IETF Logo Mail Archive

RE: Privacy holes (was: Re: Getting to consensus on packet number encryption)

"Lubashev, Igor" <ilubashe@akamai.com> Fri, 06 April 2018 03:48 UTC

Return-Path: <ilubashe@akamai.com>
X-Original-To: quic@ietfa.amsl.com
Delivered-To: quic@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6CC1912E87D for <quic@ietfa.amsl.com>; Thu, 5 Apr 2018 20:48:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.711
X-Spam-Level:
X-Spam-Status: No, score=-0.711 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=1.989, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=akamai.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Jh2fZTyHVCvl for <quic@ietfa.amsl.com>; Thu, 5 Apr 2018 20:48:53 -0700 (PDT)
Received: from mx0a-00190b01.pphosted.com (mx0a-00190b01.pphosted.com [IPv6:2620:100:9001:583::1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7B71312420B for <quic@ietf.org>; Thu, 5 Apr 2018 20:48:53 -0700 (PDT)
Received: from pps.filterd (m0050093.ppops.net [127.0.0.1]) by m0050093.ppops.net-00190b01. (8.16.0.22/8.16.0.22) with SMTP id w363l6BP008109; Fri, 6 Apr 2018 04:48:42 +0100
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=akamai.com; h=from : to : cc : subject : date : message-id : references : in-reply-to : content-type : mime-version; s=jan2016.eng; bh=Q1Q0TiFHONaIDk+QIYd6QeizMmxvMz62PSGpd/CF6Ig=; b=W8ksehe9QviaTvD/kzfp+SRzPO7Zht2ehABfC5Ff/vdV5KcmRwndtv+UZQsTmX/6FtCQ KLsuOl6oLLXvH2DHfBHl+S42eJEzmIwBaHK8/YCGlgx03+SIv5Hx1xBJ5HTV8W9EajND F4YXBceqZ2ZFd8vWQVtnLmoYTIINNfTdE4IVdhg7y4RWHzeeWdcxAXQOebkzPhzHuJZX 71VcXIYzaptPaeDIFJM0oID6Vd4n93do111R1q7i8hMw02UZc6Ek5X9I4qbxX/6h9nN4 vqTBGjxks6gEX6x3+UWO0NzcnFawo/uwJ58NYuLNcKo9t+mC0t7wVQ9J8j6PUNmvf4Wy VQ==
Received: from prod-mail-ppoint1 (prod-mail-ppoint1.akamai.com [184.51.33.18]) by m0050093.ppops.net-00190b01. with ESMTP id 2h4r0x5vtu-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Fri, 06 Apr 2018 04:48:42 +0100
Received: from pps.filterd (prod-mail-ppoint1.akamai.com [127.0.0.1]) by prod-mail-ppoint1.akamai.com (8.16.0.21/8.16.0.21) with SMTP id w363l9LW003165; Thu, 5 Apr 2018 23:48:41 -0400
Received: from email.msg.corp.akamai.com ([172.27.123.33]) by prod-mail-ppoint1.akamai.com with ESMTP id 2h25nvw0t0-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA384 bits=256 verify=NOT); Thu, 05 Apr 2018 23:48:41 -0400
Received: from USMA1EX-DAG1MB5.msg.corp.akamai.com (172.27.123.105) by usma1ex-dag1mb1.msg.corp.akamai.com (172.27.123.101) with Microsoft SMTP Server (TLS) id 15.0.1365.1; Thu, 5 Apr 2018 23:48:40 -0400
Received: from USMA1EX-DAG1MB5.msg.corp.akamai.com ([172.27.123.105]) by usma1ex-dag1mb5.msg.corp.akamai.com ([172.27.123.105]) with mapi id 15.00.1365.000; Thu, 5 Apr 2018 23:48:40 -0400
From: "Lubashev, Igor" <ilubashe@akamai.com>
To: "martin.thomson@gmail.com" <martin.thomson@gmail.com>, "kazuhooku@gmail.com" <kazuhooku@gmail.com>
CC: "quic@ietf.org" <quic@ietf.org>, "mirja.kuehlewind@tik.ee.ethz.ch" <mirja.kuehlewind@tik.ee.ethz.ch>, "huitema@huitema.net" <huitema@huitema.net>, "fkautz@alumni.cmu.edu" <fkautz@alumni.cmu.edu>
Subject: RE: Privacy holes (was: Re: Getting to consensus on packet number encryption)
Thread-Topic: Privacy holes (was: Re: Getting to consensus on packet number encryption)
