Get rid of Block Cipher CIDs

[martinduke]

There has quietly been some work on tightening up the QUIC-LB specification. At the moment, we are still short on implementations but I am hearing something might happen soon.

Anyway, Christian Huitema has made substantial contributions to the security properties of Stream Cipher CID, which allows smallish CIDs, by making it a three-pass algorithm. We still have the "Block Cipher CID option" which requires CIDs of at least 17 bytes; AFAICT the only advantage at this point is that it can be decoded with 1 block encryption operation instead of three.

In principle, QUIC-LB load balancers can be run with no per-connection state, in which case this would be a per-packet operation. I strongly suspect that real LBs will keep some per-4tuple state, as they do today; if so, this crypto operation only needs to occur once per packet where the 4-tuple is new. If so, the CPU impact is vanishingly small except in a storm of garbage packets.

So AFAICT, the use case for Block Cipher is as follows:

• Willing to run one crypto operation per packet/new 4-tuple
• Not OK with doing three crypto operations
• satisfied with 17B + CIDs

I strongly suspect this does not describe a real implementer, and am inclined to simply delete this in my effort to simplify the design. Nevertheless, I'm taking this to the list in case someone thinks this is an important use case.

[huitema]

I am pretty confident about the properties of the stream cipher, but I am not a cryptographer ™
Should we ask a review from the CFRG?

[tatsuhiro-t]

I implemented block cipher cid in my proxy server. It is a bit sad to hear that it is going to be removed from the spec, but I have no strong opinion to against that. If it is removed I'll just remove the reference to quic lb spec and call it our own.
The good thing of block cipher cid is that its implementation is quite easy. 17 bytes cid has good entropy for random bits to manage several cid per connection.

[martinduke]

@tatsuhiro-t It's not gone yet! At the very least, we're going to do the crypto review.

[kazuho]

FWIW, h2o also uses 17-byte CID backed by AES-ECB.

Our server-id is 64-bit. While that might sound a bit large, it is good to have some additional space that can be used for detecting broken packets carrying bogus CIDs. Also, we do not retain 4-tuple state for each connection, because we do not want to retain connection state for all the server cluster. Instead, we decrypt CID of each packet.

Our format is different from what is in QUIC-LB (our design predates the first revision of the draft), so we do not mind support for block ciphers getting removed from the document. I'm just pointing out that there are use cases where block ciphers are sufficient.

[martinduke]

@kazuho thanks for the field report. While you're not conforming to the standard today, I hope you'll consider h2o servers eventually supporting the standard (at last optionally) so they can be used with migration with commodity load balancers.

Would the lack of a block cipher make a meaningful difference in your willingness to do so?

[martinduke]

I implemented block cipher cid in my proxy server. It is a bit sad to hear that it is going to be removed from the spec, but I have no strong opinion to against that. If it is removed I'll just remove the reference to quic lb spec and call it our own. The good thing of block cipher cid is that its implementation is quite easy. 17 bytes cid has good entropy for random bits to manage several cid per connection.

if you've implemented this, please join the #quic-lb channel and we should do interop once the spec settles down

[kazuho]

@martinduke Implementing the Stream Cipher CID algorithm is easy for the backend servers.

IMO the practical concerns are related to load balancers.

Each of the three-pass AES-ECB operation has dependency on earlier passes. That means that it is impossible to run these passes in parallel. My napkin calculation tells me that the CPU cycles required for running Stream Cipher CID algorithm on each full-sized packet would cost like 30% of decrypting a full-sized packet.

There would be at least two ways to mitigate this problem. One is process multiple packets in parallel. The other is cache information, as you've suggested in this issue.

If the load balancer developers are happy to accept this complexity (for saving few bytes of CID), then I do not think I have a reason to argue against.

[huitema]

Please don't make decisions now about the cost of three passes. The CFRG review might very well ask us to increase the number of passes, especially if the nonce is something like a counter instead of a random number. Consider for example the usage pattern in which after a key rotation all servers in the cluster set their nonce to exactly 1. In effect, that means we are almost down to two passes, and that may arguably be too few. Or maybe not. Review will tell.

If I look at the literature, 3 passes is the absolute minimum for achieving an acceptable level of mixing, but there are papers recommending 5, 6 or even 12 passes.

[kazuho]

@huitema thank you for the caution.

Then I wonder if we need to decide the fate of block cipher CIDs, before the design of stream cipher CIDs become more stable.

[martinduke]

@huitema thank you for the caution.

Then I wonder if we need to decide the fate of block cipher CIDs, before the design of stream cipher CIDs become more stable.

I am not resolving this issue until the crypto review is complete.

[Neo-ZK]

I strongly suspect that real LBs will keep some per-4tuple state, as they do today; if so, this crypto operation only needs to occur once per packet where the 4-tuple is new

It's unfortunately that routing by per-4tuple state will meet some problems, image this scenario:

1. client A setup a connection with quic-server through quic-lb, and a `4tuple state` was set up in quic-lb
2. client A close connection, and `4tuple state` in quic-lb won't be remove immediately
3. A connection migrate happens in client B, and client B use the same ip/port as clientA
4. If quic-lb route packets of client B through `4tuple state`, then connection migration of client B would failed 

The right way SHOULD be that quic-lb route all packets through CID, then the cpu cost can't be avoid, but I still
approve the usage of stream cipher, from a safety point of view.

[martinduke]

Good point, I'll consider this when I resolve #140.

[martinduke]

#155 reduced the Block CID (now "single-pass encryption") to the special case where nonce_len + sid_len == 16.

[martinduke]

Given the work in #155, I'm disinclined to remove this special case. Closing.