zpeaY=
X-Received: by 10.55.146.1 with SMTP id u1mr8576852qkd.327.1522288456651; Wed, 28 Mar 2018 18:54:16 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.12.152.225 with HTTP; Wed, 28 Mar 2018 18:54:15 -0700 (PDT)
In-Reply-To: <CAKcm_gNffwpraF-H2LQBF33vUhYFx0bi_UXJ3N14k4Xj4NmWUw@mail.gmail.com>
References: <7fd34142-2e14-e383-1f65-bc3ca657576c@huitema.net> <F9FCC213-62B9-437C-ADF9-1277E6090317@gmail.com> <CABcZeBM3PfPkqVxPMcWM-Noyk=M2eCFWZw2Eq-XytbHM=0T9Uw@mail.gmail.com> <CAN1APdfjuvd1eBWCYedsbpi1mx9_+Xa6VvZ3aq_Bhhc+HN67ug@mail.gmail.com> <CABcZeBMtQBwsAF85i=xHmWN3PuGRkJEci+_PjS3LDXi7NgHyYg@mail.gmail.com> <1F436ED13A22A246A59CA374CBC543998B5CCEFD@ORSMSX111.amr.corp.intel.com> <CABcZeBNfPsJtLErBn1=iGKuLjJMo=jEB5OLxDuU7FxjJv=+b=A@mail.gmail.com> <1F436ED13A22A246A59CA374CBC543998B5CDAD4@ORSMSX111.amr.corp.intel.com> <BBB8D1DE-25F8-4F3D-B274-C317848DE872@akamai.com> <CAN1APdd=47b2eXkvMg+Q_+P254xo4vo-Tu-YQu6XoUGMByO_eQ@mail.gmail.com> <CAKcm_gMpz4MpdmrHLtC8MvTf5uO9LjD915jM-i2LfpKY384O2w@mail.gmail.com> <HE1PR0702MB3611A67E764EE1C7D1644FAD84AD0@HE1PR0702MB3611.eurprd07.prod.outlook.com> <d8e35569-e939-4064-9ec4-2cccfba2f341@huitema.net> <CACpbDccqKoF-Y1poHMN2cLOK9GOuvtMTPsF-QEen3b30kUo9bg@mail.gmail.com> <CAKcm_gNffwpraF-H2LQBF33vUhYFx0bi_UXJ3N14k4Xj4NmWUw@mail.gmail.com>
From: Watson Ladd <watsonbladd@gmail.com>
Date: Wed, 28 Mar 2018 18:54:15 -0700
Message-ID: <CACsn0ckbthsn6V+0ccqZG=PF6BY74rAg-+Wwa7h=4tavOzCs+A@mail.gmail.com>
Subject: Re: Hardware acceleration and packet number encryption
Cc: Jana Iyengar <jri.ietf@gmail.com>, IETF QUIC WG <quic@ietf.org>, Christian Huitema <huitema@huitema.net>
Content-Type: text/plain; charset="UTF-8"
To: Ian Swett <ianswett@google.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic/PPJRnUikzGOlk4tac0nLZc3ES0M>
X-BeenThere: quic@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Main mailing list of the IETF QUIC working group <quic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic>, <mailto:quic-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic/>
List-Post: <mailto:quic@ietf.org>
List-Help: <mailto:quic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic>, <mailto:quic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 29 Mar 2018 01:54:21 -0000

On Wed, Mar 28, 2018 at 5:39 PM, Ian Swett
<ianswett=40google.com@dmarc.ietf.org> wrote:
> Thanks for the nice summary Jana.
>
> As much as I'd love to have easier crypto HW acceleration, I've ended up
> arriving at the same conclusion.  I don't want to bite off the work to do
> proper multipath in QUIC v1, which I think is the only other reasonable
> option of those Christian outlined.
>
> If someone comes up with a way to transform packet number to make it
> non-linkable, but doesn't have the downside of making hardware offload
> difficult, then I'm open to it.  But we've been talking about this for 2
> months without any notable improvements over Martin's PR.
>
> Given we never talk about any issue only once in QUIC, I'm sure this will
> come up again, but for the time being I think #1079 is the best option we
> have.

