IETF Logo Mail Archive

RE: Packet number encryption

"Roni Even" <ron.even.tlv@gmail.com> Mon, 05 February 2018 04:58 UTC

Return-Path: <ron.even.tlv@gmail.com>
X-Original-To: quic@ietfa.amsl.com
Delivered-To: quic@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EDC84126CBF for <quic@ietfa.amsl.com>; Sun, 4 Feb 2018 20:58:28 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.71
X-Spam-Level:
X-Spam-Status: No, score=-0.71 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=1.989, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bEI3qgB8FMPZ for <quic@ietfa.amsl.com>; Sun, 4 Feb 2018 20:58:25 -0800 (PST)
Received: from mail-wm0-x22c.google.com (mail-wm0-x22c.google.com [IPv6:2a00:1450:400c:c09::22c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EF21D1205D3 for <quic@ietf.org>; Sun, 4 Feb 2018 20:58:24 -0800 (PST)
Received: by mail-wm0-x22c.google.com with SMTP id b21so23220293wme.4 for <quic@ietf.org>; Sun, 04 Feb 2018 20:58:24 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:cc:references:in-reply-to:subject:date:message-id :mime-version:content-language:thread-index; bh=LQQvV+kNw8Gtj0ve9EydIljRRy0mw884b0psVsX4PL8=; b=We5xv1KFKvr6ELanmRnguB/UvXUtRpWQMgXub97murgrj9218p9vqYDQEFeO0e5fNc 1J1xnoPHkMoprb5Yjro+BoEvNzAQiZivHpeocmJy+Df+5nFZT3rhkQ3kG+/4vReFsujT Ur/ltiIU9VgyWtfZbptFoR2PLnhF1c/bjG8rarWDjsi9x1T8rYdyNBY76dJnJ4gGpm8E 0AiDnYg877h3Erqi3kPQt94ZiTTW6w3zNQd4ovfUXy1o7bE+8c7T5iDiwiP+ZmaNaos6 dxebNG85q42ZppEsnZ982A8PRKuwaG0MLoW8SnjiTkkcupQfk6/VqUr4Sk9vi2584uv5 YPWg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:references:in-reply-to:subject:date :message-id:mime-version:content-language:thread-index; bh=LQQvV+kNw8Gtj0ve9EydIljRRy0mw884b0psVsX4PL8=; b=LChZEn4QW+dOSxr3vUh01kw8UzB4lfIpzIIL/225P4UeI3ztiKhhhHOuM4+91oDwBt fxfgAV7LOlK1QkSXsPW1hpOvjtiEWt/fpq8rS/S0Bvgz6yE7ejQeLDwpKrnweYmAbWFV 8dCpZL4T9Q6BNurm5kuARGL4zT2M3BneF2Q1qLrDIBcwRkcIhupRbVF9lBoYEjKtHAzM zOU1oBwgMAHILlm3wBkNgtXj7C8X+4ibkcWRDJUvY5Hf4xr2vHMV3CyVmnLQkthpYoR1 Xf2hwj4HYLJfQ2fZHWGIJsl/1JcqmEYzKgK07M0QXEAQp9qWuxpyCTFJ/qqDZVvrtXWu dPHg==
X-Gm-Message-State: AKwxytfm2eg6de9N8uzccDvfg5cYwK9akGdnskNPHFDWcL2/csiHDtJR /+DdEL2Tf5JC0sXt7qSSoQc=
X-Google-Smtp-Source: AH8x226gmLqsb9fbiT8b/Z8UONpwWbSrBxZPnq1Xf40ZIv2dLbNMCOpY0ihsl1B/eJ6pCRA1PabARQ==
X-Received: by 10.28.32.15 with SMTP id g15mr31661275wmg.22.1517806703352; Sun, 04 Feb 2018 20:58:23 -0800 (PST)
Received: from RoniPC (bzq-79-183-153-245.red.bezeqint.net. [79.183.153.245]) by smtp.gmail.com with ESMTPSA id q131sm9235234wmg.18.2018.02.04.20.58.19 (version=TLS1 cipher=ECDHE-RSA-AES128-SHA bits=128/128); Sun, 04 Feb 2018 20:58:21 -0800 (PST)
