IETF Logo Mail Archive

Re: What to do about multipath in QUIC

Florentin Rochet <florentin.rochet@uclouvain.be> Mon, 16 November 2020 16:47 UTC

Return-Path: <florentin.rochet@uclouvain.be>
X-Original-To: quic@ietfa.amsl.com
Delivered-To: quic@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E2A0F3A12A8 for <quic@ietfa.amsl.com>; Mon, 16 Nov 2020 08:47:01 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.9
X-Spam-Level:
X-Spam-Status: No, score=-0.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_ADSP_ALL=0.8, DKIM_INVALID=0.1, DKIM_SIGNED=0.1, HTML_MESSAGE=0.001, MSGID_FROM_MTA_HEADER=0.001, NICE_REPLY_A=-0.001, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=fail (1024-bit key) reason="fail (body has been altered)" header.d=uclouvain.be
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EuXnRvFWok6n for <quic@ietfa.amsl.com>; Mon, 16 Nov 2020 08:46:58 -0800 (PST)
Received: from EUR05-AM6-obe.outbound.protection.outlook.com (mail-am6eur05on2138.outbound.protection.outlook.com [40.107.22.138]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B7E853A12A3 for <quic@ietf.org>; Mon, 16 Nov 2020 08:46:53 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=W/wr+ov6CH8KjJNJRY1zJgRzF1bIJ+8K08gFcMRXsYkAOyNcuxe8VciQ33LyLDYZGPgb0ekgwPKw4msGkWM//2mj3oi7M09g7lxVW4aA3aY+ebx4oy+4lpeCpqKrsrl3l6SYjgKX6kOGzaPRAAsrAlwTppVWjP/uT0VfPD6AbbFfnje/BnfnNgUizK+iPl7dF999b3CAtVdoKIgmXn78aRIxwLIccVGnywzj5ymcyo/iR98adV8lzyHsyaVbgY6VI6U2d7gJumFmgigqOtD1bRI4abEubIH77/rlJOruBPoZbrtms076gBVwQe+ibLZjiZdLmgZ+97Za+9kzSPxajg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=P241ulGvJ1ewbQgXtCndBANLOGcr61TvNd/A2Fw5V10=; b=hmy+ooUeklTpYOQ0+zqrpXv5uGdnA3X58MdzlbWzhfX8i6dOQxYl16UqxBgMUNUQtX4y4L3AYVnW+IFHvBfeTkBSSlDtNsne5VhQqgbAvJdCSTBfAWDeLIJWxwoiXyUulSAZ1EZ2fpUPp/vQCr70KCgHPHRHsDscwXa8Bm4Am77SjZ6qVpio+mkRVjqJnWv0rAsJp3yD3nZmxo8ByQG4Mq/sXFP8BZQRgeMvi6W72OZNLT4/FGsW7qX4QXB/d2YV7Hio4pEKBw+IMF4ndFZrweyKakayMjaS7OReu5/2jLtDwM49J35WfR0aM1ruIZZkjOjWMRGQLCLToMDBUOhl2A==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=uclouvain.be; dmarc=pass action=none header.from=uclouvain.be; dkim=pass header.d=uclouvain.be; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=uclouvain.be; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=P241ulGvJ1ewbQgXtCndBANLOGcr61TvNd/A2Fw5V10=; b=JugaFDpMePSN6tJbByn15Gbv3ZAE1Me5L4EiZoCgT7nDOxYaqmBbPcveiyoxCHLnguD76iStLfFC+cJonLXISayL+7gcxTgBabi8V9HcrVO7Vr8OBFb10+foqZ3Dtj1asx8msOIwIj+kAxfmpUP/FZAxmIoXRLsQzpU9p+7dJgo=
Authentication-Results: ietf.org; dkim=none (message not signed) header.d=none;ietf.org; dmarc=none action=none header.from=uclouvain.be;
