IETF Logo Mail Archive

Re: Getting to consensus on packet number encryption

Kazuho Oku <kazuhooku@gmail.com> Fri, 27 April 2018 06:38 UTC

Return-Path: <kazuhooku@gmail.com>
X-Original-To: quic@ietfa.amsl.com
Delivered-To: quic@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 419F212D95C for <quic@ietfa.amsl.com>; Thu, 26 Apr 2018 23:38:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id O87A4Tl4vlnE for <quic@ietfa.amsl.com>; Thu, 26 Apr 2018 23:38:39 -0700 (PDT)
Received: from mail-pf0-x235.google.com (mail-pf0-x235.google.com [IPv6:2607:f8b0:400e:c00::235]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 28ED2120725 for <quic@ietf.org>; Thu, 26 Apr 2018 23:38:39 -0700 (PDT)
Received: by mail-pf0-x235.google.com with SMTP id j5so755660pfh.2 for <quic@ietf.org>; Thu, 26 Apr 2018 23:38:39 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=kGMzlSpaYSt1LZVv0lMnlQsfuwTN2EAxILPIOUTxHUg=; b=s27LhoS1YLZeb4AGRLrc01kUJ+MSkC/OiRrq8BEWGZeeaIxzSd5+Gdbo571bj3r4xV /m+GHtKL3b5XWM09yO7U7nOd6bcp+DmwAS3cQwwDIUlsSEHkrro+8zA/RZf8PM9aTGGo YDmFwcuJUoWfMN3ji60+Pp2OIZ/lSWAEYMSLIq1hhMGCbRXtRN62WF/08xv3v6AG47xq PAC/YnqOpNYPRrkpXwa2mUMMPiU1hWXd9vy32KvHwmYog5tZUZpjoGDgMGdUnVgzCstj ZxjGxICVon1gPMvLUXmolbDBtXIolCaNj1akdCPkwTjUl07d+Yn2jzHivQNZAjwq3+bO EI2w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=kGMzlSpaYSt1LZVv0lMnlQsfuwTN2EAxILPIOUTxHUg=; b=ITs4SLRKjSOWmqH/XblGCXQnQcWSzqdSuppK8NEJwa9dUzOsn5XqE2u+pHT5VS7fNH hSsZjZ6cEr8psTFwnqS+M/gl16zkLJIvcDbdgyEUUEE4Yhq+yJ55NMOjTZ7N/5ZGBDz1 JZWkzTeZwHe70W0xdGSgXwBjq4uIUwvq7FriQkSoG1hWbkLmWeg6WGFW1eLVbDPzkn7k FsuaoOPTKtBX70xaeU76ZeC6sWrrIIm8PPUXOCNKKR5Bfbh+FF1kYjOUpbSmFyj4E77J BN9TzyQx5XOLX32nz30Zdp5AcqvbBmLc8uDNUewvWYZXZdxxXO8p3eMFBQrz0K2LaHy1 /idA==
X-Gm-Message-State: ALQs6tD3SDRx+vQux2zsHBXAFXkvKz8F4eOn7bdnE+HIWN2QKh5eGL8d 7vl3St4U9IvyAUV+8HcRZMDu90A+YWqEiq1/tyM=
X-Google-Smtp-Source: AB8JxZp/uM0RHn8TZNWIUCNqySbIrxUSlSEHY/vDPopNjFHwXDWMF2RQUuKKD0BRIbsQymqa6c0qmDDdNtnWLV11Bzw=
X-Received: by 2002:a65:428b:: with SMTP id j11-v6mr1056288pgp.370.1524811118695; Thu, 26 Apr 2018 23:38:38 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.100.145.137 with HTTP; Thu, 26 Apr 2018 23:38:38 -0700 (PDT)
In-Reply-To: <d32ade7b56bf4651952659307c08893b@usma1ex-dag1mb5.msg.corp.akamai.com>
