IETF Logo Mail Archive

Re: Packet number encryption negotiation

Boris Pismenny <borispismenny@gmail.com> Mon, 27 February 2023 08:55 UTC

Return-Path: <borispismenny@gmail.com>
X-Original-To: quic@ietfa.amsl.com
Delivered-To: quic@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2249CC15154E for <quic@ietfa.amsl.com>; Mon, 27 Feb 2023 00:55:21 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.094
X-Spam-Level:
X-Spam-Status: No, score=-7.094 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id twI8KOhpK4so for <quic@ietfa.amsl.com>; Mon, 27 Feb 2023 00:55:17 -0800 (PST)
Received: from mail-ed1-x534.google.com (mail-ed1-x534.google.com [IPv6:2a00:1450:4864:20::534]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 57626C15154A for <quic@ietf.org>; Mon, 27 Feb 2023 00:55:17 -0800 (PST)
Received: by mail-ed1-x534.google.com with SMTP id d30so22616741eda.4 for <quic@ietf.org>; Mon, 27 Feb 2023 00:55:17 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=eKTLyXqJJew09vFjvMrfHqZI1CRnxdGPSXzXSdfb93M=; b=XGMfI7LHxER+fzDY/M2CR3TdTOAy5SNoeznvMgcZFoRgO7HXPh9EchhdIUpG7eP2dJ jkBK5uWMQZrqhrP1PxTaaM1/q42Wb4vV73EJq8MD3dgZUO1hXG7uQ3tzEJGTaexhbwm3 hUf/c1dnGcD/wz5ZygrRQo4tBWtlo6BGCVAZ1l5zfaeHJnFQ0ShJj97NJRK6dnJSNsQm 30IfW/IkovoxqJyc2s6n4c2xx2+iqcMsl4Q3TDe8K22LKU2BSAtSyvLEl6P0ORBKYXAN hRk4odxDojzDQGjD4o0ST8HagrcwnfQyront5Qg0Jv1Xjsz+OdhT7dqEtI44UqkoM81C EMKw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=eKTLyXqJJew09vFjvMrfHqZI1CRnxdGPSXzXSdfb93M=; b=xHyhx18Kj7O9paFo/6VAIMgbn4TU/XYf5ZJqn9lvLKC080aIabLcyD2OeSQahMk9qG ZJP7RY3jaeyG3LpL8rzLJysHrAiR/fGHFDiuZrzBgXGmJ561l6ePKvu4EwzilTQMYEd4 tu1dHhtcrYU9wgcANvlBkEZ2sBhnyZp9WaH0oPkBSerHGdCj401NGfmohpd+0gzB01i3 fZH9EgSWVcMKfSsQchb5mEtfNNpPnUTYfnKfV7N27P75u7EYwL7rVLO3FxdEkJOgChCv F6HazVQ9gGLsOHYP1Fk0e16Rk3hPNoxWqw/MwvpYMDD9m3KZdA+47LbEkmxlSPNT+Qi8 +l4A==
X-Gm-Message-State: AO0yUKUo0bnn+jrdP2D1tRoOHh4Ap9nEnOYgBFlCEeDOPjcH4lKXSM64 8PX2OsMc2JHqNk28eEDlI1DYB42UoZ20wN/GuxO1gzqGQ/M=
X-Google-Smtp-Source: AK7set+DvmivzqwTSsig6l2ul2P9MT+FHO11LXhZ7hVhqQz43vXf+XflYlfatrQSOWjgiAzPpNRNPldL+srqZpYjbHc=
X-Received: by 2002:a50:f68e:0:b0:4af:5779:ac6d with SMTP id d14-20020a50f68e000000b004af5779ac6dmr10589213edn.3.1677488115346; Mon, 27 Feb 2023 00:55:15 -0800 (PST)
MIME-Version: 1.0
References: <CAKJMo+ttNyyTOhKg99k9HEgFCCZfR-yY_GeQ-ot6_09U1T3LPw@mail.gmail.com> <2b54d5c1-e094-d128-5c37-88ed63a0a0d8@ericsson.com>
In-Reply-To: <2b54d5c1-e094-d128-5c37-88ed63a0a0d8@ericsson.com>
From: Boris Pismenny <borispismenny@gmail.com>
Date: Mon, 27 Feb 2023 09:55:19 +0100
Message-ID: <CAKJMo+u=OZtNAmwYhSOXnrxNKTFFfup6k_W14=sos00gvqeP6g@mail.gmail.com>
Subject: Re: Packet number encryption negotiation
To: Michael Eriksson <michael.eriksson@ericsson.com>
Cc: IETF QUIC WG <quic@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000003af15905f5aaa38e"
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic/e3_v1Z115WgmEZgTboOc3IbmmZM>
X-BeenThere: quic@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Main mailing list of the IETF QUIC working group <quic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic>, <mailto:quic-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic/>
List-Post: <mailto:quic@ietf.org>
List-Help: <mailto:quic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic>, <mailto:quic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 27 Feb 2023 08:55:21 -0000

