IETF Logo Mail Archive

RE: Getting to consensus on packet number encryption

Praveen Balasubramanian <pravb@microsoft.com> Wed, 04 April 2018 19:15 UTC

Return-Path: <pravb@microsoft.com>
X-Original-To: quic@ietfa.amsl.com
Delivered-To: quic@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4DF9312E051 for <quic@ietfa.amsl.com>; Wed, 4 Apr 2018 12:15:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Level:
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=microsoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id IGN31CDcGOm0 for <quic@ietfa.amsl.com>; Wed, 4 Apr 2018 12:15:20 -0700 (PDT)
Received: from NAM03-DM3-obe.outbound.protection.outlook.com (mail-dm3nam03on070b.outbound.protection.outlook.com [IPv6:2a01:111:f400:fe49::70b]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9E77812E8A9 for <quic@ietf.org>; Wed, 4 Apr 2018 12:15:19 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=HxVShu+2oUbxzKFfRpWhkkq8UYcJy8J2UXR/ERIWY2A=; b=Ddj0p7Fg/R0YwDg7FLbUcWhjq39qXEi7LS5HwCIgijk4yKlN07dmiSbhRFRG9WvwfWkTqyVOT02NjACE3PBbW320f7jVo2dECmrfahsVWhG4lH1kPdWGkA7PBJRBB0IOfCYPWaxh8r1JIrqI50DKH9DKmzOE8bybBL6VF7qDAU4=
Received: from CY4PR21MB0630.namprd21.prod.outlook.com (10.175.115.20) by CY4PR21MB0742.namprd21.prod.outlook.com (10.173.189.8) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.675.1; Wed, 4 Apr 2018 19:15:17 +0000
Received: from CY4PR21MB0630.namprd21.prod.outlook.com ([fe80::de:ba33:4748:51da]) by CY4PR21MB0630.namprd21.prod.outlook.com ([fe80::de:ba33:4748:51da%6]) with mapi id 15.20.0675.003; Wed, 4 Apr 2018 19:15:17 +0000
From: Praveen Balasubramanian <pravb@microsoft.com>
To: Mirja Kühlewind <mirja.kuehlewind@tik.ee.ethz.ch>, Mark Nottingham <mnot@mnot.net>
CC: Lars Eggert <lars@eggert.org>, IETF QUIC WG <quic@ietf.org>
Subject: RE: Getting to consensus on packet number encryption
Thread-Topic: Getting to consensus on packet number encryption
Thread-Index: AQHTy9GYaiUVNrU6h0aiyBQtEo3l9KPwZ0sAgAB4hlA=
Date: Wed, 04 Apr 2018 19:15:17 +0000
Message-ID: <CY4PR21MB0630528B6B7113AE652E8CE7B6A40@CY4PR21MB0630.namprd21.prod.outlook.com>
References: <7fd34142-2e14-e383-1f65-bc3ca657576c@huitema.net> <F9FCC213-62B9-437C-ADF9-1277E6090317@gmail.com> <CABcZeBM3PfPkqVxPMcWM-Noyk=M2eCFWZw2Eq-XytbHM=0T9Uw@mail.gmail.com> <CAN1APdfjuvd1eBWCYedsbpi1mx9_+Xa6VvZ3aq_Bhhc+HN67ug@mail.gmail.com> <CABcZeBMtQBwsAF85i=xHmWN3PuGRkJEci+_PjS3LDXi7NgHyYg@mail.gmail.com> <1F436ED13A22A246A59CA374CBC543998B5CCEFD@ORSMSX111.amr.corp.intel.com> <CABcZeBNfPsJtLErBn1=iGKuLjJMo=jEB5OLxDuU7FxjJv=+b=A@mail.gmail.com> <1F436ED13A22A246A59CA374CBC543998B5CDAD4@ORSMSX111.amr.corp.intel.com> <BBB8D1DE-25F8-4F3D-B274-C317848DE872@akamai.com> <CAN1APdd=47b2eXkvMg+Q_+P254xo4vo-Tu-YQu6XoUGMByO_eQ@mail.gmail.com> <CAKcm_gMpz4MpdmrHLtC8MvTf5uO9LjD915jM-i2LfpKY384O2w@mail.gmail.com> <HE1PR0702MB3611A67E764EE1C7D1644FAD84AD0@HE1PR0702MB3611.eurprd07.prod.outlook.com> <d8e35569-e939-4064-9ec4-2cccfba2f341@huitema.net> <CACpbDccqKoF-Y1poHMN2cLOK9GOuvtMTPsF-QEen3b30kUo9bg@mail.gmail.com> <CAKcm_gNffwpraF-H2LQBF33vUhYFx0bi_UXJ3N14k4Xj4NmWUw@mail.gmail.com> <40C1F6FE-2B2C-469F-8F98-66329703ED50@mnot.net> <21C36B57-6AE2-40EF-9549-7196D7FA9B45@tik.ee.ethz.ch>
In-Reply-To: <21C36B57-6AE2-40EF-9549-7196D7FA9B45@tik.ee.ethz.ch>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [2001:4898:80e8:a::712]
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1; CY4PR21MB0742; 7:tUsHCTR3Un8wsafrKfaIVLABmf8+lXJk76PaRjfhF9d07bV+LwwCPL4+8Jsu0pGWrVSIEYiBBCG82n4VyeWgR/19r/MC8FdiSSydCDGvpx/ZWPqu2c4VqjzAUfW/CrcgicB2WZ5U9jWQGF6jXcfeErjCIcM49C2PByphu4zgaZ8pZE05O0maX702cPUZWy3IdTxYQyoLuuafVF7OGk31+yMPcjJPg5OxEFSetJEknh3YW9Jc1lsxZkIzTjFlqwW2; 20:IXKXT8hhsk+7y867fSj3/FFYqZ3eJm7AkCsfaYi+qRekh+8CjPqAMz/J0uTJ83SC/DbTLHMC9zNHSd5W/VdcxaQ+FhFx0njorotBPdvDVbBBNZHjzGWC/m7WSBa4bVcBJ7HKiyn3GI8BAxqi5w5JGEChGJLDz8YpPAkCwnP+8Fk=