From: Roni Even <ron.even.tlv@gmail.com>
To: 'Roberto Peon' <fenix@fb.com>, "'Roni Even (A)'" <roni.even@huawei.com>, 'Piotr Galecki' <piotr_galecki@affirmednetworks.com>, 'Jana Iyengar' <jri@google.com>, "'Fossati, Thomas (Nokia - GB/Cambridge, UK)'" <thomas.fossati@nokia.com>
Cc: 'Gorry Fairhust' <gorry@erg.abdn.ac.uk>, 'Eric Rescorla' <ekr@rtfm.com>, 'Christian Huitema' <huitema@huitema.net>, "'Eggert, Lars'" <lars@netapp.com>, 'Brian Trammell' <ietf@trammell.ch>, 'Mirja Kühlewind' <mirja.kuehlewind@tik.ee.ethz.ch>, 'QUIC WG' <quic@ietf.org>, 'Martin Thomson' <martin.thomson@gmail.com>
References: <CABkgnnVyo3MmWtVULiV=FJTnR528qfY8-OmKGWAs0bCvri-a_g@mail.gmail.com> <1F7FB3B8-A94C-4354-9944-FB09FB8DB68B@trammell.ch> <CABcZeBMbwdwyC9TxxHBLYaZKfNB-FG2wCGjqUZ_mNR-A1R47FA@mail.gmail.com> <9096e5ec-581e-875a-b1dd-bff0b05206fd@huitema.net> <CABkgnnWRQSAufwPss+qf=xAzCwRYeNNH8XLPm3yFaHxOb+ba4g@mail.gmail.com> <BF80500A-6277-45DC-8525-9C3FE138B76D@tik.ee.ethz.ch> <5A7191E0.6010003@erg.abdn.ac.uk> <5214AD93-8376-4B25-922F-AF5551CC2E95@netapp.com> <F990E064-E6F8-41A3-B791-F776C9955E15@nokia.com> <CAGD1bZab0GaZFsHwC+nw3AxxC4VusxMJ6oDanzk3dSDdWKAXdw@mail.gmail.com>, <2C515BE8694C6F4B9B6A578BCAC32E2F83BA1443@MBX021-W3-CA-2.exch021.domain.local> <BY2PR15MB07757473DB9788558B902EB5CDF80@BY2PR15MB0775.namprd15.prod.outlook.com>, <6E58094ECC8D8344914996DAD28F1CCD861B7F@DGGEMM506-MBX.china.huawei.com> <BY2PR15MB07758F932FBB87047ACB9D9ACDFE0@BY2PR15MB0775.namprd15.prod.outlook.com>
In-Reply-To: <BY2PR15MB07758F932FBB87047ACB9D9ACDFE0@BY2PR15MB0775.namprd15.prod.outlook.com>
Subject: RE: Packet number encryption
Date: Mon, 05 Feb 2018 06:58:17 +0200
Message-ID: <00f301d39e3d$f15bdf40$d4139dc0$@gmail.com>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_00F4_01D39E4E.B4E6F930"
X-Mailer: Microsoft Outlook 14.0
Content-Language: he
Thread-Index: AQGQ530rNkaVCPfLZBKkq0r1tERDAQJoUcKLAOqrdnUByCTDvwIyPa6oAhcWTWcBH9bDhAGpm2h4Ai0m8V0BYzTSYQJi/trAAYuplSEAg9HiIAJKr5A5o2bQ+lA=
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic/f9wwm_P3-TrlS8HO3I9jgegZr0U>
X-BeenThere: quic@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Main mailing list of the IETF QUIC working group <quic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic>, <mailto:quic-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic/>
List-Post: <mailto:quic@ietf.org>
List-Help: <mailto:quic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic>, <mailto:quic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 05 Feb 2018 04:58:29 -0000

