IETF Logo Mail Archive

RE: Amplification window, initial congestion window, initial RTT and new post-quantum signature implications

"Kampanakis, Panos" <kpanos@amazon.com> Mon, 08 January 2024 16:25 UTC

Return-Path: <prvs=730104c19=kpanos@amazon.com>
X-Original-To: quic@ietfa.amsl.com
Delivered-To: quic@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CE5ABC14CE39 for <quic@ietfa.amsl.com>; Mon, 8 Jan 2024 08:25:01 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.102
X-Spam-Level:
X-Spam-Status: No, score=-7.102 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H5=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01, UNPARSEABLE_RELAY=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=amazon.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qv2qnbwKgxqF for <quic@ietfa.amsl.com>; Mon, 8 Jan 2024 08:24:57 -0800 (PST)
Received: from smtp-fw-52005.amazon.com (smtp-fw-52005.amazon.com [52.119.213.156]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5701BC151984 for <quic@ietf.org>; Mon, 8 Jan 2024 08:24:57 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=amazon.com; i=@amazon.com; q=dns/txt; s=amazon201209; t=1704731097; x=1736267097; h=from:to:subject:date:message-id:references:in-reply-to: mime-version; bh=uc7r7XVA+AtOw9dR2fvXHtDLi4zcOpLcbCwT6hpUl9Q=; b=Nh4XfsE7inNe3R/QaRO75w9PS/6devsy7VmmQPAKpxnKffGZTe53t17i DYLfNCoAR/3nEq+mVgTryXUZXWZoDGW/n5IC4O7/Gal9kSTs9ppURwPAw s1IS1+VBDO8M1X69+bzgwumE3ORCxPKpMtObPg28WWXnnBBceV5XRxW5E U=;
X-IronPort-AV: E=Sophos;i="6.04,180,1695686400"; d="scan'208,217";a="626365962"
Received: from iad12-co-svc-p1-lb1-vlan3.amazon.com (HELO email-inbound-relay-iad-1e-m6i4x-6e7a78d7.us-east-1.amazon.com) ([10.43.8.6]) by smtp-border-fw-52005.iad7.amazon.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 08 Jan 2024 16:24:54 +0000
Received: from smtpout.prod.us-west-2.prod.farcaster.email.amazon.dev (iad7-ws-svc-p70-lb3-vlan2.iad.amazon.com [10.32.235.34]) by email-inbound-relay-iad-1e-m6i4x-6e7a78d7.us-east-1.amazon.com (Postfix) with ESMTPS id 6FAF180809; Mon, 8 Jan 2024 16:24:54 +0000 (UTC)
Received: from EX19MTAUWA001.ant.amazon.com [10.0.38.20:6304] by smtpin.naws.us-west-2.prod.farcaster.email.amazon.dev [10.0.57.88:2525] with esmtp (Farcaster) id 957ad98d-5dd7-4379-b1a2-aad453e5f326; Mon, 8 Jan 2024 16:24:53 +0000 (UTC)
X-Farcaster-Flow-ID: 957ad98d-5dd7-4379-b1a2-aad453e5f326
Received: from EX19D001ANA004.ant.amazon.com (10.37.240.187) by EX19MTAUWA001.ant.amazon.com (10.250.64.217) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.1118.40; Mon, 8 Jan 2024 16:24:52 +0000
Received: from EX19D001ANA001.ant.amazon.com (10.37.240.156) by EX19D001ANA004.ant.amazon.com (10.37.240.187) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA) id 15.2.1118.40; Mon, 8 Jan 2024 16:24:50 +0000
Received: from EX19D001ANA001.ant.amazon.com ([fe80::4f78:75cd:3117:8055]) by EX19D001ANA001.ant.amazon.com ([fe80::4f78:75cd:3117:8055%5]) with mapi id 15.02.1118.040; Mon, 8 Jan 2024 16:24:50 +0000
From: "Kampanakis, Panos" <kpanos@amazon.com>
To: "quic@ietf.org" <quic@ietf.org>, Martin Thomson <mt@lowentropy.net>
Subject: RE: Amplification window, initial congestion window, initial RTT and new post-quantum signature implications
Thread-Topic: Amplification window, initial congestion window, initial RTT and new post-quantum signature implications
Thread-Index: Adoy+Sh38KvzpbxzT5OIdcsjhB7gIAPU+qLA
Date: Mon, 08 Jan 2024 16:24:50 +0000
Message-ID: <ab61f92a887a4bfc8cae4071d7ef7ea7@amazon.com>
References: <f0360f9abbd6435b9dbf269e7f5bce65@amazon.com>
In-Reply-To: <f0360f9abbd6435b9dbf269e7f5bce65@amazon.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.106.178.8]
Content-Type: multipart/alternative; boundary="_000_ab61f92a887a4bfc8cae4071d7ef7ea7amazoncom_"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic/peISmymLLbvgNMWqyQphmkdnRDA>
X-BeenThere: quic@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Main mailing list of the IETF QUIC working group <quic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic>, <mailto:quic-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic/>
List-Post: <mailto:quic@ietf.org>
List-Help: <mailto:quic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic>, <mailto:quic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 08 Jan 2024 16:25:02 -0000

