IETF Logo Mail Archive

RE: Packet number encryption

Praveen Balasubramanian <pravb@microsoft.com> Sun, 04 February 2018 19:55 UTC

Return-Path: <pravb@microsoft.com>
X-Original-To: quic@ietfa.amsl.com
Delivered-To: quic@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E6D8B129C59 for <quic@ietfa.amsl.com>; Sun, 4 Feb 2018 11:55:56 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.011
X-Spam-Level:
X-Spam-Status: No, score=-3.011 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H5=-1, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=microsoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vrQ_OpHqr4n2 for <quic@ietfa.amsl.com>; Sun, 4 Feb 2018 11:55:55 -0800 (PST)
Received: from NAM03-CO1-obe.outbound.protection.outlook.com (mail-co1nam03on0107.outbound.protection.outlook.com [104.47.40.107]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D80CE129C51 for <quic@ietf.org>; Sun, 4 Feb 2018 11:55:54 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=R7Cp8lAZU/emGWL0N9u/k8A918+n/ZQUWF4mEuEHVDc=; b=fH9gDTsYOa3n82YEgWsOBiuG8kM8EZIUqMY6NohrPQTwHj7YIG5Dq+CsNsUnXvbh4XS982cASGuXqy7vLtyn8qc/GygOtUN0lmox2pxfrz6ZVT2d/KP/Iy7aA9eiQIh+qRMRyqp3Sn2tDFxjBgXFs1+pwo+W82BKK20oUanA7ks=
Received: from CY4PR21MB0133.namprd21.prod.outlook.com (10.173.189.15) by CY4PR21MB0821.namprd21.prod.outlook.com (10.173.192.7) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.506.3; Sun, 4 Feb 2018 19:55:52 +0000
Received: from CY4PR21MB0133.namprd21.prod.outlook.com ([10.173.189.15]) by CY4PR21MB0133.namprd21.prod.outlook.com ([10.173.189.15]) with mapi id 15.20.0485.000; Sun, 4 Feb 2018 19:55:52 +0000
From: Praveen Balasubramanian <pravb@microsoft.com>
To: huitema <huitema@huitema.net>
CC: "quic@ietf.org" <quic@ietf.org>, Gorry Fairhust <gorry@erg.abdn.ac.uk>, Eric Rescorla <ekr@rtfm.com>, Brian Trammell <ietf@trammell.ch>, "Lubashev, Igor" <ilubashe@akamai.com>, Roberto Peon <fenix@fb.com>, "Fossati, Thomas (Nokia - GB/Cambridge, UK)" <thomas.fossati@nokia.com>, "Roni Even (A)" <roni.even@huawei.com>, Mirja Kühlewind <mirja.kuehlewind@tik.ee.ethz.ch>, Jana Iyengar <jri@google.com>, "Eggert, Lars" <lars@netapp.com>, Martin Thomson <martin.thomson@gmail.com>, Piotr Galecki <piotr_galecki@affirmednetworks.com>
Subject: RE: Packet number encryption
Thread-Topic: Packet number encryption
Thread-Index: AQHTmW31V+0GAWpR/E2VqOCVLx9SYqOMgUQAgABeoYCAAAgUAIAAd3KAgAA8YgCAACPEAIAAAiYAgAOBloCAALfdgIAACBkAgAEGGACAANx9AIAAn5KAgAAGR4CAAAydAIAAEZUggAAE3oCAAABVoA==
Date: Sun, 04 Feb 2018 19:55:52 +0000
Message-ID: <CY4PR21MB01339A0AD4FCF660365C4E54B6FF0@CY4PR21MB0133.namprd21.prod.outlook.com>
References: <BF80500A-6277-45DC-8525-9C3FE138B76D@tik.ee.ethz.ch> <5A7191E0.6010003@erg.abdn.ac.uk> <5214AD93-8376-4B25-922F-AF5551CC2E95@netapp.com> <F990E064-E6F8-41A3-B791-F776C9955E15@nokia.com> <CAGD1bZab0GaZFsHwC+nw3AxxC4VusxMJ6oDanzk3dSDdWKAXdw@mail.gmail.com> <2C515BE8694C6F4B9B6A578BCAC32E2F83BA1443@MBX021-W3-CA-2.exch021.domain.local> <BY2PR15MB07757473DB9788558B902EB5CDF80@BY2PR15MB0775.namprd15.prod.outlook.com> <6E58094ECC8D8344914996DAD28F1CCD861B7F@DGGEMM506-MBX.china.huawei.com> <e529144067624fcba636fc8c24ee3ff4@usma1ex-dag1mb5.msg.corp.akamai.com> <888DE2C2-4EDA-445A-B08F-76DD016C9CA0@huitema.net> <20180204182550.GA19526@1wt.eu> <CY4PR21MB0133E20F8C20889A477CDB67B6FF0@CY4PR21MB0133.namprd21.prod.outlook.com> <938555E5-F328-41B0-B61F-09FC02B84397@huitema.net>
In-Reply-To: <938555E5-F328-41B0-B61F-09FC02B84397@huitema.net>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [2001:4898:80e8:5::712]
