RE: Packet number encryption

Praveen Balasubramanian <pravb@microsoft.com> Sat, 10 February 2018 18:22 UTC

From: Praveen Balasubramanian <pravb@microsoft.com>
To: "Salz, Rich" <rsalz@akamai.com>
CC: "quic@ietf.org" <quic@ietf.org>
Subject: RE: Packet number encryption
Thread-Topic: Packet number encryption
Thread-Index: AQHTmW31V+0GAWpR/E2VqOCVLx9SYqOMgUQAgABeoYCAAAgUAIAAd3KAgAA8YgCAACPEAIAAAiYAgAOBloCAALfdgIAACBkAgAEGGACAANx9AIAAn5KAgAB7w4CAADUigIAADBeAgADUsaCAAGk3gIAAEEgAgACizACAADhiAIAAHkiAgAADUYCAACdFAIAAVRYAgAAUZQCAAA5oAIAAD4fQgABGjACAAAGHQIAACNQAgAAAqaCAAAeBgIAAC4qAgACi02CAAe6PgIAACzgAgAARh3CAAEwGwIAAjJeAgAA5dnCAAAb3gIAAF6YAgABLbACAAAD8AA==
Date: Sat, 10 Feb 2018 18:22:42 +0000
Message-ID: <CY4PR21MB0133C5FB4961311E4C1523B5B6F10@CY4PR21MB0133.namprd21.prod.outlook.com>
References: <CABkgnnVyo3MmWtVULiV=FJTnR528qfY8-OmKGWAs0bCvri-a_g@mail.gmail.com> <CAGD1bZauKbucs_5n7RQbK8H2HiyfiqpGVEcKreGA6umhMBSFgg@mail.gmail.com> <CABcZeBPNrc-9vANSH02r++p53s6gN4pVB8DMd80nUxOhKTp3dA@mail.gmail.com> <CAKcm_gMvHSBhpUvsQCCkV2_o+d_wchF3R3L6H8mp6nKNaaRmSw@mail.gmail.com> <CY4PR21MB0133CCAA6807469BA983D00BB6FC0@CY4PR21MB0133.namprd21.prod.outlook.com> <CABkgnnW4xr_YzpsvCxaJJgcQdBTuX=Yv735_sdd4VoMfji8mbA@mail.gmail.com> <CY4PR21MB0133C759D4A08A4988B641B2B6FC0@CY4PR21MB0133.namprd21.prod.outlook.com> <bdf88936-8edc-d56e-ee59-c9d597058edd@huitema.net> <CY4PR21MB01337C8A700E58B49D90B712B6FC0@CY4PR21MB0133.namprd21.prod.outlook.com> <119b3276-5799-1cc3-8982-7479171bbf27@huitema.net> <CAOYVs2pi8-NVuS+crNMfjsP-n5upK3=5tPeQ8OSGpOvL6RTrjA@mail.gmail.com> <CY4PR21MB0133A1117B2733BBCF049C5FB6FC0@CY4PR21MB0133.namprd21.prod.outlook.com> <MWHPR08MB24327A7BB5AE1AE70FE5CDB1DAF30@MWHPR08MB2432.namprd08.prod.outlook.com> <533a0a2e-3a87-b55f-84ce-c52bc03cd81c@huitema.net> <MWHPR21MB0144C68102972A668611E1FCB6F20@MWHPR21MB0144.namprd21.prod.outlook.com> <CY4PR21MB01332141C3563ABBA240C566B6F20@CY4PR21MB0133.namprd21.prod.outlook.com> <CABcZeBNeTT79nd+d7h-KFPpFYxpr5wt1KgwPY=M0_UQpCkKq1w@mail.gmail.com> <CY4PR21MB01337A5E81D8A8A1D7518D97B6F20@CY4PR21MB0133.namprd21.prod.outlook.com> <D3800B30-E1F5-4955-8F85-6FEF36AD2E23@akamai.com> <CY4PR21MB0133427E65B3587C7577A454B6F20@CY4PR21MB0133.namprd21.prod.outlook.com> <E002EFE4-5288-45B2-BAF4-D9CE0A9DBCC5@akamai.com>
In-Reply-To: <E002EFE4-5288-45B2-BAF4-D9CE0A9DBCC5@akamai.com>
Accept-Language: en-US
Content-Language: en-US
received-spf: None (protection.outlook.com: microsoft.com does not designate permitted sender hosts)
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: multipart/alternative; boundary="_000_CY4PR21MB0133C5FB4961311E4C1523B5B6F10CY4PR21MB0133namp_"
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-Network-Message-Id: 3e10b9b2-c3c6-4086-5973-08d570b3468e
X-MS-Exchange-CrossTenant-originalarrivaltime: 10 Feb 2018 18:22:42.6265 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47
X-MS-Exchange-Transport-CrossTenantHeadersStamped: CY4PR21MB0278
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic/XUtro-7iPJYn9Ij_YXTjGU11J2M>
X-BeenThere: quic@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Main mailing list of the IETF QUIC working group <quic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic>, <mailto:quic-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic/>
List-Post: <mailto:quic@ietf.org>
List-Help: <mailto:quic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic>, <mailto:quic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 10 Feb 2018 18:22:47 -0000

