Re: Getting to consensus on packet number encryption

[Kazuho Oku <kazuhooku@gmail.com>]

I support adoption of #1079 for three reasons.

One reason is that privacy is a required feature as Patrick has
suggested. The other reason is simplicity as others have pointed out.

The third reason is that without PNE there is a certain risk of QUIC
failing to reach one of the chartered goals: preventing head-of-line
blocking.

In TCP, we have seen middleboxes trying to do clever things using the
way sequence number increases, including packet reordering.

Unless we encrypt PN in QUIC, there is fair chance that middleboxes
would start doing the same. A middlebox reordering (or queuing) the
QUIC packets by observing PN *is* causing head-of-line blocking since
it prevents (or delays) packets being processed in different order at
the receiver at the earliest possible moment.

Note that middlebox vendors are known to make certain assumptions
based on what they see on the wire rather than what is written down in
the specification. Therefore, stating that middlebox should not do
that is not a solution here.

It is true that #1079 has issues with hardware crypto offload. I am
happy to support switching to a better encryption scheme (if we find
one) at any moment; e.g., during the standardization of QUICv1, or as
an extension to v1, or part of vX.

But as stated, I think that PNE is a MUST for us. That makes me prefer
adopting #1079 and then, if possible, swaping it with a better
solution.

2018-04-04 21:54 GMT+09:00 Patrick McManus <pmcmanus@mozilla.com>:
> I think its time to move forward with 1079.
>
> btw I think its wrong to characterize this as perf vs privacy - its cpu vs
> bandwidth, the privacy is a must have.
>
> 1079 costs cpu (both in hw and sw) and in my mind it really competes with
> either a multipath-pn-scheme (which we'll table for v2) or a one pass scheme
> with a new nonce rather than making the packet number do double duty. The
> latter is bandwidth tax and I'd rather pay the cpu cost.
>
> The only serious alternative to me is to take the timeline hit and work out
> multiple packet number spaces for v1 (which are likely part of multipath
> anyhow).
>
> -P
>
>
> On Wed, Apr 4, 2018 at 12:58 AM, Mark Nottingham <mnot@mnot.net> wrote:
>>
>> Hi everyone,
>>
>> The editors have told your chairs that this issue is starting to block
>> progress on other aspects of QUIC. Coming to consensus on it soon (i.e.,
>> before Stockholm, if possible) would be good.
>>
>> It looks like this thread has come to a natural pause. Reading through it,
>> I think we agree there are some unpleasant tradeoffs here, but so far we
>> have only one concrete proposal -- PR#1079.
>>
>> My AU$.05 - While we're chartered to produce a protocol that's encrypted
>> as much as operational concerns allow, and that privacy is a natural
>> extension of that (especially in light of RFC7258 and RFC6973), there is no
>> *requirement* that we produce a protocol that is able to be accelerated by
>> hardware.
>>
>> That being the case, I think we need to ask ourselves if we believe that
>> inclusion of PR#1079 will significantly inhibit deployment of the protocol.
>> Based on the discussion so far, that doesn't seem to be the case, but I'd be
>> interested to hear what others think.
>>
>> If we can get to consensus to incorporate the PR, and folks come back
>> later with a more hardware-friendly replacement that doesn't change the
>> Invariants or increase linkability, I suspect the WG will be amenable to
>> that.
>>
>> What do folks think?
>>
>> Cheers,
>>
>>
>> > On 29 Mar 2018, at 11:39 am, Ian Swett
>> > <ianswett=40google.com@dmarc.ietf.org> wrote:
>> >
>> > Thanks for the nice summary Jana.
>> >
>> > As much as I'd love to have easier crypto HW acceleration, I've ended up
>> > arriving at the same conclusion.  I don't want to bite off the work to do
>> > proper multipath in QUIC v1, which I think is the only other reasonable
>> > option of those Christian outlined.
>> >
