IETF Logo Mail Archive

RE: Privacy holes (was: Re: Getting to consensus on packet number encryption)

Mike Bishop <mbishop@evequefou.be> Fri, 13 April 2018 16:31 UTC

Return-Path: <mbishop@evequefou.be>
X-Original-To: quic@ietfa.amsl.com
Delivered-To: quic@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D71C112D88A for <quic@ietfa.amsl.com>; Fri, 13 Apr 2018 09:31:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.911
X-Spam-Level:
X-Spam-Status: No, score=-1.911 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, T_DKIMWL_WL_MED=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=evequefou.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9dvyk9RBmr_x for <quic@ietfa.amsl.com>; Fri, 13 Apr 2018 09:31:48 -0700 (PDT)
Received: from NAM03-DM3-obe.outbound.protection.outlook.com (mail-dm3nam03on0096.outbound.protection.outlook.com [104.47.41.96]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 74E2C12DA00 for <quic@ietf.org>; Fri, 13 Apr 2018 09:31:47 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=evequefou.onmicrosoft.com; s=selector1-evequefou-be; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=SnI+z+V2cdJV66NzGBlNujpdAx0LlqAp16zt8Pmgjsk=; b=ln2weuy7v9t19HguqrMfXbYipvjzdqkyJLEpTvsHzV5za7MxlnHrvlTGRLauJUhMVUfZ+PTFTiUjCyOF/Uv97vibg7/mH4QOh6Bd0lbFYgzRSV1SnNKEPcJ2zXdFhSBe5R0fsc6UtOu8g/jbyRRUz/fTrWY9mIk96qL6zXQ26Wg=
Received: from SN1PR08MB1854.namprd08.prod.outlook.com (10.169.39.8) by SN1PR08MB1469.namprd08.prod.outlook.com (10.162.2.12) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256) id 15.20.675.14; Fri, 13 Apr 2018 16:31:44 +0000
Received: from SN1PR08MB1854.namprd08.prod.outlook.com ([fe80::e9d8:1358:e716:ba77]) by SN1PR08MB1854.namprd08.prod.outlook.com ([fe80::e9d8:1358:e716:ba77%13]) with mapi id 15.20.0653.015; Fri, 13 Apr 2018 16:31:44 +0000
From: Mike Bishop <mbishop@evequefou.be>
To: Martin Thomson <martin.thomson@gmail.com>, Kazuho Oku <kazuhooku@gmail.com>
CC: Praveen Balasubramanian <pravb=40microsoft.com@dmarc.ietf.org>, IETF QUIC WG <quic@ietf.org>, Ian Swett <ianswett=40google.com@dmarc.ietf.org>
Subject: RE: Privacy holes (was: Re: Getting to consensus on packet number encryption)
Thread-Topic: Privacy holes (was: Re: Getting to consensus on packet number encryption)
Thread-Index: AQHTzPOeIdtMxyMgr0ikidMd5Tq1W6P6QG/QgAAFTQCAACClkIADbdCAgAAPtoCAAAo0AIABAYXQ
Date: Fri, 13 Apr 2018 16:31:44 +0000
Message-ID: <SN1PR08MB185469F410BAFB682F47223BDAB30@SN1PR08MB1854.namprd08.prod.outlook.com>
