IETF Logo Mail Archive

Re: Packet number encryption negotiation

Michael Eriksson <michael.eriksson@ericsson.com> Wed, 08 March 2023 12:54 UTC

Return-Path: <michael.eriksson@ericsson.com>
X-Original-To: quic@ietfa.amsl.com
Delivered-To: quic@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 54504C151532 for <quic@ietfa.amsl.com>; Wed, 8 Mar 2023 04:54:16 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=0.1, NICE_REPLY_A=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ericsson.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id w_dgTDLeRMze for <quic@ietfa.amsl.com>; Wed, 8 Mar 2023 04:54:12 -0800 (PST)
Received: from EUR04-HE1-obe.outbound.protection.outlook.com (mail-he1eur04on0613.outbound.protection.outlook.com [IPv6:2a01:111:f400:fe0d::613]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BF164C15152D for <quic@ietf.org>; Wed, 8 Mar 2023 04:54:11 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=Wf+4Xqw+85/KeRA/zSJiM++A/Yuueyr07jKmEXfEwAtUgSAXpSwuX7up4N2p3Zam4bMBurJGjlmEtPmlIe74L/TxO/mA+yjyWiqVWB3Hdh9/h4fhKrSXo7XHbT9yKxHzzGCNOXf67j+ScsAGAghMATYB8hjBo28HXs3rtZ2zGcaKP2p3beTsT/X4Mh97rOv/utLLY3d0kx/3rILhDiMYSUqGZkFOsEZZyxnAE76zDxU2EAAoq1uqKZWUhW8J1ZbQeb6tyz+05W5Uf18ryiGEP9KvTqf4A8dwyUh7d8kQeNptnEshUNEj6pBcBwOODfxKPu7VTQLmhbf9WTrRCBgkSQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=nh9d/W1gqz1LlFheUs7gsu7u72V2X6rvtx4K0VaW+1E=; b=WEeIijG7+bjBNVEvyb5x7uhG5mcpN0AIK+EJexvknASFOh5Y7WEfd3ikhs1ZxE94y5Utmlxu9tl6X7kOSu2JWL6Rtl7Qd+PLHA9GbYOL1+9c4PNUEZKbh+kmPsNEhoeWpwT15z4eK8Xifa5YFZ/Sx22TR7doDeb7eHirMCP/mBjTZCm8XTnk1RKBVLCEICMnlzuLaz65VDZVnPa3oYj8fd93Z9fWAUIFMyfuG3HPKR08XswVPT6UlXq5s3KGx7dF5Az9hq3+6SBtgDdkJv5o4a67tURFJ00tqZuk7Wh+bLp50UKz4u+nUCDUZDSkmo+y5GwH37EamOg0J2I3JskbEg==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=ericsson.com; dmarc=pass action=none header.from=ericsson.com; dkim=pass header.d=ericsson.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ericsson.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=nh9d/W1gqz1LlFheUs7gsu7u72V2X6rvtx4K0VaW+1E=; b=Cz2sMd6ilwsSLxvbQxbcQdyDzSqbd8GE07UfW3WV466XujSt/WbZwubqexMGX/OO2X3bCRJ2Qxh6PHDvU3KqIIf9lDmFzY0C6Bl9Or+ndnKTbxPzTnGoiPyn2pFapHsDxHLC+f/UK/uLX3hZZhEyB8f1t16w9EOe3cUNIEnbP4o=
Received: from DU2PR07MB8077.eurprd07.prod.outlook.com (2603:10a6:10:2b6::6) by DB8PR07MB6348.eurprd07.prod.outlook.com (2603:10a6:10:13d::12) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.6178.17; Wed, 8 Mar 2023 12:54:05 +0000
Received: from DU2PR07MB8077.eurprd07.prod.outlook.com ([fe80::5a4c:a370:466a:5024]) by DU2PR07MB8077.eurprd07.prod.outlook.com ([fe80::5a4c:a370:466a:5024%9]) with mapi id 15.20.6156.029; Wed, 8 Mar 2023 12:54:05 +0000
From: Michael Eriksson <michael.eriksson@ericsson.com>
