IETF Logo Mail Archive

Re: Getting to consensus on packet number encryption

Kazuho Oku <kazuhooku@gmail.com> Tue, 24 April 2018 02:53 UTC

Return-Path: <kazuhooku@gmail.com>
X-Original-To: quic@ietfa.amsl.com
Delivered-To: quic@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2E0B612E040 for <quic@ietfa.amsl.com>; Mon, 23 Apr 2018 19:53:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lFi8u4aUkTGn for <quic@ietfa.amsl.com>; Mon, 23 Apr 2018 19:53:41 -0700 (PDT)
Received: from mail-pg0-x241.google.com (mail-pg0-x241.google.com [IPv6:2607:f8b0:400e:c05::241]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 098F612706D for <quic@ietf.org>; Mon, 23 Apr 2018 19:53:40 -0700 (PDT)
Received: by mail-pg0-x241.google.com with SMTP id e9so9741765pgr.7 for <quic@ietf.org>; Mon, 23 Apr 2018 19:53:40 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=HmyNFDkQT+jb2aCwrmfYr8LX3Bi7yy1XNsLk+E6aTos=; b=YoMhS3Agr2m5f+3cp3KD8bGWXGGRhNURXGBKIkoU8SYGnTSvpigkeZdKDTHNkeew8i Y/rjsB1TcN0WIsJvaF0X5zPGxPyCjfRi4Ab4jFixnSrXC3d4D8+bX1h62nJw3cVb5/ih tGFpmpE3zaWTTu5AA4c/p4dfnZLranCG7FkGixInH6ZPMoO3CgbpUWF9eFKvhkYLUQl2 aDGJ66VoDAcOt3W3Kw6LaVPbzvEUMyty5t8QsLxL/cQgaS4mF+kNLFfTMdW8iVihJpIL Okfuet9SQkIqa8A1l/jwZtrcGHw6Gxby8feIcrOeSOfw4BKXobQ6XXVMoxTcfDk3r+pw XG3w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=HmyNFDkQT+jb2aCwrmfYr8LX3Bi7yy1XNsLk+E6aTos=; b=C1Chd4RaPjnERKT5Y/3Rj1aUcQJCbKgfTWj24MX4xSM5FHWbjDU6jXHANagRNGNDq3 vGkgbOM+Fw8vBUd7sbRCP5QaE/Hg/EhwJMbFkGGdlbA9wrWur+mDQwYBzC4A9B1nLj7E KDFc2nPWR2YvBe1Z9JkGfEoHwx1JjDrgO2Km+KEqz+sNNBi6q8PeF/rnalWAukk8Ym1d 08zfflbHyj+XJ9kzZ6KRjNxaH3xGDKZh8DsjJjZVTQPsvEPQpolIcZN6KLTHLRRgVnvg Dvn/g6lYi2ZodA39hhUrbEhaKJPfCurFQAIjzQ//WuPDfMvJuUo0A0kp5nX/TyBToVpy 8WAg==
X-Gm-Message-State: ALQs6tBL+DJ8oMUVy0EJ/XijQtDtFSl6rqLUf9GkL2lpSqHeefYeOZAO 6hZEYBIj7QU17CI6RAfxq2vmtdhbfQJczlk+gLs=
X-Google-Smtp-Source: AIpwx498SnApOvj3mbioHUCNmMnZWI4cuNRVW3CpYKT/g4rNIDaB5Jl4JR9XVz1j+w1554XaiAvwFC4XGklafybaXDE=
X-Received: by 2002:a17:902:14cb:: with SMTP id y11-v6mr23135569plg.23.1524538420257; Mon, 23 Apr 2018 19:53:40 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.100.145.130 with HTTP; Mon, 23 Apr 2018 19:53:39 -0700 (PDT)
In-Reply-To: <CAKcm_gNRsxDVF4jGYbaHuvfq1uxEUy08DX_YMD2SQ--NepU2ag@mail.gmail.com>
References: <7fd34142-2e14-e383-1f65-bc3ca657576c@huitema.net> <CAKcm_gNffwpraF-H2LQBF33vUhYFx0bi_UXJ3N14k4Xj4NmWUw@mail.gmail.com> <40C1F6FE-2B2C-469F-8F98-66329703ED50@mnot.net> <21C36B57-6AE2-40EF-9549-7196D7FA9B45@tik.ee.ethz.ch> <B176FC07-887D-4135-B01E-FE8B4986A5EE@mnot.net> <CAKcm_gOCeocLyrYpOS7Ud332xdz3xHSH0psPN8T6BGRjoL9ptQ@mail.gmail.com> <CY4PR21MB0630FA0EDD343396AD414641B6A40@CY4PR21MB0630.namprd21.prod.outlook.com> <CAN1APde13JTzCvKFFvMd183Fka6QGD1kGBjsa9fcoLrYeA2hsA@mail.gmail.com> <CY4PR21MB0630C0FD4FBECBFEC3C863BBB6A40@CY4PR21MB0630.namprd21.prod.outlook.com> <047d2ff0-ff8b-64c9-8983-0ecabeb9fea5@huitema.net> <B0F49097-F77A-4831-B68B-4266AA880A86@tik.ee.ethz.ch> <74E2F5C2-66AD-4902-8A4A-E481CC0A015C@fb.com> <75050158-3812-44F1-A01E-D70EED7FDFD6@tik.ee.ethz.ch> <BY2PR15MB0775B4ACF7DB9124E89016F0CDB00@BY2PR15MB0775.namprd15.prod.outlook.com> <c8e60ba4-d6be-c4fc-5bac-d569a28fb4e8@huitema.net> <56CE3592-EB1D-40A3-B1D2-965B238FA402@mnot.net> <ae7a63fe-0a32-893f-aa6b-e8d97b8ba87a@huitema.net> <1F436ED13A22A246A59CA374CBC543998B60C6DD@ORSMSX111.amr.corp.intel.com> <CACpbDccOiELKrC1Dfs2tmC02T8awete8TcMgDEU5s_eQS8igOw@mail.gmail.com> <CAKcm_gNRsxDVF4jGYbaHuvfq1uxEUy08DX_YMD2SQ--NepU2ag@mail.gmail.com>
From: Kazuho Oku <kazuhooku@gmail.com>
Date: Tue, 24 Apr 2018 11:53:39 +0900
Message-ID: <CANatvzzNzGFS3D7tBNe2AivC9bSYFFGPdnumn9Jc9GKmm05SMA@mail.gmail.com>
Subject: Re: Getting to consensus on packet number encryption
To: Ian Swett <ianswett=40google.com@dmarc.ietf.org>
Cc: Jana Iyengar <jri.ietf@gmail.com>, Mark Nottingham <mnot@mnot.net>, IETF QUIC WG <quic@ietf.org>, Christian Huitema <huitema@huitema.net>, "Deval, Manasi" <manasi.deval@intel.com>, antoine@delignat-lavaud.fr
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic/nYzx0PLtvQ9DD6Dp-3Ande9psZw>
X-BeenThere: quic@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Main mailing list of the IETF QUIC working group <quic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic>, <mailto:quic-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic/>
List-Post: <mailto:quic@ietf.org>
List-Help: <mailto:quic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic>, <mailto:quic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 24 Apr 2018 02:53:43 -0000