Received: from DB6PR03MB3142.eurprd03.prod.outlook.com (2603:10a6:6:35::15) by DB7PR03MB4124.eurprd03.prod.outlook.com (2603:10a6:5:3c::20) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3564.28; Mon, 16 Nov 2020 16:46:51 +0000
Received: from DB6PR03MB3142.eurprd03.prod.outlook.com ([fe80::d18b:8c7b:6925:2a2]) by DB6PR03MB3142.eurprd03.prod.outlook.com ([fe80::d18b:8c7b:6925:2a2%4]) with mapi id 15.20.3564.028; Mon, 16 Nov 2020 16:46:50 +0000
Subject: Re: What to do about multipath in QUIC
To: quic@ietf.org
References: <538215d1-3b9e-4784-920d-03be4c3a503a.miaoji.lym@alibaba-inc.com> <CAN1APddB4JDo281L0USsU7FSiQxRNi-LaB8ZS0a9kLAgeNJwrw@mail.gmail.com> <54510017-fa91-555f-0219-0859d6686b74@huitema.net> <CAMDWRAaSeC9Yd1DqzM9o5_CS5Kct0aNS_LUzty5YPO_5fBf4qw@mail.gmail.com> <CANatvzyEfkRqgCArC8sXaS1-1DckxjspBLqLyLNdHx-RDKjT_Q@mail.gmail.com> <CAHgerOGGyAkE=TbCSuTO=T6HK9EM_+m+ASwPRm=o33HBrx7p3Q@mail.gmail.com> <CANatvzz_KSBws_upnx00P7JK=MbgyDRrR5n2VJcr1_=y=P6dfQ@mail.gmail.com>
From: Florentin Rochet <florentin.rochet@uclouvain.be>
Message-ID: <062fe812-8afb-d946-8336-1f4dc5ebeaaf@uclouvain.be>
Date: Mon, 16 Nov 2020 17:46:49 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.10.0
In-Reply-To: <CANatvzz_KSBws_upnx00P7JK=MbgyDRrR5n2VJcr1_=y=P6dfQ@mail.gmail.com>
Content-Type: multipart/alternative; boundary="------------7D35A375CE1A2BA8E58D774A"
Content-Language: en-US
X-Originating-IP: [79.132.236.78]
X-ClientProxiedBy: AM0PR10CA0101.EURPRD10.PROD.OUTLOOK.COM (2603:10a6:208:e6::18) To DB6PR03MB3142.eurprd03.prod.outlook.com (2603:10a6:6:35::15)
MIME-Version: 1.0
X-MS-Exchange-MessageSentRepresentingType: 1
Received: from [192.168.178.37] (79.132.236.78) by AM0PR10CA0101.EURPRD10.PROD.OUTLOOK.COM (2603:10a6:208:e6::18) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3564.25 via Frontend Transport; Mon, 16 Nov 2020 16:46:50 +0000
X-MS-PublicTrafficType: Email
X-MS-Office365-Filtering-Correlation-Id: 34f5b9c1-6fe7-4b7e-332f-08d88a4f3731
X-MS-TrafficTypeDiagnostic: DB7PR03MB4124:
X-Microsoft-Antispam-PRVS: <DB7PR03MB412411DA316087565648E866E5E30@DB7PR03MB4124.eurprd03.prod.outlook.com>
X-MS-Oob-TLC-OOBClassifiers: OLM:10000;
X-MS-Exchange-SenderADCheck: 1
X-Microsoft-Antispam: BCL:0;
X-Microsoft-Antispam-Message-Info: 1LlIL/Jf8B9hKdXUCybTu8bSvJJ1G1Ml29JvDtWqYtU4Tn2686Jlg4bjes3GiY8A+vSW2m7BzqsFk4wmbHQ9fsm3Ps7nSKJUavaZS1pbyBk4WwWkzNrh3gOu1GvYalqYyNhs8+ZFR62iGOYHjX2GXNLGXyQX22HDGxWGsc1jZq7scLYAq+tSLWn2dA0/wtlWIU0qbEyeRNYdu3weqPeunlYAR6GMyYzOEIO0vF0DaIzEW5e9bgZTRTLbAIO82ZCsYwd5BgB9JduDKSf6b9M/KTrbHgN6T1/C82NleqTXN46d8xhUhqGaOMOucrUBeq3+bYGP7RnNRiXLpHgtGd8r11gfhWBTrb+zBmo2XSXTmX1Wl4hm+iuaBw3L5z7TcGntvR4gNxskjUptaPQGduih5S7GsimgwPaF7h19pePeetKZTV/201QifwBUuEez4nMa1O7tTQgLakepKEpR4XB3Yg==
