IETF Logo Mail Archive

RE: Hardware acceleration and packet number encryption

"Swindells, Thomas (Nokia - GB/Cambridge)" <thomas.swindells@nokia.com> Mon, 26 March 2018 15:20 UTC

Return-Path: <thomas.swindells@nokia.com>
X-Original-To: quic@ietfa.amsl.com
Delivered-To: quic@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 02EC21277BB for <quic@ietfa.amsl.com>; Mon, 26 Mar 2018 08:20:52 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ietf.org; s=ietf1; t=1522077652; bh=aJB+zPfV61/9UlgAASASHVoFBX7+R/LiP58iHLx8I4E=; h=From:CC:Subject:Date:References:In-Reply-To:To:To; b=Uom9aKjevx4DNG1TU48Up2AYyYb5RvuiOpDcB8yZsfQjp7+ZR2wreJpqsQ+vBKkSV GfNLb031eO7q2L3xwbBMYtDUzuZn/SnF5SsaNu3EEGmvk4ulR0iNeHpNsazp1QVKVf BWBAn8kK4TQxybLFxkeSfNyBbHZflnVcj4ruUDuc=
X-Mailbox-Line: From thomas.swindells@nokia.com Mon Mar 26 08:20:51 2018
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id B62A5126C19; Mon, 26 Mar 2018 08:20:51 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ietf.org; s=ietf1; t=1522077651; bh=aJB+zPfV61/9UlgAASASHVoFBX7+R/LiP58iHLx8I4E=; h=From:CC:Subject:Date:References:In-Reply-To:To:To; b=YIr2AYF7JvMzvtnCd93A9jUgDeSk94VarHKL6aSVOIT5agLn7V2/cP3z6YwufOVm+ pis59+/kV5hTvnbMBdhm2cbO5UmHuDKuq52ovnbZVXyvUXcw/dBKhiPbbdS7TXZLdV Vjrm0wJvrP3jVZbn5GOY2bxJ4AjK1nA1XZ0tJSCc=
X-Original-To: dmarc-reverse@ietfa.amsl.com
Delivered-To: dmarc-reverse@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 96F1E127775 for <dmarc-reverse@ietfa.amsl.com>; Mon, 26 Mar 2018 08:20:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nokia.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7lUT3pSZ__aT for <dmarc-reverse@ietfa.amsl.com>; Mon, 26 Mar 2018 08:20:47 -0700 (PDT)
Received: from EUR01-DB5-obe.outbound.protection.outlook.com (mail-db5eur01on0701.outbound.protection.outlook.com [IPv6:2a01:111:f400:fe02::701]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 84949126C19 for <ianswett=40google.com@dmarc.ietf.org>; Mon, 26 Mar 2018 08:20:46 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nokia.onmicrosoft.com; s=selector1-nokia-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=aJB+zPfV61/9UlgAASASHVoFBX7+R/LiP58iHLx8I4E=; b=oXVqZkhC/SkhQyKnOI30GN9IaVfBAm1ZFEJCx32XPnvOlsqCPyuljcVgPNw+l/FJs23Fn5ujdL48SJAsP7XLkSreVZCLSdyvN2725SQC2snZ4e1wIygVT/V6W2VImgtic79RrQmEUYKSbBxukwLMKNwYhy+0ceRwpAKCI5vKmyc=
Received: from HE1PR0702MB3611.eurprd07.prod.outlook.com (52.133.6.21) by HE1PR0702MB3562.eurprd07.prod.outlook.com (52.133.5.161) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.631.5; Mon, 26 Mar 2018 15:20:44 +0000
Received: from HE1PR0702MB3611.eurprd07.prod.outlook.com ([fe80::a09d:19e4:a13b:20e3]) by HE1PR0702MB3611.eurprd07.prod.outlook.com ([fe80::a09d:19e4:a13b:20e3%3]) with mapi id 15.20.0609.012; Mon, 26 Mar 2018 15:20:44 +0000