>> a packet number *exactly* meets the requirements of an authenticated encrypted nonce. Not using it for that purpose is being wasteful for absolutely no good reason.
For better or worse we have chosen to tie the transport very tightly with TLS. This means extra work will be needed for unencrypted QUIC or QUIC over IPsec for example. Case in point transport parameters not being in the transport header but rather in the TLS header. In HTTPS over TCP, TLS will use its own sequence number for nonce and TCP will have its own sequence number. This is a clear separation of concerns. From what I can tell, since QUIC uses its own packet framing and the PN doesn’t repeat we have tried to optimize this by overloading it with the nonce.

That said nothing prevents an implementation from using the packet number as the nonce. By separating concerns one can pick whatever one wants for the nonce, the receiver doesn’t care about the nonce value other than for decryption i.e. no impact on transport logic. We can use a VLE field or other methods to reduce the extra space needed for the PN.

>> and then encrypting the nonce
You don’t have to but you can . The only functional requirement for the nonce is non-repeatability. Encryption is only being considered for ossification and unlinkability concerns. For connections that don’t care about unlinkability (no migration, no multi path) the overhead is not worth it. Ossification can be avoided by a random initial value and jumps in between since this is a form of greasing.

>> Do you have a non-authenticated crypto mechanism we should consider?
I am not a crypto expert. I don’t know what future crypto will look like. Making the nonce field optional or larger size when needed (but not variable for given connection) allows the transport protocol to be more future proof. Forcing the PN to be the nonce makes things more inflexible. I care much less about the nonce getting ossified compared to the PN.

From: Salz, Rich [mailto:rsalz@akamai.com]
Sent: Friday, February 9, 2018 3:37 PM
To: Praveen Balasubramanian <pravb@microsoft.com>
Cc: quic@ietf.org
Subject: Re: Packet number encryption

> Clear separation of concerns results if we don’t overload the packet number as the nonce. Connection migration and multi-path are optional features and we pay no extra compute cost for most connections that are not impacted by unlnkability. Nonce field becomes optional for crypto that doesn’t need it and can grow to larger size as needed for bulk transfers to prevent frequent key rollovers (say in datacenter scenarios).

David already replied pretty definitively, but for those not on his level …

It seems highly unlikely that we will want to use non-authenticated crypto – ie., AEAD or similar.  TLS 1.3 is all and only authenticated encryption.  The difference in cost is a few extra bytes of encryption, as opposed to bigger packets for plaintext and then encrypting the nonce, right?  That difference should be hard to notice.

If we assume it’s all authenticated crypto, and therefore we need a nonce, then separation of concerns becomes a non-issue. In fact, as David pointed out, a packet number *exactly* meets the requirements of an authenticated encrypted nonce. Not using it for that purpose is being wasteful for absolutely no good reason.