Hi Michael,

On Fri, Feb 24, 2023 at 1:19 PM Michael Eriksson <
michael.eriksson@ericsson.com> wrote:

> Hi Boris,
>
> It's nice to see that you are working on hardware support for QUIC
> encryption. (BTW, I supervised Rebecka Alfredsson's master thesis project
> last year, where she used an NVIDIA BlueField 2 DPU for QUIC crypto
> offload.)
>

Thanks, sounds like a cool project. It's worth saying that what we have in
mind with crypto offload is based on an ASIC with limited promability, so
any change to the AEAD is critical. This particular change to the AEAD
doesn't seem to be a problem---IIUC, software associates CIDs with the
corresponding path-ID and nonce, which can be even XORed together ahead of
time to use the same hardware processing flow as single path QUIC.


>
> What I want to add is that you should consider multipath QUIC when you
> design your hardware. It affects the AEAD nonce generation.
>
> Regular, unipath, QUIC sets the top 34 bits of the packet number to zero
> when generating the nonce. In the upcoming multipath extension, the top 32
> bits can be set to non-zero values.
>
> https://www.rfc-editor.org/rfc/rfc9001.html#name-aead-usage
>
> https://www.ietf.org/archive/id/draft-ietf-quic-multipath-03.html#name-packet-protection-for-quic
> -
>

Thanks for the pointers, I've encountered multi-path QUIC on another
discussion about QUIC offload (
https://github.com/microsoft/quic-offloads/issues/9#issuecomment-1305823308).
IIUC, the main challenge with multipath will be to synchronize receive side
NIC offloads when two NICs are being used in parallel to carry the same
flow's packet number space.


>
> Best regards,
> Michael Eriksson
>
> ------------------------------
> *From:* Boris Pismenny <borispismenny@gmail.com> <borispismenny@gmail.com>
> *To:* mailing-lists.ietf.quic
> *Subject:* Packet number encryption negotiation
> *Date:* Wed, 8 Feb 2023 09:25:07 +0100 (Central European Standard Time)
>
> Hello,
>
> I work on NIC hardware acceleration for NVIDIA, and we are looking into
> QUIC and DTLS1.3 acceleration. QUIC and DTLS employ packet number
> encryption (PNE) which increases security. At the same time, PNE
> significantly encumbers hardware acceleration as I’ll explain next.
>
> For hardware to encrypt the packet numbers, there are two options:
>
>    1.
>
>    Feed the header back into the encryption machine after data has been
>    encrypted. This means storing and forwarding data, higher implementation
>    complexity, and greater bandwidth requirements on the single encryption
>    machine.
>    2.
>
>    Adding an additional unique pipeline stage dedicated for header
>    encryption.
>
> As you may already know, this is not hardware friendly and for this reason
> many vendors will likely refuse to pay the cost of supporting this. But
> suppose a vendor does implement this feature, one problem still remains.
> PNE will still cause noticeable latency and performance degradation for
> high speed networks (think >400Gbps).
>
> Now, in certain use-cases, such as high performance computing, cloud
> computing, or data-center clusters—the security benefits of encrypting
> headers are marginal compared to the latency imposed by PNE. Would it be
> possible to consider letting these users negotiate to disable PNE and by
> doing so benefit (more) from encryption acceleration?
>
> Best regards,
>
> Boris
>
>
>

v2.23.0 | Report a Bug | By Email