IETF Logo Mail Archive

Re: Packet number encryption

"Brian Trammell (IETF)" <ietf@trammell.ch> Wed, 07 February 2018 13:34 UTC

Return-Path: <ietf@trammell.ch>
X-Original-To: quic@ietfa.amsl.com
Delivered-To: quic@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 43CC3129C6C for <quic@ietfa.amsl.com>; Wed, 7 Feb 2018 05:34:49 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fU5uwNkYO5qB for <quic@ietfa.amsl.com>; Wed, 7 Feb 2018 05:34:46 -0800 (PST)
Received: from gozo.iway.ch (gozo.iway.ch [212.25.24.36]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D8D1612D775 for <quic@ietf.org>; Wed, 7 Feb 2018 05:34:42 -0800 (PST)
Received: from gozo.iway.ch (localhost [127.0.0.1]) by localhost (Postfix) with ESMTP id 8846B340E50; Wed, 7 Feb 2018 14:34:40 +0100 (CET)
Received: from localhost (localhost [127.0.0.1]) by localhost (ACF/6597.20073); Wed, 7 Feb 2018 14:34:40 +0100 (CET)
Received: from switchplus-mail.ch (switchplus-mail.ch [212.25.8.236]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by gozo.iway.ch (Postfix) with ESMTPS; Wed, 7 Feb 2018 14:34:40 +0100 (CET)
Received: from nb-10604.ethz.ch (account ietf@trammell.ch [82.130.102.91] verified) by switchplus-mail.ch (CommuniGate Pro SMTP 6.1.18) with ESMTPSA id 44640605; Wed, 07 Feb 2018 14:34:40 +0100
From: "Brian Trammell (IETF)" <ietf@trammell.ch>
Message-Id: <AF8560AD-6923-46C0-A8C4-60D0FADF4DD6@trammell.ch>
Content-Type: multipart/signed; boundary="Apple-Mail=_C5AAB0A9-7BB8-4722-AE7D-2E11458FB174"; protocol="application/pgp-signature"; micalg="pgp-sha512"
Mime-Version: 1.0 (Mac OS X Mail 10.3 \(3273\))
Subject: Re: Packet number encryption
Date: Wed, 07 Feb 2018 14:34:39 +0100
In-Reply-To: <CAGD1bZauKbucs_5n7RQbK8H2HiyfiqpGVEcKreGA6umhMBSFgg@mail.gmail.com>
Cc: QUIC WG <quic@ietf.org>
To: Jana Iyengar <jri@google.com>
References: <CABkgnnVyo3MmWtVULiV=FJTnR528qfY8-OmKGWAs0bCvri-a_g@mail.gmail.com> <2C515BE8694C6F4B9B6A578BCAC32E2F83BA1443@MBX021-W3-CA-2.exch021.domain.local> <BY2PR15MB07757473DB9788558B902EB5CDF80@BY2PR15MB0775.namprd15.prod.outlook.com> <6E58094ECC8D8344914996DAD28F1CCD861B7F@DGGEMM506-MBX.china.huawei.com> <e529144067624fcba636fc8c24ee3ff4@usma1ex-dag1mb5.msg.corp.akamai.com> <BY2PR15MB07754D83A1721F2BD742359BCDFE0@BY2PR15MB0775.namprd15.prod.outlook.com> <2CD9DC43-D69B-43F0-8474-DFE798850A52@akamai.com> <CAGD1bZaUuNxqpDkn62B0wWcFD8=mCUWrAwWGG-rAOxH7Mf1=cQ@mail.gmail.com> <CY4PR21MB01334E30C7AF6AE75F58EEFDB6FE0@CY4PR21MB0133.namprd21.prod.outlook.com> <CAGD1bZaxrqzdkk0wxRaULwOTgg6wnrSrXNBK31s4uxdozaACBA@mail.gmail.com> <CAGD1bZbOAaSBcQw4nVtGuwRunaAW8MYHq9yPxNN6DdKHzt5HtQ@mail.gmail.com> <2102BDC2-62C0-4A76-8ADE-8167437E2D07@trammell.ch> <CAN1APde6o6=aCXuWajPFSU=jXv-ERdVHk=uyjM71uQ_uU-oMTg@mail.gmail.com> <8e833029-68b5-2787-3897-a0f7818a259f@tik.ee.ethz.ch> <1de39727-eeec-0e7a-1e8b-5ed50433c5bd@cs.tcd.ie> <MWHPR08MB2432D0216BC8FE1B0D9E3690DAFD0@MWHPR08MB2432.namprd08.prod.outlook.com> <CAGD1bZauKbucs_5n7RQbK8H2HiyfiqpGVEcKreGA6umhMBSFgg@mail.gmail.com>
X-Mailer: Apple Mail (2.3273)
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic/eLzE3Uc6u5dbwyE5KRUuqUPVqnI>
X-BeenThere: quic@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Main mailing list of the IETF QUIC working group <quic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic>, <mailto:quic-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic/>
List-Post: <mailto:quic@ietf.org>
List-Help: <mailto:quic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic>, <mailto:quic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 07 Feb 2018 13:34:49 -0000