Do you have a non-authenticated crypto mechanism we should consider?

Packet number encryption Martin Thomson
Re: Packet number encryption Ian Swett
Re: Packet number encryption Brian Trammell (IETF)
Re: Packet number encryption Eric Rescorla
Re: Packet number encryption Christian Huitema
Re: Packet number encryption Martin Thomson
Re: Packet number encryption Mirja Kühlewind
Re: Packet number encryption Gorry Fairhurst
Re: Packet number encryption Brian Trammell (IETF)
Re: Packet number encryption Eggert, Lars
Re: Packet number encryption Brian Trammell (IETF)
Re: Packet number encryption Martin Thomson
Re: Packet number encryption Mikkel Fahnøe Jørgensen
Re: Packet number encryption Martin Thomson
Re: Packet number encryption Roberto Peon
Re: Packet number encryption Martin Thomson
Re: Packet number encryption Ted Hardie
Re: Packet number encryption Ted Hardie
Re: Packet number encryption Christian Huitema
Re: Packet number encryption Roberto Peon
Re: Packet number encryption Martin Thomson
Re: Packet number encryption Christian Huitema
Re: Packet number encryption Jana Iyengar
RE: Packet number encryption Roni Even (A)
Re: Packet number encryption Brian Trammell (IETF)
Re: Packet number encryption Roberto Peon
Re: Packet number encryption Roberto Peon
Re: Packet number encryption Martin Duke
Re: Packet number encryption Kazuho Oku
Re: Packet number encryption Christian Huitema
Re: Packet number encryption Brian Trammell (IETF)
Re: Packet number encryption Mikkel Fahnøe Jørgensen
Re: Packet number encryption Mirja Kühlewind
Re: Packet number encryption Mirja Kühlewind
Re: Packet number encryption Kazuho Oku
Re: Packet number encryption Dmitri Tikhonov
Re: Packet number encryption Brian Trammell (IETF)
Re: Packet number encryption Fossati, Thomas (Nokia - GB/Cambridge, UK)
Re: Packet number encryption Jana Iyengar
RE: Packet number encryption Piotr Galecki
Re: Re: Packet number encryption alexandre.ferrieux
Re: Packet number encryption Patrick McManus
Re: Packet number encryption Fossati, Thomas (Nokia - GB/Cambridge)
Re: Packet number encryption Stephen Farrell
Re: Packet number encryption Roberto Peon
RE: Packet number encryption Piotr Galecki
RE: Packet number encryption Roni Even (A)
RE: Packet number encryption Lubashev, Igor
RE: Packet number encryption Lubashev, Igor
RE: Packet number encryption Mikkel Fahnøe Jørgensen
Re: Packet number encryption Christian Huitema
RE: Packet number encryption Lubashev, Igor
Re: Packet number encryption Stephen Farrell
Re: Packet number encryption Fossati, Thomas (Nokia - GB/Cambridge)
Re: Packet number encryption Fossati, Thomas (Nokia - GB/Cambridge)
Re: Packet number encryption Stephen Farrell
Re: Packet number encryption Willy Tarreau
RE: Packet number encryption Praveen Balasubramanian
Re: Packet number encryption Christian Huitema
RE: Packet number encryption Praveen Balasubramanian
RE: Packet number encryption Mikkel Fahnøe Jørgensen
Re: Packet number encryption Brian Trammell (IETF)
Re: Packet number encryption Brian Trammell (IETF)
Re: Packet number encryption Brian Trammell (IETF)
Reducing ossification through protocol design (wa… Brian Trammell (IETF)
RE: Packet number encryption Praveen Balasubramanian
Re: Packet number encryption Roberto Peon
Re: Packet number encryption Roberto Peon
Re: Packet number encryption Salz, Rich
Re: Packet number encryption Jana Iyengar
RE: Packet number encryption Roni Even
Re: Packet number encryption Christian Huitema
RE: Packet number encryption Roni Even (A)
Re: Packet number encryption Roberto Peon
