IETF Logo Mail Archive

Re: Hardware acceleration and packet number encryption

Mikkel Fahnøe Jørgensen <mikkelfj@gmail.com> Sat, 24 March 2018 21:58 UTC

Return-Path: <mikkelfj@gmail.com>
X-Original-To: quic@ietfa.amsl.com
Delivered-To: quic@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 25A26126BF7 for <quic@ietfa.amsl.com>; Sat, 24 Mar 2018 14:58:56 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.698
X-Spam-Level:
X-Spam-Status: No, score=-2.698 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id aBbJfUrYAGER for <quic@ietfa.amsl.com>; Sat, 24 Mar 2018 14:58:53 -0700 (PDT)
Received: from mail-it0-x234.google.com (mail-it0-x234.google.com [IPv6:2607:f8b0:4001:c0b::234]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 56CE4120721 for <quic@ietf.org>; Sat, 24 Mar 2018 14:58:53 -0700 (PDT)
Received: by mail-it0-x234.google.com with SMTP id j137-v6so6516295ita.1 for <quic@ietf.org>; Sat, 24 Mar 2018 14:58:53 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:in-reply-to:references:mime-version:date:message-id:subject:to :cc; bh=rUHrrx91OYilrzr+6oQPc0bHQ7jxtTJmIYKDbhCfT+0=; b=nftrO83CfUhEA3YjRYggXYhQNg3GmJT74zW0HiAeiquuNAtP+MzEv84AuFU8H0Nw3I mDVKZss45oiESOOOO7g9E7KGkn5yzHAHOG6JCVgnCvVwHVqmRZ/MbBp9dKBdBH/ZEKdp wBGa89t083MpfRPmllfrWzQqbnymEdk8rSI6CLIOpm0murFFOt89RRfNpbqSmVOPeskC JSb3iENs+eYYUDbJAyyY9lumesE8oU1TEjuZ4066MHjZrK24xaoZNTb1ZgReHkrOEPH8 TqOYzBKFLQM68lJ324DFyqoZs9OJfgV6D/3Dxcqas2DleNh/SpJAnJlKQv2tN4IsXL/w tDGg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:in-reply-to:references:mime-version:date :message-id:subject:to:cc; bh=rUHrrx91OYilrzr+6oQPc0bHQ7jxtTJmIYKDbhCfT+0=; b=AzrQqRBOIMj7/s0m5YOme9fUYxV5YxEZa0wz2GMsfoI1s6SQS9odxUcWJKolQVdqwc UleWGp1ohutNFntCVE54EEg2XVyagNHWAfKz9hI93Pb/VJdppSEF/GxKKxvCvqTkQWjx gdjtXH8w677s6DsWLIf7jvQrZkuW16cvMJK1g2tWj1UHNGBQkZzUdqBLc2r4UZjoqEWT Ne7lj9L81lYYvFG1FyhspSDVsb8rtbvcBNcb/hbf/wGfCRmSpyWkNbadsZqr0L+NjP1l 0Hhv5gDU47A+EdLgVIQRWdGdVl1Jobo77uFnYnpwtG/h3eUkjeU5D70tx/wnkZs66hc8 jPag==
X-Gm-Message-State: AElRT7EViRR4rXcEwNLzselV41HbU0h0lpbEe+UIWRgTsGqRpuRsH9r7 2bYb5mqqbozEr3BVIaSvT4TiVylM4e+tWzpjhkA=
X-Google-Smtp-Source: AG47ELugKmS/dncOtx9g5lBQyCOEfLDXFM85T622gWgT2JhWDSLZG9ZJWdcKQ8EwWyfay7OgR3ctHVNaMKsnuRhLkfo=
X-Received: by 2002:a24:e085:: with SMTP id c127-v6mr17826519ith.25.1521928732632; Sat, 24 Mar 2018 14:58:52 -0700 (PDT)
Received: from 1058052472880 named unknown by gmailapi.google.com with HTTPREST; Sat, 24 Mar 2018 17:58:51 -0400
From: Mikkel Fahnøe Jørgensen <mikkelfj@gmail.com>
In-Reply-To: <CAN1APdfjuvd1eBWCYedsbpi1mx9_+Xa6VvZ3aq_Bhhc+HN67ug@mail.gmail.com>
References: <7fd34142-2e14-e383-1f65-bc3ca657576c@huitema.net> <F9FCC213-62B9-437C-ADF9-1277E6090317@gmail.com> <CABcZeBM3PfPkqVxPMcWM-Noyk=M2eCFWZw2Eq-XytbHM=0T9Uw@mail.gmail.com> <CAN1APdfjuvd1eBWCYedsbpi1mx9_+Xa6VvZ3aq_Bhhc+HN67ug@mail.gmail.com>
X-Mailer: Airmail (420)
MIME-Version: 1.0
Date: Sat, 24 Mar 2018 17:58:51 -0400
Message-ID: <CAN1APdevcn6T=yLRO=qxiVx58WiANiXxisKGer2vS2wvOmYr+A@mail.gmail.com>
Subject: Re: Hardware acceleration and packet number encryption
To: Eric Rescorla <ekr@rtfm.com>, Kazuho Oku <kazuhooku@gmail.com>
Cc: IETF QUIC WG <quic@ietf.org>, "Deval, Manasi" <manasi.deval@intel.com>, Christian Huitema <huitema@huitema.net>
Content-Type: multipart/alternative; boundary="0000000000007b69ce05682fa567"
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic/aG6Pz1WyZk-CE2SLgAlZJSwbaq0>
X-BeenThere: quic@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Main mailing list of the IETF QUIC working group <quic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic>, <mailto:quic-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic/>
List-Post: <mailto:quic@ietf.org>
List-Help: <mailto:quic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic>, <mailto:quic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 24 Mar 2018 21:58:56 -0000