References: <7fd34142-2e14-e383-1f65-bc3ca657576c@huitema.net> <BBB8D1DE-25F8-4F3D-B274-C317848DE872@akamai.com> <CAN1APdd=47b2eXkvMg+Q_+P254xo4vo-Tu-YQu6XoUGMByO_eQ@mail.gmail.com> <CAKcm_gMpz4MpdmrHLtC8MvTf5uO9LjD915jM-i2LfpKY384O2w@mail.gmail.com> <HE1PR0702MB3611A67E764EE1C7D1644FAD84AD0@HE1PR0702MB3611.eurprd07.prod.outlook.com> <d8e35569-e939-4064-9ec4-2cccfba2f341@huitema.net> <CACpbDccqKoF-Y1poHMN2cLOK9GOuvtMTPsF-QEen3b30kUo9bg@mail.gmail.com> <CAKcm_gNffwpraF-H2LQBF33vUhYFx0bi_UXJ3N14k4Xj4NmWUw@mail.gmail.com> <40C1F6FE-2B2C-469F-8F98-66329703ED50@mnot.net> <21C36B57-6AE2-40EF-9549-7196D7FA9B45@tik.ee.ethz.ch> <B176FC07-887D-4135-B01E-FE8B4986A5EE@mnot.net> <CAKcm_gOCeocLyrYpOS7Ud332xdz3xHSH0psPN8T6BGRjoL9ptQ@mail.gmail.com> <CY4PR21MB0630FA0EDD343396AD414641B6A40@CY4PR21MB0630.namprd21.prod.outlook.com> <CAN1APde13JTzCvKFFvMd183Fka6QGD1kGBjsa9fcoLrYeA2hsA@mail.gmail.com> <CY4PR21MB0630C0FD4FBECBFEC3C863BBB6A40@CY4PR21MB0630.namprd21.prod.outlook.com> <B0F49097-F77A-4831-B68B-4266AA880A86@tik.ee.ethz.ch> <759C5BE4-DE4C-4A82-929C-B03234B88A37@huitema.net> <CY4PR21MB063098C907E732B0384B2824B6BE0@CY4PR21MB0630.namprd21.prod.outlook.com> <DM5PR2101MB0901E6C75EDCFDA209714D89B3BE0@DM5PR2101MB0901.namprd21.prod.outlook.com> <CY4PR21MB0630A6C5D63C175F390CC650B6BD0@CY4PR21MB0630.namprd21.prod.outlook.com> <CAKcm_gNW7QsWKfa6x_6ua+63RPtTtxfhYTF9LAODyNw8CjVojA@mail.gmail.com> <CANatvzz2-o9VBRb-b_hGMoDTaSVpZkyEKXpgULZOJhHF5+xv2w@mail.gmail.com> <CABkgnnUQSR6a5+=XQNZ=7nBC0OKLTmA1L0XuMd2rL--NAcSP2Q@mail.gmail.com>
In-Reply-To: <CABkgnnUQSR6a5+=XQNZ=7nBC0OKLTmA1L0XuMd2rL--NAcSP2Q@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=mbishop@evequefou.be;
x-originating-ip: [38.134.241.6]
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1; SN1PR08MB1469; 7:wPE8DJaomijqmdNhIgJHU6a2uy7qVe/YdDTzp1iuCfivnlT5v6G6526Gsk0SuE5S/6EhsuC5hB4wgF4f9Hta6B3ORrrjFZpvTiAUFgNW23dmzcE4E7tjyMlE+okeRqWztF+diN7yhHLYDEQtjCIluebh1O3QUVEJcDvnkzPyM05GQUO+UVCGBfje+tyHPJhEv96zAUeAevulzBk3oHK/GH1vI+3qlT/XSXuqrC9cPS470hC67cpTe/8rH3cvNPle
x-ms-exchange-antispam-srfa-diagnostics: SOS;
x-microsoft-antispam: UriScan:; BCL:0; PCL:0; RULEID:(7020095)(4652020)(7021125)(5600026)(4534165)(7022125)(4603075)(4627221)(201702281549075)(7048125)(7024125)(7027125)(7028125)(7023125)(2017052603328)(7153060)(7193020); SRVR:SN1PR08MB1469;
x-ms-traffictypediagnostic: SN1PR08MB1469:
x-microsoft-antispam-prvs: <SN1PR08MB1469CF79AA744BC6364D90EEDAB30@SN1PR08MB1469.namprd08.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(158342451672863)(131327999870524)(85827821059158)(100405760836317);