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1; CY4PR21MB0821; 7:zxxUFRQLeB1lnfl+Qwfb2ZHyzuYAygMYDhxnATg/SyYFQrhqHQDu/WtFMC3rNab2fGckKqGam3WAc9X9d/tSVvgTTFIXLjzUVc6CotVVKsrFcOaRTcQhCVblXuI6vINI8a5TzbdK9BYChFU7Ab+TAfwHrs4N15xYQBVmtXt3PH/sxndWyhQ+nw1AR308jQdf54piKe/Gl5OqnX55I51aBypV22UGVjc8sRTC3TpjPHsqHGviay8WNgDjdWi1ZVLk
x-ms-exchange-antispam-srfa-diagnostics: SSOS;
x-ms-office365-filtering-ht: Tenant
x-ms-office365-filtering-correlation-id: af4b4228-cc10-42a8-f055-08d56c094bf8
x-microsoft-antispam: UriScan:(130329453890623); BCL:0; PCL:0; RULEID:(7020095)(4652020)(48565401081)(4534165)(4627221)(201703031133081)(201702281549075)(5600026)(4604075)(3008032)(2017052603307)(7193020); SRVR:CY4PR21MB0821;
x-ms-traffictypediagnostic: CY4PR21MB0821:
x-ld-processed: 72f988bf-86f1-41af-91ab-2d7cd011db47,ExtAddr
x-microsoft-antispam-prvs: <CY4PR21MB0821644D6EC6330D371827B1B6FF0@CY4PR21MB0821.namprd21.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(28532068793085)(72170088055959)(89211679590171)(192374486261705)(50582790962513)(82608151540597)(85827821059158)(67672495146484)(211936372134217)(153496737603132);
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(61425038)(6040501)(2401047)(8121501046)(5005006)(3002001)(3231101)(2400082)(944501161)(10201501046)(93006095)(93001095)(6055026)(61426038)(61427038)(6041288)(20161123558120)(20161123560045)(201703131423095)(201702281528075)(20161123555045)(201703061421075)(201703061406153)(20161123562045)(20161123564045)(6072148)(201708071742011); SRVR:CY4PR21MB0821; BCL:0; PCL:0; RULEID:; SRVR:CY4PR21MB0821;
x-forefront-prvs: 05739BA1B5
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(366004)(346002)(39380400002)(376002)(39860400002)(396003)(13464003)(189003)(199004)(186003)(59450400001)(105586002)(478600001)(7736002)(86362001)(6246003)(53546011)(93886005)(6116002)(305945005)(316002)(76176011)(97736004)(8656006)(10090500001)(74316002)(3480700004)(99286004)(6346003)(102836004)(39060400002)(7696005)(2906002)(86612001)(7416002)(2950100002)(8936002)(6916009)(9686003)(3660700001)(8676002)(33656002)(5660300001)(2900100001)(4326008)(77096007)(81156014)(6436002)(81166006)(14454004)(106356001)(25786009)(6506007)(10290500003)(3280700002)(55016002)(22452003)(229853002)(8990500004)(68736007)(53936002)(7116003)(54906003); DIR:OUT; SFP:1102; SCL:1; SRVR:CY4PR21MB0821; H:CY4PR21MB0133.namprd21.prod.outlook.com; FPR:; SPF:None; PTR:InfoNoRecords; MX:1; A:1; LANG:en;
received-spf: None (protection.outlook.com: microsoft.com does not designate permitted sender hosts)
authentication-results: spf=none (sender IP is ) smtp.mailfrom=pravb@microsoft.com;
x-microsoft-antispam-message-info: jiEOOi7amHxvJDEgq6+lxpLtMh8lo1GhlOSR86Utk03YxLIJ2GERzaXCvfipy0NmVti8M8z1kDsgGxAtXihPZg==
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
X-MS-Exchange-CrossTenant-Network-Message-Id: af4b4228-cc10-42a8-f055-08d56c094bf8
X-MS-Exchange-CrossTenant-originalarrivaltime: 04 Feb 2018 19:55:52.6663 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47
X-MS-Exchange-Transport-CrossTenantHeadersStamped: CY4PR21MB0821
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic/tdxAMxzWWM7n76i1brAHtObyYcY>
X-BeenThere: quic@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Main mailing list of the IETF QUIC working group <quic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic>, <mailto:quic-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic/>
List-Post: <mailto:quic@ietf.org>
List-Help: <mailto:quic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic>, <mailto:quic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 04 Feb 2018 19:55:57 -0000

