IETF Logo Mail Archive

RE: Packet number encryption

Praveen Balasubramanian <pravb@microsoft.com> Wed, 07 February 2018 02:04 UTC

Return-Path: <pravb@microsoft.com>
X-Original-To: quic@ietfa.amsl.com
Delivered-To: quic@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5B9AE12D0C3 for <quic@ietfa.amsl.com>; Tue, 6 Feb 2018 18:04:16 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Level:
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=microsoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LIdonMn3DTXm for <quic@ietfa.amsl.com>; Tue, 6 Feb 2018 18:04:13 -0800 (PST)
Received: from NAM03-BY2-obe.outbound.protection.outlook.com (mail-by2nam03on0114.outbound.protection.outlook.com [104.47.42.114]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1AB2F12D859 for <quic@ietf.org>; Tue, 6 Feb 2018 18:04:12 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=PbenjYuY3mRatT8o/Pvhiv9+oo6nAi20xUMfdYL7j6w=; b=RpmJPNPZC80Q8P3Tc5/NGTKWlzBj1oj2RKONmeuQ+I1xZ3YlruzZsx87XrXZSgAOwa4ScaqWzki3LSVqjXiJiZS5JuCWPQCAHGzRzw12VBvGNCStL2KU4pQT+lhGwmWJvycYvgr88UWZly4/w8qlu0EfgfJnj3MfRxVBzR81FJ0=
Received: from CY4PR21MB0133.namprd21.prod.outlook.com (10.173.189.15) by CY4PR21MB0471.namprd21.prod.outlook.com (10.172.121.149) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.506.4; Wed, 7 Feb 2018 02:04:10 +0000
Received: from CY4PR21MB0133.namprd21.prod.outlook.com ([10.173.189.15]) by CY4PR21MB0133.namprd21.prod.outlook.com ([10.173.189.15]) with mapi id 15.20.0485.000; Wed, 7 Feb 2018 02:04:10 +0000
From: Praveen Balasubramanian <pravb@microsoft.com>
To: Ian Swett <ianswett@google.com>, Eric Rescorla <ekr@rtfm.com>
CC: Jana Iyengar <jri@google.com>, QUIC WG <quic@ietf.org>, "Lubashev, Igor" <ilubashe@akamai.com>, Roberto Peon <fenix@fb.com>, Mike Bishop <mbishop@evequefou.be>, "Salz, Rich" <rsalz@akamai.com>, Mirja Kühlewind <mirja.kuehlewind@tik.ee.ethz.ch>, Mikkel Fahnøe Jørgensen <mikkelfj@gmail.com>, "Brian Trammell (IETF)" <ietf@trammell.ch>, Stephen Farrell <stephen.farrell@cs.tcd.ie>
Subject: RE: Packet number encryption
Thread-Topic: Packet number encryption
Thread-Index: AQHTmW31V+0GAWpR/E2VqOCVLx9SYqOMgUQAgABeoYCAAAgUAIAAd3KAgAA8YgCAACPEAIAAAiYAgAOBloCAALfdgIAACBkAgAEGGACAANx9AIAAn5KAgAB7w4CAADUigIAADBeAgADUsaCAAGk3gIAAEEgAgACizACAADhiAIAAHkiAgAADUYCAACdFAIAAVRYAgAAUZQCAAA5oAIAAD4fQ
Date: Wed, 07 Feb 2018 02:04:10 +0000
Message-ID: <CY4PR21MB0133CCAA6807469BA983D00BB6FC0@CY4PR21MB0133.namprd21.prod.outlook.com>
References: <CABkgnnVyo3MmWtVULiV=FJTnR528qfY8-OmKGWAs0bCvri-a_g@mail.gmail.com> <2C515BE8694C6F4B9B6A578BCAC32E2F83BA1443@MBX021-W3-CA-2.exch021.domain.local> <BY2PR15MB07757473DB9788558B902EB5CDF80@BY2PR15MB0775.namprd15.prod.outlook.com> <6E58094ECC8D8344914996DAD28F1CCD861B7F@DGGEMM506-MBX.china.huawei.com> <e529144067624fcba636fc8c24ee3ff4@usma1ex-dag1mb5.msg.corp.akamai.com> <BY2PR15MB07754D83A1721F2BD742359BCDFE0@BY2PR15MB0775.namprd15.prod.outlook.com> <2CD9DC43-D69B-43F0-8474-DFE798850A52@akamai.com> <CAGD1bZaUuNxqpDkn62B0wWcFD8=mCUWrAwWGG-rAOxH7Mf1=cQ@mail.gmail.com> <CY4PR21MB01334E30C7AF6AE75F58EEFDB6FE0@CY4PR21MB0133.namprd21.prod.outlook.com> <CAGD1bZaxrqzdkk0wxRaULwOTgg6wnrSrXNBK31s4uxdozaACBA@mail.gmail.com> <CAGD1bZbOAaSBcQw4nVtGuwRunaAW8MYHq9yPxNN6DdKHzt5HtQ@mail.gmail.com> <2102BDC2-62C0-4A76-8ADE-8167437E2D07@trammell.ch> <CAN1APde6o6=aCXuWajPFSU=jXv-ERdVHk=uyjM71uQ_uU-oMTg@mail.gmail.com> <8e833029-68b5-2787-3897-a0f7818a259f@tik.ee.ethz.ch> <1de39727-eeec-0e7a-1e8b-5ed50433c5bd@cs.tcd.ie> <MWHPR08MB2432D0216BC8FE1B0D9E3690DAFD0@MWHPR08MB2432.namprd08.prod.outlook.com> <CAGD1bZauKbucs_5n7RQbK8H2HiyfiqpGVEcKreGA6umhMBSFgg@mail.gmail.com> <CABcZeBPNrc-9vANSH02r++p53s6gN4pVB8DMd80nUxOhKTp3dA@mail.gmail.com> <CAKcm_gMvHSBhpUvsQCCkV2_o+d_wchF3R3L6H8mp6nKNaaRmSw@mail.gmail.com>
