Re: Greasing more of QUIC
Martin Thomson <martin.thomson@gmail.com> Fri, 08 December 2017 00:31 UTC
Return-Path: <martin.thomson@gmail.com>
X-Original-To: quic@ietfa.amsl.com
Delivered-To: quic@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7CC4E120726 for <quic@ietfa.amsl.com>; Thu, 7 Dec 2017 16:31:10 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level:
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id b21zQ5AQJST4 for <quic@ietfa.amsl.com>; Thu, 7 Dec 2017 16:31:08 -0800 (PST)
Received: from mail-oi0-x22f.google.com (mail-oi0-x22f.google.com [IPv6:2607:f8b0:4003:c06::22f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1B90712871F for <quic@ietf.org>; Thu, 7 Dec 2017 16:31:08 -0800 (PST)
Received: by mail-oi0-x22f.google.com with SMTP id w131so6203829oiw.0 for <quic@ietf.org>; Thu, 07 Dec 2017 16:31:08 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=0Jkx8YaTYrLXuoUVcY+YRAL3MNazPq1gJvFCgFKWfnE=; b=mJRMkm+OGgTszXxrryqa79X8srolzfu5aweU+zRv/YpJOArn+WhUoRWz0WgsAjN5vJ X/D4cZvYK2CDQzgCHfFdV9taYuYmuJAk/CRWOnt/baXrYiCCx3xmrLo5nfrNslBWrrjz ENJVP1kPVzJ2N7nszc+kHJU8GRgEsS0yGA5gk0JM+dsi4k9kNdzpapLiUYBm6SL5BBH/ jvUByTCA9aVFGdd1C+FHlVUEiJy+wX028U7T9jnJjcdmtMUpYrLnjU46Xcu2K5l0h7Yb utXXXYI9zIzvSRB7wR/W9Iy9hRf9HE4EoHZsCnaX2JS3uzlV3p4GC41FLlMSWqtBSL1d 5aow==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=0Jkx8YaTYrLXuoUVcY+YRAL3MNazPq1gJvFCgFKWfnE=; b=IH0MRZh8uIsX1BYRAY9fnGpX2KTEwfdrIzejdinKFibCZnjV+hLBlPixpoAInYCYyw 9GlRszgAXFel/Y8ktWUC0ZP/ElZk9JAGSXWL89BZ4wx4nmzFEaNJpejCDrDkLQ5qwWe1 3yfRbyBSSruuFP+V504hO/AbMn8a/665dKFlz/P3KlMp7A8i7jfB+NUOoznIFUwBCg9y XMqcPcHbDzxyzoQ6aTOi4upujQaLtPV4cKtaRvTHQSl24jrdhpt4KeRIC2ni0nSU5YYf 4HVI97L4jRIhYIBTPV67eT3NfXXRjsw40UQsUohzt1VR4Gb0/tI3Vath7CsD/H1OrPwD qOmw==
X-Gm-Message-State: AJaThX4Ms0IGsdh3h+OA/54FGrMMmB4nJAF4rdE8X3YzTf54U6QuHAfX wfxz9446Uvg62WOchKJpTm2QUu73sXmFmkSEwj0Ev+5qSAg=
X-Google-Smtp-Source: AGs4zMYHhAAYDr2sxbNKD2nHM7cONZTsWBrFnEC5fDgbz6PRKUPw2U4nhKnLhJuWUZ3SdCyGz0OG2J4dqNL1KnkhGng=
X-Received: by 10.202.166.206 with SMTP id t75mr24395134oij.28.1512693067214; Thu, 07 Dec 2017 16:31:07 -0800 (PST)
MIME-Version: 1.0
Received: by 10.157.8.11 with HTTP; Thu, 7 Dec 2017 16:31:06 -0800 (PST)
In-Reply-To: <68B6C3D7-243D-4E0A-B8D1-34AE5E08468A@trammell.ch>
References: <CABkgnnUxr3cAv81m5PfzRb+LWbiUq1qaASMnLkG+hEokHR714A@mail.gmail.com> <68B6C3D7-243D-4E0A-B8D1-34AE5E08468A@trammell.ch>
From: Martin Thomson <martin.thomson@gmail.com>
Date: Fri, 08 Dec 2017 11:31:06 +1100
Message-ID: <CABkgnnXMj5EwgtKf3ytx3dLG4Vw9rTAE9+98Vv=MxMK-ecSaeQ@mail.gmail.com>
Subject: Re: Greasing more of QUIC
To: "Brian Trammell (IETF)" <ietf@trammell.ch>
Cc: QUIC WG <quic@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic/p7p9BhwEgZP-bMv8K7SQnN_jvzA>
X-BeenThere: quic@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Main mailing list of the IETF QUIC working group <quic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic>, <mailto:quic-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic/>
List-Post: <mailto:quic@ietf.org>
List-Help: <mailto:quic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic>, <mailto:quic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 08 Dec 2017 00:31:10 -0000
On Thu, Dec 7, 2017 at 8:11 PM, Brian Trammell (IETF) <ietf@trammell.ch> wrote: > hi Martin, > >> On 7 Dec 2017, at 06:03, Martin Thomson <martin.thomson@gmail.com> wrote: >> >> I've sort of promised a few times, to a few people, that I'd write up >> the state of play regarding greasing. I just did that and it got >> somewhat lengthy. So I decided that I'd put the words in a draft. >> Sorry. That's what you get when publishing drafts gets easier... >> >> https://datatracker.ietf.org/doc/html/draft-thomson-quic-grease > > First, I'll note that draft focuses on runtime adaptations: how can we scramble the wire image to resist analysis by vendors who will implement the results of that analysis in ways that might break future QUIC versions by dropping packets? This is only part of the space of mitigations available to us. There are also design- and deployment-time adaptations: exercising the version negotiation mechanism, for instance, by making the V2 header beyond the invariants