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(6040522)(2401047)(8121501046)(5005006)(93006095)(93001095)(3231232)(944501327)(52105095)(3002001)(10201501046)(6041310)(20161123558120)(20161123560045)(20161123564045)(20161123562045)(2016111802025)(6072148)(6043046)(201708071742011); SRVR:SN1PR08MB1469; BCL:0; PCL:0; RULEID:; SRVR:SN1PR08MB1469;
x-forefront-prvs: 0641678E68
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(39380400002)(396003)(346002)(376002)(366004)(39830400003)(377424004)(189003)(199004)(13464003)(6116002)(3846002)(476003)(446003)(11346002)(33656002)(74482002)(2900100001)(53936002)(99286004)(3660700001)(93886005)(59450400001)(97736004)(5250100002)(86362001)(14454004)(486006)(316002)(7696005)(478600001)(8676002)(2906002)(186003)(966005)(81156014)(81166006)(66066001)(4326008)(54906003)(110136005)(7736002)(76176011)(39060400002)(5660300001)(305945005)(74316002)(26005)(105586002)(6306002)(55016002)(9686003)(102836004)(6436002)(8936002)(25786009)(53546011)(6246003)(106356001)(3280700002)(6506007)(229853002)(68736007); DIR:OUT; SFP:1102; SCL:1; SRVR:SN1PR08MB1469; H:SN1PR08MB1854.namprd08.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; MX:1; A:0;
received-spf: None (protection.outlook.com: evequefou.be does not designate permitted sender hosts)
x-microsoft-antispam-message-info: qmo9j++I993o4oW9wM1Hi7JeLYGzwV7Qb5kXqXDMD3Jpb3YMHDwxDG2bQbyDzqqa9WFCRTBbC983fs5RET2HQYBk6KSF7xR2JeXlVuhN9hXMFCfE5CEwXvT+RuAj+slJWxyPyUakGnoqFQxycG/3CkvEOJjGTnYrcfGSabG0bei9bFApaUL1p0h0Zi1G20Ch
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-MS-Office365-Filtering-Correlation-Id: de428eee-ca9c-4124-77cd-08d5a15c0b91
X-OriginatorOrg: evequefou.be
X-MS-Exchange-CrossTenant-Network-Message-Id: de428eee-ca9c-4124-77cd-08d5a15c0b91
X-MS-Exchange-CrossTenant-originalarrivaltime: 13 Apr 2018 16:31:44.2970 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 41eaf50b-882d-47eb-8c4c-0b5b76a9da8f
X-MS-Exchange-Transport-CrossTenantHeadersStamped: SN1PR08MB1469
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic/ToWx-A72kt6rGk-mXYZ2k6MSa3U>
X-BeenThere: quic@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Main mailing list of the IETF QUIC working group <quic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic>, <mailto:quic-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic/>
List-Post: <mailto:quic@ietf.org>
List-Help: <mailto:quic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic>, <mailto:quic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 13 Apr 2018 16:31:57 -0000