In-Reply-To: <CAKcm_gMvHSBhpUvsQCCkV2_o+d_wchF3R3L6H8mp6nKNaaRmSw@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [2001:4898:80e8:5::712]
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1; CY4PR21MB0471; 7:4rem+73jq0chZ2XmUc12nhsIJbHakR9URmGsFrhvEya2NPhp7zJkqYQ55apH+MnhTH8Dzy+g31bTtis4w4utYnw0xR7KCfsbc85szeYNe6PFKsTgF1AkZ/ajUBQPQlY2Bn7/slI+Bj6nzlG5GB5WjAidtyqxNCgWWME8DqwO0y2U/DnOdHOAi4n7XoSfPGY1dLuaC0eEiS8dtx6LBu5zt/k67yQWyDhCdaUTJOoZH2QEySlDh/J3OscGsuI8sK1E
x-ms-exchange-antispam-srfa-diagnostics: SSOS;
x-ms-office365-filtering-ht: Tenant
x-ms-office365-filtering-correlation-id: 5a9b8320-e5ca-4ea7-ff04-08d56dcf1416
x-microsoft-antispam: UriScan:; BCL:0; PCL:0; RULEID:(7020095)(4652020)(4534165)(4627221)(201703031133081)(201702281549075)(48565401081)(5600026)(4604075)(3008032)(2017052603307)(7193020); SRVR:CY4PR21MB0471;
x-ms-traffictypediagnostic: CY4PR21MB0471:
x-microsoft-antispam-prvs: <CY4PR21MB04713BFE9704B2F7C0BF9DF8B6FC0@CY4PR21MB0471.namprd21.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(28532068793085)(32856632585715)(158342451672863)(89211679590171)(85827821059158)(67672495146484)(211936372134217)(153496737603132)(21748063052155);
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(61425038)(6040501)(2401047)(5005006)(8121501046)(93006095)(93001095)(3002001)(3231101)(2400082)(944501161)(10201501046)(6055026)(61426038)(61427038)(6041288)(20161123564045)(20161123562045)(20161123558120)(201703131423095)(201702281528075)(20161123555045)(201703061421075)(201703061406153)(20161123560045)(6072148)(201708071742011); SRVR:CY4PR21MB0471; BCL:0; PCL:0; RULEID:; SRVR:CY4PR21MB0471;
x-forefront-prvs: 0576145E86
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(346002)(39860400002)(396003)(366004)(39380400002)(376002)(189003)(199004)(13464003)(316002)(33656002)(8936002)(86362001)(8676002)(81156014)(81166006)(3480700004)(236005)(9686003)(54896002)(6306002)(8990500004)(55016002)(10090500001)(53936002)(6436002)(6116002)(790700001)(6246003)(2900100001)(2906002)(105586002)(99286004)(10290500003)(229853002)(478600001)(76176011)(7116003)(77096007)(186003)(86612001)(53546011)(102836004)(6506007)(6346003)(3280700002)(3660700001)(7696005)(68736007)(22452003)(19609705001)(14454004)(93886005)(106356001)(4326008)(97736004)(25786009)(110136005)(5660300001)(54906003)(39060400002)(74316002)(7416002)(561944003)(2950100002)(7736002); DIR:OUT; SFP:1102; SCL:1; SRVR:CY4PR21MB0471; H:CY4PR21MB0133.namprd21.prod.outlook.com; FPR:; SPF:None; PTR:InfoNoRecords; MX:1; A:1; LANG:en;
received-spf: None (protection.outlook.com: microsoft.com does not designate permitted sender hosts)
authentication-results: spf=none (sender IP is ) smtp.mailfrom=pravb@microsoft.com;
x-microsoft-antispam-message-info: XRpdddNZihwYz6bF98bFn4AwaI+Auerd7HI/JbnbGWLvkLluWJT8aLGEuWSZS8cdsHI7RHtIaT4q4QU1EUcm7A==
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: multipart/alternative; boundary="_000_CY4PR21MB0133CCAA6807469BA983D00BB6FC0CY4PR21MB0133namp_"
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 5a9b8320-e5ca-4ea7-ff04-08d56dcf1416
X-MS-Exchange-CrossTenant-originalarrivaltime: 07 Feb 2018 02:04:10.4641 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47
X-MS-Exchange-Transport-CrossTenantHeadersStamped: CY4PR21MB0471
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic/ybPsnv9rjKfmWESXAcwP0bCHAS4>
X-BeenThere: quic@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Main mailing list of the IETF QUIC working group <quic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic>, <mailto:quic-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic/>
List-Post: <mailto:quic@ietf.org>
List-Help: <mailto:quic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic>, <mailto:quic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 07 Feb 2018 02:04:16 -0000