x-ms-exchange-antispam-srfa-diagnostics: SOS;
x-ms-office365-filtering-correlation-id: 56d3003b-a167-4d76-1e69-08d59a60670c
x-ms-office365-filtering-ht: Tenant
x-microsoft-antispam: UriScan:; BCL:0; PCL:0; RULEID:(7020095)(4652020)(5600026)(4604075)(3008032)(48565401081)(4534165)(4627221)(201703031133081)(201702281549075)(2017052603328)(7193020); SRVR:CY4PR21MB0742;
x-ms-traffictypediagnostic: CY4PR21MB0742:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=pravb@microsoft.com;
x-microsoft-antispam-prvs: <CY4PR21MB0742E5303ABB6DEBE12844D6B6A40@CY4PR21MB0742.namprd21.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(158342451672863)(189930954265078)(85827821059158)(100405760836317)(219752817060721)(17755550239193);
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(8211001083)(61425038)(6040522)(2401047)(8121501046)(5005006)(10201501046)(3002001)(3231221)(944501327)(52105095)(93006095)(93001095)(6055026)(61426038)(61427038)(6041310)(201703131423095)(201702281528075)(20161123555045)(201703061421075)(201703061406153)(20161123564045)(20161123562045)(20161123558120)(20161123560045)(6072148)(201708071742011); SRVR:CY4PR21MB0742; BCL:0; PCL:0; RULEID:; SRVR:CY4PR21MB0742;
x-forefront-prvs: 0632519F33
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(366004)(39380400002)(39860400002)(376002)(346002)(396003)(199004)(189003)(13464003)(53754006)(51914003)(22452003)(8676002)(5660300001)(561944003)(11346002)(81166006)(8936002)(446003)(46003)(10090500001)(33656002)(76176011)(6506007)(2906002)(7736002)(476003)(6116002)(93886005)(81156014)(59450400001)(7696005)(86362001)(486006)(53546011)(305945005)(575784001)(97736004)(54906003)(478600001)(110136005)(68736007)(316002)(3280700002)(74316002)(99286004)(8990500004)(106356001)(86612001)(3660700001)(102836004)(25786009)(186003)(4326008)(10290500003)(14454004)(966005)(5250100002)(105586002)(6436002)(6306002)(229853002)(55016002)(2900100001)(9686003)(6246003)(53936002); DIR:OUT; SFP:1102; SCL:1; SRVR:CY4PR21MB0742; H:CY4PR21MB0630.namprd21.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; A:1; MX:1;
received-spf: None (protection.outlook.com: microsoft.com does not designate permitted sender hosts)
x-microsoft-antispam-message-info: bokwcsRjotSNAOQOQGk8BxjPKVQDg/JdO0elg4pskyainwHcbL9vNlX6bHETWPSA6gbPrsj2sECP+xnZ7yjVJ3cHVG9EgFY4pmRwl4LVCrUEdZ+sB4S0xY7ElZkGXOzP+PRdiTmU3Nl2nPYJIuVHhES5/yTRi9xBT8Xfa26ppRrNJjwnZDeCgcJq7bLPR4DnVDkV2DcYkOGApuzYyr8Dg8/tq77O8cb2Xqy9ubCg8im2spXZJR7LFj7u8jtlSHHEaFn4z9dz6vg3ZGn5CAd0eA7gpzwu1gsRcTVo9KsoZwNSr79QA+LXjhTvOVqApJdJ1yOG2Y2toB614HQi7XqQ0BBpInao+7GKppYGiluYaEh903E3g65/BS1M9qCS6kU5c80JZxwRlWjew5LNyjdtSpT2aVookLezaAw1f3fk6XQ=
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 56d3003b-a167-4d76-1e69-08d59a60670c
X-MS-Exchange-CrossTenant-originalarrivaltime: 04 Apr 2018 19:15:17.7627 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47
X-MS-Exchange-Transport-CrossTenantHeadersStamped: CY4PR21MB0742
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic/Yeg_5I78CSmMKqHut2V98-5t6XM>
X-BeenThere: quic@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Main mailing list of the IETF QUIC working group <quic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic>, <mailto:quic-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic/>
List-Post: <mailto:quic@ietf.org>
List-Help: <mailto:quic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic>, <mailto:quic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 04 Apr 2018 19:15:23 -0000

