RE: Packet number encryption

Mikkel Fahnøe Jørgensen <mikkelfj@gmail.com> Sun, 04 February 2018 20:31 UTC

From: Mikkel Fahnøe Jørgensen <mikkelfj@gmail.com>
In-Reply-To: <CY4PR21MB01339A0AD4FCF660365C4E54B6FF0@CY4PR21MB0133.namprd21.prod.outlook.com>
References: <BF80500A-6277-45DC-8525-9C3FE138B76D@tik.ee.ethz.ch> <5A7191E0.6010003@erg.abdn.ac.uk> <5214AD93-8376-4B25-922F-AF5551CC2E95@netapp.com> <F990E064-E6F8-41A3-B791-F776C9955E15@nokia.com> <CAGD1bZab0GaZFsHwC+nw3AxxC4VusxMJ6oDanzk3dSDdWKAXdw@mail.gmail.com> <2C515BE8694C6F4B9B6A578BCAC32E2F83BA1443@MBX021-W3-CA-2.exch021.domain.local> <BY2PR15MB07757473DB9788558B902EB5CDF80@BY2PR15MB0775.namprd15.prod.outlook.com> <6E58094ECC8D8344914996DAD28F1CCD861B7F@DGGEMM506-MBX.china.huawei.com> <e529144067624fcba636fc8c24ee3ff4@usma1ex-dag1mb5.msg.corp.akamai.com> <888DE2C2-4EDA-445A-B08F-76DD016C9CA0@huitema.net> <20180204182550.GA19526@1wt.eu> <CY4PR21MB0133E20F8C20889A477CDB67B6FF0@CY4PR21MB0133.namprd21.prod.outlook.com> <938555E5-F328-41B0-B61F-09FC02B84397@huitema.net> <CY4PR21MB01339A0AD4FCF660365C4E54B6FF0@CY4PR21MB0133.namprd21.prod.outlook.com>
MIME-Version: 1.0
Date: Sun, 04 Feb 2018 12:31:55 -0800
Message-ID: <CAN1APdeL5exUA0ceW3cLvo9L+xC=O7JDkX13aLXRnO0TPJ_TVg@mail.gmail.com>
Subject: RE: Packet number encryption
To: huitema <huitema@huitema.net>, Praveen Balasubramanian <pravb@microsoft.com>
Cc: "Fossati, Thomas (Nokia - GB/Cambridge, UK)" <thomas.fossati@nokia.com>, Mirja Kühlewind <mirja.kuehlewind@tik.ee.ethz.ch>, Gorry Fairhust <gorry@erg.abdn.ac.uk>, Piotr Galecki <piotr_galecki@affirmednetworks.com>, "quic@ietf.org" <quic@ietf.org>, "Eggert, Lars" <lars@netapp.com>, Brian Trammell <ietf@trammell.ch>, Martin Thomson <martin.thomson@gmail.com>, Roberto Peon <fenix@fb.com>, Jana Iyengar <jri@google.com>, Eric Rescorla <ekr@rtfm.com>, "Lubashev, Igor" <ilubashe@akamai.com>, "Roni Even (A)" <roni.even@huawei.com>
Content-Type: multipart/alternative; boundary="001a114a9d82326d05056468d631"
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic/hFNomCAaciIW_rR6C8XDNcqrjo0>
Precedence: list

One aspect of randomised gaps that might be overlooked is that packet
numbers are only sent with the lower 4 bytes at most. This means that a
randomised gap on a new connection ID is not different from a new packet
number that starts at a random offset because you cannot tell if it rolled
over without knowing more about the connection.

However, if migration does not look like a new connection, at least a
0-RTT, it is all a mood point because the sudden appearance of data on a
new connection ID combined with the silence of another ID, and probably
also characteristic changes in packet delays and sizes during migration,
along with GeoIP, are all fingerprinting the connection.