Great framing of the problem.

Proposal: Transform = Add a secure and fixed random offset to the actual packet number for the lifetime of one path. Transport level packet numbers start at 0. On wire packet number start at the offset. Client and server pick the offsets independently. Each side communicates this offset number in an encrypted frame until the first ACK. Other side subtracts the offset to figure out actual packet number and uses that to maintain receiver state and generate ACKs.


  1.  Packet number must be unlinkable across connection ID change (for migration.)
Each path gets a new secure random increment so maintains unlikability


  1.  Packet number must start at an arbitrary value, to avoid ossification of the first packet number.
True by definition for on wire packet number


  1.  Some sequencing information -- a few bits of the packet number perhaps -- should be revealed (for monitoring. Number of bits TBD.)
All of the bits are revealed on the wire and in sequence


  1.  Any packet number transformation should not be compute intensive.
Not at all compute intensive

From: Ian Swett [mailto:ianswett@google.com]
Sent: Tuesday, February 6, 2018 5:05 PM
To: Eric Rescorla <ekr@rtfm.com>
Cc: Jana Iyengar <jri@google.com>; QUIC WG <quic@ietf.org>; Praveen Balasubramanian <pravb@microsoft.com>; Lubashev, Igor <ilubashe@akamai.com>; Roberto Peon <fenix@fb.com>; Mike Bishop <mbishop@evequefou.be>; Salz, Rich <rsalz@akamai.com>; Mirja Kühlewind <mirja.kuehlewind@tik.ee.ethz.ch>; Mikkel Fahnøe Jørgensen <mikkelfj@gmail.com>; Brian Trammell (IETF) <ietf@trammell.ch>; Stephen Farrell <stephen.farrell@cs.tcd.ie>
Subject: Re: Packet number encryption

Thanks Jana, I think this is a nice framing of the problem and discussion.