References: <7fd34142-2e14-e383-1f65-bc3ca657576c@huitema.net> <21C36B57-6AE2-40EF-9549-7196D7FA9B45@tik.ee.ethz.ch> <B176FC07-887D-4135-B01E-FE8B4986A5EE@mnot.net> <CAKcm_gOCeocLyrYpOS7Ud332xdz3xHSH0psPN8T6BGRjoL9ptQ@mail.gmail.com> <CY4PR21MB0630FA0EDD343396AD414641B6A40@CY4PR21MB0630.namprd21.prod.outlook.com> <CAN1APde13JTzCvKFFvMd183Fka6QGD1kGBjsa9fcoLrYeA2hsA@mail.gmail.com> <CY4PR21MB0630C0FD4FBECBFEC3C863BBB6A40@CY4PR21MB0630.namprd21.prod.outlook.com> <047d2ff0-ff8b-64c9-8983-0ecabeb9fea5@huitema.net> <B0F49097-F77A-4831-B68B-4266AA880A86@tik.ee.ethz.ch> <74E2F5C2-66AD-4902-8A4A-E481CC0A015C@fb.com> <75050158-3812-44F1-A01E-D70EED7FDFD6@tik.ee.ethz.ch> <BY2PR15MB0775B4ACF7DB9124E89016F0CDB00@BY2PR15MB0775.namprd15.prod.outlook.com> <c8e60ba4-d6be-c4fc-5bac-d569a28fb4e8@huitema.net> <56CE3592-EB1D-40A3-B1D2-965B238FA402@mnot.net> <ae7a63fe-0a32-893f-aa6b-e8d97b8ba87a@huitema.net> <1F436ED13A22A246A59CA374CBC543998B60C6DD@ORSMSX111.amr.corp.intel.com> <fc57394f-9516-04c0-0846-6d159b14bc9e@huitema.net> <SN1PR08MB1854FD2461597D81BEE31ED6DA8F0@SN1PR08MB1854.namprd08.prod.outlook.com> <CAKcm_gMRPXgCoZ958Oj4_Pnkvmc9a7PgNVS0iae0hCW7bLKqng@mail.gmail.com> <SN1PR08MB18545D0554DED1F83862EBFBDA8F0@SN1PR08MB1854.namprd08.prod.outlook.com> <CAKcm_gNMTQg-pV8vTXkMCTh48QPZ_ujyFSEKRYf+WurUFytaWw@mail.gmail.com> <CANatvzwCYrOZULG3iVmDFp97nr=M5=Gufo8TZjOGQVFUpsn0bQ@mail.gmail.com> <CAAedzxqDcPXJUE83KVnDiU23PvqDcTCrc6rRMw09FexjJA-Y6Q@mail.gmail.com> <CANatvzwjYE6EdvFtOXJMVQnutbVQ4YY+=XsQFzKwHzqWzZ4U+w@mail.gmail.com> <d32ade7b56bf4651952659307c08893b@usma1ex-dag1mb5.msg.corp.akamai.com>
From: Kazuho Oku <kazuhooku@gmail.com>
Date: Fri, 27 Apr 2018 15:38:38 +0900
Message-ID: <CANatvzwHtCn8rLB8npf3i7PGyYZhVDRd2uojh5hv3uxtFPEsSA@mail.gmail.com>
Subject: Re: Getting to consensus on packet number encryption
To: "Lubashev, Igor" <ilubashe@akamai.com>
Cc: Erik Kline <ek@google.com>, Mark Nottingham <mnot@mnot.net>, Mike Bishop <mbishop@evequefou.be>, Ian Swett <ianswett=40google.com@dmarc.ietf.org>, Christian Huitema <huitema@huitema.net>, IETF QUIC WG <quic@ietf.org>, "Deval, Manasi" <manasi.deval@intel.com>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic/lm9jSlWSnfdawKFpvm4YEL0NAHA>
X-BeenThere: quic@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Main mailing list of the IETF QUIC working group <quic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic>, <mailto:quic-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic/>
List-Post: <mailto:quic@ietf.org>
List-Help: <mailto:quic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic>, <mailto:quic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 27 Apr 2018 06:38:42 -0000