Re: Reducing ossification through protocol design… Gorry Fairhurst
Re: Packet number encryption Brian Trammell (IETF)
Re: Packet number encryption Kazuho Oku
RE: Packet number encryption Roni Even (A)
Re: Reducing ossification through protocol design… Mirja Kühlewind
Re: Reducing ossification through protocol design… Salz, Rich
Re: Reducing ossification through protocol design… Mirja Kühlewind
RE: Packet number encryption Praveen Balasubramanian
RE: Packet number encryption Mike Bishop
RE: Reducing ossification through protocol design… Mike Bishop
Re: Packet number encryption Jana Iyengar
Re: Packet number encryption Jana Iyengar
Re: Packet number encryption Martin Thomson
Re: Packet number encryption Ted Hardie
RE: Packet number encryption Praveen Balasubramanian
RE: Packet number encryption Praveen Balasubramanian
RE: Packet number encryption Praveen Balasubramanian
Re: Packet number encryption Marten Seemann
RE: Packet number encryption Roni Even (A)
Re: Packet number encryption Marten Seemann
Re: Packet number encryption Brian Trammell (IETF)
Re: Packet number encryption Kazuho Oku
Re: Packet number encryption Mikkel Fahnøe Jørgensen
Re: Packet number encryption Mikkel Fahnøe Jørgensen
Re: Packet number encryption Gorry Fairhurst
Explicit measurability in the QUIC wire image (wa… Brian Trammell (IETF)
Explicit measurability in the QUIC wire image (wa… Brian Trammell (IETF)
RE: Explicit measurability in the QUIC wire image… Roni Even (A)
Re: Explicit measurability in the QUIC wire image… Kazuho Oku
Re: Explicit measurability in the QUIC wire image… Mikkel Fahnøe Jørgensen
Re: Explicit measurability in the QUIC wire image… Mikkel Fahnøe Jørgensen
Re: Explicit measurability in the QUIC wire image… Mikkel Fahnøe Jørgensen
Re: Packet number encryption Mirja Kühlewind
Re: Packet number encryption Mikkel Fahnøe Jørgensen
Re: Packet number encryption Stephen Farrell
Re: Explicit measurability in the QUIC wire image… Kazuho Oku
RE: Packet number encryption Mike Bishop
Re: Packet number encryption Jana Iyengar
Re: Explicit measurability in the QUIC wire image… Mikkel Fahnøe Jørgensen
Re: Packet number encryption Mikkel Fahnøe Jørgensen
Re: Packet number encryption Eric Rescorla
Re: Explicit measurability in the QUIC wire image… Mikkel Fahnøe Jørgensen
Re: Packet number encryption Ian Swett
Re: Packet number encryption Christian Huitema
RE: Packet number encryption Praveen Balasubramanian
Re: Packet number encryption Martin Thomson
RE: Packet number encryption Praveen Balasubramanian
Re: Packet number encryption Christian Huitema
RE: Packet number encryption Praveen Balasubramanian
Re: Packet number encryption Christian Huitema
Re: Packet number encryption Marten Seemann
Re: Packet number encryption Mikkel Fahnøe Jørgensen
Re: Explicit measurability in the QUIC wire image… Mikkel Fahnøe Jørgensen
Re: Explicit measurability in the QUIC wire image… Kazuho Oku
Re: Explicit measurability in the QUIC wire image… Martin Thomson
Re: Explicit measurability in the QUIC wire image… Mikkel Fahnøe Jørgensen
Re: Explicit measurability in the QUIC wire image… Mikkel Fahnøe Jørgensen
Re: Packet number encryption Mirja Kühlewind
Re: Explicit measurability in the QUIC wire image… Mikkel Fahnøe Jørgensen
Re: Explicit measurability in the QUIC wire image… Kazuho Oku
Re: Explicit measurability in the QUIC wire image… Kazuho Oku
Re: Packet number encryption Brian Trammell (IETF)
RE: Packet number encryption Praveen Balasubramanian
Re: Explicit measurability in the QUIC wire image… Christian Huitema