To: Boris Pismenny <borispismenny@gmail.com>
CC: IETF QUIC WG <quic@ietf.org>
Subject: Re: Packet number encryption negotiation
Thread-Topic: Packet number encryption negotiation
Thread-Index: AQHZSok3lKiyrLGzjkmW1esP1BfOhq7w5Q0A
Date: Wed, 08 Mar 2023 12:54:05 +0000
Message-ID: <b53ca341-2ff7-c5f9-758e-cc94fba923d7@ericsson.com>
References: <CAKJMo+ttNyyTOhKg99k9HEgFCCZfR-yY_GeQ-ot6_09U1T3LPw@mail.gmail.com> <2b54d5c1-e094-d128-5c37-88ed63a0a0d8@ericsson.com> <CAKJMo+u=OZtNAmwYhSOXnrxNKTFFfup6k_W14=sos00gvqeP6g@mail.gmail.com>
In-Reply-To: <CAKJMo+u=OZtNAmwYhSOXnrxNKTFFfup6k_W14=sos00gvqeP6g@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:102.0) Gecko/20100101 Thunderbird/102.8.0
authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=ericsson.com;
x-ms-publictraffictype: Email
x-ms-traffictypediagnostic: DU2PR07MB8077:EE_|DB8PR07MB6348:EE_
x-ms-office365-filtering-correlation-id: 2a9e16fa-a365-455a-c6d3-08db1fd4330a
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: GpsMvGtMqU+INU66Uc8lkYtPq2qqQKApfNLaj80IaQNr9zk0jK+wRwABemxWlOdufy7OzDQ6KqD01ZRbdPKSqBSqv77BYSAgIwb5HKSi5BSLi1B3rFoStmMbbWpoQvCgbFqjDPdlXF+lBqnfKLLvPWTSTGW3ABIUZ5kr8G8U+91eCOlR6pNKkv2CYJ4U+rdOWB8MZK3C1ZqIT9lzXwLaQ5YWdoL2QrjsIQWsXPAO4LkegLRV8sMZf15Git0IVk3GdLaXV1H8unQqJtdMBlGDasTslKrue48ltJtlId7o19TB0Cn5WMFsG3AEhBlEsg93oAVev6wCEvAMuLtIcdMiOFbCqa44n+Mlx1XGgTd8O8UFraKpmtUicYVzikOgQcB5JRH3GFpu3guB7TbyFKMZGoj1/ZdQyk9f5H+70sROuMQX9Iy6yXY9FxyMbc2kinkdHJ//8i1qBtUTZ0//M8NlwjZjFnArSrISg+DH/GS8O50r03NWQjEw6QEZu6g+VDDCWtgzAt/qdiigcYxoUBs2CHU1iDWHt+ImXf6Z+okn5vuxVjnb0JxcG93qzRGBoEwak1ijVxCYSaMwLJVCYXPtnlHwdds0TwH2nTVo3+pQ9NYaMgnBUk81E5ODMFITvByfnDz3oEkSYCGm4F9kRFtJ/YRvbYXoUnMpUdvo+WvJj1F5+VIJFqRX0dc7IWihLwd6YfNEXyqMkvwsY2RtKk28F2R1XaRNsV94LNTdy2KgAFriW0byyb79+PRj7vYJY8id2BhS7snX5ywbcJBJlQV3WPhdxKb7+Omx5Iyw2gF/NLjyoUH0y5ZdlrJtiiz6UXn4OFbJ8vaWpBEYF3xtzPg+ZA==
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:DU2PR07MB8077.eurprd07.prod.outlook.com; PTR:; CAT:NONE; SFS:(13230025)(4636009)(396003)(39860400002)(376002)(136003)(346002)(366004)(451199018)(2906002)(31686004)(38070700005)(44832011)(5660300002)(26005)(36756003)(8936002)(66476007)(66946007)(41300700001)(64756008)(31696002)(66446008)(4326008)(76116006)(66556008)(8676002)(6916009)(86362001)(316002)(71200400001)(478600001)(166002)(6486002)(966005)(45080400002)(82960400001)(122000001)(38100700002)(91956017)(6512007)(53546011)(6506007)(186003)(3480700007)(2616005)(83380400001)(45980500001)(43740500002); DIR:OUT; SFP:1101;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: