IETF Logo Mail Archive

Re: Packet number encryption

Patrick McManus <pmcmanus@mozilla.com> Sat, 03 February 2018 14:04 UTC

Return-Path: <pmcmanus@mozilla.com>
X-Original-To: quic@ietfa.amsl.com
Delivered-To: quic@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 673A612DA07 for <quic@ietfa.amsl.com>; Sat, 3 Feb 2018 06:04:26 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.233
X-Spam-Level:
X-Spam-Status: No, score=-1.233 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, SPF_SOFTFAIL=0.665, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ujtj99Ni5m34 for <quic@ietfa.amsl.com>; Sat, 3 Feb 2018 06:04:22 -0800 (PST)
Received: from linode64.ducksong.com (www.ducksong.com [192.155.95.102]) by ietfa.amsl.com (Postfix) with ESMTP id 7CC6112D886 for <quic@ietf.org>; Sat, 3 Feb 2018 06:04:22 -0800 (PST)
Received: from mail-ot0-f180.google.com (mail-ot0-f180.google.com [74.125.82.180]) by linode64.ducksong.com (Postfix) with ESMTPSA id 0F6723A092 for <quic@ietf.org>; Sat, 3 Feb 2018 09:04:21 -0500 (EST)
Received: by mail-ot0-f180.google.com with SMTP id r23so21515611ote.8 for <quic@ietf.org>; Sat, 03 Feb 2018 06:04:21 -0800 (PST)
X-Gm-Message-State: AKwxytevRsufF1TJ7PQGE4cWm4N/3/9Kabl6SQCYr+udCqszvlBtcrF3 WsjTPvkUNHhOcJUDMIWqQL00T+7p8PhPgXcwJCA=
X-Google-Smtp-Source: AH8x226u2wHqE639zMk/nmV8+l7P8Ncfai4BkaHh3ysXKsV3VBYM7IVpoJGpONr0R747sNbyL+VQB8GN5ZIpBXOVBmo=
X-Received: by 10.157.3.193 with SMTP id f59mr14511089otf.146.1517666660675; Sat, 03 Feb 2018 06:04:20 -0800 (PST)
MIME-Version: 1.0
Received: by 10.74.95.80 with HTTP; Sat, 3 Feb 2018 06:04:20 -0800 (PST)
In-Reply-To: <2C515BE8694C6F4B9B6A578BCAC32E2F83BA1443@MBX021-W3-CA-2.exch021.domain.local>
References: <CABkgnnVyo3MmWtVULiV=FJTnR528qfY8-OmKGWAs0bCvri-a_g@mail.gmail.com> <1F7FB3B8-A94C-4354-9944-FB09FB8DB68B@trammell.ch> <CABcZeBMbwdwyC9TxxHBLYaZKfNB-FG2wCGjqUZ_mNR-A1R47FA@mail.gmail.com> <9096e5ec-581e-875a-b1dd-bff0b05206fd@huitema.net> <CABkgnnWRQSAufwPss+qf=xAzCwRYeNNH8XLPm3yFaHxOb+ba4g@mail.gmail.com> <BF80500A-6277-45DC-8525-9C3FE138B76D@tik.ee.ethz.ch> <5A7191E0.6010003@erg.abdn.ac.uk> <5214AD93-8376-4B25-922F-AF5551CC2E95@netapp.com> <F990E064-E6F8-41A3-B791-F776C9955E15@nokia.com> <CAGD1bZab0GaZFsHwC+nw3AxxC4VusxMJ6oDanzk3dSDdWKAXdw@mail.gmail.com> <2C515BE8694C6F4B9B6A578BCAC32E2F83BA1443@MBX021-W3-CA-2.exch021.domain.local>
From: Patrick McManus <pmcmanus@mozilla.com>
Date: Sat, 03 Feb 2018 09:04:20 -0500
X-Gmail-Original-Message-ID: <CAOdDvNqerT-ibRB0h2qSHCTSqEqdCNSXBwOxFAy3Om5z0BSnVw@mail.gmail.com>
Message-ID: <CAOdDvNqerT-ibRB0h2qSHCTSqEqdCNSXBwOxFAy3Om5z0BSnVw@mail.gmail.com>
Subject: Re: Packet number encryption
To: Piotr Galecki <piotr_galecki@affirmednetworks.com>
Cc: Jana Iyengar <jri@google.com>, "Fossati, Thomas (Nokia - GB/Cambridge, UK)" <thomas.fossati@nokia.com>, Gorry Fairhust <gorry@erg.abdn.ac.uk>, Eric Rescorla <ekr@rtfm.com>, Christian Huitema <huitema@huitema.net>, "Eggert, Lars" <lars@netapp.com>, Brian Trammell <ietf@trammell.ch>, Mirja Kühlewind <mirja.kuehlewind@tik.ee.ethz.ch>, QUIC WG <quic@ietf.org>, Martin Thomson <martin.thomson@gmail.com>
Content-Type: multipart/alternative; boundary="94eb2c08ca8032778605644f4e6d"
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic/elCx0UnSNUSKp4vnfGbaw9JjJ_A>
X-BeenThere: quic@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Main mailing list of the IETF QUIC working group <quic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic>, <mailto:quic-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic/>
List-Post: <mailto:quic@ietf.org>
List-Help: <mailto:quic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic>, <mailto:quic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 03 Feb 2018 14:04:26 -0000

On Fri, Feb 2, 2018 at 9:59 PM, Piotr Galecki <
piotr_galecki@affirmednetworks.com> wrote:

> What is the group’s proposal for allowing network monitoring tools to
> detect packet retransmission or packet reordering ?
>

quic retransmits data, it does not retransmit packets. I'm not trying to be
pedantic - that's the answer to your question because obviously data needs
keys. Cooperating parties need to cooperate to share keying material...
this is something wireshark and tls have worked out in the past.