Thanks for the reaction Martin.

Amplification protection is unique to QUIC, DTLS. I don't think it could be addressed in TLS.

Regarding the kinitRTT=333, it comes (I think) from RFC6298's initial RTO of 1s. That RTO tries to be large to cover common network RTTs and small to allow for recovery. So, I could see the RTO being a TCP update issue, not so much a TLS issue.

About the initial congestion window, I think that would be a TCP issue as well. Hard to do globally as it happened with the initcwnd=3 to initcwnd=12 jump. But I believe many CDNs already use large initcwnd's anyway, so this may be lower priority to do.

In other words, I think amplification is still something to consider in QUIC. The other two are probably more suitable for TCP.

-----

> During the development of QUIC we were aware of the possibility of having a larger handshake and so most implementations are tested for compatibility.
>
> What we did not do is tune the handshake parameters (RTT and amplification limit) to allow for higher performance under these conditions.  The exact sizes of messages was not knowable at the time and so we couldn't make firm decisions.
>
> That all said, increasing amplification by a factor of 3-5 over our existing value (3x) seems unwise.
>
> The TLS WG is probably the right place to continue this discussion as - while QUIC might be able to adjust these parameters - the primary changes need to occur in the TLS stack.  I'm aware of several attempts to change TLS, each of which might motivate a different adaptation in QUIC.

_____________________________________________
From: Kampanakis, Panos
Sent: Tuesday, December 19, 2023 11:11 PM
To: 'quic@ietf.org' <quic@ietf.org>
Subject: Amplification window, initial congestion window, initial RTT and new post-quantum signature implications


Hi all,

I was wondering if there have been any discussion about new quantum-resistant algorithms and their impact on QUIC. Looking back in the list archive I could only find https://mailarchive.ietf.org/arch/msg/quic/cA_azemZvSQadc9FvWnMfN-malQ/  which brought up the initial congestion and the amplification window issues which could introduce an RTT each to the handshake due to the large "post-quantum auth data" from the server. I don't think that discussion converged to any actionable items.

Recently published https://www.nccoe.nist.gov/sites/default/files/2023-12/pqc-migration-nist-sp-1800-38c-preliminary-draft.pdf  (Section 7.3, Figure 5) also showed that packet pacing can introduce >RTT time to each handshake. kInitialRtt=333 is a "SHOULD" in RFC9002 so it could be adjusted, but I am not sure that should be left to the implementer.

Tweaking the amplification window to 10-15x as the new signature algos would require, increases the amplification risk. Validation tokens could alleviate the issue especially for clients that keep coming to the same servers, but it is not a general solution.

Increasing the initial congestion window is already done by CDNs, but I am not sure it is the norm for most QUIC uses.

So, has the WG generally considered options to address these issues?

v2.37.1 | Report a Bug | By Email | System Status