IETF Logo Mail Archive

Re: Getting to consensus on packet number encryption

Mikkel Fahnøe Jørgensen <mikkelfj@gmail.com> Wed, 25 April 2018 11:53 UTC

Return-Path: <mikkelfj@gmail.com>
X-Original-To: quic@ietfa.amsl.com
Delivered-To: quic@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 78721126D74 for <quic@ietfa.amsl.com>; Wed, 25 Apr 2018 04:53:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ugXJOiEgnjYW for <quic@ietfa.amsl.com>; Wed, 25 Apr 2018 04:53:33 -0700 (PDT)
Received: from mail-io0-x242.google.com (mail-io0-x242.google.com [IPv6:2607:f8b0:4001:c06::242]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D5664127522 for <quic@ietf.org>; Wed, 25 Apr 2018 04:53:31 -0700 (PDT)
Received: by mail-io0-x242.google.com with SMTP id y128-v6so26457791iod.4 for <quic@ietf.org>; Wed, 25 Apr 2018 04:53:31 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:in-reply-to:references:mime-version:date:message-id:subject:to :cc; bh=DcW7pZ+GoEFzJPQyCYgetbNb6Sf8rM3cw2fK+5BNfRc=; b=uSg2RymrqNhixB60kX6IoCX9S7CXvlK0/4JjQ/bNjwBofCKxEiOmRFi/UyA01h4NuZ CTOauKdkW7HnJ7ErMlaI45PqtIQBN7uKBKt4l8AY0izPSp3xACcwaUI+lETxgk4AMbME owkIePgGdl3/WsLsT021gsX0DsJmwvmm6P55IBZ95rDdplSY3mG8tlWtNm0zIRmNkWDS I58k2VbUd2R4UArjEdofeLa0gPYlGmtnVbr341ZXjuYvwx/u57aYNL+C8c6GGp9Y6mA0 vGHeRMurJvj06Ce4+4nXXB6ofFj13s6vHhTJpaNrI7fXxhuLUnBdOpfwsZD3So/WRx5p 0a8A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:in-reply-to:references:mime-version:date :message-id:subject:to:cc; bh=DcW7pZ+GoEFzJPQyCYgetbNb6Sf8rM3cw2fK+5BNfRc=; b=M66l31ZUyO+ZmATeVngEZWDFxc6Q1Adx1Ey0HMl2KhxUL2iaTJhcBrYs0X8+pJY/xf DEOG9ocdwxKjYhVxZa03+73Wuoxuk4UarZ9cR6Fvfrbfmor3iU0Xwm1odyBU/oaK+niI DpHnlBz5CHw+CmZUwwI6w96oVHA3oCsPzeeFPYiHX649eZwSOAgTFgkA5+FcuxhHj1jE clqRDGNRP+RR3tijQGKz4joU85hVbfHRrjzzXykCbJ0LkZ8MbYAnVsAss4UcKPTtEBw9 7kPZpl2sf4hvZXhGu2Pl0xT7jq50APZUyP35/aVJi+rTZs2La4/SI4hb0AeBlMgsito+ 2rnA==
X-Gm-Message-State: ALQs6tBYDTC6toxLK7c3oS6csGt2wbJONfoxBOp8gigGLqez5k3B3BTU q77tUrGOtDjKwrbqmZzGwZli1YjEJ02ZcngUgek=
X-Google-Smtp-Source: AB8JxZpQIzNR/01ZVFtXSwunH4uhhChmNv41U7eAriguUC6pAEay0aXq+NASdvWHrYgB+dFAk6kX6gsVBivwih86E2U=
X-Received: by 2002:a6b:5010:: with SMTP id e16-v6mr22737398iob.274.1524657211195; Wed, 25 Apr 2018 04:53:31 -0700 (PDT)
Received: from 1058052472880 named unknown by gmailapi.google.com with HTTPREST; Wed, 25 Apr 2018 07:53:29 -0400
From: Mikkel Fahnøe Jørgensen <mikkelfj@gmail.com>
In-Reply-To: <fc57394f-9516-04c0-0846-6d159b14bc9e@huitema.net>
References: <7fd34142-2e14-e383-1f65-bc3ca657576c@huitema.net> <21C36B57-6AE2-40EF-9549-7196D7FA9B45@tik.ee.ethz.ch> <B176FC07-887D-4135-B01E-FE8B4986A5EE@mnot.net> <CAKcm_gOCeocLyrYpOS7Ud332xdz3xHSH0psPN8T6BGRjoL9ptQ@mail.gmail.com> <CY4PR21MB0630FA0EDD343396AD414641B6A40@CY4PR21MB0630.namprd21.prod.outlook.com> <CAN1APde13JTzCvKFFvMd183Fka6QGD1kGBjsa9fcoLrYeA2hsA@mail.gmail.com> <CY4PR21MB0630C0FD4FBECBFEC3C863BBB6A40@CY4PR21MB0630.namprd21.prod.outlook.com> <047d2ff0-ff8b-64c9-8983-0ecabeb9fea5@huitema.net> <B0F49097-F77A-4831-B68B-4266AA880A86@tik.ee.ethz.ch> <74E2F5C2-66AD-4902-8A4A-E481CC0A015C@fb.com> <75050158-3812-44F1-A01E-D70EED7FDFD6@tik.ee.ethz.ch> <BY2PR15MB0775B4ACF7DB9124E89016F0CDB00@BY2PR15MB0775.namprd15.prod.outlook.com> <c8e60ba4-d6be-c4fc-5bac-d569a28fb4e8@huitema.net> <56CE3592-EB1D-40A3-B1D2-965B238FA402@mnot.net> <ae7a63fe-0a32-893f-aa6b-e8d97b8ba87a@huitema.net> <1F436ED13A22A246A59CA374CBC543998B60C6DD@ORSMSX111.amr.corp.intel.com> <fc57394f-9516-04c0-0846-6d159b14bc9e@huitema.net>
X-Mailer: Airmail (420)
MIME-Version: 1.0
Date: Wed, 25 Apr 2018 07:53:29 -0400
Message-ID: <CAN1APdej4UTCyHs-n1xvKkCAPuw71jTvVegs8497Qgx9taRbxg@mail.gmail.com>
Subject: Re: Getting to consensus on packet number encryption
To: Mark Nottingham <mnot@mnot.net>, Christian Huitema <huitema@huitema.net>, "Deval, Manasi" <manasi.deval@intel.com>
Cc: "quic@ietf.org" <quic@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000007a47e1056aaaebe5"
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic/r83KI5EsrQF-sNImjTGw8xO_JPA>
X-BeenThere: quic@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Main mailing list of the IETF QUIC working group <quic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic>, <mailto:quic-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic/>
List-Post: <mailto:quic@ietf.org>
List-Help: <mailto:quic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic>, <mailto:quic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 25 Apr 2018 11:53:35 -0000

