IETF Logo Mail Archive

[TLS] Re: draft-ietf-tls-key-share-prediction next steps

"Kampanakis, Panos" <kpanos@amazon.com> Sun, 15 September 2024 18:56 UTC

Return-Path: <prvs=981eece8d=kpanos@amazon.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 99308C1516E0 for <tls@ietfa.amsl.com>; Sun, 15 Sep 2024 11:56:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.949
X-Spam-Level:
X-Spam-Status: No, score=-2.949 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.148, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01, UNPARSEABLE_RELAY=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=amazon.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dQWQMk7LIZRX for <tls@ietfa.amsl.com>; Sun, 15 Sep 2024 11:56:17 -0700 (PDT)
Received: from smtp-fw-33001.amazon.com (smtp-fw-33001.amazon.com [207.171.190.10]) (using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3F093C14F5E6 for <tls@ietf.org>; Sun, 15 Sep 2024 11:56:17 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=amazon.com; i=@amazon.com; q=dns/txt; s=amazon201209; t=1726426577; x=1757962577; h=from:to:cc:date:message-id:references:in-reply-to: mime-version:subject; bh=i3e44bevK/QJDtkdIwzj+phaCzplKoExOtNDQwLXucE=; b=guUs/w7yuQOBb5FAz7OZraNjCKRFqM8X0Ju5elHjRJsrN6f9dnWknb9N 9r5FFQjlsa3q/PIL/GdfkK1nJG5VOW7mLhD1tHhoOdwp4R+spvXzJrBvM JnnNMoJx+BlZ2O14HBg1wUitv1i3yiCH4++cMQEQbHsgUIOd79gTKKYBR 0=;
X-IronPort-AV: E=Sophos;i="6.10,231,1719878400"; d="scan'208,217";a="368252351"
Thread-Topic: [TLS] Re: draft-ietf-tls-key-share-prediction next steps
Received: from iad12-co-svc-p1-lb1-vlan3.amazon.com (HELO smtpout.prod.us-west-2.prod.farcaster.email.amazon.dev) ([10.43.8.6]) by smtp-border-fw-33001.sea14.amazon.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 15 Sep 2024 18:56:11 +0000
Received: from EX19MTAUWA001.ant.amazon.com [10.0.21.151:14816] by smtpin.naws.us-west-2.prod.farcaster.email.amazon.dev [10.0.55.195:2525] with esmtp (Farcaster) id 28f17b61-b588-4fcc-a848-e56bfc7dd587; Sun, 15 Sep 2024 18:56:10 +0000 (UTC)
X-Farcaster-Flow-ID: 28f17b61-b588-4fcc-a848-e56bfc7dd587
Received: from EX19D001ANA002.ant.amazon.com (10.37.240.136) by EX19MTAUWA001.ant.amazon.com (10.250.64.217) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA) id 15.2.1258.34; Sun, 15 Sep 2024 18:56:10 +0000
Received: from EX19D001ANA001.ant.amazon.com (10.37.240.156) by EX19D001ANA002.ant.amazon.com (10.37.240.136) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA) id 15.2.1258.35; Sun, 15 Sep 2024 18:56:08 +0000
Received: from EX19D001ANA001.ant.amazon.com ([fe80::4f78:75cd:3117:8055]) by EX19D001ANA001.ant.amazon.com ([fe80::4f78:75cd:3117:8055%5]) with mapi id 15.02.1258.035; Sun, 15 Sep 2024 18:56:08 +0000
From: "Kampanakis, Panos" <kpanos@amazon.com>
To: David Adrian <davadria@umich.edu>
Thread-Index: AQHbBBH4DF8cMklY0keirYGehOgkRLJSOC8AgACYLQCAAcGBEIAACdyAgAADooA=
Date: Sun, 15 Sep 2024 18:56:08 +0000
Message-ID: <11fdbc58609141709c0f032d58dbab2c@amazon.com>
References: <CAF8qwaAU+cRapAc3xnySXiq2nOTXAFvLQYdWNC6rXdFj8iA39w@mail.gmail.com> <CAOp4FwTySAHKtwKv4ade9qm19GCvag-PAJxmDndxG5CYsDPvkw@mail.gmail.com> <ZuFNRD6UWgkhAbdl@LK-Perkele-VII2.locald> <CAF8qwaBmyZR4ky_sMZNbk4ZiKbZche8uXLhbPkLzU-xau77Ciw@mail.gmail.com> <cc1e576c70f24659b220945b1e53f26f@amazon.com> <CACf5n79nvEXJM3tPLNRBFfZa3z_VUPTJASMqO2FaBbh4cH02tA@mail.gmail.com>
In-Reply-To: <CACf5n79nvEXJM3tPLNRBFfZa3z_VUPTJASMqO2FaBbh4cH02tA@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.37.240.200]
Content-Type: multipart/alternative; boundary="_000_11fdbc58609141709c0f032d58dbab2camazoncom_"
MIME-Version: 1.0
Message-ID-Hash: P7W7HLHLCMOHO5VXUNEYFLMD4KHPQLMP
X-Message-ID-Hash: P7W7HLHLCMOHO5VXUNEYFLMD4KHPQLMP
X-MailFrom: prvs=981eece8d=kpanos@amazon.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-tls.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: "<tls@ietf.org>" <tls@ietf.org>
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [TLS] Re: draft-ietf-tls-key-share-prediction next steps
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/tJmHFyS-Wv13BeEkFtWbe2E6M1I>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Owner: <mailto:tls-owner@ietf.org>
List-Post: <mailto:tls@ietf.org>
List-Subscribe: <mailto:tls-join@ietf.org>
List-Unsubscribe: <mailto:tls-leave@ietf.org>