> These metrics are pretty straightforward to measure for TCP flows.
>
> Tools like Wireshark can analyze packets and spot issues.
>
> How can the network tools perform this kind of measurements for QUIC flows
> if PN field is encrypted?
>
>
>
>
>
> *From:* QUIC [mailto:quic-bounces@ietf.org] *On Behalf Of *Jana Iyengar
> *Sent:* Friday, February 02, 2018 9:31 PM
> *To:* Fossati, Thomas (Nokia - GB/Cambridge, UK) <thomas.fossati@nokia.com
> >
> *Cc:* Gorry Fairhust <gorry@erg.abdn.ac.uk>; Eric Rescorla <ekr@rtfm.com>;
> Mirja Kühlewind <mirja.kuehlewind@tik.ee.ethz.ch>; Christian Huitema <
> huitema@huitema.net>; Brian Trammell <ietf@trammell.ch>; Eggert, Lars <
> lars@netapp.com>; QUIC WG <quic@ietf.org>; Martin Thomson <
> martin.thomson@gmail.com>
> *Subject:* Re: Packet number encryption
>
>
>
> A few points as I catch up on this thread.
>
>
>
> First, I'll remind folks that QUIC is an encrypted transport. I say this
> because the cost of this operation is trivial in the context of encrypting
> every packet. The cost is borne at the servers and not at middleboxes, so
> the additional crypto cost is basically trivial.
>
>
>
> Second, this simplifies and increases robustness of implementation.
> Avoiding random PN jumps, as Kazuho points out, makes special-casing of
> code unnecessary. Special code that is exercised occasionally is a strong
> bug attractor, and I would strongly argue for as few of those as possible
> in implementation.
>
>
>
> Third, yes, ossification is a real concern. A simple example: using
> increasing packet numbers as a signature for detecting QUIC. Even if you
> argue against this example, there are innovative ways in which ossification
> will happen. This is based on a true story: We had no idea how GQUIC's
> flags field could get ossified, the value that was being used commonly
> became used as a signature for QUIC traffic (see Section 7.5 in the SIGCOMM
> QUIC paper
> <https://static.googleusercontent.com/media/research.google.com/en/pubs/archive/46403.pdf>
> ).
>
>
>
> There's a win here in terms of implementation complexity and several
> implementers have said so. There's a win in terms of ossification and our
> experience says so. There's a potential loss of manageability, in being
> able to detect reordering. This is the trade-off, and I am still in favor
> of encrypting packet numbers.
>
>
>
> On Fri, Feb 2, 2018 at 7:32 AM, Fossati, Thomas (Nokia - GB/Cambridge, UK)
> <thomas.fossati@nokia.com> wrote:
>
> On 31/01/2018, 10:06, "QUIC on behalf of Eggert, Lars" <
> quic-bounces@ietf.org on behalf of lars@netapp.com> wrote:
> > On 2018-1-31, at 10:52, Gorry Fairhurst <gorry@erg.abdn.ac.uk> wrote:
> > > +1 - Simply: This *is* complicated and seems to add little.
> >
> > So as an implementor (chair hat off), this adds very little to the
> > overall complexity of the protocol.
>
> This doesn't sound great.  It's a bit like saying that adding the Higgs
> mechanism to the standard model's lagrangian doesn't make it much more
> complicate :-)  (*)
>
> More seriously though, I'd like to point out that it is not just about
> implementation complexity, it's also the energy cost per packet that is
> quite crucial.  I haven't done the math but ISTM that bringing in
> another batch of non-optional crypto computation on a per packet basis
> is not going to move the needle in the right direction for stacks that
> run on low power (IoT).
>
> This is not a catastrophe - we have CoAP and a (D)TLS profile - but
> neither it's ideal, since cutting off the small things from the wider
> ecosystem creates an artificial gap which then will need a middlebox to
> bridge.  (Sure, we have specified the behaviour of a similar box
> already, but it'd be really better if the extra translation logic could
> be avoided in the first place.)
>
> I guess what I'm saying is that PN encryption being a core mechanism
> that can't be negotiated at handshake time reduces our ability to later
> profile QUIC for the IoT, which would be a bit unlucky.
>
> So the question is: would it be possible to make this property a
> configurable knob instead?
>
> (*) https://www.symmetrymagazine.org/article/the-deconstructed-
> standard-model-equation
>
>
>

v2.23.0 | Report a Bug | By Email