From: "Swindells, Thomas (Nokia - GB/Cambridge)" <thomas.swindells@nokia.com>
CC: Eric Rescorla <ekr@rtfm.com>, "Salz, Rich" <rsalz@akamai.com>, Christian Huitema <huitema@huitema.net>, IETF QUIC WG <quic@ietf.org>, "Deval, Manasi" <manasi.deval@intel.com>, Kazuho Oku <kazuhooku@gmail.com>
Subject: RE: Hardware acceleration and packet number encryption
Thread-Topic: Hardware acceleration and packet number encryption
Thread-Index: AQHTw2pS2/iMgBCWlkWEhwVLXq5EFKPfab+AgAAo/YCAAFZ6AIAADAQAgAAvsICAAAzVgIAB2cSAgABzBgCAAAxXAIAADMAAgAABk3A=
Date: Mon, 26 Mar 2018 15:20:44 +0000
Message-ID: <HE1PR0702MB3611A67E764EE1C7D1644FAD84AD0@HE1PR0702MB3611.eurprd07.prod.outlook.com>
References: <7fd34142-2e14-e383-1f65-bc3ca657576c@huitema.net> <F9FCC213-62B9-437C-ADF9-1277E6090317@gmail.com> <CABcZeBM3PfPkqVxPMcWM-Noyk=M2eCFWZw2Eq-XytbHM=0T9Uw@mail.gmail.com> <CAN1APdfjuvd1eBWCYedsbpi1mx9_+Xa6VvZ3aq_Bhhc+HN67ug@mail.gmail.com> <CABcZeBMtQBwsAF85i=xHmWN3PuGRkJEci+_PjS3LDXi7NgHyYg@mail.gmail.com> <1F436ED13A22A246A59CA374CBC543998B5CCEFD@ORSMSX111.amr.corp.intel.com> <CABcZeBNfPsJtLErBn1=iGKuLjJMo=jEB5OLxDuU7FxjJv=+b=A@mail.gmail.com> <1F436ED13A22A246A59CA374CBC543998B5CDAD4@ORSMSX111.amr.corp.intel.com> <BBB8D1DE-25F8-4F3D-B274-C317848DE872@akamai.com> <CAN1APdd=47b2eXkvMg+Q_+P254xo4vo-Tu-YQu6XoUGMByO_eQ@mail.gmail.com> <CAKcm_gMpz4MpdmrHLtC8MvTf5uO9LjD915jM-i2LfpKY384O2w@mail.gmail.com>
In-Reply-To: <CAKcm_gMpz4MpdmrHLtC8MvTf5uO9LjD915jM-i2LfpKY384O2w@mail.gmail.com>
Accept-Language: en-GB, en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [81.134.152.4]
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1; HE1PR0702MB3562; 7:9B5Fr104dt6rggkzFQEZNVOF738rJAW3XHX2Nd64lLWAfe6X1/Hs/qu5/w5E+j7GhY+XO42dRXQXYzN/z4f/Z6KjBCxx5r7qunmadWY99cV6OGkRqNqwe/her3qTvzhJ6T6uUzHV7I5aClsj3jVwIpVZumnhZybRrj1XJqmWhu7GhY0S8DVFGf9KwyhjuqpHbsJEFIAb1CnObQ+ibqirsI0LAuoW3x15jQYnx8f+5ePkqgwWBxdTQFzVjBnEdKIW
x-ms-exchange-antispam-srfa-diagnostics: SOS;
x-ms-office365-filtering-ht: Tenant
x-ms-office365-filtering-correlation-id: 0def3b56-2c28-4e57-aebd-08d5932d24c7
x-microsoft-antispam: UriScan:; BCL:0; PCL:0; RULEID:(7020095)(4652020)(48565401081)(5600026)(4604075)(3008032)(4534165)(4627221)(201703031133081)(201702281549075)(2017052603328)(7193020); SRVR:HE1PR0702MB3562;
x-ms-traffictypediagnostic: HE1PR0702MB3562:
x-microsoft-antispam-prvs: <HE1PR0702MB3562334C5DE935190AF8961484AD0@HE1PR0702MB3562.eurprd07.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(28532068793085)(158342451672863)(166708455590820)(85827821059158)(21748063052155)(228905959029699);
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(6040522)(2401047)(8121501046)(5005006)(3231221)(11241501184)(806099)(944501327)(52105095)(93006095)(93001095)(3002001)(10201501046)(6055026)(6041310)(20161123562045)(201703131423095)(201702281528075)(20161123555045)(201703061421075)(201703061406153)(20161123560045)(20161123558120)(20161123564045)(6072148)(201708071742011); SRVR:HE1PR0702MB3562; BCL:0; PCL:0; RULEID:; SRVR:HE1PR0702MB3562;