Another observation point:

If there are so many concurrent paths in the host system that PNE matters,
then the cost of an additional keyed lookup is likely higher than PNE. You
can’t do much better than 40ns per lookup under ideal circumstances where a
minimum number of cache lines are hit, unless your working set is small.
Red-Black tree easily gets up to 2-400ns with current hardware. PNE is
below 30ns estimated - iff the decryption context is readily available.

The question is then, would avoiding PNE lead to additional lookups that
would not otherwise be required. Or, on the contrary would PNE lead to
additional lookups due to a separate encryption context. Lookup broadly
means fetching cache lines not otherwise required.


Kind Regards,
Mikkel Fahnøe Jørgensen


On 25 April 2018 at 12.14.35, Christian Huitema (huitema@huitema.net) wrote:

On 4/23/2018 6:55 PM, Deval, Manasi wrote:

> I had brought up the issue with PNE several weeks ago as a barrier to
hardware offload. After further review, it looks like a hardware offload
can implement the PNE at a small cost.
>
> The implementation can modify current HW crypto accelerators to support
encrypting a buffer in the first pass and then encrypting packet number in
the 2nd pass as already discussed on this thread. The exact requirement
(header checksum, packet length encoding) is still in flux so there may be
some small variations depending on the accelerator and final algorithm
chosen for PNE. Future offload designs can do more to further reduce the
overhead.

Thanks for the information, Manasi. I have modified the wiki page
describing the PNE issues and alternatives to reflect this new data:
https://github.com/quicwg/base-drafts/wiki/Summary-of-the-PN-encryption-issues-and-alternatives.

With that new information, it appears that PR #1079 is superior to every
other alternative.

-- Christian Huitema

v2.23.0 | Report a Bug | By Email