Thx Adrian for the reaction.

> There is a considerable difference between loading large amounts of data for a single site, which is a decision that is controllable by a site, and adding a fixed amount of latency to _all_ connections to all sites to defend against a computer that does not exist [3].

Fair. And draft-ietf-tls-key-share-prediction tries to address that. I like the draft. Btw, I have some disagreements to your “PQC Signatures damn too big” blog referenced in [3], but these are more or less similar to the ones I am sharing below.

> Adding Kyber to the TLS handshake increased TLS handshake latency by 4% on desktop [1] and 9% on Android at P50, and considerably higher at P95. In general, Cloudflare found that every 1K of additional data added to the server response caused median HTTPS handshake latency increase by around 1.5% [2].

I have seen these arguments, but I am still skeptical. Your points focus on the TLS handshake which is not necessarily directly tied to Web experience. According to https://firefox-source-docs.mozilla.org/testing/perfdocs/perf-sheriffing.html , even the 4% (>2%) regression for Desktops would be unacceptable. So, why is 4% in the handshake acceptable, but 9% is not?

If I am sending 100KB of data over the conn, 1 extra packet in the CH will not matter even for these mobile clients. We tried to make the point in https://www.ndss-symposium.org/ndss-paper/auto-draft-484/ . Ideally we should have proven it by measuring web metrics too (other than just the TTLB) but that requires more work.

I am arguing that 5% or 10% or even 20% of TLS handshake slowdown does not equate to the same slowdown in the CrUX / web metrics. For example, the TLS handshake should not affect the INP or CLS metrics at all. The LCP or the FCP will not be affected be an extra packet if the server sends 50+ packets per connection. https://httparchive.org/reports/state-of-the-web says that each mobile connection transfers about 200KB. This means 150+ packets. Will an extra CH packet really show up in this connection’s performance impact? I doubt it. Another data point,  https://httparchive.org/reports/loading-speed#fcp says that the median FCP and TTI for mobile is 3 and 16 seconds respectively. Will an extra packet in the CH really affect the multisecond FCP or TTI even in a slow connection at 1Kbps? That is questionable as well.

So, respectfully, is your assertion that ML-KEM768 will have noticeable impact for mobile based on measurable web metric data, or is it just based on an intuition which is focusing on the TLS handshake and could be overestimating the impact on real web metrics?


From: David Adrian <davadria@umich.edu>
Sent: Thursday, September 12, 2024 11:26 PM
To: Kampanakis, Panos <kpanos@amazon.com>
Cc: David Benjamin <davidben@chromium.org>; <tls@ietf.org> <tls@ietf.org>
Subject: RE: [EXTERNAL] [TLS] Re: draft-ietf-tls-key-share-prediction next steps


CAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you can confirm the sender and know the content is safe.


> Any numbers you have to showcase the regression and the relevant affected web metrics?

Adding Kyber to the TLS handshake increased TLS handshake latency by 4% on desktop [1] and 9% on Android at P50, and considerably higher at P95. In general, Cloudflare found that every 1K of additional data added to the server response caused median HTTPS handshake latency increase by around 1.5% [2].

> I have seen this claim before and, respectfully, I don’t fully buy it. A mobile client that suffers with two packet CHs is probably already crawling for hundreds of KBs of web content per conn.

There is a considerable difference between loading large amounts of data for a single site, which is a decision that is controllable by a site, and adding a fixed amount of latency to _all_ connections to all sites to defend against a computer that does not exist [3].

[1]: https://blog.chromium.org/2024/05/advancing-our-amazing-bet-on-asymmetric.html
[2]: https://blog.cloudflare.com/pq-2024/
[3]: https://dadrian.io/blog/posts/pqc-not-plaintext/

v2.39.1 | Report a Bug | By Email | System Status