+1.  There are too many sharp corners on trying to make migration look like 0-RTT, while still enabling the recipient to know which Initial/0-RTT packets are really Initial/0-RTT with consistency.

-----Original Message-----
From: QUIC [mailto:quic-bounces@ietf.org] On Behalf Of Martin Thomson
Sent: Thursday, April 12, 2018 6:09 PM
To: Kazuho Oku <kazuhooku@gmail.com>
Cc: Praveen Balasubramanian <pravb=40microsoft.com@dmarc.ietf.org>; IETF QUIC WG <quic@ietf.org>; Ian Swett <ianswett=40google.com@dmarc.ietf.org>
Subject: Re: Privacy holes (was: Re: Getting to consensus on packet number encryption)

This is also my preference, in full realization of the downsides of that.  Trying to make migration look like a handshake is also really hard to get right.

On Fri, Apr 13, 2018 at 10:32 AM, Kazuho Oku <kazuhooku@gmail.com> wrote:
> 2018-04-13 8:36 GMT+09:00 Ian Swett <ianswett=40google.com@dmarc.ietf.org>:
>> Yes, for a powerful adversary, this seems fairly tractable..
>>
>> Making connection migration look like a new connection would likely 
>> help a lot.
>
> I am not sure if that is the right path.
>
> We have three ways in which a new set of 5-tuple starts getting used.
>
> * new connection
> * voluntary migration
> * involuntary migration (i.e. NAT rebinding)
>
> For the involuntary migration case, the first packet will always be a 
> short header packet.
>
> If we make voluntary migration look like a new connection, the chance 
> of involuntary migration getting blocked by a middlebox becomes higher 
> (as we have seen gateways blocking the TLS 1.3 records, or the '07'
> case).
>
> Therefore, my preference goes to making all the three cases 
> indistinguishable (which is ideal but hard), or keeping voluntary and 
> non-voluntary migration look the same (as we do now) at the same time 
> making sure that the middlebox developers understand migration happens 
> [1].
>
> [1] https://www.ietf.org/mail-archive/web/quic/current/msg03820.html
>
>> On Wed, Apr 11, 2018 at 3:18 PM Praveen Balasubramanian 
>> <pravb=40microsoft.com@dmarc.ietf.org> wrote:
>>>
>>> Going back to Christian's original question on privacy holes, there 
>>> is an attack for linking IP addresses in the voluntary migration case.
>>>
>>> Let's consider the parking lot problem or in general case losing one 
>>> network and roaming to another network. This is the primary use case 
>>> for connection migration. In this case all active QUIC connections 
>>> that can migrate, will do so. When these connections migrate they 
>>> can change the CID, the local port number and packet numbers. 
>>> However do notice that only the local 2-tuple changes for each 
>>> connection, the server's 2-tuple remains the same.
>>>
>>> Let's assume a powerful adversary can collect a network sniff of all 
>>> this traffic and builds a massive dataset. The adversary can then 
>>> run a machine learning algorithm to identify time instants where a 
>>> bunch of connections change their local 2-tuple at near the same 
>>> time instant but continue going to the same server side 2-tuples. 
>>> This will allow the adversary to link two IP addresses. The more 
>>> times the user roams between networks back and forth the richer the 
>>> correlation. The more open connections to different servers, the 
>>> richer the correlation. Geolocation information can minimize the number of addresses the adversary needs to correlate.
>>>
>>> The fundamental problem seems to be that the substrate is UDP/IP and 
>>> it is in the clear and allows linkability.
>>>
>>> -----Original Message-----
>>> From: QUIC [mailto:quic-bounces@ietf.org] On Behalf Of Christian 
>>> Huitema
>>> Sent: Thursday, April 5, 2018 8:34 AM
>>> To: Mirja Kühlewind <mirja.kuehlewind@tik.ee.ethz.ch>
>>> Cc: quic@ietf.org
>>> Subject: Privacy holes (was: Re: Getting to consensus on packet 
>>> number
>>> encryption)
>>>
>>>
>>>
>>> > On Apr 5, 2018, at 2:26 AM, Mirja Kühlewind 
>>> > <mirja.kuehlewind@tik.ee..ethz.ch> wrote:
>>> > ...
>>> > Timing doesn’t help here either because you still have the same 
>>> > destination IP, both port numbers and the fact that a migrated 
>>> > connection does not have a handshake. If we want to address the 
>>> > linkability problem, we would need to do much more, probably baring more hits on performance.
>>>
>>> Mirja,
>>>
>>> You rightly point out that the connection ID and the Packet Number 
>>> are not the only elements that provide linkability. There is also of 
>>> course the UDP source port. That one is not much of an issue for 
>>> servers, but it is an issue for clients. We are not spelling that 
>>> out in the draft. We should, because clients can trivially close that hole when doing migration.
>>>
>>> I am not sure that the absence of negotiation divulges much data. It 
>>> marks the path as originating from a migration, but it does not tell from where.
>>> But there might be an ossification issue. We will get that 
>>> ossification if we train middleboxes to believe that connection 
>>> always start with an observable negotiation. So maybe we should explore ways to grease that.
>>>
>>> Any other privacy hole that we should fix?
>>>
>>> -- Christian Huitema
>
>
>
> --
> Kazuho Oku
>

v2.23.0 | Report a Bug | By Email