On monitoring packets inside a network, there are probably many new
unexplored possibilities to track reordering of encrypted packet numbers.
For example, one could create a bloom filter to record the packet numbers
seen in a block of N packets, for example syncing wherever the lower packet
number bits are all 0, or something. Packet loss would show up as fewer
matches when comparing filters at different nodes. Or the lower 8 bits of
each packet number in a block could be concatenated to a string and
compared with levenshtein edit distance - even just the lower two bits of
each packet might suffice. The fact the packet numbers are random could be
used pro-actively to simplify hashing.

While the above has some statistical uncertainties, and they do require a
bit more data and time, they also possibly look at longer sequences and
thereby give an overall better quality of understanding than just looking
for out of sequence numbers. After developing good hashes that somehow
encode ordering relations, a neural network might be trained to identify
abnormal traffic patterns efficiently.

Mikkel

On 4 February 2018 at 20.55.59, Praveen Balasubramanian (pravb@microsoft.com)
wrote:

Ok this answers my question that this is targeted at the migration
scenario.

If jumps are random and cryptographically seeded I don't understand why
there would be a pattern. We already use this type of mechanism for TCP ISN
and IP header Identification fields. The adversary could also use the side
channel timing attack of just observing the sending and receiving
application rate for correlation between the two paths (after factoring in
the RTT).

If independent sequence space (with randomization) can work just as well
I'd rather pick that over encryption for efficiency reasons. It should
solve ossification but I am not a privacy expert.

-----Original Message-----
From: Christian Huitema [mailto:huitema@huitema.net]
Sent: Sunday, February 4, 2018 11:46 AM
To: Praveen Balasubramanian <pravb@microsoft.com>
Cc: quic@ietf.org; Gorry Fairhust <gorry@erg.abdn.ac.uk>; Eric Rescorla <
ekr@rtfm.com>; Brian Trammell <ietf@trammell.ch>; Lubashev, Igor <
ilubashe@akamai.com>; Roberto Peon <fenix@fb.com>; Fossati, Thomas (Nokia -
GB/Cambridge, UK) <thomas.fossati@nokia.com>; Roni Even (A) <
roni.even@huawei.com>; Mirja Kühlewind <mirja.kuehlewind@tik.ee.ethz.ch>;
Jana Iyengar <jri@google.com>; Eggert, Lars <lars@netapp.com>; Martin
Thomson <martin.thomson@gmail.com>; Piotr Galecki <
piotr_galecki@affirmednetworks.com>
Subject: Re: Packet number encryption

> On Feb 4, 2018, at 9:31 AM, Praveen Balasubramanian <pravb@microsoft.com>
wrote:
>
> From the charter "This work will ensure that QUIC has security and
privacy properties that are at least as good as a stack composed of TLS 1.3
using TCP (or MPTCP when using multipath)."
>
> Is the discussion mainly focused on connection migration which is not
present in TCP? There seem to be bigger privacy problems due to DNS and TLS
SNI extension so in real deployments will packet number encryption add
value other than preventing ossification?

Yes, we need to fix the SNI issue. Clear text ALPN too. But should not
prevent us from fixing everything else.

>
> Is a cryptographically secure random initial packet number and random
(forward) jumps in packet number not good enough to prevent ossification?
The missing packet number range due to the forward jump could be
communicated in the encrypted payload so the receiver knows they are not
missing.
>

No, random jumps are not enough. It turns out that during migration packets
are often sent simultaneously on both paths. The pattern of increases and
holes is enough to correlate the two paths.

In practice there are two possible designs: packet number encryption as
currently documented; or, independent sequence number space and encryption
context for each path. Both work. The one we have is significantly easier
to implement. The other exposes the sequence number, which may ease network
monitoring but also could drive ossification.

Now is a good time to have this discussion.

