Re: QUIC-LB update: Eliminate block ciphers?

Ian Swett <ianswett@google.com> Wed, 06 October 2021 09:58 UTC

Return-Path: <ianswett@google.com>
X-Original-To: quic@ietfa.amsl.com
Delivered-To: quic@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 24E4F3A19C5 for <quic@ietfa.amsl.com>; Wed, 6 Oct 2021 02:58:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -18.097
X-Spam-Level:
X-Spam-Status: No, score=-18.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.499, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, ENV_AND_HDR_SPF_MATCH=-0.5, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5, USER_IN_DEF_SPF_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QyQEFgBEGQb5 for <quic@ietfa.amsl.com>; Wed, 6 Oct 2021 02:57:56 -0700 (PDT)
Received: from mail-yb1-xb30.google.com (mail-yb1-xb30.google.com [IPv6:2607:f8b0:4864:20::b30]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B34553A19C4 for <quic@ietf.org>; Wed, 6 Oct 2021 02:57:56 -0700 (PDT)
Received: by mail-yb1-xb30.google.com with SMTP id s64so4013523yba.11 for <quic@ietf.org>; Wed, 06 Oct 2021 02:57:56 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=MssrzmkD1l5tvIENaRyQ0tV1E+TofZdDPNJ4kesrhJ4=; b=ZtRUCxUojCnQKhkLfJIkv0+W8+tgWA7X5U/zN5p+uJ6hgompHjC/oHP1+A2s4EPt6R 5tkDnnrSXrQ/7gMxbTMUoSZLaaknabieKetKcPondozcIoqpSYVsfmPt3jOJbxT8/xL+ FrsvoNjC1Qk09Znz4nRvVph6MGrN6f6Iyjf9YIPLdGTEtytAeBx/0YQ1ZJt6efCPSOAP esxfkqQbW0hWG8d+VY4eADESsdV7m4bHHDO+NVzfRMDSeusYyv/GuP4Bgy6QVykx4qlW /LSaH+bYU11MgmF1///d1HCUeMnvMLSdgr+tXOrSjg8+AF7L0hh7XJbxssHV+6BDNNyn gvAg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=MssrzmkD1l5tvIENaRyQ0tV1E+TofZdDPNJ4kesrhJ4=; b=oeEbeTuR5OaQPbGYKHTyqje7FPgf0qqo1xoVWUuR8xNroTtkBGK5gwhpnKNcsdHX3c Ieu4cdtkj8YZO5XvciXnK3wQyE0geWEzBhJcu2aZvKVMROxGPW1SXwY7lureZpKe01rs lFr6XOCvELe6FqOHll43WvN2i/mRmJdINylJdaJlVBXfmpNlRSwGjW4bYh7EfXPR+s6h STGP3oUqrw13TBFahucKf3rG9nqfQsM5inuGdXXsSzo9GrPsiE9WJNLFuXa3Ry4YSqtX v0g1P5FQZq5uvAhARY+MEZ1bElO8yPZvn0/iYi7FgSIGimZV+OXQbKA8l5pskIIXxJ3u WV9Q==
X-Gm-Message-State: AOAM5300xaoNaPMu81af+619sGuqZh1zuT94/oM8JPe3qW+vluoNxj+F n6cs48+Yf2ElOXkAxFfnhrFVnQWgT4FG+qNPgzhCGurJ9pQ=
X-Google-Smtp-Source: ABdhPJwlBv1bE5j7Lvvyh/dAwdiKqTN0RtMug5zKukKvavfS0lKa4zKGsyygC5nUqN/Q8x3FWfbgOwPpjvlUjZ2X13w=
X-Received: by 2002:a25:2cc6:: with SMTP id s189mr26560066ybs.82.1633514275477; Wed, 06 Oct 2021 02:57:55 -0700 (PDT)
MIME-Version: 1.0
References: <CAM4esxT=QrJBaPsmK-6dXV+WUYn+tiHUEk_PpJu9L_agdU4EtQ@mail.gmail.com> <6f4f125359b247f588c8a74eb7ebfa1a@huawei.com>
In-Reply-To: <6f4f125359b247f588c8a74eb7ebfa1a@huawei.com>
From: Ian Swett <ianswett@google.com>
Date: Wed, 6 Oct 2021 05:57:44 -0400
Message-ID: <CAKcm_gNRmKEDninEbHd6L_Jf7qJRBOvh5q2VyQT4FFabnDKL6g@mail.gmail.com>
Subject: Re: QUIC-LB update: Eliminate block ciphers?
To: Antoine FRESSANCOURT <antoine.fressancourt@huawei.com>
Cc: IETF QUIC WG <quic@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000002070c105cdac2e5b"
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic/l_C4im1dhkTGm0K4LK-RlWZT5ig>
X-BeenThere: quic@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Main mailing list of the IETF QUIC working group <quic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic>, <mailto:quic-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic/>
List-Post: <mailto:quic@ietf.org>
List-Help: <mailto:quic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic>, <mailto:quic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 06 Oct 2021 09:58:02 -0000