X-Forefront-Antispam-Report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:DB6PR03MB3142.eurprd03.prod.outlook.com; PTR:; CAT:NONE; SFS:(4636009)(366004)(396003)(376002)(39860400002)(346002)(136003)(6486002)(966005)(83380400001)(8676002)(166002)(52116002)(31696002)(36756003)(478600001)(66574015)(86362001)(8936002)(31686004)(16576012)(16526019)(5660300002)(30864003)(2616005)(956004)(33964004)(26005)(66946007)(44832011)(66476007)(66556008)(53546011)(2906002)(786003)(6916009)(186003)(316002)(43740500002); DIR:OUT; SFP:1102;
X-MS-Exchange-AntiSpam-MessageData: +2ZNqcks2cAnB7o76ThUrXXzJckocrkXgIhqOUocX0Sx5gfoKDi2vh+eT70TPKiB/5Zp7NaZ1weijJFKDodNO0fnlQc2MAaRF6Cezow0umxGkia865Tp/4LZM2qgXk7zRlgSnAa3KWKVCLdMGtzoo3Dbz2ZsH0l/D+Uqfn/FqIM/92bO4eN9JCsIMFNom7nE7Dd4va9Vw/tkYjklS+LxHSjRxGDW34l5lQicgjarI0813j88wBTRuijFN0NEetAKOloJIw7a9ozNOFSDG9jO74sBKndtheg34p1aXx9QUKk2wI96bQDBx/UOwS0VvVj+MtwyritQEfwJFoFiHWosOFILZZfTc7ffEYa3cVnlBQlqAZ7iCoW3+GvHMVRCzvxIkZjwaaA/bC6a/+njM17x3NIKAT/xspaGl1EkkdqPcxuVCV50gy9SDvFWs9Fur0y7Lfd700ZjK6CDpQtffw0ihNFLxogpgXS2kcrMqtrTPCknEJoNyJj9PctJZALWy0kfVscBV0hejGJcB/IJd6CSmSg+Q41d/n+H9FuTdtZpbFI/4FuNvEPAaIeedO00Q1umrt4gCWtAQK05QccKHxZp8FmAL8qz9lcOTIdwnNBSzprIg3T588EO2zorAeABptaHZPCsB2saT8GlnJOe9dsMBj8ym3JWOD0nzg9OSF7hnfHy3ePGg47V7YoaZyg9YRODHe3aCc+fHui7dRqlOXJ+pxoW3J+5I/eYmFXeRRuM5+jeCJ+O29jBPQTuHzG2cmHm43Aa8AI+csLuI2p2n/ZMoBuk/82rBq4WHlWMhzOXCqDpK8mnfXZPAE1kfsRZkaN2RczS1PFzmUsl9Rj47t4on6hb5mK+NpKLQhUbYXSGrksoYHsxtbOEiFDExjN49UUL9Lv/b6AvEDavQFhTQCqe7g==
X-OriginatorOrg: uclouvain.be
X-MS-Exchange-CrossTenant-Network-Message-Id: 34f5b9c1-6fe7-4b7e-332f-08d88a4f3731
X-MS-Exchange-CrossTenant-AuthSource: DB6PR03MB3142.eurprd03.prod.outlook.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 16 Nov 2020 16:46:50.8754 (UTC)
X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted
X-MS-Exchange-CrossTenant-Id: 7ab090d4-fa2e-4ecf-bc7c-4127b4d582ec
X-MS-Exchange-CrossTenant-MailboxType: HOSTED
X-MS-Exchange-CrossTenant-UserPrincipalName: mJnBINoQ3Mmm1lHHGH9o9P/IIGPnnNEtCMPwCDavcBpqbHyrLzAHTbzQfsjf3mRJC7lsIu7SvSojLw1ZN60MG44qlg/cRNI+92mZ2DnfZbk=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DB7PR03MB4124
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic/yd2mkN7Wgm4Srxs8rzX-_02izVk>
X-BeenThere: quic@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Main mailing list of the IETF QUIC working group <quic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic>, <mailto:quic-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic/>
List-Post: <mailto:quic@ietf.org>
List-Help: <mailto:quic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic>, <mailto:quic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 16 Nov 2020 16:47:02 -0000