On Tue, Feb 6, 2018 at 7:13 PM, Eric Rescorla <ekr@rtfm.com<mailto:ekr@rtfm.com>> wrote:


On Tue, Feb 6, 2018 at 3:00 PM, Jana Iyengar <jri@google.com<mailto:jri@google.com>> wrote:
I'm going to try a different attempt at moving towards convergence. Thinking about this some more, and picking up something that Mirja said way earlier in this thread, I think the following decomposition is useful.

1. In the transport, all packet numbers start at 0, increasing monotonically. ACK frames carry these packet numbers, and therefore do not have to span large gaps and do not have to deal with increases in the size of the largest acked. Basically, no gaps are visible within the transport processing engine.
2. Before sending a packet on the wire, and before processing the packet, QUIC transforms the packet number with some function, replacing the visible packet number with the transformed value.

I think we can all agree that (1) is goodness. A sender is also free to use packet numbers from non-contiguous spaces here FWIW, but that's entirely independent of what's visible on the wire. This helps me separate transport processing complexity from the rest of it, which I think is helpful.

I think we are disagreeing on the precise properties we want from the transformation in (2). If we can agree on these properties, we can then figure out whether it's possible and how to construct such a transform. Here's a union of what folks are concerned about:
1. Packet number must be unlinkable across connection ID change (for migration.)
2. Packet number must start at an arbitrary value, to avoid ossification of the first packet number.
3. Some sequencing information -- a few bits of the packet number perhaps -- should be revealed (for monitoring. Number of bits TBD.)

I'm not sure I am persuaded of this point

Yes, I think this seems like the largest point of contention, and #4 is the second largest concern.  Given that, I think it makes sense to try to resolve #3, if that is possible.


-Ekr

4. Any packet number transformation should not be compute intensive.

I'm not looking for a construction, but I'd like to agree on the problem first. Does this sound like the set of properties we want? Or is there a contradiction among these properties that I'm not seeing?

On Tue, Feb 6, 2018 at 9:56 AM, Mike Bishop <mbishop@evequefou.be<mailto:mbishop@evequefou.be>> wrote:
Packet number encryption *does* improve linkability equivalently to random jumps, but without the fragmentation of the ACK packet which those jumps otherwise cause.  So I'm with Stephen, we don't yet have agreement on that assertion.

-----Original Message-----
From: QUIC [mailto:quic-bounces@ietf.org<mailto:quic-bounces@ietf.org>] On Behalf Of Stephen Farrell
Sent: Tuesday, February 6, 2018 7:35 AM
To: Mirja Kühlewind <mirja.kuehlewind@tik.ee.ethz.ch<mailto:mirja.kuehlewind@tik.ee.ethz.ch>>; Mikkel Fahnøe Jørgensen <mikkelfj@gmail.com<mailto:mikkelfj@gmail.com>>; Brian Trammell (IETF) <ietf@trammell.ch<mailto:ietf@trammell.ch>>; Jana Iyengar <jri@google.com<mailto:jri@google.com>>
Cc: Praveen Balasubramanian <pravb@microsoft.com<mailto:pravb@microsoft.com>>; QUIC WG <quic@ietf.org<mailto:quic@ietf.org>>; Roberto Peon <fenix@fb.com<mailto:fenix@fb.com>>; Lubashev, Igor <ilubashe@akamai.com<mailto:ilubashe@akamai.com>>; Salz, Rich <rsalz@akamai.com<mailto:rsalz@akamai.com>>
Subject: Re: Packet number encryption


On 06/02/18 15:23, Mirja Kühlewind wrote:
>
> It's also my understanding that we do agree that packet number
> encryption does not help likability (and thereby privacy) a lot, or at
> least that the benefits we might get (or not) do not justify the
> additional complexity.

FWIW, which isn't much, I don't (yet) agree to the above.
I reckon it'll be a while before we know how linkability pans out. I do agree that packet number encryption is not a panacea for unlinkability, but it may help, or may even end up being required, to do a good job wrt linkability.

I also heard people say it was less complex for them so "additional complexity" may also not be quite right. (I guess "differently complex" is correct though.)

S.

--
PGP key change time for me.
New-ID 7B172BEA; old-ID 805F8DA2 expires Jan 24 2018.
NewWithOld sigs in keyservers.
Sorry if that mucks something up;-)

v2.23.0 | Report a Bug | By Email