Re: Explicit measurability in the QUIC wire image… Christian Huitema
Re: Explicit measurability in the QUIC wire image… Kazuho Oku
Re: Explicit measurability in the QUIC wire image… Kazuho Oku
Re: Packet number encryption Victor Vasiliev
Re: Packet number encryption Salz, Rich
RE: Packet number encryption Praveen Balasubramanian
RE: Packet number encryption Mike Bishop
Re: Packet number encryption Christian Huitema
RE: Packet number encryption Praveen Balasubramanian
RE: Packet number encryption Praveen Balasubramanian
RE: Packet number encryption Praveen Balasubramanian
RE: Packet number encryption Praveen Balasubramanian
RE: Packet number encryption Mike Bishop
RE: Packet number encryption Praveen Balasubramanian
RE: Packet number encryption Praveen Balasubramanian
RE: Packet number encryption Mikkel Fahnøe Jørgensen
RE: Packet number encryption Praveen Balasubramanian
RE: Packet number encryption Mikkel Fahnøe Jørgensen
RE: Packet number encryption Mikkel Fahnøe Jørgensen
RE: Packet number encryption Mikkel Fahnøe Jørgensen
Re: Packet number encryption Salz, Rich
Re: Packet number encryption Eric Rescorla
Re: Packet number encryption Eric Rescorla
Re: Packet number encryption Mikkel Fahnøe Jørgensen
Re: Packet number encryption Eric Rescorla
Re: Packet number encryption Mikkel Fahnøe Jørgensen
Re: Packet number encryption Ian Swett
RE: Packet number encryption Praveen Balasubramanian
RE: Packet number encryption Praveen Balasubramanian
Re: Packet number encryption Salz, Rich
Re: Packet number encryption Ian Swett
RE: Packet number encryption Praveen Balasubramanian
RE: Packet number encryption Praveen Balasubramanian
Re: Packet number encryption David Benjamin
RE: Packet number encryption Praveen Balasubramanian
RE: Packet number encryption Deval, Manasi
RE: Packet number encryption Deval, Manasi
Re: Packet number encryption Victor Vasiliev
RE: Packet number encryption Mikkel Fahnøe Jørgensen
RE: Packet number encryption Praveen Balasubramanian
Re: Packet number encryption Mikkel Fahnøe Jørgensen
Re: hardware offload (was: Packet number encrypti… Ian Swett
Re: Packet number encryption Ian Swett
Re: Packet number encryption Martin Thomson
Re: Packet number encryption Mikkel Fahnøe Jørgensen
RE: Packet number encryption Praveen Balasubramanian
Re: Packet number encryption Salz, Rich
RE: Packet number encryption Praveen Balasubramanian
RE: hardware offload (was: Packet number encrypti… Praveen Balasubramanian
Re: Packet number encryption Salz, Rich
RE: Packet number encryption Mikkel Fahnøe Jørgensen
Re: Packet number encryption Victor Vasiliev
Re: hardware offload (was: Packet number encrypti… Christian Huitema
Re: Packet number encryption Mikkel Fahnøe Jørgensen
Re: Packet number encryption Mikkel Fahnøe Jørgensen
Re: hardware offload (was: Packet number encrypti… Eggert, Lars
RE: Packet number encryption Praveen Balasubramanian
RE: hardware offload (was: Packet number encrypti… Praveen Balasubramanian
RE: Packet number encryption Praveen Balasubramanian
RE: Packet number encryption Mikkel Fahnøe Jørgensen
Re: Packet number encryption Victor Vasiliev
Re: Packet number encryption Mikkel Fahnøe Jørgensen
Re: Packet number encryption Kazuho Oku
Re: Packet number encryption Mikkel Fahnøe Jørgensen
Re: Packet number encryption Mikkel Fahnøe Jørgensen
Re: Packet number encryption Mikkel Fahnøe Jørgensen
Re: Packet number encryption Mikkel Fahnøe Jørgensen
Re: Packet number encryption Mikkel Fahnøe Jørgensen
Re: Packet number encryption Mikkel Fahnøe Jørgensen