Re: Greasing more of QUIC
Jana Iyengar <jri@google.com> Thu, 07 December 2017 07:38 UTC
Return-Path: <jri@google.com>
X-Original-To: quic@ietfa.amsl.com
Delivered-To: quic@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A29F91292CE for <quic@ietfa.amsl.com>; Wed, 6 Dec 2017 23:38:37 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WGXeinEnl2ic for <quic@ietfa.amsl.com>; Wed, 6 Dec 2017 23:38:35 -0800 (PST)
Received: from mail-yb0-x231.google.com (mail-yb0-x231.google.com [IPv6:2607:f8b0:4002:c09::231]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 989DC1292AE for <quic@ietf.org>; Wed, 6 Dec 2017 23:38:35 -0800 (PST)
Received: by mail-yb0-x231.google.com with SMTP id 5so2621189ybp.4 for <quic@ietf.org>; Wed, 06 Dec 2017 23:38:35 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=UxOVzKipo27o7YsMqR235XQtfep54HecRFddeU1UAK8=; b=Ye8K4MpcTz43ptLcOC2KnHhHDJVnqOXaQyFYXrHU63U6uQWYptcAFevZYBjmGaULfD KewHgVAiWxUx3d1oXgsEBMdcCkK6aBKkyKzhlu4uuf4gWOpLyvv+6gt3WVsbX5mVb6aw uOhIHujbWxALBXB3cYgA94YxUgn77z0vX6i5EmkKRyjAhwj/sH67tfchnOY+26fY1xSI U2mM3Tw8RkUq/YbKniJ4yOQoV3Bsrw1qOD3++LRl9/zdja8yHLl14+7+9p48sfjsw3AI fr0TEDBN892pcxWeUY+DsDWA5Kb7A01skpL7JeUgnIdYPEyxdvKgQBqqcxHcvE2KucVi 2CPA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=UxOVzKipo27o7YsMqR235XQtfep54HecRFddeU1UAK8=; b=XZoE5LcaiPw+FOZLHaCJOqqh3dfIg0Rj9bl40d7Udkp2Dd3VfDqQt6cXHijDBH2tO4 bmAJG61hS+AkA/5HtaPzYjh17cIkoycitNdqyugoUwkJsSUN7kcxEq1yomyr4sMRQvtT dttM8C/U11iEisB+8pg/6djynI8KrmaaYY9qhXNsX5Qtx4l8kJrlQKYbC7UaB0h7ZM8t rDwR0fWSF1KcCXVYxIxPmpILb/rif558iBRMs4uTJI3Yc3bYJ0twOeelcyI4REtqfOnG ZwY2ajgIm8kJ214c3jGHjfUc7dflS/CaK4VHfYKZncUclnpp/xL0duY9SkEvTCw2MjRe GfSA==
X-Gm-Message-State: AKGB3mJQWcbWbAe46UQbvUvSHrOzIBEd94fxY+5lIB0p/K6eqC18w4Yx Y1rz/EUns91XluMaoO7oE2NH9mrZd7gHxe4wiumcsg==
X-Google-Smtp-Source: AGs4zMZbLyNU+KYe5Foi44EmET+SaG+ZP/qSba0ZyZN9WqEbTsQCWXRU/3EcomA1S+6JK668w2fYK9n/uHL1DVv8sG8=
X-Received: by 10.37.230.216 with SMTP id d207mr2941433ybh.290.1512632314316; Wed, 06 Dec 2017 23:38:34 -0800 (PST)
MIME-Version: 1.0
Received: by 10.37.42.78 with HTTP; Wed, 6 Dec 2017 23:38:33 -0800 (PST)
In-Reply-To: <CABkgnnUxr3cAv81m5PfzRb+LWbiUq1qaASMnLkG+hEokHR714A@mail.gmail.com>
References: <CABkgnnUxr3cAv81m5PfzRb+LWbiUq1qaASMnLkG+hEokHR714A@mail.gmail.com>
From: Jana Iyengar <jri@google.com>
Date: Wed, 06 Dec 2017 23:38:33 -0800
Message-ID: <CAGD1bZZfvQ_6Phs5Gtw4Q5rqHFNBeGGytoxMFrafLeEewGjnMg@mail.gmail.com>
Subject: Re: Greasing more of QUIC
To: Martin Thomson <martin.thomson@gmail.com>
Cc: QUIC WG <quic@ietf.org>
Content-Type: multipart/alternative; boundary="94eb2c0a7faac5d4ed055fbb279a"
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic/yQs099JBh0tQBvLSNQqZmhwDcLg>
X-BeenThere: quic@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Main mailing list of the IETF QUIC working group <quic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic>, <mailto:quic-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic/>
List-Post: <mailto:quic@ietf.org>
List-Help: <mailto:quic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic>, <mailto:quic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 07 Dec 2017 07:38:38 -0000
Martin, Thanks for writing this up! One main thought as I read the draft. I suspect the mechanisms here are a bit heavyweight for the greasing model I had in mind. The model I had in mind was that a middlebox that cared to read the spec would be able to interpret the packet types, but it couldn't from simply looking on the wire. I don't think we want to use a per-connection key, as load balancers will want to know the packet type and won't have the connection keys. Visibility for middleboxes is the reason we didn't encrypt the packet types in the first place. If you wanted to do a PRP based on this weaker model you'd end up using a known key per version, documented in the draft. Of course, the problem here is that you don't grease any values since the same permutation is used for a given version, and the permuted packet types remain fixed for the version. You could combine the version-specific key with something from the packet, perhaps the packet number (not the entire 64-bit number, only the visible part on the wire, for stateless middlebox operation), to permute the packet type, giving you more useful greasing. Alternatively, for this model of greasing I have in mind, all you need is to cover the entire space of possible types, not encrypt the packet type. A simple method would be, for instance, to use the result of (packet number % packet type). This has the unfortunate property that the packet type will basically start at a random point in its space but increment by one during the bulk of the connection, since most packets will use a single packet type (short header with 2-byte packet number). We can fix that somewhat by adding a random additive, also documented per version, after the mod operation: (packet number % packet type + random additive). This has the property that for consequent packets with the same packet type but increasing packet number, the resulting packet type will start at a random value per connection (since initial packet number is random) , and will increase by a fixed value for any given version. This is just me thinking off the top of my head, but that's roughly what I had in mind. It obviously assumes a weaker form of greasing than the ones in your draft is desirable. Thoughts? - jana On Wed, Dec 6, 2017 at 9:03 PM, Martin Thomson <martin.thomson@gmail.com> wrote: > I've sort of promised a few times, to a few people, that I'd write up > the state of play regarding greasing. I just did that and it got > somewhat lengthy. So I decided that I'd put the words in a draft. > Sorry. That's what you get when publishing drafts gets easier... > > https://datatracker.ietf.org/doc/html/draft-thomson-quic-grease > > Based on this, I'm a little more enthusiastic about protecting packet > numbers, mainly for the secondary benefits that come with it. But > I'll let others reach their own conclusions about that. > >
- Greasing more of QUIC Martin Thomson
- Re: Greasing more of QUIC Jana Iyengar
- Re: Greasing more of QUIC Brian Trammell (IETF)
- Re: Greasing more of QUIC Martin Thomson
- Re: Greasing more of QUIC Martin Thomson
- Re: Re: Greasing more of QUIC alexandre.ferrieux
- Re: Re: Greasing more of QUIC Mikkel Fahnøe Jørgensen
- Re: Greasing more of QUIC alexandre.ferrieux