Does not it mean that the network need to identify packets  that are from
the same quic connection to make such wrapping?

Roni

 

From: QUIC [mailto:quic-bounces@ietf.org] On Behalf Of Roberto Peon
Sent: Monday, February 05, 2018 2:38 AM
To: Roni Even (A); Piotr Galecki; Jana Iyengar; Fossati, Thomas (Nokia -
GB/Cambridge, UK)
Cc: Gorry Fairhust; Eric Rescorla; Christian Huitema; Eggert, Lars; Brian
Trammell; Mirja Kühlewind; QUIC WG; Martin Thomson
Subject: Re: Packet number encryption

 

A network could carry whatever protocol it wished to, i.e. by wrapping
any/all packets on ingress to the network, and then un-wrapping when
forwarding to another network. This would allow a network to record and
track whatever it wanted to without placing constraints on layers which
should be above it. 


If the network placed a sequence number on incoming packets, it could detect
reordering across all flows. If it do so on a 5-tuple basis, it could detect
reordering/duplication/loss across any 5-tuple.

 

-=R

  _____  

From: Roni Even (A) <roni.even@huawei.com>
Sent: Saturday, February 3, 2018 11:47:06 PM
To: Roberto Peon; Piotr Galecki; Jana Iyengar; Fossati, Thomas (Nokia -
GB/Cambridge, UK)
Cc: Gorry Fairhust; Eric Rescorla; Mirja Kühlewind; Eggert, Lars; Brian
Trammell; Christian Huitema; QUIC WG; Martin Thomson
Subject: RE: Packet number encryption 

 

Hi,

Network monitoring:

Networks may always wrap the packet(s) they have received with whatever data
they wish, and unwrap before forwarding. This can allow any network to
understand ordering,  loss, etc within its boundaries.

 

RE- so you are saying that we can for example  leverage  RTP and define RTP
payload for QUIC that will carry QUIC packets, we will just need to resolve
the MTU size.

Roni

 

 

From: QUIC [mailto:quic-bounces@ietf.org] On Behalf Of Roberto Peon
Sent: Saturday, February 03, 2018 8:38 PM
To: Piotr Galecki; Jana Iyengar; Fossati, Thomas (Nokia - GB/Cambridge, UK)
Cc: Gorry Fairhust; Eric Rescorla; Mirja Kühlewind; Eggert, Lars; Brian
Trammell; Christian Huitema; QUIC WG; Martin Thomson
Subject: Re: Packet number encryption

 

Ossification:

In the past tcp middleboxes expected in-order, monotonically increasing
offsets and tried to fix reordering before forwarding. This middlebox
behavior, predicated on observable flows, prevented deployment of things
which would have made tcp more efficient.

 

 This is the kind of non-theoretical ossification that drove the creation of
QUIC in the first place.

 

Network monitoring:

Networks may always wrap the packet(s) they have received with whatever data
they wish, and unwrap before forwarding. This can allow any network to
understand ordering,  loss, etc within its boundaries.

 

Debugging:

Debugging of flows can still happen for flows that wish to be debugged-- the
QUIC connection's key material(s) can be shared manually and used by the
debugging tool. This is how one debugs http2, https, etc. already today.

 

-=R

 

 

 

-------- Original message --------

From: Piotr Galecki <piotr_galecki@affirmednetworks.com> 

Date: 2/2/18 7:00 PM (GMT-08:00) 

To: Jana Iyengar <jri@google.com>, "Fossati, Thomas (Nokia - GB/Cambridge,
UK)" <thomas.fossati@nokia.com> 

Cc: Gorry Fairhust <gorry@erg.abdn.ac.uk>, Eric Rescorla <ekr@rtfm.com>,
Christian Huitema <huitema@huitema.net>, "Eggert, Lars" <lars@netapp.com>,
Brian Trammell <ietf@trammell.ch>, Mirja Kühlewind
<mirja.kuehlewind@tik.ee.ethz.ch>, QUIC WG <quic@ietf.org>, Martin Thomson
<martin.thomson@gmail.com> 

Subject: RE: Packet number encryption 

 

What is the group’s proposal for allowing network monitoring tools to detect
packet retransmission or packet reordering ?

These metrics are pretty straightforward to measure for TCP flows.

Tools like Wireshark can analyze packets and spot issues.

How can the network tools perform this kind of measurements for QUIC flows
if PN field is encrypted?

 

 

From: QUIC [mailto:quic-bounces@ietf.org] On Behalf Of Jana Iyengar
Sent: Friday, February 02, 2018 9:31 PM
To: Fossati, Thomas (Nokia - GB/Cambridge, UK) <thomas.fossati@nokia.com>
Cc: Gorry Fairhust <gorry@erg.abdn.ac.uk>; Eric Rescorla <ekr@rtfm.com>;
Mirja Kühlewind <mirja.kuehlewind@tik.ee.ethz.ch>; Christian Huitema
<huitema@huitema.net>; Brian Trammell <ietf@trammell.ch>; Eggert, Lars
<lars@netapp.com>; QUIC WG <quic@ietf.org>; Martin Thomson
<martin.thomson@gmail.com>
Subject: Re: Packet number encryption

 

A few points as I catch up on this thread.