hi Jana,

popping back up from the detailed engineering, thank you for this reframing.

I largely agree that this is the question; a few comments / friendly amendments on each point.

> On 7 Feb 2018, at 00:00, Jana Iyengar <jri@google.com> wrote:
> 
> I'm going to try a different attempt at moving towards convergence. Thinking about this some more, and picking up something that Mirja said way earlier in this thread, I think the following decomposition is useful.
> 
> 1. In the transport, all packet numbers start at 0, increasing monotonically. ACK frames carry these packet numbers, and therefore do not have to span large gaps and do not have to deal with increases in the size of the largest acked. Basically, no gaps are visible within the transport processing engine.
> 2. Before sending a packet on the wire, and before processing the packet, QUIC transforms the packet number with some function, replacing the visible packet number with the transformed value.
> 
> I think we can all agree that (1) is goodness.

Yep! (modulo the (completely separate and inconsequential for this discussion) question of whether packet numbers start at 0 or 1)

> A sender is also free to use packet numbers from non-contiguous spaces here FWIW, but that's entirely independent of what's visible on the wire. This helps me separate transport processing complexity from the rest of it, which I think is helpful.

+1.

> I think we are disagreeing on the precise properties we want from the transformation in (2). If we can agree on these properties, we can then figure out whether it's possible and how to construct such a transform. Here's a union of what folks are concerned about:
> 1. Packet number must be unlinkable across connection ID change (for migration.)

s/must/should endeavor to be/ -- true unlinkability is unattainable. The goal here is to make sure the packet number doesn't make it a lot easier.

> 2. Packet number must start at an arbitrary value, to avoid ossification of the first packet number.

Presuming that the model of ossification you're using here is "a middlebox vendor grabbing on to any bits it can find to distinguish quic from not-quic UDP traffic", then yes, this seems reasonable.

(There are an entirely different space of designs, which contains TCP, where the packet number itself is an implicit signal to prove to the path that a packet belongs to a flow beyond the five-tuple. In that case the arbitrary start would be necessary to have actual entropy for that signal. But we've abandoned this as a requirement in QUIC, in part due to the fundamental tension between avoiding linkability and proving things to devices on the path about the relationships among packets, i.e., "linkability" in other words.)

> 3. Some sequencing information -- a few bits of the packet number perhaps -- should be revealed (for monitoring. Number of bits TBD.)

This is the crux of the argument. On one side we have the risk of misuse and ossification (well, not ossification -- these bits are *meant* for the path -- rather the risk that we'll figure out later that we specified the wrong thing), on the other side we have the loss of visibility into how QUIC traffic interacts with the network as compared to TCP, with a side question of whether or not this visibility is really the transport layer's problem despite the evolution the practice of diagnostics and troubleshooting using TCP information.

If we can come to agreement on this question, everything else falls into place. I have my arguments here, but as you said, this subthread is not the place for them. :)

> 4. Any packet number transformation should not be compute intensive.

I'd say "should not have an inordinate marginal impact on performance", because otherwise you go down the rabbithole of relative complexity, but yeah.

Cheers,

Brian

v2.23.0 | Report a Bug | By Email