Thread-Index: AQHTzPOeCspMmk/31UumuO1CInS8X6PylyoAgAACsQCAAI6AAIAAGGkAgAAH54CAAAZCgP//y3hU
Date: Fri, 06 Apr 2018 03:48:39 +0000
Message-ID: <65cf3a3009944ca288a0cd6768d09339@usma1ex-dag1mb5.msg.corp.akamai.com>
References: <7fd34142-2e14-e383-1f65-bc3ca657576c@huitema.net> <BBB8D1DE-25F8-4F3D-B274-C317848DE872@akamai.com> <CAN1APdd=47b2eXkvMg+Q_+P254xo4vo-Tu-YQu6XoUGMByO_eQ@mail.gmail.com> <CAKcm_gMpz4MpdmrHLtC8MvTf5uO9LjD915jM-i2LfpKY384O2w@mail.gmail.com> <HE1PR0702MB3611A67E764EE1C7D1644FAD84AD0@HE1PR0702MB3611.eurprd07.prod.outlook.com> <d8e35569-e939-4064-9ec4-2cccfba2f341@huitema.net> <CACpbDccqKoF-Y1poHMN2cLOK9GOuvtMTPsF-QEen3b30kUo9bg@mail.gmail.com> <CAKcm_gNffwpraF-H2LQBF33vUhYFx0bi_UXJ3N14k4Xj4NmWUw@mail.gmail.com> <40C1F6FE-2B2C-469F-8F98-66329703ED50@mnot.net> <21C36B57-6AE2-40EF-9549-7196D7FA9B45@tik.ee.ethz.ch> <B176FC07-887D-4135-B01E-FE8B4986A5EE@mnot.net> <CAKcm_gOCeocLyrYpOS7Ud332xdz3xHSH0psPN8T6BGRjoL9ptQ@mail.gmail.com> <CY4PR21MB0630FA0EDD343396AD414641B6A40@CY4PR21MB0630.namprd21.prod.outlook.com> <CAN1APde13JTzCvKFFvMd183Fka6QGD1kGBjsa9fcoLrYeA2hsA@mail.gmail.com> <CY4PR21MB0630C0FD4FBECBFEC3C863BBB6A40@CY4PR21MB0630.namprd21.prod.outlook.com> <759C5BE4-DE4C-4A82-929C-B03234B88A37@huitema.net> <CAJGwveB=qs+J2iBQRs3d5jdGuP9yBWoAgv0t3mwD=Wrf6Q5g8g@mail.gmail.com> <F395D018-FFCA-405F-BBD5-1313C6F6DAF9@huitema.net> <CABkgnnWAgGJaKs8teKTURiNDRA61fRhN6pxYQuD1MbkPDqasKQ@mail.gmail.com> <CANatvzwKCqHQB1Mvp0K+Ref507s3YZCzV0xK=SgM9mAyA7s7yg@mail.gmail.com> <CABkgnnWzoL47g3WcWhP549ssP8p65tQMMKQmBD0taymD1A4EfQ@mail.gmail.com>, <CANatvzykQLWtNk4VPwkoe4n1nY2K0pdhai=NJeRszK1AM5xU=Q@mail.gmail.com>
In-Reply-To: <CANatvzykQLWtNk4VPwkoe4n1nY2K0pdhai=NJeRszK1AM5xU=Q@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ms-exchange-transport-fromentityheader: Hosted
Content-Type: multipart/alternative; boundary="_000_65cf3a3009944ca288a0cd6768d09339usma1exdag1mb5msgcorpak_"
MIME-Version: 1.0
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:, , definitions=2018-04-06_02:, , signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 suspectscore=0 malwarescore=0 phishscore=0 bulkscore=0 spamscore=0 mlxscore=0 mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1711220000 definitions=main-1804060037
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:, , definitions=2018-04-06_02:, , signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 priorityscore=1501 malwarescore=0 suspectscore=0 phishscore=0 bulkscore=0 spamscore=0 clxscore=1015 lowpriorityscore=0 mlxscore=0 impostorscore=0 mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1711220000 definitions=main-1804060037
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic/QutxEdhhP6AYx-ShTwpsEwGcMyk>
X-BeenThere: quic@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Main mailing list of the IETF QUIC working group <quic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic>, <mailto:quic-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic/>
List-Post: <mailto:quic@ietf.org>
List-Help: <mailto:quic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic>, <mailto:quic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 06 Apr 2018 03:48:55 -0000

> The length of DCID can be a signal to the stateless load balancers.