I am not so sure this is right. Some proposals I've seen upthread:
- Use a 64 bit blockcipher to encrypt the sequence number
- Various online modes that may or may not be a good idea

And another idea I just had:
-Put the encrypted packet number last in the buffer so it gets
outputed at the right time for transmitting hardware, and then have
the receiving hardware copy the bytes to the front before passing it
through the decryptor.

Admittedly I don't understand the constraints on hardware that might
be a problem for these approaches, but I don't think we are quite
licked yet.

Sincerely,
Watson
>
>
>
> On Wed, Mar 28, 2018 at 8:03 PM Jana Iyengar <jri.ietf@gmail.com> wrote:
>>
>> A few quick thoughts as I catch up on this thread.
>>
>> I spent some time last week working through a design using multiple PN
>> spaces, and it is quite doable. I suspect we'll head towards multiple PN
>> spaces as we consider multipath in the future. That said, there is
>> complexity (as Christian notes). This complexity may be warranted when doing
>> multipath in v2 or later, but I'm not convinced that this is necessary as a
>> design primitive for QUICv1.
>>
>> We may want to creatively use the PN bits in v2, say to encode a path ID
>> and a PN, for multipath. We want to retain flexibility in these bits going
>> into v2. We've used encryption to ensure that we don't lose flexibility
>> elsewhere in the header, and it follows that we should use PNE to retain
>> flexibility in these bits as well. (Simplicity of design is the other value
>> in using PNE, since handling migration linkability is non-trivial without
>> it.)
>>
>> This leaves the question of HW acceleration being at loggerheads with the
>> design in PR #1079. First, I expect that the primary benefit of acceleration
>> will be in DC environments. Yes, there are some gains to be had in serving
>> the public Internet as well, but I'm unconvinced that this is the driving
>> use case for hardware acceleration. I understand that others may disagree
>> with me here.
>>
>> AFAIK, QUIC has not been used in DC environments yet. I expect there are
>> other things in the protocol that we'd want to change as we gain experience
>> deploying QUIC in DCs. Spinning up a new version to try QUIC within DCs is
>> not only appropriate, I would recommend it. This allows for rapid iterations
>> internally, and the experience can drive subsequent changes to QUIC. It's
>> what *I* would do if I was to deploy QUIC inside a DC.
>>
>> So, in short, I think we should go ahead with PR# 1079. This ensures that
>> future versions are guaranteed the flexibility to change the PN bits for
>> better support of HW acceleration or multipath or what-have-you.
>>
>> - jana
>>
>> On Mar 26, 2018 9:41 AM, "Christian Huitema" <huitema@huitema.net> wrote:
>>
>>
>> On 3/26/2018 8:20 AM, Swindells, Thomas (Nokia - GB/Cambridge) wrote:
>>
>> Looking at
>> https://en.wikipedia.org/wiki/AES_instruction_set#Intel_and_AMD_x86_architecture
>> it seems to imply a large range of server, desktop and mobile chips all have
>> a CPU instruction set available to do AES acceleration and other similar
>> operations (other instruction sets are also available).
>>
>> If we are considering the AES instructions then it looks like it is (or at
>> least will be in the near future) a sizeable proportion of the public
>> internet have it to be used.
>>
>>
>> Certainly, but that's not the current debate. PR #1079 is fully compatible
>> with use of the AES instructions. The issue of the debate is that the
>> mechanism in PR #1079 required double buffering, first encrypt the payload,
>> then use the result of the encryption to encrypt the PN. This is not an
>> issue in a software implementation that can readily access all bytes of the
>> packet from memory, but it may be an issue in some hardware implementations
>> that are designed to do just one pass over the data.
>>
>>
>> -- Christian Huitema
>>
>>
>>
>



-- 
"Man is born free, but everywhere he is in chains".
--Rousseau.

v2.23.0 | Report a Bug | By Email