-- Christian Huitema

Packet number encryption Martin Thomson
Re: Packet number encryption Ian Swett
Re: Packet number encryption Brian Trammell (IETF)
Re: Packet number encryption Eric Rescorla
Re: Packet number encryption Christian Huitema
Re: Packet number encryption Martin Thomson
Re: Packet number encryption Mirja Kühlewind
Re: Packet number encryption Gorry Fairhurst
Re: Packet number encryption Brian Trammell (IETF)
Re: Packet number encryption Eggert, Lars
Re: Packet number encryption Brian Trammell (IETF)
Re: Packet number encryption Martin Thomson
Re: Packet number encryption Mikkel Fahnøe Jørgensen
Re: Packet number encryption Martin Thomson
Re: Packet number encryption Roberto Peon
Re: Packet number encryption Martin Thomson
Re: Packet number encryption Ted Hardie
Re: Packet number encryption Ted Hardie
Re: Packet number encryption Christian Huitema
Re: Packet number encryption Roberto Peon
Re: Packet number encryption Martin Thomson
Re: Packet number encryption Christian Huitema
Re: Packet number encryption Jana Iyengar
RE: Packet number encryption Roni Even (A)
Re: Packet number encryption Brian Trammell (IETF)
Re: Packet number encryption Roberto Peon
Re: Packet number encryption Roberto Peon
Re: Packet number encryption Martin Duke
Re: Packet number encryption Kazuho Oku
Re: Packet number encryption Christian Huitema
Re: Packet number encryption Brian Trammell (IETF)
Re: Packet number encryption Mikkel Fahnøe Jørgensen
Re: Packet number encryption Mirja Kühlewind
Re: Packet number encryption Mirja Kühlewind
Re: Packet number encryption Kazuho Oku
Re: Packet number encryption Dmitri Tikhonov
Re: Packet number encryption Brian Trammell (IETF)
Re: Packet number encryption Fossati, Thomas (Nokia - GB/Cambridge, UK)
Re: Packet number encryption Jana Iyengar
RE: Packet number encryption Piotr Galecki
Re: Re: Packet number encryption alexandre.ferrieux
Re: Packet number encryption Patrick McManus
Re: Packet number encryption Fossati, Thomas (Nokia - GB/Cambridge)
Re: Packet number encryption Stephen Farrell
Re: Packet number encryption Roberto Peon
RE: Packet number encryption Piotr Galecki
RE: Packet number encryption Roni Even (A)
RE: Packet number encryption Lubashev, Igor
RE: Packet number encryption Lubashev, Igor
RE: Packet number encryption Mikkel Fahnøe Jørgensen
Re: Packet number encryption Christian Huitema
RE: Packet number encryption Lubashev, Igor
Re: Packet number encryption Stephen Farrell
Re: Packet number encryption Fossati, Thomas (Nokia - GB/Cambridge)
Re: Packet number encryption Fossati, Thomas (Nokia - GB/Cambridge)
Re: Packet number encryption Stephen Farrell
Re: Packet number encryption Willy Tarreau
RE: Packet number encryption Praveen Balasubramanian
Re: Packet number encryption Christian Huitema
RE: Packet number encryption Praveen Balasubramanian
RE: Packet number encryption Mikkel Fahnøe Jørgensen
Re: Packet number encryption Brian Trammell (IETF)
Re: Packet number encryption Brian Trammell (IETF)
Re: Packet number encryption Brian Trammell (IETF)
Reducing ossification through protocol design (wa… Brian Trammell (IETF)
RE: Packet number encryption Praveen Balasubramanian
Re: Packet number encryption Roberto Peon
Re: Packet number encryption Roberto Peon
Re: Packet number encryption Salz, Rich
Re: Packet number encryption Jana Iyengar
RE: Packet number encryption Roni Even
Re: Packet number encryption Christian Huitema
RE: Packet number encryption Roni Even (A)
Re: Packet number encryption Roberto Peon
