IETF Logo Mail Archive

Re: Privacy holes (was: Re: Getting to consensus on packet number encryption)

Martin Thomson <martin.thomson@gmail.com> Fri, 06 April 2018 02:34 UTC

Return-Path: <martin.thomson@gmail.com>
X-Original-To: quic@ietfa.amsl.com
Delivered-To: quic@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B4918124F57 for <quic@ietfa.amsl.com>; Thu, 5 Apr 2018 19:34:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level:
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id olBeAjBXlH_K for <quic@ietfa.amsl.com>; Thu, 5 Apr 2018 19:34:18 -0700 (PDT)
Received: from mail-oi0-x232.google.com (mail-oi0-x232.google.com [IPv6:2607:f8b0:4003:c06::232]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C2FCD124235 for <quic@ietf.org>; Thu, 5 Apr 2018 19:34:18 -0700 (PDT)
Received: by mail-oi0-x232.google.com with SMTP id e123-v6so24277783oih.13 for <quic@ietf.org>; Thu, 05 Apr 2018 19:34:18 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=B4S2L7rOpGj8GK+anUr+P8KMtOnvYvr0pr1J2nScrg8=; b=SffIVPhEuvCYPfqgcHdwSZ65EpM5J/KGYOkyMIc5KLWZ26/qwmAWCA0Lad8loPLD4B cx4qHvE/4DJFENJcR8J4Ft03pbMLQbsixKJVwzM8EJQLcpOK/AnxJCuzk4JXV35c6KnT jYZrDHiRI7WIxTML3AIYGq1pDo0t2TbLwD8BD0HccEVpHBQRreNgzsd7lJaDCtD+Pl6f /QAs7XW+uEU6hRpdEJSwgJCvraVVxLO5P0I8QkglISZ2eXfLrd+2GZ4JdOO4Nrdwq1Sl jgDFwv/6WbvD2s9x5UhAgiVRr88+A0uiRC00zifBWCO7qiYaQyM/RtwSCMITJT1bCJOq vn4g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=B4S2L7rOpGj8GK+anUr+P8KMtOnvYvr0pr1J2nScrg8=; b=mBdzJFvogdFujSPfYoU8c3UqKzb3uLd5Oh1Ykr9mP0CXMD+SRkvRPdCdMqCy/lYDe8 x3ZI/qqopI/71gQCNREWoDMWSziJlTfynNCzLsRBYLafF1tvmPurZe5BapT/OxCgfBoQ Qo73YYYXNz4qs+8jRkK1IskhXrL2OF5UW0IeSJCAEgb6+a9tlF28zEiqAi8xgnIvFm/P +zIReEopyFn8ZRAdv9dlS7M1FJPzYdvwX59c3HuuVZlRMs+YWtZ350KhKxUbl71Ai12Q 6RMy3eFR7Q/QCapluHAmXjyBafqb74o0VFh/v1lwXQc8Dxp1M7o6ZbJL4q15ktM5aSB5 xk+A==
X-Gm-Message-State: ALQs6tAzgm5R6C2xhrcSrRcFafS+nYLwh0D423rITylUmCGCRN55V+pp VCHv0hs8p04tp5OBDdFJJCf88hzT2oyUJpUQyGU=
X-Google-Smtp-Source: AIpwx4/0BpSF4UaZCUmPLB65E6vAoG4W2ZKwEeB+PmwL1uPhEzou7fXI+Dx36k4qyQmOH0u6JgZDQdGYfEp6+8ND1SE=
X-Received: by 2002:aca:4ac2:: with SMTP id x185-v6mr13275175oia.295.1522982058011; Thu, 05 Apr 2018 19:34:18 -0700 (PDT)
MIME-Version: 1.0
Received: by 2002:a9d:ac7:0:0:0:0:0 with HTTP; Thu, 5 Apr 2018 19:34:17 -0700 (PDT)
In-Reply-To: <CANatvzwKCqHQB1Mvp0K+Ref507s3YZCzV0xK=SgM9mAyA7s7yg@mail.gmail.com>
References: <7fd34142-2e14-e383-1f65-bc3ca657576c@huitema.net> <BBB8D1DE-25F8-4F3D-B274-C317848DE872@akamai.com> <CAN1APdd=47b2eXkvMg+Q_+P254xo4vo-Tu-YQu6XoUGMByO_eQ@mail.gmail.com> <CAKcm_gMpz4MpdmrHLtC8MvTf5uO9LjD915jM-i2LfpKY384O2w@mail.gmail.com> <HE1PR0702MB3611A67E764EE1C7D1644FAD84AD0@HE1PR0702MB3611.eurprd07.prod.outlook.com> <d8e35569-e939-4064-9ec4-2cccfba2f341@huitema.net> <CACpbDccqKoF-Y1poHMN2cLOK9GOuvtMTPsF-QEen3b30kUo9bg@mail.gmail.com> <CAKcm_gNffwpraF-H2LQBF33vUhYFx0bi_UXJ3N14k4Xj4NmWUw@mail.gmail.com> <40C1F6FE-2B2C-469F-8F98-66329703ED50@mnot.net> <21C36B57-6AE2-40EF-9549-7196D7FA9B45@tik.ee.ethz.ch> <B176FC07-887D-4135-B01E-FE8B4986A5EE@mnot.net> <CAKcm_gOCeocLyrYpOS7Ud332xdz3xHSH0psPN8T6BGRjoL9ptQ@mail.gmail.com> <CY4PR21MB0630FA0EDD343396AD414641B6A40@CY4PR21MB0630.namprd21.prod.outlook.com> <CAN1APde13JTzCvKFFvMd183Fka6QGD1kGBjsa9fcoLrYeA2hsA@mail.gmail.com> <CY4PR21MB0630C0FD4FBECBFEC3C863BBB6A40@CY4PR21MB0630.namprd21.prod.outlook.com> <759C5BE4-DE4C-4A82-929C-B03234B88A37@huitema.net> <CAJGwveB=qs+J2iBQRs3d5jdGuP9yBWoAgv0t3mwD=Wrf6Q5g8g@mail.gmail.com> <F395D018-FFCA-405F-BBD5-1313C6F6DAF9@huitema.net> <CABkgnnWAgGJaKs8teKTURiNDRA61fRhN6pxYQuD1MbkPDqasKQ@mail.gmail.com> <CANatvzwKCqHQB1Mvp0K+Ref507s3YZCzV0xK=SgM9mAyA7s7yg@mail.gmail.com>
From: Martin Thomson <martin.thomson@gmail.com>
Date: Fri, 06 Apr 2018 12:34:17 +1000
Message-ID: <CABkgnnWzoL47g3WcWhP549ssP8p65tQMMKQmBD0taymD1A4EfQ@mail.gmail.com>
Subject: Re: Privacy holes (was: Re: Getting to consensus on packet number encryption)
To: Kazuho Oku <kazuhooku@gmail.com>
Cc: Christian Huitema <huitema@huitema.net>, QUIC WG <quic@ietf.org>, Mirja Kühlewind <mirja.kuehlewind@tik.ee.ethz.ch>, Frederick Kautz <fkautz@alumni.cmu.edu>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic/vGIycDttrEE203Aonj-n1Yqds3c>
X-BeenThere: quic@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Main mailing list of the IETF QUIC working group <quic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic>, <mailto:quic-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic/>
List-Post: <mailto:quic@ietf.org>
List-Help: <mailto:quic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic>, <mailto:quic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 06 Apr 2018 02:34:21 -0000

