IETF Logo Mail Archive

RE: A better way to do conn id?

"Lubashev, Igor" <ilubashe@akamai.com> Wed, 24 January 2018 16:33 UTC

Return-Path: <ilubashe@akamai.com>
X-Original-To: quic@ietfa.amsl.com
Delivered-To: quic@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BAC00126DD9 for <quic@ietfa.amsl.com>; Wed, 24 Jan 2018 08:33:33 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level:
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=akamai.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JlaMHcmqAJZX for <quic@ietfa.amsl.com>; Wed, 24 Jan 2018 08:33:30 -0800 (PST)
Received: from mx0b-00190b01.pphosted.com (mx0b-00190b01.pphosted.com [IPv6:2620:100:9005:57f::1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 736D8126C26 for <quic@ietf.org>; Wed, 24 Jan 2018 08:33:30 -0800 (PST)
Received: from pps.filterd (m0122330.ppops.net [127.0.0.1]) by mx0b-00190b01.pphosted.com (8.16.0.22/8.16.0.22) with SMTP id w0OGX7fx006639; Wed, 24 Jan 2018 16:33:29 GMT
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=akamai.com; h=from : to : cc : subject : date : message-id : references : in-reply-to : content-type : mime-version; s=jan2016.eng; bh=yFvjLPiLdJtlwKq1lvNGnaKvfeEPYSKP2LuQAviuGk0=; b=cBtRDBg4VBMCiQ7XGGH7YVSMuE3cG7PgAuEOvx/P4INUut9R+G7Jhc6iRdbv6MbGS7l2 OpdJV7awdgdxU8NsHKS6cwjlC91tSCv5D+7nRT5nbpfGq6VitW9Aj0i4HOzGTw9B2SAE K9+EfERehMw4Zfnjr7BpTCGkT69Xkr+G2wz6hC+cvWodt/7fz6jozFQi9ji2nmXLoWey 7FRA9cn915CC9t7RJ7jq+KFASo0XyKJohHVB7PirramB4R2IQh6hETd662IHF/EAkQKX iu6AruRFm/W6qh7QUSv64eQwjq9ugdPtPauVlZFUjcsb8h1uMQa8+FtNpyBAfraZ0hlC qg==
Received: from prod-mail-ppoint2 (prod-mail-ppoint2.akamai.com [184.51.33.19]) by mx0b-00190b01.pphosted.com with ESMTP id 2fkxa1xfxu-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Wed, 24 Jan 2018 16:33:28 +0000
Received: from pps.filterd (prod-mail-ppoint2.akamai.com [127.0.0.1]) by prod-mail-ppoint2.akamai.com (8.16.0.21/8.16.0.21) with SMTP id w0OGURkL030337; Wed, 24 Jan 2018 11:33:28 -0500
Received: from email.msg.corp.akamai.com ([172.27.123.31]) by prod-mail-ppoint2.akamai.com with ESMTP id 2fm1yyp22w-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA384 bits=256 verify=NOT); Wed, 24 Jan 2018 11:33:27 -0500
Received: from USMA1EX-DAG1MB5.msg.corp.akamai.com (172.27.123.105) by usma1ex-dag1mb4.msg.corp.akamai.com (172.27.123.104) with Microsoft SMTP Server (TLS) id 15.0.1263.5; Wed, 24 Jan 2018 11:33:26 -0500
Received: from USMA1EX-DAG1MB5.msg.corp.akamai.com ([172.27.123.105]) by usma1ex-dag1mb5.msg.corp.akamai.com ([172.27.123.105]) with mapi id 15.00.1263.000; Wed, 24 Jan 2018 11:33:26 -0500
From: "Lubashev, Igor" <ilubashe@akamai.com>
To: Kazuho Oku <kazuhooku@gmail.com>
CC: Martin Duke <martin.h.duke@gmail.com>, Martin Thomson <martin.thomson@gmail.com>, IETF QUIC WG <quic@ietf.org>
Subject: RE: A better way to do conn id?
Thread-Topic: A better way to do conn id?
Thread-Index: AQHTlNFo0y0NS2zYe0mRyyv7KOC+e6OC0AuAgAAAc4D//60wMIAA6W4A///MjIA=
Date: Wed, 24 Jan 2018 16:33:26 +0000
Message-ID: <8303973f738a41e88d834a32fe1692ee@usma1ex-dag1mb5.msg.corp.akamai.com>
References: <CAM4esxS4TDf1QwsdrQM1J7NBvTCjNaM0oi3Qm2i6oL0F9b5cnA@mail.gmail.com> <CABkgnnVfKGd9QYhUnJ0Tva5odNzRDvZCSU4ASN27bQFsAiUvPw@mail.gmail.com> <CAM4esxQtrZgQuqh=eeMR1BgKpx5SyDk2+7V0GBZJX9ak_H8yeg@mail.gmail.com> <6d7331bfb9e041e4a712f3edf99a3001@usma1ex-dag1mb5.msg.corp.akamai.com> <CANatvzxa-20_iAoiq1Ja2XGMxh4Wx-+UO6tKEYY0q1_3ha0uyA@mail.gmail.com>
In-Reply-To: <CANatvzxa-20_iAoiq1Ja2XGMxh4Wx-+UO6tKEYY0q1_3ha0uyA@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [172.19.33.239]
Content-Type: multipart/alternative; boundary="_000_8303973f738a41e88d834a32fe1692eeusma1exdag1mb5msgcorpak_"
MIME-Version: 1.0
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:, , definitions=2018-01-24_06:, , signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 suspectscore=0 malwarescore=0 phishscore=0 bulkscore=0 spamscore=0 mlxscore=0 mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1711220000 definitions=main-1801240219
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:, , definitions=2018-01-24_06:, , signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 priorityscore=1501 malwarescore=0 suspectscore=0 phishscore=0 bulkscore=0 spamscore=0 clxscore=1011 lowpriorityscore=0 mlxscore=0 impostorscore=0 mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1711220000 definitions=main-1801240220
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic/lHR2jdbCkLy1foca6FCrAOVwBm8>
X-BeenThere: quic@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Main mailing list of the IETF QUIC working group <quic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic>, <mailto:quic-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic/>
List-Post: <mailto:quic@ietf.org>
List-Help: <mailto:quic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic>, <mailto:quic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 24 Jan 2018 16:33:34 -0000