Short headers do not have an explicit CID length, so we are back to validating the integrity of CID, no? What am I missing?

-----Original Message-----
From: Kazuho Oku [kazuhooku@gmail.com]
Received: Thursday, 05 Apr 2018, 10:56PM
To: Martin Thomson [martin.thomson@gmail.com]
CC: Mirja Kühlewind [mirja.kuehlewind@tik.ee.ethz.ch]; QUIC WG [quic@ietf.org]; Christian Huitema [huitema@huitema.net]; Frederick Kautz [fkautz@alumni.cmu.edu]
Subject: Re: Privacy holes (was: Re: Getting to consensus on packet number encryption)

Hi Martin,

Thank you for the response.. My comments inline.

2018-04-06 11:34 GMT+09:00 Martin Thomson <martin.thomson@gmail.com<mailto:martin.thomson@gmail.com>>:
On Fri, Apr 6, 2018 at 12:06 PM, Kazuho Oku <kazuhooku@gmail.com<mailto:kazuhooku@gmail.com>> wrote:
> If I understand correctly, Christian's concern is that some middleboxes
> might only create a hole if the first packet sent by a client (using a new
> port) looks like a Initial packet.

Oh, I didn't get the same impression, but it does seem like a valid
concern.  The idea I had was to have clients migrate often enough that
those middleboxes will see those migrations and not incorrectly assume
that flows have to start with Initial packets.

Of course, migrating often like this might not provide enough
incentive to avoid that practice because clients will likely make new
connections when the old one fails.  But given that this sort of
failure probably involves a timeout before the repair, it's probably
still noticeable enough to generate support tickets (and incentive to
allow the migration to pass).

Existing middleboxes that pass UDP will be fine, so we at least have
that in our favour.

> 1. frequent gratuitous migration by clients, so that middlebox vendors can
> notice that there design is wrong prior to shipping it

That is what this was angling for.  The question being how frequent.

> 3. mimic 0-RTT handshake when gratuitously switching to a new UDP flow
> (depends on #1262)
>
> 1 and 2 have been discussed on this thread. I haven't yet seen 3 being
> discussed.

It has been suggested a few times elsewhere.  The question is how far
you go: do you send Initial and Handshake packets that use the
handshake packet protection and carry apparently real ClientHello and
ServerHello messages?  Do you restrict the flow of packets to match
0-RTT?

> The concerns so far being raised for 1 is that NATs might run out of
> unassigned ports and that switching to a new path might trigger the restart
> of congestion control on large-scale NATs that use multiple public
> addresses.

That is possible, but it depends on how often you attempt this.  CGNAT
does try to keep IP addresses for the same device stable.  If not,
then a congestion controller reset for relatively infrequent
migrations isn't so bad if heuristics fail.  It's only when you have
very frequent migration that the resets becomes burdensome.

How frequent is the issue here.

If it's too frequent, some NATs could run out of unassigned ports, and if depending on their eviction algorithm, shutdown UDP-based flows running other protocols that do not do gratuitous switching. Other NATs could start assigning new public addresses as they run out of unassigned ports.

If it's too infrequent, then the chance of seeing misimplemented middlebox becomes higher.


> The concern so far being raised for 2 is that stateless load balancers would
> be required to decrypt the type field (or the entire packet, depending on
> how we encrypt) to determine if a packet is trying to initiate a new
> connection.

Yeah, that's hard.  Having the load balancer hit the slow path for
every packet seems pretty fatal.

That was my understanding until I started to consider the impact of symmetric CIDs.

The length of DCID can be a signal to the stateless load balancers for distinguishing an initial packet. If people interested in using that type of load balancer can agree that they will be using CID other than 8 octets, the length can be used as the signal by them.

More detail about using DCID can be found on https://www.ietf.org/mail-archive/web/quic/current/msg03809.html<https://urldefense.proofpoint.com/v2/url?u=https-3A__www.ietf.org_mail-2Darchive_web_quic_current_msg03809.html&d=DwMFaQ&c=96ZbZZcaMF4w0F4jpN6LZg&r=Djn3bQ5uNJDPM_2skfL3rW1tzcIxyjUZdn_m55KPmlo&m=WsJaFd1M4_j4sdAutwoZzcMiZ8Ut8mmyHO9Jn0FAQOI&s=gTP2rfuzpXp0_GdcmG8aA_N4hlvaYnhj6H_CVyXBK10&e=>.

--
Kazuho Oku

v2.23.0 | Report a Bug | By Email