FvnTvGYzWvhhBdWiHFVmaI/7L8vDrAXE7abK5Cl0FlSQgsaDPNWFzApbZjEbkUOwIToXy7600aJ6UO47jAo8Xh6HZ+Hep07T+v1twxi+9/0UXVKSRGsEk2Q4RJTQxtM+iniSXNIl0fGj8DGzXpLxyZuzNso5hXqNCVn4KieYGOumwtVBGtb6Uy8EegsAQH3BMOPNyvpJoahgAy3foLEeGUmWUmVuitQFn/GUKgIHUVx06Kc7LN6jsdAzCJLvIjIaLDB2Qb8xMvSHIBh+VJKc1Oj5SvFQUJIFPh23L+D4vqhxz7CmZ41ZtgB3z9i3NTzMWCrOpRvR8UkAjj20mTKMGyqkyO2a4Gr+7qDfDRoOW2tpoS5rb0tNohEEBi6nnSygFj/WCeJsMYvgy2HYX+nXsVKMHqnZIMsycwBEpJDpRlFVnPkJp4WE8V3iEOue6QS+PPl7WDLwTAbCp7q9M3As+0bd9rHH5Rjhk/jcdBq0adORkigRRsPxd0YCJ6QVcbQG4qgBT57UV5ZPe2xQ15yEWjMH7XTS3294v/XxKnoybTmKlIsRmirvF4tevJL5aAeDoGclh0FwERHYrqkxE7r3r4aIvETxMlUuYgFt2BbUxfjW8fs7pdBJUq8Kkt9qSWRjlRYO4XF1N+H8yVdqbtcBB9nbiobJpMzxmULBbrdeVoNX98MG6bRdspi03Hn7AQWBiS1RCJM1q+wz4bvT8wOg9j5gij0en4miJaonv8WijHTCFlFcJkoXzzlvq4rNIxN9MlBSB45wTjGSujcSfZ+9W1FUzpSE9f4XS0P9OnB38MsHWjrp9aualFHCwO12tMd0lJEdVXOrl9jtZ8Ducacum3VlJAtpLlhxVgtzJJ2QpDBQ1PqTCsATje4AHYMYfdcIS+12G6sMPA5jhG8gcbj3eFVW3Ppbw0pxFOMQufqCA3ImjDhcB+NguC2wRX+Utr4AWdaWFGKH329nihZhn6eIjG3WyjUo/uYmKrQNINNhcEfxaQ5geuVQ5JEFXiR1xaa9cGN2AEH3hEwp+/UJqV9VwijJm52CTMJBhI63gItrg+/2MHZWK4pL4aEr2EIdhLMA7BodWH8ZTiumeHaZzL7Rkf4L8WyRaaY8lsLUDt70/T6bJ8hRHeui2VaHmq6v71LmPYdd8RpTiHZfgPoV2I5JttrlUPqUMZlDJYitsDuDVVQYlD/hG6383baY55V59+jco0oCTwvj4N2ukLi2fdAjW5BgQVWmTyFtLqGyPnP4AYgcC70wmtfqj7Baiw15AFsmMZzwfBaRqoe2sBA8Lis7OozII2v7UknKCBKX4cMm+WLdCd6VSYCS1YNdSCh4FoIW5eX1nEzB6vaEuVcZBRVepPQmMLHjkK+BrNAaFClUV6NLUyANY4bNN9tDUZPgJmma2yQNDXfqtY51LIh/VVT1G6wC6De3k427gWQDxw0a1AVkIME9zOqDaIY0dzqiQwhctET6+SPqlC3CB2Q70nkYD3KV7QC8pEl8Gz2bBepH44fOW8om/OthAPctS1RIUdmC7Pu/BWSdNlv7Xd0t7QWcUgbzyWfVLZeJyBpvRra9rSx1cvKCjkRoN/hRE/JT73Qg2nS/k8A6Y5G6lnCIVRrZ+VuiiwUOvy2LeeDgYwmssbY=
Content-Type: multipart/alternative; boundary="_000_b53ca3412ff7c5f9758ecc94fba923d7ericssoncom_"
MIME-Version: 1.0
X-OriginatorOrg: ericsson.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: DU2PR07MB8077.eurprd07.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 2a9e16fa-a365-455a-c6d3-08db1fd4330a
X-MS-Exchange-CrossTenant-originalarrivaltime: 08 Mar 2023 12:54:05.2460 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 92e84ceb-fbfd-47ab-be52-080c6b87953f
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: XxNNUD+31PNeJZKcTccY8R95jpaKm4FHqGCX33aSN4ghsRrCy3/9W3pWVqboTTac6nDEkKTzvAIpBnI6Wm1uQJ2Do7sfM1muz2ejUQAvpg0=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DB8PR07MB6348
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic/R6bgFdXjHEhreZWRDVKbRlBnWdM>
X-BeenThere: quic@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Main mailing list of the IETF QUIC working group <quic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic>, <mailto:quic-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic/>
List-Post: <mailto:quic@ietf.org>
List-Help: <mailto:quic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic>, <mailto:quic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 08 Mar 2023 12:54:16 -0000