Re: Reducing ossification through protocol design… Gorry Fairhurst
Re: Packet number encryption Brian Trammell (IETF)
Re: Packet number encryption Kazuho Oku
RE: Packet number encryption Roni Even (A)
Re: Reducing ossification through protocol design… Mirja Kühlewind
Re: Reducing ossification through protocol design… Salz, Rich
Re: Reducing ossification through protocol design… Mirja Kühlewind
RE: Packet number encryption Praveen Balasubramanian
RE: Packet number encryption Mike Bishop
RE: Reducing ossification through protocol design… Mike Bishop
Re: Packet number encryption Jana Iyengar
Re: Packet number encryption Jana Iyengar
Re: Packet number encryption Martin Thomson
Re: Packet number encryption Ted Hardie
RE: Packet number encryption Praveen Balasubramanian
RE: Packet number encryption Praveen Balasubramanian
RE: Packet number encryption Praveen Balasubramanian
Re: Packet number encryption Marten Seemann
RE: Packet number encryption Roni Even (A)
Re: Packet number encryption Marten Seemann
Re: Packet number encryption Brian Trammell (IETF)
Re: Packet number encryption Kazuho Oku
Re: Packet number encryption Mikkel Fahnøe Jørgensen
Re: Packet number encryption Mikkel Fahnøe Jørgensen
Re: Packet number encryption Gorry Fairhurst
Explicit measurability in the QUIC wire image (wa… Brian Trammell (IETF)
Explicit measurability in the QUIC wire image (wa… Brian Trammell (IETF)
RE: Explicit measurability in the QUIC wire image… Roni Even (A)
Re: Explicit measurability in the QUIC wire image… Kazuho Oku
Re: Explicit measurability in the QUIC wire image… Mikkel Fahnøe Jørgensen
Re: Explicit measurability in the QUIC wire image… Mikkel Fahnøe Jørgensen
Re: Explicit measurability in the QUIC wire image… Mikkel Fahnøe Jørgensen
Re: Packet number encryption Mirja Kühlewind
Re: Packet number encryption Mikkel Fahnøe Jørgensen
Re: Packet number encryption Stephen Farrell
Re: Explicit measurability in the QUIC wire image… Kazuho Oku
RE: Packet number encryption Mike Bishop
Re: Packet number encryption Jana Iyengar
Re: Explicit measurability in the QUIC wire image… Mikkel Fahnøe Jørgensen
Re: Packet number encryption Mikkel Fahnøe Jørgensen
Re: Packet number encryption Eric Rescorla
Re: Explicit measurability in the QUIC wire image… Mikkel Fahnøe Jørgensen
Re: Packet number encryption Ian Swett
Re: Packet number encryption Christian Huitema
RE: Packet number encryption Praveen Balasubramanian
Re: Packet number encryption Martin Thomson
RE: Packet number encryption Praveen Balasubramanian
Re: Packet number encryption Christian Huitema
RE: Packet number encryption Praveen Balasubramanian
Re: Packet number encryption Christian Huitema
Re: Packet number encryption Marten Seemann
Re: Packet number encryption Mikkel Fahnøe Jørgensen
Re: Explicit measurability in the QUIC wire image… Mikkel Fahnøe Jørgensen
Re: Explicit measurability in the QUIC wire image… Kazuho Oku
Re: Explicit measurability in the QUIC wire image… Martin Thomson
Re: Explicit measurability in the QUIC wire image… Mikkel Fahnøe Jørgensen
Re: Explicit measurability in the QUIC wire image… Mikkel Fahnøe Jørgensen
Re: Packet number encryption Mirja Kühlewind
Re: Explicit measurability in the QUIC wire image… Mikkel Fahnøe Jørgensen
Re: Explicit measurability in the QUIC wire image… Kazuho Oku
Re: Explicit measurability in the QUIC wire image… Kazuho Oku
Re: Packet number encryption Brian Trammell (IETF)
RE: Packet number encryption Praveen Balasubramanian
Re: Explicit measurability in the QUIC wire image… Christian Huitema