Hello,

I have suggested a similar idea than Kazuho in Quentin Deconinck's draft:

https://tools.ietf.org/html/draft-deconinck-quic-multipath-06#section-8.1

Playing with the IV allows the endpoints to do an implicit derivation of 
the new crypto material for the new paths (using the same key). Besides, 
a multi-key settings makes a security degradation [0], so it might be 
better to avoid it if it's easy enough :-)

Best,

Florentin

[0] https://www.isg.rhul.ac.uk/~kp/TLS-AEbounds.pdf  Section 1.3

Le 16/11/20 à 08:53, Kazuho Oku a écrit :
>
>
> 2020年11月16日(月) 16:32 Yunfei Ma <yfmascgy@gmail.com 
> <mailto:yfmascgy@gmail.com>>:
>
>     Dear Kazuho,
>
>     Thanks for providing this alternative solution. I think it's
>     great, but please correct me if I am wrong. In the quic-tls-32
>     section 5.3., it reads:
>
>     _"The exclusive OR of the padded packet number and the IV forms
>     the AEAD nonce."_
>
>     __
>
>     So my question is: if we want to embed the sequence number of the
>     connection ID into the AEAD nonce, don't we need to incorporate
>     this method into section 5.3.?
>
>
> That's true. AEAD takes three inputs: secret, IV,  nonce.
>
> In order to avoid reuse, we need to make either of the three a 
> per-path variable. My point is that changing the definition of nonce 
> is the easiest, because it is a value that is calculated for each 
> encrypt / decrypt operation, and because we have space to incorporate 
> the path identifier (being the sequence number included in the 
> NEW_CONNECTION_ID frame).
>
> That's going to be a small enough change that can be made in the 
> multipath extension.
>
>     Thanks,
>
>     Yunfei
>
>
>     On Sun, Nov 15, 2020 at 9:19 PM Kazuho Oku <kazuhooku@gmail.com
>     <mailto:kazuhooku@gmail.com>> wrote:
>
>
>
>         2020年11月16日(月) 8:25 Yanmei Liu <healing4d@gmail.com
>         <mailto:healing4d@gmail.com>>:
>
>             Hi Christian and Lucas,
>
>             Thanks a lot for the advice :-)
>
>             > The use of AEAD is only safe if the same packet number
>             is not reused twice with the same key. If we use multiple
>             packet number contexts, AEAD is only safe if these
>             contexts use different encryption keys. This requires
>             adding a key derivation procedure for the "sub
>             connection", and also adding ways to identify the relevant
>             key in the incoming packets. This gets complicated very
>             quickly, especially if we want to keep the possibility of
>             using zero-length connection identifiers on the client side.
>             > I use a concept very similar to the sub-connection, but
>             only as a way to manipulate paths, so the client can
>             instruct the server when paths ought to be abandoned.
>             Otherwise, I just keep track of which PN maps to which path.
>
>             We have tried to use the same packet number space in all
>             the paths (or sub-connections) before, and have found that
>             it brought much complexity in implementation for loss
>             recovery.
>             In the meanwhile, the AEAD security problem mentioned
>             above should be solved. Another way to solve this problem
>             is using different keys in different paths, but it also
>             brings much complexity in key derivation as you have
>             mentioned.
>
>             We have found a third solution in
>             https://tools.ietf.org/id/draft-huitema-quic-mpath-req-01.txt
>             : create nonces by mixing the IV with both the path
>             specific connection ID and the packet sequence number.
>             If we can mix Destination Connection ID in for each
>             packet's AEAD nonce, then it will be safe to use the same
>             key in all the paths with different packet number spaces.
>
>
>         Or as an alternative, we can encode the sequence number of the
>         connection ID directly in the unused part of AEAD nonce (size
>         of nonce is 96 bits in AES-GCM, 128 bits in chacha20-poly1305,
>         but we only use 62 bits). The benefit of such an approach is
>         that endpoints would not be required to have additional state