I too disagree with the assessment of the situation. +1 to everything Mirja said.

>> there is no *requirement* that we produce a protocol that is able to be accelerated by hardware.
It is however a requirement for deployment that we be able to offload QUIC. A large part of work we do in TCP is acceleration in software and hardware. If QUIC has to evolve from experiment to broad deployment performance is a key goal. This is brought up several times in TCP working group where we see proposals that wouldn’t work with widely deployed software and hardware accelerations. 

Whether we like it or not performance is a key requirement for QUIC on servers and for datacenter scenarios. Even Ian mentioned before that he'd not want to do PNE within DC and I agree. Most connections will also not be doing migration or using multi path so why pay the extra overhead in the common case for no benefit?

Since PNE doesn’t affect the invariants (its simply an extra step post packetization and pre parsing), please explain why it would block progress on other fronts? What is the list of things that get blocked?

Please let us not rush into a design that impacts per packet processing costs with no clear articulation of the problem and the benefits. 

From what I can tell there is wide disagreement in the group and nothing resembling consensus. The fact that we have poor representation from hardware developers and public cloud providers is further skewing the perception. 

My recommendations:
1. Leave the current draft as is. Make sure we have some provision for greasing the PN to prevent ossification.
2. Explore multiple PN spaces for connection migration (and eventually multipath).
3. Make PNE an optional negotiated extension for implementations that want to do connection migration in V1 with the caveat that we will revisit this for V2 when we do multipath.
4. Solicit more feedback on the protocol from hardware vendors and public and private cloud providers. I can try to loop in more folks but others should too.

-----Original Message-----
From: QUIC [mailto:quic-bounces@ietf.org] On Behalf Of Mirja Kühlewind
Sent: Wednesday, April 4, 2018 3:27 AM
To: Mark Nottingham <mnot@mnot.net>
Cc: Lars Eggert <lars@eggert.org>; IETF QUIC WG <quic@ietf.org>
Subject: Re: Getting to consensus on packet number encryption

Hi Mark,

without intending to state a technical opinion, I think I need to disagree with your assessment of the situation. Please see below.

> Am 04.04.2018 um 06:58 schrieb Mark Nottingham <mnot@mnot.net>:
> 
> Hi everyone,
> 
> The editors have told your chairs that this issue is starting to block progress on other aspects of QUIC. Coming to consensus on it soon (i.e., before Stockholm, if possible) would be good.
> 
> It looks like this thread has come to a natural pause. Reading through it, I think we agree there are some unpleasant tradeoffs here, but so far we have only one concrete proposal -- PR#1079.

The other proposal is to use a random offset that can/should be changed when the connection ID is changed. Which is mostly inline with what the draft currently says.
> 
> My AU$.05 - While we're chartered to produce a protocol that's encrypted as much as operational concerns allow,

I don’t think this is what the charter say. The charter says "Providing always-secure transport, using TLS 1.3 by default.“ plus another paragraph that talks about TLS1.3. It does not spell out the desire of some individual to „encrypt as much as possible“. 

> and that privacy is a natural extension of that (especially in light of RFC7258 and RFC6973), there is no *requirement* that we produce a protocol that is able to be accelerated by hardware.

Not there is no requirement that the protocol need to be accelerated by hardware. However, not all requirement are listed in the charter. We as a group have to define the requirement. However, there is of course an implicit requirement for all work in the IEFT that is must be deployable and serve the needs of those people who want to deploy it.

> 
> That being the case, I think we need to ask ourselves if we believe that inclusion of PR#1079 will significantly inhibit deployment of the protocol. Based on the discussion so far, that doesn't seem to be the case, but I'd be interested to hear what others think.

Here my assessment is also different. There are multiple people that have raised concerns that this could hinder deployment.
> 
> If we can get to consensus to incorporate the PR, and folks come back later with a more hardware-friendly replacement that doesn't change the Invariants or increase linkability, I suspect the WG will be amenable to that.