2018-04-27 1:51 GMT+09:00 Lubashev, Igor <ilubashe@akamai.com>:
>> if some middleboxes decide to pass QUIC without PNE but block QUIC with PNE, we might be incentivized to use QUIC without PNE.
>
> If a middlebox really dislikes PNE, it can just block QUIC altogether, forcing a TCP fallback.  Is TCP better than QUIC-without-PNE from any POV in that situation?  (And if so, this should be the recommendation to QUIC stacks with negotiable PNE -- fallback to TCP, if path is blocking PNE.)

The argument here is that if we define PNE as an option turned on by
default and see some middleboxes blocking PNE, we might be
incentivized to turn off PNE for *all* connections, because detecting
blockade and then falling back to a less secure protocol is hard and
time consuming.

> - Igor
>
> -----Original Message-----
> From: Kazuho Oku [mailto:kazuhooku@gmail.com]
> Sent: Wednesday, April 25, 2018 10:25 PM
> To: Erik Kline <ek@google.com>
> Cc: Mark Nottingham <mnot@mnot.net>; Mike Bishop <mbishop@evequefou.be>; Ian Swett <ianswett=40google.com@dmarc.ietf.org>; Christian Huitema <huitema@huitema.net>; IETF QUIC WG <quic@ietf.org>; Deval, Manasi <manasi.deval@intel.com>
> Subject: Re: Getting to consensus on packet number encryption
>
> 2018-04-26 10:46 GMT+09:00 Erik Kline <ek@google.com>:
>> Couldn't a middlebox have a policy where it permits QUIC sessions w/o
>> PNE but blocks sessions with PNE?  Then implementations would be
>> forced to choose how adapt: break altogether, maybe try TCP, or
>> disable PNE and carry on.
>
> There are two ways of negotiating the use (or non-use) of PNE. One is use Transport Parameters and the other is to use a different QUIC version.
>
> Use of Transport Parameters is secure because it is part of the TLS handshake. Version negotiation has it's own protection against downgrade (or upgrade) attacks (see https://quicwg.github.io/base-drafts/draft-ietf-quic-transport.html#rfc.section.6.4.4).
>
> So I would assume that a middlebox trying to intervene in the negotiation of PNE use can be detected.
>
> That said, I do see your point that if some middleboxes decide to pass QUIC without PNE but block QUIC with PNE, we might be incentivized to use QUIC without PNE. In such case, we might end up having privacy leaks & ossification.
>
> I think that is a good argument for always having PNE turned on.
>
>>
>> On 26 April 2018 at 01:22, Kazuho Oku <kazuhooku@gmail.com> wrote:
>>> 2018-04-26 9:21 GMT+09:00 Ian Swett <ianswett=40google.com@dmarc.ietf.org>:
>>>> It has been, and I'm personally supportive of it, because I believe
>>>> it'll be useful for datacenter QUIC use cases.
>>>>
>>>> But the WG has to decide:
>>>>  1) Is it allowable to disable PNE?
>>>
>>> There are two concerns that PNE is trying to address: ossification and privacy.
>>>
>>> I won't mind if some portion of QUIC-like traffic has no mechanism to
>>> prevent ossification. This is because we can train the middleboxes to
>>> not ossify the PN field by having PNE in the majority of the traffic
>>> that they will see.
>>>
>>> OTOH, I would be worried of privacy implications. Once you define a
>>> protocol, it is hard to control how it is going to be used.
>>>
>>> But with that said, I think we might better wait to see if somebody