>         related to AEAD. Endpoints already have the mapping between
>         connection IDs and their sequence numbers, all they need to do
>         is pass that sequence number as part of the AEAD nonce.
>
>             But since QUIC-TLS has been in the last-call period, would
>             it be able to add this modification into QUIC-TLS?
>
>
>         I do not think we have to, especially if we embed the sequence
>         number of the connection ID into the AEAD nonce.
>
>
>
>             Thanks,
>             Yanmei
>
>
>
>
>             On Fri, 13 Nov 2020 at 01:04, Christian Huitema
>             <huitema@huitema.net <mailto:huitema@huitema.net>> wrote:
>
>
>                 On 11/12/2020 3:10 AM, Mikkel Fahnøe Jørgensen wrote:
>>                   1. We think QUICv1 has already laid down the foundation to build a general-purpose multi-path since migration can be viewed as a special type of multi-path. Therefore, we think one should reuse the design of migration in QUIC-v1 as much as possible, along with the features such as PATH_CHALLENGE/PATH_RESPONSE for path challenge and address validation, and NEW_CONNECTION_ID/RETIRE_CONNECTION_ID for CID renegotiation of new path(which is called Sub-connection in our draft). Reusing these features of QUIC-v1 with small extensions has enabled us to get general-purpose multi-path features with very little efforts in
>>                 Alibaba’s XQUIC(an implementation of QUIC-v1).
>
>                 Yes. That's a major investment in QUIC V1, and we
>                 should keep it.
>
>>                   2. We find that the simplest way to add a second path is to use a sub-connection. The concept of sub-connection is directly inherited from connection in QUIC-transport, defined as the logic session of each physical path. Similar to a connection, each sub-connection has its own packet number space for the purpose of loss detection and recovery.
>>
>
>                 I did not want to do that in my own draft for a couple
>                 of reasons. The main one is the interaction with
>                 encryption.
>
>                 The use of AEAD is only safe if the same packet number
>                 is not reused twice with the same key. If we use
>                 multiple packet number contexts, AEAD is only safe if
>                 these contexts use different encryption keys. This
>                 requires adding a key derivation procedure for the
>                 "sub connection", and also adding ways to identify the
>                 relevant key in the incoming packets. This gets
>                 complicated very quickly, especially if we want to
>                 keep the possibility of using zero-length connection
>                 identifiers on the client side.
>
>                 I use a concept very similar to the sub-connection,
>                 but only as a way to manipulate paths, so the client
>                 can instruct the server when paths ought to be
>                 abandoned. Otherwise, I just keep track of which PN
>                 maps to which path.
>
>>                   3. To merge the gap between migration and the general-purpose multi-path, several new features need to be supported:
>>
>>                   - (1) how to manage the lifecycles of individual sub-connections.
>>
>>                   - (2) how to distinguish packets coming from different sub-connections.
>>
>>                   - (3) how to co-operate with a multi-path scheduler.
>>
>>                 We would appreciate hearing any thoughts, comments and suggestions.
>
>
>                 I think we need more work on the
>                 "multi-path scheduler". We have heard of three
>                 application scenarios: maintaining the lowest RTT when
>                 sending voice segments (Apple Siri), avoiding
>                 buffering delays when playing music (Apple Music), and
>                 using two available links with equal preference (Ali
>                 Baba "high speed train"). I wish that we could
>                 distillate that into a couple of simple concepts.
>
>                 -- Christian Huitema
>
>
>
>         -- 
>         Kazuho Oku
>
>
>
> -- 
> Kazuho Oku

v2.23.0 | Report a Bug | By Email