Re: QUIC-LB update: Eliminate block ciphers?
Phillip Hallam-Baker <phill@hallambaker.com> Wed, 06 October 2021 20:16 UTC
Return-Path: <hallam@gmail.com>
X-Original-To: quic@ietfa.amsl.com
Delivered-To: quic@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 62E403A0883 for <quic@ietfa.amsl.com>; Wed, 6 Oct 2021 13:16:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.648
X-Spam-Level:
X-Spam-Status: No, score=-1.648 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FORGED_FROMDOMAIN=0.249, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.001, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id g9GcAkevotf2 for <quic@ietfa.amsl.com>; Wed, 6 Oct 2021 13:16:34 -0700 (PDT)
Received: from mail-yb1-f178.google.com (mail-yb1-f178.google.com [209.85.219.178]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 99B3F3A0880 for <quic@ietf.org>; Wed, 6 Oct 2021 13:16:34 -0700 (PDT)
Received: by mail-yb1-f178.google.com with SMTP id n65so8197848ybb.7 for <quic@ietf.org>; Wed, 06 Oct 2021 13:16:34 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=Yaj2V+Hx484yUkUK+hqKQVmRdVnfprCRg5nWwNu3AIo=; b=QfPyEPeuOz4vAT5/GfQ6CZmd4T8ks/5j+o2yXm6kpcqSoa8Xc4joL8IWy/JNkvXJzg 9c3L4udzJPaC8pOO2VbqOSyb5Mzz/afEdYm8HE8HR3rJ1aS4Poy44mqGzljIDxnRFIdR JUn+4s7HqWU1eWjqRxZyG0YDQDKSWT/fu9O65iToGp3cyjZxTMa+YPA3mBVGMMmWsRse sZ9AHM5PfActLqr7gWfXUa+9MOMMZ9sICak50zn5bjS0XWVP6pvk79puuSqKr0N20iFK LYkF5dMycvPMFYZFZragUWjo3rFtJGmIi+08ZEvlJlcOec45da2UUylkvWraabm/WX9g sdKA==
X-Gm-Message-State: AOAM532Zrlxv6DSr0CUH1IHGQYZKBFFCqiV6uCa0zfGf2ay0CsVBsmC9 /+t5zFMG2yzm5/9MvP985rgO5xdqsnVld4gbOr4=
X-Google-Smtp-Source: ABdhPJzSMprmnb9SGdWm/Ju7bqay8zUJALJVNBJ3R4EicP38UIomNlWrkiBD/5b2c35hIDVOVxtMezeEOWb+nX0f/jM=
X-Received: by 2002:a25:4cc3:: with SMTP id z186mr200982yba.212.1633551393763; Wed, 06 Oct 2021 13:16:33 -0700 (PDT)
MIME-Version: 1.0
References: <CAM4esxT=QrJBaPsmK-6dXV+WUYn+tiHUEk_PpJu9L_agdU4EtQ@mail.gmail.com> <6f4f125359b247f588c8a74eb7ebfa1a@huawei.com> <CAKcm_gNRmKEDninEbHd6L_Jf7qJRBOvh5q2VyQT4FFabnDKL6g@mail.gmail.com> <CAM4esxQ7oUb2k3HKs21gUy15FxDr3wMDPH4EyR8FkX8q+a9A3Q@mail.gmail.com> <CAMm+Lwg2Ds=MdKXcry-ukRjc3nSjXy4XHXFdBU8eJP9S9xOchg@mail.gmail.com> <4c53f268-3d1b-562c-da5b-9973737464dc@huitema.net>
In-Reply-To: <4c53f268-3d1b-562c-da5b-9973737464dc@huitema.net>
From: Phillip Hallam-Baker <phill@hallambaker.com>
Date: Wed, 06 Oct 2021 16:16:23 -0400
Message-ID: <CAMm+LwgpfQvc0hE=0AoD_V=P5XP+WGJsGiVT=XW5-uCxofHfXg@mail.gmail.com>
Subject: Re: QUIC-LB update: Eliminate block ciphers?
