IETF Logo Mail Archive

Re: Hardware acceleration and packet number encryption

Eric Rescorla <ekr@rtfm.com> Sat, 24 March 2018 22:19 UTC

Return-Path: <ekr@rtfm.com>
X-Original-To: quic@ietfa.amsl.com
Delivered-To: quic@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 185F812025C for <quic@ietfa.amsl.com>; Sat, 24 Mar 2018 15:19:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kFjklrCDKOpa for <quic@ietfa.amsl.com>; Sat, 24 Mar 2018 15:19:08 -0700 (PDT)
Received: from mail-oi0-x229.google.com (mail-oi0-x229.google.com [IPv6:2607:f8b0:4003:c06::229]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CA063124B0A for <quic@ietf.org>; Sat, 24 Mar 2018 15:19:07 -0700 (PDT)
Received: by mail-oi0-x229.google.com with SMTP id e123-v6so10960493oih.13 for <quic@ietf.org>; Sat, 24 Mar 2018 15:19:07 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=iC+E275YV8KQVI2ExOFfnEXpyu2xM+QVIT8fBy3dmhI=; b=I6rHQeUYMfTCNJqhNJTLA430l6K9ILDbJT0/zjriH3fHeYLv+dSqtyqAZEhODWmkOd 4PeUYfcpfrJXxmrwMWffI0r9xRW3lHYkfeqamuUCNqh3cNSkUkKweHmcmmMf5ryOA0uf IuRd9sGENFBK2b1Wjh3MfmSAgPWTq6Oqj+35oV0JG3mTlXLxAMOWr1b+HJAYGOXOWvJ6 ywSpvePVOUd3Ji0NpCfxQ184DDRm4d05kfCqH0YxZftYmTlzBQQWrAu4kvPp92hqIB06 M/8vPctTXbgNdsqYAe4jFNY1vWbJdYmh1pwHfIyK6w/cyw3mAwGodlpOCRGT4nQBqM5x 3+Sw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=iC+E275YV8KQVI2ExOFfnEXpyu2xM+QVIT8fBy3dmhI=; b=bYu4fc6qU12dAVKFJ+11rw8rRleXpiQ8WIol+NzEIWsrD/PWgXP4V6yZqNlzTxxuPS bMlh0l7LyJs53Jpj8RbCH+U/z31pT1EEZYZflCystMJLlkK2bJ8sPt1UYG8CfepXbJ/f EfFwUZ1IIH3GOElYbW+LUVaWXXcanGC0Wl0fdNi+z0CBeeKVPExAOi82Y7JpEqznN3i9 vOyn4/E2H39hax4j5a7ON3OQbdAsvcRme4YVrWf7XZmlH1QqigdWkax72Fppf5rkxlyr CPQUCWdAjOSiJVv4ovyzSPAQpj9t88DumJ3QTxV2EyQU5TuSsJN2f5uaJYwjyZpZVtxX TYlA==
X-Gm-Message-State: AElRT7HVZwhO7JPCDJVX0kamkqQ6PcLpD1JNnknixnDAy3idnuu+kQct 1qWh6mdO8asq4YhemrQVrfWV1t4GQT/mHPxGEd1taA==
X-Google-Smtp-Source: AG47ELs5juE9q/2Ll/Y250eXf+5JhKuHIigaiEPh4HI2HYkeuDohnzRFVD2sB6/VataJrhAoEearIsgNTD9QZ3uN/MY=
X-Received: by 10.202.84.75 with SMTP id i72mr20101850oib.262.1521929946933; Sat, 24 Mar 2018 15:19:06 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.201.23.21 with HTTP; Sat, 24 Mar 2018 15:18:26 -0700 (PDT)
In-Reply-To: <CAN1APdfjuvd1eBWCYedsbpi1mx9_+Xa6VvZ3aq_Bhhc+HN67ug@mail.gmail.com>
References: <7fd34142-2e14-e383-1f65-bc3ca657576c@huitema.net> <F9FCC213-62B9-437C-ADF9-1277E6090317@gmail.com> <CABcZeBM3PfPkqVxPMcWM-Noyk=M2eCFWZw2Eq-XytbHM=0T9Uw@mail.gmail.com> <CAN1APdfjuvd1eBWCYedsbpi1mx9_+Xa6VvZ3aq_Bhhc+HN67ug@mail.gmail.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Sat, 24 Mar 2018 22:18:26 +0000
Message-ID: <CABcZeBMtQBwsAF85i=xHmWN3PuGRkJEci+_PjS3LDXi7NgHyYg@mail.gmail.com>
Subject: Re: Hardware acceleration and packet number encryption
To: Mikkel Fahnøe Jørgensen <mikkelfj@gmail.com>
Cc: Kazuho Oku <kazuhooku@gmail.com>, "Deval, Manasi" <manasi.deval@intel.com>, Christian Huitema <huitema@huitema.net>, IETF QUIC WG <quic@ietf.org>
Content-Type: multipart/alternative; boundary="001a113ac714dc44ea05682fedfb"
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic/i1iIzynouyP1x3lJu157EiK0fdE>
X-BeenThere: quic@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Main mailing list of the IETF QUIC working group <quic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic>, <mailto:quic-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic/>
List-Post: <mailto:quic@ietf.org>
List-Help: <mailto:quic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic>, <mailto:quic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 24 Mar 2018 22:19:10 -0000

On Sat, Mar 24, 2018 at 9:35 PM, Mikkel Fahnøe Jørgensen <mikkelfj@gmail.com
> wrote:

> AERO: I did not read all of it, but it does indeed sound esoteric.
> It can do two things of interest: reduce space used by packet numbers, and
> presumably fix the encryption issue.
>
> However, it has a W parameter which is the limit of reordering which is
> default 64 and recommended at most 255 for security reasons. This is way
> way too low (I would assume) if packet clusters take multiple transatlantic
> paths.
>

That's just a function of how the packet numbers are encoded. It's not
difficult to come up with a design that tolerates more reordering.

-Ekr


> If we accepted such a limit, I could very trivially come up with an
> efficient solution to PN encryption. Since we cover at most 64 packets, we
> only need a 5 bit packet number and reject false positives on AEAD tag. To
> simplify, make it 8 bits. The algorithm is to AES encrypt a counter similar
> to a typical AES based PRNG. Then, for each packet take one byte from the
> stream and use it as packet number. The receiver creates the same stream
> and maps the received byte to an index it has. It might occasionally have
> to try multiple packet numbers since the mapping is not unique. Longer
> packet numbers reduce this conflict ratio. To help with this detection some
> short trial decryption might be included. The PN size can be extended as
> needed.
>
> The cost of doing this is much lower than direct encryption for as
> proposes in PR because 1) a single encryption covers multiple packets, 2)
> the encryption can be parallelised resulting in a 4-5 fold performance
> increase. Combined this results in sub-nanosecond overhead for AES-NI.
>
> However, you have to deal with uncertainties which is why this isn’t a
> very good idea unless you have some very good knowledge of the traffic
> pattern. It also complicates HW offloading, but I don’t see why it couldn’t
> be done efficiently.
>
>
> Mikkel
>
>
> On 24 March 2018 at 17.26.47, Eric Rescorla (ekr@rtfm.com) wrote:
>
> 3. A more exotic solution like AERO (https://tools.ietf.org/html/
> draft-mcgrew-aero-00#ref-MF07)..
>
>

v2.23.0 | Report a Bug | By Email