I don’t think to just go with what we have even though there are concerns, is the right approach and definitely not the approach that was chosen for other proposals. In the sake of getting version v1 out quickly, I would think that not incorporating another change that does not have consensus is the proposer approach.

Mirja



> 
> What do folks think?
> 
> Cheers,
> 
> 
>> On 29 Mar 2018, at 11:39 am, Ian Swett <ianswett=40google.com@dmarc.ietf.org> wrote:
>> 
>> Thanks for the nice summary Jana.
>> 
>> As much as I'd love to have easier crypto HW acceleration, I've ended up arriving at the same conclusion.  I don't want to bite off the work to do proper multipath in QUIC v1, which I think is the only other reasonable option of those Christian outlined.
>> 
>> If someone comes up with a way to transform packet number to make it non-linkable, but doesn't have the downside of making hardware offload difficult, then I'm open to it.  But we've been talking about this for 2 months without any notable improvements over Martin's PR.
>> 
>> Given we never talk about any issue only once in QUIC, I'm sure this will come up again, but for the time being I think #1079 is the best option we have.
>> 
>> 
>> 
>> On Wed, Mar 28, 2018 at 8:03 PM Jana Iyengar <jri.ietf@gmail.com> wrote:
>> A few quick thoughts as I catch up on this thread.
>> 
>> I spent some time last week working through a design using multiple PN spaces, and it is quite doable. I suspect we'll head towards multiple PN spaces as we consider multipath in the future. That said, there is complexity (as Christian notes). This complexity may be warranted when doing multipath in v2 or later, but I'm not convinced that this is necessary as a design primitive for QUICv1. 
>> 
>> We may want to creatively use the PN bits in v2, say to encode a path ID and a PN, for multipath. We want to retain flexibility in these bits going into v2. We've used encryption to ensure that we don't lose flexibility elsewhere in the header, and it follows that we should use PNE to retain flexibility in these bits as well. (Simplicity of design is the other value in using PNE, since handling migration linkability is non-trivial without it.)
>> 
>> This leaves the question of HW acceleration being at loggerheads with the design in PR #1079. First, I expect that the primary benefit of acceleration will be in DC environments. Yes, there are some gains to be had in serving the public Internet as well, but I'm unconvinced that this is the driving use case for hardware acceleration. I understand that others may disagree with me here.
>> 
>> AFAIK, QUIC has not been used in DC environments yet. I expect there are other things in the protocol that we'd want to change as we gain experience deploying QUIC in DCs. Spinning up a new version to try QUIC within DCs is not only appropriate, I would recommend it. This allows for rapid iterations internally, and the experience can drive subsequent changes to QUIC. It's what *I* would do if I was to deploy QUIC inside a DC.
>> 
>> So, in short, I think we should go ahead with PR# 1079. This ensures that future versions are guaranteed the flexibility to change the PN bits for better support of HW acceleration or multipath or what-have-you.
>> 
>> - jana
>> 
>> On Mar 26, 2018 9:41 AM, "Christian Huitema" <huitema@huitema.net> wrote:
>> 
>> On 3/26/2018 8:20 AM, Swindells, Thomas (Nokia - GB/Cambridge) wrote:
>>> Looking at https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fen.wikipedia.org%2Fwiki%2FAES_instruction_set%23Intel_and_AMD_x86_architecture&data=02%7C01%7Cpravb%40microsoft.com%7C14f278ab3769469a44f908d59a16a2d6%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C636584344383959765&sdata=aOHc7FZoIBCE1OlqmNpvdMM0ntLerZ3FpqESVj85zfE%3D&reserved=0 it seems to imply a large range of server, desktop and mobile chips all have a CPU instruction set available to do AES acceleration and other similar operations (other instruction sets are also available).
>>> 
>>> If we are considering the AES instructions then it looks like it is (or at least will be in the near future) a sizeable proportion of the public internet have it to be used.
>>> 
>> 
>> Certainly, but that's not the current debate. PR #1079 is fully compatible with use of the AES instructions. The issue of the debate is that the mechanism in PR #1079 required double buffering, first encrypt the payload, then use the result of the encryption to encrypt the PN. This is not an issue in a software implementation that can readily access all bytes of the packet from memory, but it may be an issue in some hardware implementations that are designed to do just one pass over the data.
>> 
>> 
>> -- Christian Huitema
>> 
>> 
>> 
> 
> --
> Mark Nottingham   https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.mnot.net%2F&data=02%7C01%7Cpravb%40microsoft.com%7C14f278ab3769469a44f908d59a16a2d6%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C636584344383959765&sdata=RXba2TyvYz6otecEHoLCT4tZ2I7EodxDiyPxWrn%2FnAw%3D&reserved=0
>

v2.23.0 | Report a Bug | By Email