IETF Logo Mail Archive

Re: Hardware acceleration and packet number encryption

Mikkel Fahnøe Jørgensen <mikkelfj@gmail.com> Sat, 24 March 2018 13:29 UTC

Return-Path: <mikkelfj@gmail.com>
X-Original-To: quic@ietfa.amsl.com
Delivered-To: quic@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 21ED11201F8 for <quic@ietfa.amsl.com>; Sat, 24 Mar 2018 06:29:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mecL8I7WP7xu for <quic@ietfa.amsl.com>; Sat, 24 Mar 2018 06:29:25 -0700 (PDT)
Received: from mail-io0-x22f.google.com (mail-io0-x22f.google.com [IPv6:2607:f8b0:4001:c06::22f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DF4B81201F2 for <quic@ietf.org>; Sat, 24 Mar 2018 06:29:24 -0700 (PDT)
Received: by mail-io0-x22f.google.com with SMTP id r18so18254303ioa.1 for <quic@ietf.org>; Sat, 24 Mar 2018 06:29:24 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=5H+tj4zFyzCUxnXzE4XecewYM1Kbj5p6RJnYrdXCECA=; b=jr21FFsbv8aTzORDjU7uWsW2O3kOti1LC9dVMb5305mKfrSbcAAVN4cETDfsa5bsGf mHiRZejuIh5gsbX2VJzTZzj+xmA61RF2nkzA4DaRcqRoWeAA33zlMNkcgySnyWUS3vnK 8ZSWVC4ozZZ6SRB4zVQFCBoTj3vw44mdvjcRzZa1o6Au5dPJOm8ZRNRS+vMdqp38FQ+a olhkP+AlUbFY+w/T769qdEi1RLcKNUVyukhyQZEn6gxYW7cTzfD2c7A42jKUyVwqfkxi OEbZn9UG9TC1x/VBbGgXx/b4TO4HnhHtK0d3hMIMl2LxsHCe+LgKR6mIpQJjAjPjhQjc K8HA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=5H+tj4zFyzCUxnXzE4XecewYM1Kbj5p6RJnYrdXCECA=; b=IDCBcqfQVwp/21SyJfTIfwYiJMuULab+5RBP18sWnsA4foD/oiZs2+LO0VoWod5UZX 6BEpqc95FIVQfvmvH+MgPziCclKI5PuAiQFm3yZ13pnOY4yvSzG/ztV0va/SYh5mtgs2 kGYwsT/voryvvNlMMB4GnEZeqEQkR1qyvQPOAAm087Spb+nE+zliJfeZPbOL0xY8R4Ac ++fKMAzQnfwL0kikOkWw5OnCjVVCz6FR9FGK2E88eOc9JF7C5wXT3WYPgqraNgXSpbiB tqkJk/Cx4bcAHJgSXGP2H33Qu0Bto0cYAmiiTt/ZXJQEkLtsUg0REvqa9FDE1txap8cG VmIg==
X-Gm-Message-State: AElRT7GQ14bIGIFfu6Ar7kQ3sYHcLBpS9tLk+IOKsvWXR3vLt63dm4Eh SDD0ghY2dWnPYA8hXhhUD95PTguZkG0FlxHP+6Q=
X-Google-Smtp-Source: AG47ELuw2ED7bTQGZYvhCsheAO7x2s6tTP1C8mA38pXrWe3AbH34f06V63gI0BlVKbP1Gz32ICFXjUIV0H0I8Itni/Y=
X-Received: by 10.107.6.163 with SMTP id f35mr27796291ioi.165.1521898164300; Sat, 24 Mar 2018 06:29:24 -0700 (PDT)
MIME-Version: 1.0
References: <7fd34142-2e14-e383-1f65-bc3ca657576c@huitema.net> <CAN1APde8cps+dt+87_naDc+LOc6Eyo8=d222a8fP8DqRW92+RA@mail.gmail.com>
In-Reply-To: <CAN1APde8cps+dt+87_naDc+LOc6Eyo8=d222a8fP8DqRW92+RA@mail.gmail.com>
From: Mikkel Fahnøe Jørgensen <mikkelfj@gmail.com>
Date: Sat, 24 Mar 2018 13:29:13 +0000
Message-ID: <CAN1APddex7bOBK9NJ-eYH+c3rLQdif=4z8x+TG_Vhu6OcfVh0Q@mail.gmail.com>
Subject: Re: Hardware acceleration and packet number encryption
To: Christian Huitema <huitema@huitema.net>
Cc: IETF QUIC WG <quic@ietf.org>, "Deval, Manasi" <manasi.deval@intel.com>
Content-Type: multipart/alternative; boundary="001a113e06a277b7f80568288746"
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic/szM4ymBBDPkIyHelSyKhIGmpJqA>
X-BeenThere: quic@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Main mailing list of the IETF QUIC working group <quic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic>, <mailto:quic-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic/>
List-Post: <mailto:quic@ietf.org>
List-Help: <mailto:quic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic>, <mailto:quic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 24 Mar 2018 13:29:27 -0000