 

First, I'll remind folks that QUIC is an encrypted transport. I say this
because the cost of this operation is trivial in the context of encrypting
every packet. The cost is borne at the servers and not at middleboxes, so
the additional crypto cost is basically trivial.

 

Second, this simplifies and increases robustness of implementation. Avoiding
random PN jumps, as Kazuho points out, makes special-casing of code
unnecessary. Special code that is exercised occasionally is a strong bug
attractor, and I would strongly argue for as few of those as possible in
implementation.

 

Third, yes, ossification is a real concern. A simple example: using
increasing packet numbers as a signature for detecting QUIC. Even if you
argue against this example, there are innovative ways in which ossification
will happen. This is based on a true story: We had no idea how GQUIC's flags
field could get ossified, the value that was being used commonly became used
as a signature for QUIC traffic (see Section 7.5 in the SIGCOMM QUIC paper
<https://urldefense.proofpoint.com/v2/url?u=https-3A__static.googleuserconte
nt.com_media_research.google.com_en_pubs_archive_46403.pdf&d=DwMGaQ&c=5VD0RT
tNlTh3ycd41b3MUw&r=C0sUo-LFNBaYfyoaCsf6TA&m=SY87I4v_IqTCGOds-j5NCOwkQ0cJcYHG
yKdXmMIVn6I&s=U9o6dI-dwzKwvXHvvmv7WtVm84puvxhaP0cN2of3VvA&e=> ).

 

There's a win here in terms of implementation complexity and several
implementers have said so. There's a win in terms of ossification and our
experience says so. There's a potential loss of manageability, in being able
to detect reordering. This is the trade-off, and I am still in favor of
encrypting packet numbers.

 

On Fri, Feb 2, 2018 at 7:32 AM, Fossati, Thomas (Nokia - GB/Cambridge, UK)
<thomas.fossati@nokia.com> wrote:

On 31/01/2018, 10:06, "QUIC on behalf of Eggert, Lars"
<quic-bounces@ietf.org on behalf of lars@netapp.com> wrote:
> On 2018-1-31, at 10:52, Gorry Fairhurst <gorry@erg.abdn.ac.uk> wrote:
> > +1 - Simply: This *is* complicated and seems to add little.
>
> So as an implementor (chair hat off), this adds very little to the
> overall complexity of the protocol.

This doesn't sound great.  It's a bit like saying that adding the Higgs
mechanism to the standard model's lagrangian doesn't make it much more
complicate :-)  (*)

More seriously though, I'd like to point out that it is not just about
implementation complexity, it's also the energy cost per packet that is
quite crucial.  I haven't done the math but ISTM that bringing in
another batch of non-optional crypto computation on a per packet basis
is not going to move the needle in the right direction for stacks that
run on low power (IoT).

This is not a catastrophe - we have CoAP and a (D)TLS profile - but
neither it's ideal, since cutting off the small things from the wider
ecosystem creates an artificial gap which then will need a middlebox to
bridge.  (Sure, we have specified the behaviour of a similar box
already, but it'd be really better if the extra translation logic could
be avoided in the first place.)

I guess what I'm saying is that PN encryption being a core mechanism
that can't be negotiated at handshake time reduces our ability to later
profile QUIC for the IoT, which would be a bit unlucky.

So the question is: would it be possible to make this property a
configurable knob instead?

(*)
https://www.symmetrymagazine.org/article/the-deconstructed-standard-model-eq
uation
<https://urldefense.proofpoint.com/v2/url?u=https-3A__www.symmetrymagazine.o
rg_article_the-2Ddeconstructed-2Dstandard-2Dmodel-2Dequation&d=DwMGaQ&c=5VD0
RTtNlTh3ycd41b3MUw&r=C0sUo-LFNBaYfyoaCsf6TA&m=SY87I4v_IqTCGOds-j5NCOwkQ0cJcY
HGyKdXmMIVn6I&s=etIO0AUHiJm8zucsWaTgo-XULFisCMoG2iDvwC69s9Q&e=>

v2.23.0 | Report a Bug | By Email