I agree that the Block Cipher is not that likely to be deployed, and
removing it simplifies the draft.

On Wed, Oct 6, 2021 at 5:26 AM Antoine FRESSANCOURT <
antoine.fressancourt@huawei.com> wrote:

> Hello,
>
>
>
> A side remark on the Stream cipher and block cipher CID sections. As I was
> reading both sections, I struggled a bit with understanding which keys were
> used in each cryptographic operation. The block cipher section tells that
> the key is generated by the configuration agent and distributed to the LB,
> but there is no such mention for the stream cipher section.
>
>
>
> As I don’t have a clear view about how keys are created and managed, I
> would love to see those concerns answered in the draft (and unfortunately I
> would only be able to push misinformation myself)
>
>
>
> Thanks,
>
>
>
> Antoine Fressancourt
>
>
>
> *From:* QUIC [mailto:quic-bounces@ietf.org] *On Behalf Of *Martin Duke
> *Sent:* Monday, October 4, 2021 10:21 PM
> *To:* IETF QUIC WG <quic@ietf.org>
> *Subject:* QUIC-LB update: Eliminate block ciphers?
>
>
>
> Hello QUICWG,
>
>
>
> There has quietly been some recent work on tightening up the QUIC-LB
> specification. At the moment, we are still short on implementations but I
> am hearing something might happen soon.
>
>
>
> Anyway, Christian Huitema has made substantial contributions to the
> security properties of Stream Cipher CID, which allows smallish CIDs, by
> making it a three-pass algorithm. We still have the "Block Cipher CID
> option" which requires CIDs of at least 17 bytes; AFAICT the only advantage
> at this point is that it can be decoded with 1 block encryption operation
> instead of three.
>
>
>
> In principle, QUIC-LB load balancers can be run with no per-connection
> state, in which case this would be a per-packet operation. I strongly
> suspect that real LBs will keep some per-4tuple state, as they do today; if
> so, this crypto operation only needs to occur once per packet where the
> 4-tuple is new. If so, the CPU impact is vanishingly small except in a
> storm of garbage packets.
>
>
>
> So AFAICT, the use case for Block Cipher is as follows:
>
> - Willing to run one crypto operation per packet/new 4-tuple
>
> - Not OK with doing three crypto operations
>
> - satisfied with 17B + CIDs
>
>
>
> I strongly suspect this does not describe a real implementer, and am
> inclined to simply delete this option in my effort to simplify the design.
> Nevertheless, I'm taking this to the list in case someone thinks this is an
> important use case.
>
>
>
> This is Issue 138 in Github
> <https://github.com/quicwg/load-balancers/issues/138>.
>
>
>
> Thanks,
>
> Martin
>
>
>