Manasi, thank you for the update.

In addition to the points that Jana and Ian made, it would be great if
you could provide us some estimation on if using different keys for PN
encryption and payload encryption affects HW offload performance /
portion of existing hardware that can support this form of encryption.

On https://github.com/quicwg/base-drafts/pull/1079#issuecomment-382007477,
Antoine has recently suggested that the PNE scheme proposed in #1079
can be tweaked to use the same key for encrypting the PN and the
payload (they will use same key but different nonces).

This is minor to the points made by Jana and Ian, but I think it would
be something good to know to make a decision.

2018-04-24 8:22 GMT+09:00 Ian Swett <ianswett=40google.com@dmarc.ietf.org>:
> Yes, thanks for the update.
>
> Can you estimate the portion of existing hardware(that supports TCP crypto
> offload) which could support crypto offload for QUIC with PNE vs without
> PNE?
>
> On Mon, Apr 23, 2018 at 6:49 PM Jana Iyengar <jri.ietf@gmail.com> wrote:
>>
>> Thanks for the update, Manasi. In practice, can you state what this small
>> cost is? Is it the second crypto pass, or are there other deployment costs
>> that you are thinking about?
>>
>> On Mon, Apr 23, 2018 at 10:55 AM, Deval, Manasi <manasi.deval@intel.com>
>> wrote:
>>>
>>> Hi All,
>>>
>>> I had brought up the issue with PNE several weeks ago as a barrier to
>>> hardware offload. After further review, it looks like a hardware offload can
>>> implement the PNE at a small cost.
>>>
>>> The implementation can modify current HW crypto accelerators to support
>>> encrypting a buffer in the first pass and then encrypting packet number in
>>> the 2nd pass as already discussed on this thread. The exact requirement
>>> (header checksum, packet length encoding) is still in flux so there may be
>>> some small variations depending on the accelerator and final algorithm
>>> chosen for PNE. Future offload designs can do more to further reduce the
>>> overhead.
>>>
>>> This re-opens the issue of crypto offload in the context of other
>>> offloads. There is another thread talking about the offload in context of
>>> segmentation. I'll respond to that thread separately.
>>>
>>> Thanks,
>>> Manasi
>>>
>>>
>>> -----Original Message-----
>>> From: QUIC [mailto:quic-bounces@ietf.org] On Behalf Of Christian Huitema
>>> Sent: Wednesday, April 18, 2018 9:38 AM
>>> To: Mark Nottingham <mnot@mnot.net>
>>> Cc: quic@ietf.org
>>> Subject: Re: Getting to consensus on packet number encryption
>>>
>>>
>>>
>>> On 4/18/2018 1:09 AM, Mark Nottingham wrote:
>>> > Thanks Christian; that's extremely helpful (and considering that I was
>>> > about to embark on the same task, but do a much worse job, I'm especially
>>> > appreciative).
>>> >
>>> > Everyone please have a read and direct your comments back here.
>>> >
>>> > One aspect that still hasn't been made clear AFAICT -- you say:
>>> >
>>> > """The process requires two passes, fetching some output of the
>>> > encryption to seed the PN encryption. This is problematic for hardware
>>> > implementations that typically don't buffer the output for further
>>> > access."""
>>> >
>>> > .... and then later:
>>> >
>>> > """Single pass, thus mostly implementable in hardware if we assume that
>>> > the PN encryption/decryption can be done in software."""
>>> >
>>> > Having a bit more context about the hardware implementation limitations
>>> > here would be extremely helpful. Specifically, is "problematic" one of:
>>> >
>>> > * "More difficult for existing hardware (e.g., without firmware
>>> > updates, etc.)"
>>> > * "Impossible for existing hardware, but possible for bespoke hardware"
>>> > * "Impossible in any hardware"
>>> > * Prohibitively expensive for current/future hardware
>>> > * Something else?
>>>
>>> I tried to express the issue in my own words, based on discussions in
>>> this list. But as I said, this is a Wiki. People with more hands-on
>>> experience on hardware acceleration would be welcome to add a small section
>>> describing the issue with hardware implementations.
>>>
>>> -- Christian Huitema
>>>
>>
>



-- 
Kazuho Oku

v2.23.0 | Report a Bug | By Email