IETF Logo Mail Archive

Re: Hardware acceleration and packet number encryption

Mikkel Fahnøe Jørgensen <mikkelfj@gmail.com> Sat, 24 March 2018 12:57 UTC

Return-Path: <mikkelfj@gmail.com>
X-Original-To: quic@ietfa.amsl.com
Delivered-To: quic@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6A8AD128959 for <quic@ietfa.amsl.com>; Sat, 24 Mar 2018 05:57:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id m6GQHFKgQUa4 for <quic@ietfa.amsl.com>; Sat, 24 Mar 2018 05:57:48 -0700 (PDT)
Received: from mail-io0-x229.google.com (mail-io0-x229.google.com [IPv6:2607:f8b0:4001:c06::229]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0C1111201F2 for <quic@ietf.org>; Sat, 24 Mar 2018 05:57:47 -0700 (PDT)
Received: by mail-io0-x229.google.com with SMTP id e79so18193448ioi.7 for <quic@ietf.org>; Sat, 24 Mar 2018 05:57:47 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=5c6vjnOMRmAKbAisN1de2ApNE8IWn2tH320BG4VeBVg=; b=sFZBcgYI2Boab7G9DRq5cdJAVt/6LlR6sQWg7lzfSAou65HFmdu97iaA6FWLbgEXZc SzSqQU0UonxYxriUI+gyBg6Wcel9fsXDs4sQ/DMJAEvibIWykcpv7OGVO+zIy2F32NQY wJQ84bL1uRSTaqqCPpDPaTWpTHD4bRZFhMIPQS69tz5HdNgj19Euk01Y8hV/E/oDdJJe AzsuqlA55GO1xE0K/DFABhVBIiNcq6mHIfBH63XGI/irFZOjhrDuZPGMtG4lArmA2A7i we1ZDB9+53dqGVKgC3r1lo9KPHETBTYz6Ivzgpdbf5Njwj+5udjztCFE6lB/ALhhpYAc m4dA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=5c6vjnOMRmAKbAisN1de2ApNE8IWn2tH320BG4VeBVg=; b=KrmR5itb3I4+XwDiDt1yUC8CXnbr1S2kTkDiJYCCGm9GYhkuQRfwmyNvj4z4s/1oi2 FPI2qn97yaP1O9H4ZUL19SaBqYXyXtgA5VlJ7I08+R1kiohjHbw50iPJlBjUiYBvhlm/ 0+HX2BpZ64cENAFgZvBJl6gmMkO8vCE4nHSP6pxqsu02ohZjIie2oWxy8U9ci39cZ4sr bLk5oRCEE8g3LSekegWsGJI/4yzjllkZnBVx6WZA/j2sAbl3kq4FMMmtYM3SqGTWbwIY 1heKjhAroMQW4LSo/56BSUyz8nKGdLrw+WSEHgosdAtWk2w7it2T8FYtq4Owgyo10LsF Nc+g==
X-Gm-Message-State: AElRT7EOE1UTJ6PNaYAbltqTxtlTT3V01fWnnytxcFwkGKXHWsBBuWZl Lo5BhI/GCy0XrAnYXTMBvWDifPfuYEX65LVEGBw=
X-Google-Smtp-Source: AG47ELsQNKkqZbqZeX/rDljAk27gnNAZn8hh9zw5rdMxwAA5AKZAR64gzxwCTUTwd0BXe29rDM4OIV4t5aVvCwImdQA=
X-Received: by 10.107.6.163 with SMTP id f35mr27691903ioi.165.1521896267365; Sat, 24 Mar 2018 05:57:47 -0700 (PDT)
MIME-Version: 1.0
References: <7fd34142-2e14-e383-1f65-bc3ca657576c@huitema.net>
In-Reply-To: <7fd34142-2e14-e383-1f65-bc3ca657576c@huitema.net>
From: Mikkel Fahnøe Jørgensen <mikkelfj@gmail.com>
Date: Sat, 24 Mar 2018 12:57:36 +0000
Message-ID: <CAN1APde8cps+dt+87_naDc+LOc6Eyo8=d222a8fP8DqRW92+RA@mail.gmail.com>
Subject: Re: Hardware acceleration and packet number encryption
To: Christian Huitema <huitema@huitema.net>
Cc: IETF QUIC WG <quic@ietf.org>, "Deval, Manasi" <manasi.deval@intel.com>
Content-Type: multipart/alternative; boundary="001a113e06a266c398056828166a"
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic/ykzFvPJZ-4xOO4xa2naNmqBWKME>
X-BeenThere: quic@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Main mailing list of the IETF QUIC working group <quic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic>, <mailto:quic-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic/>
List-Post: <mailto:quic@ietf.org>
List-Help: <mailto:quic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic>, <mailto:quic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 24 Mar 2018 12:57:50 -0000

see reply below

On Sat, Mar 24, 2018 at 1:19 PM Christian Huitema <huitema@huitema.net>
wrote:
...

>  packet number encryption as specified would make
> acceleration of Quic difficult to implement on Intel's hardware. She was
> trying to convince us that privacy is an unattainable goal, and that we
> should just as well ditch the linkability requirement in order to
> facilitate hardware acceleration.


I also believe that privacy is a wild goose chase. There is no reason to
expose more
necessary, but we risk limiting the protocol design more than it is worth.

Even without HW accellaration, modifying a buffer in-place can affect CPU
cache
performance and synchronization on multi-core systems, and it adds latency
- which
might be small in todays typical use case, but not necessarily in special
cases or in the future.
Crypto might get faster, but possibly by adding parallelism with higher
latency and packet number
encryption cannot be parallized.


> Using separate packet number for each path would prevent linkability and
> facilitate acceleration, but it makes the protocol and the software
> significantly more complex. It requires using different keys or IV for
> different paths, and it also require management of several sequence
> number spaces.


This is largely what I have proposed in Segmented Packet Numbers
https://github.com/quicwg/base-drafts/issues/1105

The idea is that the packet number itself is larger than the wire
transmission. The high bits are hidden from the packet header
but are included internally and in ACK frames (using some varlen encoding).
This will naturally sort ACK's per path and give
a largest ACK'ed per path. There would be no total ordering which might be
a problem with some designs relying on
"everyting send before" such as new path id's. It wold allow for packet
numbers larger than 64 bit. In ACK only the first packet number in a block
is sent explicitly so there is a natural compression.

Yes, it complicates the design slighty but it gives you a lot of automatic
per path ACK RTT data and sidesteps the issue with encryption
and also provides easy monitoring to middleware - data that they could
infer less reliably on their own in most cases, so no loss of privacy.

I like the simplicity of packet number encryption but due to how it needs
to be implemented I'm no longer believing that this is a great idea.

Mikkel

v2.23.0 | Report a Bug | By Email