Re: A better way to do conn id?
Kazuho Oku <kazuhooku@gmail.com> Wed, 24 January 2018 14:20 UTC
Return-Path: <kazuhooku@gmail.com>
X-Original-To: quic@ietfa.amsl.com
Delivered-To: quic@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6EC9D12422F for <quic@ietfa.amsl.com>; Wed, 24 Jan 2018 06:20:25 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.999
X-Spam-Level:
X-Spam-Status: No, score=-0.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, FREEMAIL_REPLY=1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Sf_ccWUgZG6y for <quic@ietfa.amsl.com>; Wed, 24 Jan 2018 06:20:23 -0800 (PST)
Received: from mail-pg0-x229.google.com (mail-pg0-x229.google.com [IPv6:2607:f8b0:400e:c05::229]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 450AD1243F6 for <quic@ietf.org>; Wed, 24 Jan 2018 06:20:23 -0800 (PST)
Received: by mail-pg0-x229.google.com with SMTP id w17so2788626pgv.6 for <quic@ietf.org>; Wed, 24 Jan 2018 06:20:23 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=kQt5dd49/9yFsHVoNGO+walXXMQhSD2ACjDvNfzoicY=; b=Zy3fHNXZlGM6Ww4/5HQhYC4kNmyVeoZuqoJTNzMcPodthevVolylaGWdVxofrwGe4R hFX/f/pkpT96HWNfUcD946kfp76FnGcRlVfXEUZUjmopk4lNRgfNPJhe4V6JBphN/GZF XqlhQwW9bBueqVb7ZvkjPoCBggbQaDtG9Z5xN5wta00Z+P6JxrFTFemUbAGmxh5cJEnF A+BiXna7naqjwNvsQvieVw14GNyIYgcuX+wpdL0vLihH2bTtcf7kdCuz8NYEGcqEMJLD KSZ29r/56uPJmNvl5pyVqKvDminx/Eh5KpRAWmY6z/9gQIc21uU18AgCx8Dgu/w6jgNT a5vA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=kQt5dd49/9yFsHVoNGO+walXXMQhSD2ACjDvNfzoicY=; b=KXkPcaBP3FgUzmjvXWKlmIht40Iy2mup6o5pNdP3izVU8yAhcvKxZWoXKb0JF6X73Z NDZseclU2MTOmbNd0hEHSkfJLtPqlEOTsMkTm6teMoU2hfBKPlAitLE+6oS6elDqBmKe pS3OoQ8RCeIhl6tjBw7Z/lZdMLHWXGqnIV+ik1ksNcURSfw6JNq8MkxS/vjUds/mzbiL UQWGlEhuPomC4zBAYYXZr0Pa8BY8cpxyoTBew2RSMycDy/VdcCvy4EV5u3MiTl4i7NPQ GvY8vZ/a/+XbLfosPuj3Ggsd3e7bXXEf5IKj/52DJgGW2+2xdW3C+NWg26wwvZZ/OVd6 hjkQ==
X-Gm-Message-State: AKwxytemS4Ocr4VThR/bH1MkoFh59dW59IW/9ANhs9ZGC2hCDra9p7S1 nGd6T5mtfHlCQHUMYBWZDYz9BIXfK7mWIJLVraY=
X-Google-Smtp-Source: AH8x225JV7rZjvnNCRepLzFBnlxntE1Q+QsS9ceZd9w7YEylQ1CexobKcVEub695Ka+Ijtgm1G1jI3QGydJ7+ZIHYn0=
X-Received: by 2002:a17:902:d217:: with SMTP id t23-v6mr8527397ply.303.1516803622499; Wed, 24 Jan 2018 06:20:22 -0800 (PST)
MIME-Version: 1.0
Received: by 10.236.156.11 with HTTP; Wed, 24 Jan 2018 06:20:20 -0800 (PST)
In-Reply-To: <6d7331bfb9e041e4a712f3edf99a3001@usma1ex-dag1mb5.msg.corp.akamai.com>
References: <CAM4esxS4TDf1QwsdrQM1J7NBvTCjNaM0oi3Qm2i6oL0F9b5cnA@mail.gmail.com> <CABkgnnVfKGd9QYhUnJ0Tva5odNzRDvZCSU4ASN27bQFsAiUvPw@mail.gmail.com> <CAM4esxQtrZgQuqh=eeMR1BgKpx5SyDk2+7V0GBZJX9ak_H8yeg@mail.gmail.com> <6d7331bfb9e041e4a712f3edf99a3001@usma1ex-dag1mb5.msg.corp.akamai.com>
From: Kazuho Oku <kazuhooku@gmail.com>
Date: Thu, 25 Jan 2018 01:20:20 +1100
Message-ID: <CANatvzxa-20_iAoiq1Ja2XGMxh4Wx-+UO6tKEYY0q1_3ha0uyA@mail.gmail.com>
Subject: Re: A better way to do conn id?