gratuitously incompatible with the V1 header and deploying it very, very soon after V1. Right. And I still think that's a better general defense. > When you said "this got lengthy", what I was hoping I'd see here, and didn't, is an explicit statement of the threat model the greasing we apply is meant to counter. "Ossification", yes, great, but in order to be able to evaluate the tradeoffs (especially between XOR and FFX), we need to get a bit more specific about what that means. > > I can think of a couple of axes along which we can classify these models: > > (1) Adversary intent: what is the middlebox trying to do? I don't think that intent matters here. One of the things I've learned from TLS that attempting to discern intent is like trying to comprehend Lovecraft's Deep Ones. It's a short trip from there to an asylum. Your next two points I consider to be points on a spectrum. The biggest problem is the one you alluded to above. The middlebox is deployed and is inflexible. It can be perfectly capable, understanding everything there is to understand about the protocol short of getting session keys, but that doesn't mean that changing anything is possible. Even if the upgrade pace of the middlebox is rapid - and our experience with TLS suggests the opposite - nothing safeguards flexibility better than being flexible. As I said, I think that the best we can do within any single version of the protocol is to force middleboxes into stateful inspection if they intend to look at version-dependent traits. This is confounded by the fact that even if a middlebox does stateful inspection, they won't necessarily see the version due to the possibility of connection migration. That said, as long as the number of packets required to prime stateful inspection exceeds or equals the number of packets that are required to correctly recover the version, this could be successful. Ideally, learning version is a prerequisite for recovery. > Greasing is of most utility, IMO, when it is used to prevent lazy, somewhat-competent middlebox creators with access to but little interest in reading the specs from expanding the set of invariants beyond those which we prescribe, whether intentionally or unintentionally (indeed, a non-lazy adversary working to intentionally expand the set of invariants would just send a pull request on the invariants doc. :) ). That is more proactive than I'd look for. There's no business motivation for worrying about protocols that aren't deployed. Middlebox vendors definitely aren't stupid or lazy (notable exceptions aside). They implement what they need to, and read the specs as necessary. But what's deployed matters. That's where we get into trouble. The middlebox that has an "allow HTTPS" policy learns to examine flows more closely when people start using TLS over port 443 for other protocols to circumvent that policy. When they look too closely or too incautiously (see for example https://arxiv.org/pdf/1607.01639.pdf), we experience bizarre breakages. The point here is to increase the cost of the sort of casual, stateless inspection that can be destructive to the point that stateful inspection is more viable. Either that or encourage the use of techniques other than looking at packets. > Doing something to protect the ability to expand/change the location and semantics of the packet type switching mechanism and the packet number space and encoding in future versions seems like it's worth doing. Attempting to make these mechanisms resistant to analysis, though, doesn't seem like it has a benefit commensurate with effort and proneness to error. The only analysis I'm looking to guard against is correlation across migrations. Using an unpredictable key has that advantage. (It also removes a bunch of really ugly properties from the current mitigation.)
- Greasing more of QUIC Martin Thomson
- Re: Greasing more of QUIC Jana Iyengar
- Re: Greasing more of QUIC Brian Trammell (IETF)
- Re: Greasing more of QUIC Martin Thomson
- Re: Greasing more of QUIC Martin Thomson
- Re: Re: Greasing more of QUIC alexandre.ferrieux
- Re: Re: Greasing more of QUIC Mikkel Fahnøe Jørgensen
- Re: Greasing more of QUIC alexandre.ferrieux