Thanks for pointing out the hazard of key rotation frequency vs connection duration.


  *   Do we want to bake such restriction into the protocol?

The extra codepoint proposal is a helpful common-case optimization, in case the frequency of key rotation is sufficiently low.  It is definitely not a solution for all possible use cases.  However, there is nothing to prevent a server with more frequent key rotations to do something else.  The “something else” could be:

  1.  Encode additional bit(s) in the connection ID
  2.  Before expiring key A, create state on the load balancers for the few very long-lasting connections still using A.
  3.  Something else


Your idea of having a mechanism to force a switch to the new connection ID is an interesting and separate idea.  I am in favor of this, as it may give us more flexibility.  Don’t see that this must be a v1 feature.


  *   Igor


From: Kazuho Oku [mailto:kazuhooku@gmail.com]
Sent: Wednesday, January 24, 2018 9:20 AM
To: Lubashev, Igor <ilubashe@akamai.com>
Cc: Martin Duke <martin.h.duke@gmail.com>; Martin Thomson <martin.thomson@gmail.com>; IETF QUIC WG <quic@ietf.org>
Subject: Re: A better way to do conn id?



2018-01-24 16:34 GMT+11:00 Lubashev, Igor <ilubashe@akamai.com<mailto:ilubashe@akamai.com>>:
The two alternatives to allow for key rotation to “avoid” going over 16 octets are:


  1.  (Victor voiced this today) Steal a code point from the packet type: have 2 bits that represent:
0-byte connection id;
8-byte connection id;
16-byte connection id (key a);
16-byte connection id (key b)


  1.  “Trial Encryption” : Steal a bit from your 128 bit connection ID

Your bit 0 of your Connection ID will represent the key used for encryption.
Since you have entropy in your Connection ID, keep generating new entropy and encrypting, until bit 0 comes out just the way you want it.  On average, you will do 0.75 extra encryption operations.

Thank you for summarizing the two approaches.