BTW: segmented packet numbers also provides convenient support for
multi-core packet generation because each core could have its own segment,
even on the same path. It can encrypt without conflict with peer cores on
the same connection and without inducing false packet reordering. As
mention in the github issue a sender can also alternate between segments to
defend against optimistic ACK without introducing packet gaps. Thus, all
gaps are losses or reodering.

On Sat, Mar 24, 2018 at 1:57 PM Mikkel Fahnøe Jørgensen <mikkelfj@gmail.com>
wrote:

>
> see reply below
>
> On Sat, Mar 24, 2018 at 1:19 PM Christian Huitema <huitema@huitema.net>
> wrote:
> ...
>
>>  packet number encryption as specified would make
>> acceleration of Quic difficult to implement on Intel's hardware. She was
>> trying to convince us that privacy is an unattainable goal, and that we
>> should just as well ditch the linkability requirement in order to
>> facilitate hardware acceleration.
>
>
> I also believe that privacy is a wild goose chase. There is no reason to
> expose more
> necessary, but we risk limiting the protocol design more than it is worth.
>
> Even without HW accellaration, modifying a buffer in-place can affect CPU
> cache
> performance and synchronization on multi-core systems, and it adds latency
> - which
> might be small in todays typical use case, but not necessarily in special
> cases or in the future.
> Crypto might get faster, but possibly by adding parallelism with higher
> latency and packet number
> encryption cannot be parallized.
>
>
>> Using separate packet number for each path would prevent linkability and
>> facilitate acceleration, but it makes the protocol and the software
>> significantly more complex. It requires using different keys or IV for
>> different paths, and it also require management of several sequence
>> number spaces.
>
>
> This is largely what I have proposed in Segmented Packet Numbers
> https://github.com/quicwg/base-drafts/issues/1105
>
> The idea is that the packet number itself is larger than the wire
> transmission. The high bits are hidden from the packet header
> but are included internally and in ACK frames (using some varlen
> encoding). This will naturally sort ACK's per path and give
> a largest ACK'ed per path. There would be no total ordering which might be
> a problem with some designs relying on
> "everyting send before" such as new path id's. It wold allow for packet
> numbers larger than 64 bit. In ACK only the first packet number in a block
> is sent explicitly so there is a natural compression.
>
> Yes, it complicates the design slighty but it gives you a lot of automatic
> per path ACK RTT data and sidesteps the issue with encryption
> and also provides easy monitoring to middleware - data that they could
> infer less reliably on their own in most cases, so no loss of privacy.
>
> I like the simplicity of packet number encryption but due to how it needs
> to be implemented I'm no longer believing that this is a great idea.
>
> Mikkel
>

v2.23.0 | Report a Bug | By Email