x-forefront-prvs: 06237E4555
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(346002)(396003)(39860400002)(376002)(39380400002)(366004)(189003)(199004)(55016002)(966005)(6436002)(76176011)(8676002)(9686003)(81166006)(14454004)(53936002)(6306002)(6246003)(236005)(2900100001)(39060400002)(81156014)(54896002)(33656002)(59450400001)(606006)(6506007)(53546011)(790700001)(3846002)(6116002)(478600001)(7736002)(99286004)(486005)(476003)(486005)(3660700001)(5660300001)(105586002)(229853002)(4326008)(74316002)(3280700002)(97736004)(106356001)(68736007)(7696005)(66066001)(25786009)(8936002)(5250100002)(86362001)(2906002)(93886005)(26005)(11346002)(316002)(102836004)(446003)(6346003)(54906003)(186003)(110136005)(557034004); DIR:OUT; SFP:1102; SCL:1; SRVR:HE1PR0702MB3562; H:HE1PR0702MB3611.eurprd07.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; MX:1; A:1;
received-spf: None (protection.outlook.com: nokia.com does not designate permitted sender hosts)
authentication-results: spf=none (sender IP is ) smtp.mailfrom=thomas.swindells@nokia.com;
x-microsoft-antispam-message-info: 0QKzIQHQlei1vgEoeR2vKRy9QDKDEmMIIrlCEihmcBVmYj7XANymO+PfZzKW8XrYFZzvRnL9M/QhL3ZTO+iiGez+T5YmgFZHsAbd0GH+6nkXsVEeMLToOnQ+r5VYvfnW522CmUOdWRXF8igjiZR6FL965ZiYNQO9JkjCnT5yZRUywMPgn3APMOkxpQXTyYTpXRDzVvJ8cgzLb8o8NzqyAI7lIunCtDkQfBPl6zeLbRrRxGdYxgxJZ2aRK7kUXl9flzDl102BRbEA5HufYdGfDiWoc5SaPsrBiAPTv68vNTLYNESKBq5tL/FrYl0fLEG23oFCdEqJPOFJVGC9icZB9hTjQO9YOO12bHTbQG8XVwIpCcYgCPk8LFn+0/kA0Fb3
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: multipart/alternative; boundary="_000_HE1PR0702MB3611A67E764EE1C7D1644FAD84AD0HE1PR0702MB3611_"
MIME-Version: 1.0
X-OriginatorOrg: nokia.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 0def3b56-2c28-4e57-aebd-08d5932d24c7
X-MS-Exchange-CrossTenant-originalarrivaltime: 26 Mar 2018 15:20:44.1579 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 5d471751-9675-428d-917b-70f44f9630b0
X-MS-Exchange-Transport-CrossTenantHeadersStamped: HE1PR0702MB3562
To: Ian Swett <ianswett@google.com>
To: Mikkel Fahnøe Jørgensen <mikkelfj@gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic/z-P1kahW9kk6iWEJ8KwhLCAtWNU>
X-BeenThere: quic@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Main mailing list of the IETF QUIC working group <quic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic>, <mailto:quic-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic/>
List-Post: <mailto:quic@ietf.org>
List-Help: <mailto:quic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic>, <mailto:quic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 26 Mar 2018 15:20:52 -0000