To: Christian Huitema <huitema@huitema.net>
Cc: Martin Duke <martin.h.duke@gmail.com>, Antoine FRESSANCOURT <antoine.fressancourt@huawei.com>, IETF QUIC WG <quic@ietf.org>, Ian Swett <ianswett=40google.com@dmarc.ietf.org>
Content-Type: multipart/alternative; boundary="0000000000008c377c05cdb4d266"
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic/mOPYI6jn16OqrWARw3O99F0H62s>
X-BeenThere: quic@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Main mailing list of the IETF QUIC working group <quic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic>, <mailto:quic-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic/>
List-Post: <mailto:quic@ietf.org>
List-Help: <mailto:quic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic>, <mailto:quic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 06 Oct 2021 20:16:40 -0000
That sounds good, but if it isn't a stream cipher, I would change the name. I will take a look as soon as I have context dumped on my current stack. I have been one bug away from a release for 2 months. On Wed, Oct 6, 2021 at 4:02 PM Christian Huitema <huitema@huitema.net> wrote: > Phil, > > What we have in the current LB spec is called a "stream cipher", but > that's a misnomer. What we have in the spec is actually a variable size > block cipher, derived from AES-ECB using a construct similar to FFX. > Your review of that algorithm would be appreciated. > > -- Christian Huitema > > On 10/6/2021 11:13 AM, Phillip Hallam-Baker wrote: > > I came up against the same issue in a different spec. Stream ciphers > appear > > to be the solution but open up a large attack surface. Stream ciphers are > > really difficult to get right and formal methods don't always help. There > > is a tendency to reduce the problem to what can be proved. If you use a > > stream cipher, you have to rekey for each encryption operation. > > > > Block ciphers are more expensive but they are really hard to mess up. > > > > One option is to use a shorter block cipher. I put out a request for > > shorter block cipher on the Cryptography list and we had a discussion > there > > if people are interested in that approach. > > > > Yet another approach is to just use DES which has a short block. Which is > > obviously insecure for data encryption but this application has weaker > > requirements. > > > > > > > > > > On Wed, Oct 6, 2021 at 12:33 PM Martin Duke <martin.h.duke@gmail.com> > wrote: > > > >> Hi Antoine, > >> > >> Yes, the configuration agent generates the key in both cases. Sorry this > >> is confusing; if the block cipher goes away, the entire section will > need a > >> deep editorial rewrite that will hopefully remove the confusion. > >> > >> Martin > >> > >> On Wed, Oct 6, 2021 at 2:58 AM Ian Swett <ianswett= > >> 40google.com@dmarc.ietf.org> wrote: > >> > >>> I agree that the Block Cipher is not that likely to be deployed, and > >>> removing it simplifies the draft. > >>> > >>> On Wed, Oct 6, 2021 at 5:26 AM Antoine FRESSANCOURT < > >>> antoine.fressancourt@huawei.com> wrote: > >>> > >>>> Hello, > >>>> > >>>> > >>>> > >>>> A side remark on the Stream cipher and block cipher CID sections. As I > >>>> was reading both sections, I struggled a bit with understanding which > keys > >>>> were used in each cryptographic operation. The block cipher section > tells > >>>> that the key is generated by the configuration agent and distributed > to the > >>>> LB, but there is no such mention for the stream cipher section. > >>>> > >>>> > >>>> > >>>> As I don’t have a clear view about how keys are created and managed, I > >>>> would love to see those concerns answered in the draft (and > unfortunately I > >>>> would only be able to push misinformation myself) > >>>> > >>>> > >>>> > >>>> Thanks, > >>>> > >>>> > >>>> > >>>> Antoine Fressancourt > >>>> > >>>> > >>>> > >>>> *From:* QUIC [mailto:quic-bounces@ietf.org] *On Behalf Of *Martin > Duke > >>>> *Sent:* Monday, October 4, 2021 10:21 PM > >>>> *To:* IETF QUIC WG <quic@ietf.org> > >>>> *Subject:* QUIC-LB update: Eliminate block ciphers? > >>>> > >>>> > >>>> > >>>> Hello QUICWG, > >>>> > >>>> > >>>> > >>>> There has quietly been some recent work on tightening up the QUIC-LB > >>>> specification. At the moment, we are still short on implementations > but I > >>>> am hearing something might happen soon. > >>>> > >>>> > >>>> > >>>> Anyway, Christian Huitema has made substantial contributions to the > >>>> security properties of Stream Cipher CID, which allows smallish CIDs, > by > >>>> making it a three-pass algorithm. We still have the "Block Cipher CID > >>>> option" which requires CIDs of at least 17 bytes; AFAICT the only > advantage > >>>> at this point is that it can be decoded with 1 block encryption > operation > >>>> instead of three. > >>>> > >>>> > >>>> > >>>> In principle, QUIC-LB load balancers can be run with no per-connection > >>>> state, in which case this would be a per-packet operation. I strongly > >>>> suspect that real LBs will keep some per-4tuple state, as they do > today; if > >>>> so, this crypto operation only needs to occur once per packet where > the > >>>> 4-tuple is new. If so, the CPU impact is vanishingly small except in a > >>>> storm of garbage packets. > >>>> > >>>> > >>>> > >>>> So AFAICT, the use case for Block Cipher is as follows: > >>>> > >>>> - Willing to run one crypto operation per packet/new 4-tuple > >>>> > >>>> - Not OK with doing three crypto operations > >>>> > >>>> - satisfied with 17B + CIDs > >>>> > >>>> > >>>> > >>>> I strongly suspect this does not describe a real implementer, and am > >>>> inclined to simply delete this option in my effort to simplify the > design. > >>>> Nevertheless, I'm taking this to the list in case someone thinks this > is an > >>>> important use case. > >>>> > >>>> > >>>> > >>>> This is Issue 138 in Github > >>>> <https://github.com/quicwg/load-balancers/issues/138>. > >>>> > >>>> > >>>> > >>>> Thanks, > >>>> > >>>> Martin > >>>> > >>>> > >>>> >
- QUIC-LB update: Eliminate block ciphers? Martin Duke
- RE: QUIC-LB update: Eliminate block ciphers? Antoine FRESSANCOURT
- Re: QUIC-LB update: Eliminate block ciphers? Ian Swett
- Re: QUIC-LB update: Eliminate block ciphers? Martin Duke
- Re: QUIC-LB update: Eliminate block ciphers? Phillip Hallam-Baker
- Re: QUIC-LB update: Eliminate block ciphers? Christian Huitema
- Re: QUIC-LB update: Eliminate block ciphers? Phillip Hallam-Baker
- Re: QUIC-LB update: Eliminate block ciphers? Martin Thomson
- Re: QUIC-LB update: Eliminate block ciphers? Phillip Hallam-Baker
- Re: QUIC-LB update: Eliminate block ciphers? Martin Duke
- Re: QUIC-LB update: Eliminate block ciphers? Christian Huitema