To: "Lubashev, Igor" <ilubashe@akamai.com>
Cc: Martin Duke <martin.h.duke@gmail.com>, Martin Thomson <martin.thomson@gmail.com>, IETF QUIC WG <quic@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000001cfa620563865df2"
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic/acvktDnRi5lcLNwT7YYngbrw2vk>
X-BeenThere: quic@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Main mailing list of the IETF QUIC working group <quic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic>, <mailto:quic-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic/>
List-Post: <mailto:quic@ietf.org>
List-Help: <mailto:quic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic>, <mailto:quic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 24 Jan 2018 14:20:25 -0000
2018-01-24 16:34 GMT+11:00 Lubashev, Igor <ilubashe@akamai.com>: > The two alternatives to allow for key rotation to “avoid” going over 16 > octets are: > > > > 1. (Victor voiced this today) Steal a code point from the packet type: > have 2 bits that represent: > > 0-byte connection id; > > 8-byte connection id; > > 16-byte connection id (key a); > > 16-byte connection id (key b) > > > > 1. “Trial Encryption” : Steal a bit from your 128 bit connection ID > > Your bit 0 of your Connection ID will represent the key used for > encryption. > Since you have entropy in your Connection ID, keep generating new entropy > and encrypting, until bit 0 comes out just the way you want it. On > average, you will do 0.75 extra encryption operations. > Thank you for summarizing the two approaches. What I am bit afraid of using the bits in the packet type is that the approach hardcodes the relation between the frequency of key rotation and the maximum lifetime of a QUIC connection. Consider the case where you want to switch from key A to key B. Correct me if I am wrong, but IIUC there is no way for a server to enforce the client to switch to a new connection ID. Therefore, the server will be enforced to shutdown all the connections using the IDs generated by using key A before the key gets retired. For example, if you plan to do the rollover from key A to key B in 24 hours, the minimum maximum of the lifetime of a connection will be restricted to 24 hours. Do we want to bake such restriction into the protocol? If we use trial encryption, the issue between the sped of key rotation and the minimum maximum of a QUIC connection would be left to each server-side implementation, though you might end up being required to do more "mining" (i.e., find a connection ID that can survive _multiple_ generations of key rotations). Or, should we introduce a mechanism that allows a server to _enforce_ connection ID migration, considering the fact that the issue exists in both approaches? > > - Igor > > > > *From:* Martin Duke [mailto:martin.h.duke@gmail.com] > *Sent:* Wednesday, January 24, 2018 12:21 AM > *To:* Martin Thomson <martin.thomson@gmail.com> > *Cc:* IETF QUIC WG <quic@ietf.org> > *Subject:* Re: A better way to do conn id? > > > > Very well, replace 16 with whatever number you guys come up with. > > > > On Wed, Jan 24, 2018 at 4:19 PM, Martin Thomson <martin.thomson@gmail.com> > wrote: > > We have already concluded that if you want to do sane crypto, plus > some sort of key identification, then you need MORE than 16 octets > (though not much more). That makes things more complicated. ekr has > an outcome that he will write up. > > > On Wed, Jan 24, 2018 at 4:08 PM, Martin Duke <martin.h.duke@gmail.com> > wrote: > > Today's variable-length connection ID discussion made me realize some > > problems with the current architecture, while the new architecture > doesn't > > fix some of them and creates whole new ones. Issues: > > > > - The client desires unlinkability, but I suspect the market will > provide no > > incentives for servers to work very hard to be unlinkable. There were > > conflicting "layer 9" arguments that variable conn ID makes this problem > > worse or better. > > > > - 16 Bytes is more overhead than 8 bytes. > > > > - The severity of this remains to be seen, but variable length conn ids > will > > introduce more complexity in parsers and anything that utilizes the conn > id > > (e.g. handshake key generation). It might make the invariants more > complex > > as well. The whole thing, frankly, makes my head hurt. > > > > I humbly suggest the following proposal might avoid or mitigate some of > > these problems: > > > > 1. Every connection has a long-lived Client-generated Connection ID > (CGCID) > > and Server-generated Connection ID (SGCID). The CGCID is 8 bytes and the > > SGCID is 16 bytes. > > > > 2. The CGCID is used to derive the handshake key. (unchanged from status > > quo) > > > > 3. The initial packet uses the CGCID. All other handshake packets use > the > > SGCID. This is unchanged from the status quo. > > > > 4. All 1-RTT packets by sent by the client use the SGCID. All 1-RTT > packets > > sent by the server use the CGCID. This has two important properties: > > a) The server gets the 16 Bytes of entropy the load balancer > > needs > > b) The server->client direction, which in the usual case has > most > > of the data, has a lower-overhead CID. > > > > 5. The algorithm that generates SGCID MUST have different output given a > > different CGCID. [We might strengthen this language further: you wouldn't > > want to simply add the NEW_CONN_ID sequence number to the existing SGCID, > > for instance]. > > > > 6. In advance of migration, the client sends a NEW_CONN_ID frame to > provide > > a new CGCID (possibly omitting the stateless reset token). The server > MUST > > respond with a NEW_CONN_ID that provides a new SGCID derived from the new > > CGCID. All packets on the new path use these CIDs. > > > > If people like this, I can generate a PR. I am very open to various > tweaks > > to the general approach as well. I wanted to get this out there before > the > > variable-length CID team gets deep in the weeds. > > > > Martin Duke > > > > > > > -- Kazuho Oku
- A better way to do conn id? Martin Duke
- Re: A better way to do conn id? Martin Thomson
- Re: A better way to do conn id? Martin Duke
- RE: A better way to do conn id? Lubashev, Igor
- Re: A better way to do conn id? Subodh Iyengar
- RE: A better way to do conn id? Lubashev, Igor
- Re: A better way to do conn id? Fossati, Thomas (Nokia - GB/Cambridge, UK)
- Re: A better way to do conn id? Kazuho Oku
- RE: A better way to do conn id? Lubashev, Igor
- RE: A better way to do conn id? Hannes Tschofenig