When you say ‘have this’ what exactly are you referring to dedicated hardware accelerator cards? Or were you counting processors with optimized CPU instructions?

Looking at https://en.wikipedia.org/wiki/AES_instruction_set#Intel_and_AMD_x86_architecture it seems to imply a large range of server, desktop and mobile chips all have a CPU instruction set available to do AES acceleration and other similar operations (other instruction sets are also available).

If we are considering the AES instructions then it looks like it is (or at least will be in the near future) a sizeable proportion of the public internet have it to be used.

I think it is useful for people who specialize in hardware to give expert guidance on the implication of design decisions, particularly as performance (or power efficiency) are important considerations for many people. There are three possible responses to that advice:

  1.  A different mechanism is found that gives better potential performance whilst also keeping the potential privacy benefits
  2.  The potential performance benefits are chosen with a risk that privacy guarantees may potentially be reduced
  3.  The potential privacy benefits are chosen with a risk of reduced performance compared to other protocols

What will influence the discussion is of course how big an impact is actually felt in each direction in the long run. For instance, it may turns out that regardless of how we encrypt the packet numbers there are still effective privacy breaching attacks in which case performance may have been the better thing to go for. Unfortunately in the short run people can only guess or estimate the factors – unless research is available showing this attacks already.

My personal view is that I’m not currently convinced that packet number encryption will actually bring a significant long lasting benefit compared to the costs it appears to have; and that in particular various timing and side channel attacks will allow correlation of sessions with a good degree of accuracy even without access to the packet numbers.

Of course the best result would be to have a solution which is response 1 – preserves both privacy and maintaining encryption acceleration.

Thomas

From: QUIC [mailto:quic-bounces@ietf.org] On Behalf Of Ian Swett
Sent: Monday, March 26, 2018 3:32 PM
To: Mikkel Fahnøe Jørgensen <mikkelfj@gmail.com>
Cc: Eric Rescorla <ekr@rtfm.com>; Salz, Rich <rsalz@akamai.com>; Christian Huitema <huitema@huitema.net>; IETF QUIC WG <quic@ietf.org>; Deval, Manasi <manasi.deval@intel.com>; Kazuho Oku <kazuhooku@gmail.com>
Subject: Re: Hardware acceleration and packet number encryption

Good question Rich.

I'd estimate almost no clients would have this, unless a client is actually another machine in a datacenter.

I can imagine 50% of servers may have this, but that's certainly an estimate.  Today, based on talking to many organizations who operate servers, I think this number is <10% on the public internet.  Datacenters may be higher, I'm not sure.

I would much rather do #1079 than add extra bytes in the header to make crypto offload easier.

Because the current PR uses the front of the encrypted payload as input to the PN encryption, one could encrypt the front of the packet(ie: 2 AES-GCM operations), then encrypt the packet number, then discard the front of the payload and do everything with bulk offload or start encrypting after the beginning of the packet.  This may cause an implementation to put padding into the beginning of the packet if they want offload and have nothing useful to send, but that seems better than forcing everyone to waste bytes and add more unencrypted bytes to the header.


On Mon, Mar 26, 2018 at 9:46 AM Mikkel Fahnøe Jørgensen <mikkelfj@gmail.com<mailto:mikkelfj@gmail..com>> wrote:
I added some comments to PR related to my previously suggested changes to the encryption scheme
https://github.com/quicwg/base-drafts/pull/1079


Mikkel


On 26 March 2018 at 15.02.30, Salz, Rich (rsalz@akamai.com<mailto:rsalz@akamai.com>) wrote:
What percentage of QUIC clients and servers are likely to have this hardware offload, and under what timetable?  And are those claims true for *all* hardware acceleration?

I appreciate that this is really asking to guess and predict the future, *But* a hardware vendor is making the team inclined to give up privacy for a performance gain. That’s not the right trade-off for us to be making at this point in time.

-1

v2.23.0 | Report a Bug | By Email