IETF Logo Mail Archive

Re: Getting to consensus on packet number encryption

Willy Tarreau <w@1wt.eu> Thu, 05 April 2018 06:10 UTC

Return-Path: <w@1wt.eu>
X-Original-To: quic@ietfa.amsl.com
Delivered-To: quic@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 62EA2124207 for <quic@ietfa.amsl.com>; Wed, 4 Apr 2018 23:10:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id h7abMSC904mg for <quic@ietfa.amsl.com>; Wed, 4 Apr 2018 23:10:20 -0700 (PDT)
Received: from 1wt.eu (wtarreau.pck.nerim.net [62.212.114.60]) by ietfa.amsl.com (Postfix) with ESMTP id DEB6D1200FC for <quic@ietf.org>; Wed, 4 Apr 2018 23:10:19 -0700 (PDT)
Received: (from willy@localhost) by pcw.home.local (8.15.2/8.15.2/Submit) id w356ACN4023820; Thu, 5 Apr 2018 08:10:12 +0200
Date: Thu, 05 Apr 2018 08:10:12 +0200
From: Willy Tarreau <w@1wt.eu>
To: Mark Nottingham <mnot@mnot.net>
Cc: Mirja Kühlewind <mirja.kuehlewind@tik.ee.ethz.ch>, Lars Eggert <lars@eggert.org>, IETF QUIC WG <quic@ietf.org>
Subject: Re: Getting to consensus on packet number encryption
Message-ID: <20180405061012.GA23708@1wt.eu>
References: <BBB8D1DE-25F8-4F3D-B274-C317848DE872@akamai.com> <CAN1APdd=47b2eXkvMg+Q_+P254xo4vo-Tu-YQu6XoUGMByO_eQ@mail.gmail.com> <CAKcm_gMpz4MpdmrHLtC8MvTf5uO9LjD915jM-i2LfpKY384O2w@mail.gmail.com> <HE1PR0702MB3611A67E764EE1C7D1644FAD84AD0@HE1PR0702MB3611.eurprd07.prod.outlook.com> <d8e35569-e939-4064-9ec4-2cccfba2f341@huitema.net> <CACpbDccqKoF-Y1poHMN2cLOK9GOuvtMTPsF-QEen3b30kUo9bg@mail.gmail.com> <CAKcm_gNffwpraF-H2LQBF33vUhYFx0bi_UXJ3N14k4Xj4NmWUw@mail.gmail.com> <40C1F6FE-2B2C-469F-8F98-66329703ED50@mnot.net> <21C36B57-6AE2-40EF-9549-7196D7FA9B45@tik.ee.ethz.ch> <B176FC07-887D-4135-B01E-FE8B4986A5EE@mnot.net>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <B176FC07-887D-4135-B01E-FE8B4986A5EE@mnot.net>
User-Agent: Mutt/1.6.1 (2016-04-27)
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic/WmXsIRGig-Ihwrc4bR0A4xm6df0>
X-BeenThere: quic@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Main mailing list of the IETF QUIC working group <quic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic>, <mailto:quic-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic/>
List-Post: <mailto:quic@ietf.org>
List-Help: <mailto:quic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic>, <mailto:quic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 05 Apr 2018 06:10:22 -0000

On Thu, Apr 05, 2018 at 07:28:10AM +1000, Mark Nottingham wrote:
> Overall, I do not think it is a goal of QUIC to be deployable on any system
> for any purpose; if we try to design it for all purposes, we're going to
> fail. The question, then, is how much deployment / implementation / adoption
> we need to make it succeed -- and to design for that.

I totally agree with you here. It's also why my -1 is a weak one (rather a
warning than a -1 in fact because I consider that robustness is more important
than prevention against linkability). we know that whatever we'll produce,
solutions will adapt if they want to adopt it, and if the the risks are too
high for adopters (such as increased sensitivity do DDoS), adopters will
simply roll back for the time it takes to find a solution.

> That said -- One way to prove that PNE hurts deployability is to try it;
> implementers have a very strong incentive to make sure their code can be
> deployed, so if those who have concerns are correct, it's probably the
> easiest way for them to be proven right.

I disagree on this approach. That's exactly what led us to release HPACK
with an inefficient encoding and with unsorted header fields. We all know
that deployment speed varies a lot between participants, and that those
with most concerns are also those with less ability to prove their concerns.
Specifically, single-ended implementations often face less issues than
intermediaries and are much easier to implement. And once the least concerned
ones consider that it works well enough for them, the protocol is locked and
it's forbidden to improve or even it. We need not to repeat our mistakes.

I think that the direction taken in this thread is more pragmatic : technical
and philosophical concerns are exchanged, weighted and the decision will be
taken based on this. Regarding the performance issues, several of us noted
that there are options by adopting negociable algorithms, or as I proposed,
to use a single AES round instead of all of them, which will be reasonably
cheap on modern systems.

Cheers,
Willy

v2.23.0 | Report a Bug | By Email