On 2023-02-27 09:55, Boris Pismenny wrote:
Hi Michael,

On Fri, Feb 24, 2023 at 1:19 PM Michael Eriksson <michael.eriksson@ericsson.com<mailto:michael.eriksson@ericsson.com>> wrote:
Hi Boris,

It's nice to see that you are working on hardware support for QUIC encryption. (BTW, I supervised Rebecka Alfredsson's master thesis project last year, where she used an NVIDIA BlueField 2 DPU for QUIC crypto offload.)

Thanks, sounds like a cool project. It's worth saying that what we have in mind with crypto offload is based on an ASIC with limited promability, so any change to the AEAD is critical. This particular change to the AEAD doesn't seem to be a problem---IIUC, software associates CIDs with the corresponding path-ID and nonce, which can be even XORed together ahead of time to use the same hardware processing flow as single path QUIC.

Yep, the path ID could be XORed into the nonce in advance but then you need separate encryption HW state for each path. Another way is to attach the Path ID as packet metadata and only have one copy of the connection keys etc. Or maybe minimal per-path state that references common connection-level state such as the keys -- there are definitely different ways to do this.



What I want to add is that you should consider multipath QUIC when you design your hardware. It affects the AEAD nonce generation.

Regular, unipath, QUIC sets the top 34 bits of the packet number to zero when generating the nonce. In the upcoming multipath extension, the top 32 bits can be set to non-zero values.

https://www.rfc-editor.org/rfc/rfc9001.html#name-aead-usage
https://www.ietf.org/archive/id/draft-ietf-quic-multipath-03.html#name-packet-protection-for-quic-

Thanks for the pointers, I've encountered multi-path QUIC on another discussion about QUIC offload (https://github.com/microsoft/quic-offloads/issues/9#issuecomment-1305823308<https://protect2.fireeye.com/v1/url?k=31323334-501d5122-313273af-454445555731-88d69ea0099e1120&q=1&e=e27b5977-1b4e-4703-957b-3236511a2976&u=https%3A%2F%2Fgithub.com%2Fmicrosoft%2Fquic-offloads%2Fissues%2F9%23issuecomment-1305823308>). IIUC, the main challenge with multipath will be to synchronize receive side NIC offloads when two NICs are being used in parallel to carry the same flow's packet number space.

There will only be separate packet number spaces for each path in the upcoming version of the multipath draft. Then I guess you will not have the problem you mention above. If you still would, why is this not a problem with regular unipath QUIC?

/me


________________________________
From: Boris Pismenny <borispismenny@gmail.com><mailto:borispismenny@gmail.com>
To: mailing-lists.ietf.quic
Subject: Packet number encryption negotiation
Date: Wed, 8 Feb 2023 09:25:07 +0100 (Central European Standard Time)


Hello,

I work on NIC hardware acceleration for NVIDIA, and we are looking into QUIC and DTLS1.3 acceleration. QUIC and DTLS employ packet number encryption (PNE) which increases security. At the same time, PNE significantly encumbers hardware acceleration as I’ll explain next.

For hardware to encrypt the packet numbers, there are two options:

  1.  Feed the header back into the encryption machine after data has been encrypted. This means storing and forwarding data, higher implementation complexity, and greater bandwidth requirements on the single encryption machine.

  2.  Adding an additional unique pipeline stage dedicated for header encryption.

As you may already know, this is not hardware friendly and for this reason many vendors will likely refuse to pay the cost of supporting this. But suppose a vendor does implement this feature, one problem still remains. PNE will still cause noticeable latency and performance degradation for high speed networks (think >400Gbps).

Now, in certain use-cases, such as high performance computing, cloud computing, or data-center clusters—the security benefits of encrypting headers are marginal compared to the latency imposed by PNE. Would it be possible to consider letting these users negotiate to disable PNE and by doing so benefit (more) from encryption acceleration?

Best regards,

Boris

v2.23.0 | Report a Bug | By Email