Re: Explicit measurability in the QUIC wire image… Christian Huitema
Re: Explicit measurability in the QUIC wire image… Kazuho Oku
Re: Explicit measurability in the QUIC wire image… Kazuho Oku
Re: Packet number encryption Victor Vasiliev
Re: Packet number encryption Salz, Rich
RE: Packet number encryption Praveen Balasubramanian
RE: Packet number encryption Mike Bishop
Re: Packet number encryption Christian Huitema
RE: Packet number encryption Praveen Balasubramanian
RE: Packet number encryption Praveen Balasubramanian
RE: Packet number encryption Praveen Balasubramanian
RE: Packet number encryption Praveen Balasubramanian
RE: Packet number encryption Mike Bishop
RE: Packet number encryption Praveen Balasubramanian
RE: Packet number encryption Praveen Balasubramanian
RE: Packet number encryption Mikkel Fahnøe Jørgensen
RE: Packet number encryption Praveen Balasubramanian
RE: Packet number encryption Mikkel Fahnøe Jørgensen
RE: Packet number encryption Mikkel Fahnøe Jørgensen
RE: Packet number encryption Mikkel Fahnøe Jørgensen
Re: Packet number encryption Salz, Rich
Re: Packet number encryption Eric Rescorla
Re: Packet number encryption Eric Rescorla
Re: Packet number encryption Mikkel Fahnøe Jørgensen
Re: Packet number encryption Eric Rescorla
Re: Packet number encryption Mikkel Fahnøe Jørgensen
Re: Packet number encryption Ian Swett
RE: Packet number encryption Praveen Balasubramanian
RE: Packet number encryption Praveen Balasubramanian
Re: Packet number encryption Salz, Rich
Re: Packet number encryption Ian Swett
RE: Packet number encryption Praveen Balasubramanian
RE: Packet number encryption Praveen Balasubramanian
Re: Packet number encryption David Benjamin
RE: Packet number encryption Praveen Balasubramanian
RE: Packet number encryption Deval, Manasi
RE: Packet number encryption Deval, Manasi
Re: Packet number encryption Victor Vasiliev
RE: Packet number encryption Mikkel Fahnøe Jørgensen
RE: Packet number encryption Praveen Balasubramanian
Re: Packet number encryption Mikkel Fahnøe Jørgensen
Re: hardware offload (was: Packet number encrypti… Ian Swett
Re: Packet number encryption Ian Swett
Re: Packet number encryption Martin Thomson
Re: Packet number encryption Mikkel Fahnøe Jørgensen
RE: Packet number encryption Praveen Balasubramanian
Re: Packet number encryption Salz, Rich
RE: Packet number encryption Praveen Balasubramanian
RE: hardware offload (was: Packet number encrypti… Praveen Balasubramanian
Re: Packet number encryption Salz, Rich
RE: Packet number encryption Mikkel Fahnøe Jørgensen
Re: Packet number encryption Victor Vasiliev
Re: hardware offload (was: Packet number encrypti… Christian Huitema
Re: Packet number encryption Mikkel Fahnøe Jørgensen
Re: Packet number encryption Mikkel Fahnøe Jørgensen
Re: hardware offload (was: Packet number encrypti… Eggert, Lars
RE: Packet number encryption Praveen Balasubramanian
RE: hardware offload (was: Packet number encrypti… Praveen Balasubramanian
RE: Packet number encryption Praveen Balasubramanian
RE: Packet number encryption Mikkel Fahnøe Jørgensen
Re: Packet number encryption Victor Vasiliev
Re: Packet number encryption Mikkel Fahnøe Jørgensen
Re: Packet number encryption Kazuho Oku
Re: Packet number encryption Mikkel Fahnøe Jørgensen
Re: Packet number encryption Mikkel Fahnøe Jørgensen
Re: Packet number encryption Mikkel Fahnøe Jørgensen
Re: Packet number encryption Mikkel Fahnøe Jørgensen
Re: Packet number encryption Mikkel Fahnøe Jørgensen
Re: Packet number encryption Mikkel Fahnøe Jørgensen