What I am bit afraid of using the bits in the packet type is that the approach hardcodes the relation between the frequency of key rotation and the maximum lifetime of a QUIC connection.

Consider the case where you want to switch from key A to key B. Correct me if I am wrong, but IIUC there is no way for a server to enforce the client to switch to a new connection ID. Therefore, the server will be enforced to shutdown all the connections using the IDs generated by using key A before the key gets retired.

For example, if you plan to do the rollover from key A to key B in 24 hours, the minimum maximum of the lifetime of a connection will be restricted to 24 hours.

Do we want to bake such restriction into the protocol?

If we use trial encryption, the issue between the sped of key rotation and the minimum maximum of a QUIC connection would be left to each server-side implementation, though you might end up being required to do more "mining" (i.e., find a connection ID that can survive _multiple_ generations of key rotations).

Or, should we introduce a mechanism that allows a server to _enforce_ connection ID migration, considering the fact that the issue exists in both approaches?




  *   Igor

From: Martin Duke [mailto:martin.h.duke@gmail.com<mailto:martin.h.duke@gmail.com>]
Sent: Wednesday, January 24, 2018 12:21 AM
To: Martin Thomson <martin.thomson@gmail.com<mailto:martin.thomson@gmail.com>>
Cc: IETF QUIC WG <quic@ietf.org<mailto:quic@ietf.org>>
Subject: Re: A better way to do conn id?

Very well, replace 16 with whatever number you guys come up with.

On Wed, Jan 24, 2018 at 4:19 PM, Martin Thomson <martin.thomson@gmail.com<mailto:martin.thomson@gmail.com>> wrote:
We have already concluded that if you want to do sane crypto, plus
some sort of key identification, then you need MORE than 16 octets
(though not much more).  That makes things more complicated.  ekr has
an outcome that he will write up.

On Wed, Jan 24, 2018 at 4:08 PM, Martin Duke <martin.h.duke@gmail.com<mailto:martin.h.duke@gmail.com>> wrote:
> Today's variable-length connection ID discussion made me realize some
> problems with the current architecture, while the new architecture doesn't
> fix some of them and creates whole new ones. Issues:
>
> - The client desires unlinkability, but I suspect the market will provide no
> incentives for servers to work very hard to be unlinkable. There were
> conflicting "layer 9" arguments that variable conn ID makes this problem
> worse or better.
>
> - 16 Bytes is more overhead than 8 bytes.
>
> - The severity of this remains to be seen, but variable length conn ids will
> introduce more complexity in parsers and anything that utilizes the conn id
> (e.g. handshake key generation). It might make the invariants more complex
> as well. The whole thing, frankly, makes my head hurt.
>
> I humbly suggest the following proposal might avoid or mitigate some of
> these problems:
>
> 1. Every connection has a long-lived Client-generated Connection ID (CGCID)
> and Server-generated Connection ID (SGCID). The CGCID is 8 bytes and the
> SGCID is 16 bytes.
>
> 2. The CGCID is used to derive the handshake key. (unchanged from status
> quo)
>
> 3. The initial packet uses the CGCID.  All other handshake packets use the
> SGCID. This is unchanged from the status quo.
>
> 4. All 1-RTT packets by sent by the client use the SGCID. All 1-RTT packets
> sent by the server use the CGCID. This has two important properties:
>            a) The server gets the 16 Bytes of entropy the load balancer
> needs
>            b) The server->client direction, which in the usual case has most
> of the data, has a lower-overhead CID.
>
> 5. The algorithm that generates SGCID MUST have different output given a
> different CGCID. [We might strengthen this language further: you wouldn't
> want to simply add the NEW_CONN_ID sequence number to the existing SGCID,
> for instance].
>
> 6. In advance of migration, the client sends a NEW_CONN_ID frame to provide
> a new CGCID (possibly omitting the stateless reset token). The server MUST
> respond with a NEW_CONN_ID that provides a new SGCID derived from the new
> CGCID. All packets on the new path use these CIDs.
>
> If people like this, I can generate a PR. I am very open to various tweaks
> to the general approach as well. I wanted to get this out there before the
> variable-length CID team gets deep in the weeds.
>
> Martin Duke
>
>




--
Kazuho Oku

v2.23.0 | Report a Bug | By Email