Another approach that could be explored is carry-less multiplication in the
GF(2^n) domain. This could reduce the size of required bits to make a
mapping which would be non-trivial to break. GCM uses something along these
lines for hashing, but in a 128 bit domain. My math foo is not strong
enough to say if this is a good idea. If it could be done with a CLMUL
instruction the overhead would be low and where it isn’t supported, GCM
suffers too.

One could also be less ambitious and use a seeded hash and deal with the
odd conflict, for example:
Faster 64-bit universal hashing using carry-less multiplications
https://arxiv.org/pdf/1503.03465.pdf

But both of these potential approaches probably suffer when the packet
number length drops down to 8 or 16 bits. Which is why we are back the the
encryption of an AES block that overlaps with other content leading to so
called double buffering.

On 24 March 2018 at 22.35.26, Mikkel Fahnøe Jørgensen (mikkelfj@gmail.com)
wrote:

AERO: I did not read all of it, but it does indeed sound esoteric.
It can do two things of interest: reduce space used by packet numbers, and
presumably fix the encryption issue.

However, it has a W parameter which is the limit of reordering which is
default 64 and recommended at most 255 for security reasons. This is way
way too low (I would assume) if packet clusters take multiple transatlantic
paths.

If we accepted such a limit, I could very trivially come up with an
efficient solution to PN encryption. Since we cover at most 64 packets, we
only need a 5 bit packet number and reject false positives on AEAD tag. To
simplify, make it 8 bits. The algorithm is to AES encrypt a counter similar
to a typical AES based PRNG. Then, for each packet take one byte from the
stream and use it as packet number. The receiver creates the same stream
and maps the received byte to an index it has. It might occasionally have
to try multiple packet numbers since the mapping is not unique. Longer
packet numbers reduce this conflict ratio. To help with this detection some
short trial decryption might be included. The PN size can be extended as
needed.

The cost of doing this is much lower than direct encryption for as proposes
in PR because 1) a single encryption covers multiple packets, 2) the
encryption can be parallelised resulting in a 4-5 fold performance
increase. Combined this results in sub-nanosecond overhead for AES-NI.

However, you have to deal with uncertainties which is why this isn’t a very
good idea unless you have some very good knowledge of the traffic pattern.
It also complicates HW offloading, but I don’t see why it couldn’t be done
efficiently.


Mikkel


On 24 March 2018 at 17.26.47, Eric Rescorla (ekr@rtfm.com) wrote:

3. A more exotic solution like AERO (
https://tools.ietf.org/html/draft-mcgrew-aero-00#ref-MF07)..

v2.23.0 | Report a Bug | By Email