>>> still thinks he/she *needs* QUIC without PNE.
>>>
>>>>  2) What the mechanism is?  ie: Unilateral via TransportParams or
>>>> negotiated via an extension or ?
>>>>
>>>> On Wed, Apr 25, 2018 at 6:01 PM Mike Bishop <mbishop@evequefou.be> wrote:
>>>>>
>>>>> I think that’s been suggested before, though we’d need to sort out
>>>>> the details of what that looks like.  I don’t have a particular design in mind.
>>>>>
>>>>>
>>>>>
>>>>> From: Ian Swett [mailto:ianswett@google.com]
>>>>> Sent: Wednesday, April 25, 2018 12:57 PM
>>>>> To: Mike Bishop <mbishop@evequefou.be>
>>>>> Cc: Christian Huitema <huitema@huitema.net>; Deval, Manasi
>>>>> <manasi.deval@intel.com>; Mark Nottingham <mnot@mnot.net>; IETF
>>>>> QUIC WG <quic@ietf.org>
>>>>> Subject: Re: Getting to consensus on packet number encryption
>>>>>
>>>>>
>>>>>
>>>>> Hi Mike,
>>>>>
>>>>>
>>>>>
>>>>> To clarify, are you suggesting adding a way to disable packet
>>>>> number encryption via negotiation in the v1 spec as well as
>>>>> adopting #1079?  Or would the choice of whether PNE is to be used
>>>>> unilateral, such as a transport param?
>>>>>
>>>>>
>>>>>
>>>>> On Wed, Apr 25, 2018 at 3:54 PM Mike Bishop <mbishop@evequefou.be> wrote:
>>>>>
>>>>> Yes -- it seems that the biggest objection to #1079 was the
>>>>> difficulty in hardware implementation.  If we're hearing that
>>>>> hardware implementation is feasible at a reasonable cost, then I think we might have a winner.
>>>>>
>>>>> The CPU cost for a software implementation is still worth
>>>>> considering, and an option to not encrypt is probably reasonable to
>>>>> limit that burden for implementations / use cases that don't care.
>>>>>
>>>>> -----Original Message-----
>>>>> From: QUIC <quic-bounces@ietf.org> On Behalf Of Christian Huitema
>>>>> Sent: Wednesday, April 25, 2018 3:14 AM
>>>>> To: Deval, Manasi <manasi.deval@intel.com>; Mark Nottingham
>>>>> <mnot@mnot.net>
>>>>> Cc: quic@ietf.org
>>>>> Subject: Re: Getting to consensus on packet number encryption
>>>>>
>>>>> On 4/23/2018 6:55 PM, Deval, Manasi wrote:
>>>>>
>>>>> > I had brought up the issue with PNE several weeks ago as a
>>>>> > barrier to hardware offload. After further review, it looks like
>>>>> > a hardware offload can implement the PNE at a small cost.
>>>>> >
>>>>> > The implementation can modify current HW crypto accelerators to
>>>>> > support encrypting a buffer in the first pass and then encrypting
>>>>> > packet number in the 2nd pass as already discussed on this
>>>>> > thread. The exact requirement (header checksum, packet length
>>>>> > encoding) is still in flux so there may be some small variations
>>>>> > depending on the accelerator and final algorithm chosen for PNE.
>>>>> > Future offload designs can do more to further reduce the overhead.
>>>>>
>>>>> Thanks for the information, Manasi. I have modified the wiki page
>>>>> describing the PNE issues and alternatives to reflect this new data:
>>>>>
>>>>> https://github.com/quicwg/base-drafts/wiki/Summary-of-the-PN-encryption-issues-and-alternatives..
>>>>> With that new information, it appears that PR #1079 is superior to
>>>>> every other alternative.
>>>>>
>>>>> -- Christian Huitema
>>>
>>>
>>>
>>> --
>>> Kazuho Oku
>>>
>
>
>
> --
> Kazuho Oku
>



-- 
Kazuho Oku

v2.23.0 | Report a Bug | By Email