On Fri, Apr 6, 2018 at 12:06 PM, Kazuho Oku <kazuhooku@gmail.com> wrote:
> If I understand correctly, Christian's concern is that some middleboxes
> might only create a hole if the first packet sent by a client (using a new
> port) looks like a Initial packet.

Oh, I didn't get the same impression, but it does seem like a valid
concern.  The idea I had was to have clients migrate often enough that
those middleboxes will see those migrations and not incorrectly assume
that flows have to start with Initial packets.

Of course, migrating often like this might not provide enough
incentive to avoid that practice because clients will likely make new
connections when the old one fails.  But given that this sort of
failure probably involves a timeout before the repair, it's probably
still noticeable enough to generate support tickets (and incentive to
allow the migration to pass).

Existing middleboxes that pass UDP will be fine, so we at least have
that in our favour.

> 1. frequent gratuitous migration by clients, so that middlebox vendors can
> notice that there design is wrong prior to shipping it

That is what this was angling for.  The question being how frequent.

> 3. mimic 0-RTT handshake when gratuitously switching to a new UDP flow
> (depends on #1262)
>
> 1 and 2 have been discussed on this thread. I haven't yet seen 3 being
> discussed.

It has been suggested a few times elsewhere.  The question is how far
you go: do you send Initial and Handshake packets that use the
handshake packet protection and carry apparently real ClientHello and
ServerHello messages?  Do you restrict the flow of packets to match
0-RTT?

> The concerns so far being raised for 1 is that NATs might run out of
> unassigned ports and that switching to a new path might trigger the restart
> of congestion control on large-scale NATs that use multiple public
> addresses.

That is possible, but it depends on how often you attempt this.  CGNAT
does try to keep IP addresses for the same device stable.  If not,
then a congestion controller reset for relatively infrequent
migrations isn't so bad if heuristics fail.  It's only when you have
very frequent migration that the resets becomes burdensome.

> The concern so far being raised for 2 is that stateless load balancers would
> be required to decrypt the type field (or the entire packet, depending on
> how we encrypt) to determine if a packet is trying to initiate a new
> connection.

Yeah, that's hard.  Having the load balancer hit the slow path for
every packet seems pretty fatal.

v2.23.0 | Report a Bug | By Email