>> > If someone comes up with a way to transform packet number to make it
>> > non-linkable, but doesn't have the downside of making hardware offload
>> > difficult, then I'm open to it.  But we've been talking about this for 2
>> > months without any notable improvements over Martin's PR.
>> >
>> > Given we never talk about any issue only once in QUIC, I'm sure this
>> > will come up again, but for the time being I think #1079 is the best option
>> > we have.
>> >
>> >
>> >
>> > On Wed, Mar 28, 2018 at 8:03 PM Jana Iyengar <jri.ietf@gmail.com> wrote:
>> > A few quick thoughts as I catch up on this thread.
>> >
>> > I spent some time last week working through a design using multiple PN
>> > spaces, and it is quite doable. I suspect we'll head towards multiple PN
>> > spaces as we consider multipath in the future. That said, there is
>> > complexity (as Christian notes). This complexity may be warranted when doing
>> > multipath in v2 or later, but I'm not convinced that this is necessary as a
>> > design primitive for QUICv1.
>> >
>> > We may want to creatively use the PN bits in v2, say to encode a path ID
>> > and a PN, for multipath. We want to retain flexibility in these bits going
>> > into v2. We've used encryption to ensure that we don't lose flexibility
>> > elsewhere in the header, and it follows that we should use PNE to retain
>> > flexibility in these bits as well. (Simplicity of design is the other value
>> > in using PNE, since handling migration linkability is non-trivial without
>> > it.)
>> >
>> > This leaves the question of HW acceleration being at loggerheads with
>> > the design in PR #1079. First, I expect that the primary benefit of
>> > acceleration will be in DC environments. Yes, there are some gains to be had
>> > in serving the public Internet as well, but I'm unconvinced that this is the
>> > driving use case for hardware acceleration. I understand that others may
>> > disagree with me here.
>> >
>> > AFAIK, QUIC has not been used in DC environments yet. I expect there are
>> > other things in the protocol that we'd want to change as we gain experience
>> > deploying QUIC in DCs. Spinning up a new version to try QUIC within DCs is
>> > not only appropriate, I would recommend it. This allows for rapid iterations
>> > internally, and the experience can drive subsequent changes to QUIC. It's
>> > what *I* would do if I was to deploy QUIC inside a DC.
>> >
>> > So, in short, I think we should go ahead with PR# 1079. This ensures
>> > that future versions are guaranteed the flexibility to change the PN bits
>> > for better support of HW acceleration or multipath or what-have-you.
>> >
>> > - jana
>> >
>> > On Mar 26, 2018 9:41 AM, "Christian Huitema" <huitema@huitema.net>
>> > wrote:
>> >
>> > On 3/26/2018 8:20 AM, Swindells, Thomas (Nokia - GB/Cambridge) wrote:
>> >> Looking at
>> >> https://en.wikipedia.org/wiki/AES_instruction_set#Intel_and_AMD_x86_architecture
>> >> it seems to imply a large range of server, desktop and mobile chips all have
>> >> a CPU instruction set available to do AES acceleration and other similar
>> >> operations (other instruction sets are also available).
>> >>
>> >> If we are considering the AES instructions then it looks like it is (or
>> >> at least will be in the near future) a sizeable proportion of the public
>> >> internet have it to be used.
>> >>
>> >
>> > Certainly, but that's not the current debate. PR #1079 is fully
>> > compatible with use of the AES instructions. The issue of the debate is that
>> > the mechanism in PR #1079 required double buffering, first encrypt the
>> > payload, then use the result of the encryption to encrypt the PN. This is
>> > not an issue in a software implementation that can readily access all bytes
>> > of the packet from memory, but it may be an issue in some hardware
>> > implementations that are designed to do just one pass over the data.
>> >
>> >
>> > -- Christian Huitema
>> >
>> >
>> >
>>
>> --
>> Mark Nottingham   https://www.mnot.net/
>>
>



-- 
Kazuho Oku