Ok this answers my question that this is targeted at the migration scenario. 

If jumps are random and cryptographically seeded I don't understand why there would be a pattern. We already use this type of mechanism for TCP ISN and IP header Identification fields. The adversary could also use the side channel timing attack of just observing the sending and receiving application rate for correlation between the two paths (after factoring in the RTT). 

If independent sequence space (with randomization) can work just as well I'd rather pick that over encryption for efficiency reasons. It should solve ossification but I am not a privacy expert.

-----Original Message-----
From: Christian Huitema [mailto:huitema@huitema.net] 
Sent: Sunday, February 4, 2018 11:46 AM
To: Praveen Balasubramanian <pravb@microsoft.com>
Cc: quic@ietf.org; Gorry Fairhust <gorry@erg.abdn.ac.uk>; Eric Rescorla <ekr@rtfm.com>; Brian Trammell <ietf@trammell.ch>; Lubashev, Igor <ilubashe@akamai.com>; Roberto Peon <fenix@fb.com>; Fossati, Thomas (Nokia - GB/Cambridge, UK) <thomas.fossati@nokia.com>; Roni Even (A) <roni.even@huawei.com>; Mirja Kühlewind <mirja.kuehlewind@tik.ee.ethz.ch>; Jana Iyengar <jri@google.com>; Eggert, Lars <lars@netapp.com>; Martin Thomson <martin.thomson@gmail.com>; Piotr Galecki <piotr_galecki@affirmednetworks.com>
Subject: Re: Packet number encryption



> On Feb 4, 2018, at 9:31 AM, Praveen Balasubramanian <pravb@microsoft.com> wrote:
> 
> From the charter "This work will ensure that QUIC has security and privacy properties that are at least as good as a stack composed of TLS 1.3  using TCP (or MPTCP when using multipath)."
> 
> Is the discussion mainly focused on connection migration which is not present in TCP? There seem to be bigger privacy problems due to DNS and TLS SNI extension so in real deployments will packet number encryption add value other than preventing ossification? 

Yes, we need to fix the SNI issue. Clear text ALPN too. But should not prevent us from fixing everything else.

> 
> Is a cryptographically secure random initial packet number and random (forward) jumps in packet number not good enough to prevent ossification? The missing packet number range due to the forward jump could be communicated in the encrypted payload so the receiver knows they are not missing.
> 

No, random jumps are not enough. It turns out that during migration packets are often sent simultaneously on both paths. The pattern of increases and holes is enough to correlate the two paths.

In practice there are two possible designs: packet number encryption as currently documented; or, independent sequence number space and encryption context for each path. Both work. The one we have is significantly easier to implement. The other exposes the sequence number, which may ease network monitoring but also could drive ossification.

Now is a good time to have this discussion.

-- Christian Huitema

v2.23.0 | Report a Bug | By Email