
Making QUIC Quicker with NIC Offload - ederlf
https://dl.acm.org/doi/abs/10.1145/3405796.3405827
======
secondcoming
> We find that the kernel to userspace communication, ... often the cause of
> application performance degradation

Assuming they're talking about Linux here, I wonder if they used io_uring.

~~~
muststopmyths
> Lesson #1: Data copy between user and kernel space costs around 50% of total
> CPU usage. This can be avoided by using kernel-bypass techniques as adopted in
> Quant.

> Lesson #2: In the presence of a kernel-bypass optimization, crypto operations
> become the new most expensive operation, requiring up to 40% of CPU resources
> per connection.

I suppose they did an equivalent optimization? I have no experience with
io_uring, but I assume the gains are similar to kernel bypass optimizations.

------
dsimms
This gets reinvented as a system matures, I think.

IBM mainframes had TCP offload in the early 90's at least. (The NIC in that
case was a PC running PS/2 plus some routing software. Worked great.)

~~~
dsimms
and they surely weren't the first to do that either, I assume now.

~~~
Cyphase
FYI, it's possible to edit comments to add further thoughts. :)

~~~
salawat
Only for two hours.

As it turns out, my average time to return from distraction to proofread is a
little bit more than two hours.

~~~
Cyphase
Indeed, that does seem to happen often. Though in GGP's case the reply was
posted within a minute of the original comment.

------
exabrial
Have we addressed the privacy issues with QUIC?

~~~
10000truths
What do you mean by privacy issues with QUIC? As I understand it, it’s just
another application layer protocol.

~~~
exabrial
Iirc, Brave browser began disabling QUIC because the connected server was able
to fingerprint the connecting party, and they deemed it an intentional part of
the protocol design. Essentially connecting anonymously to a server is not
possible. I'll try and dig up the blog post.

~~~
salawat
This one?

[https://content.sciendo.com/configurable/contentpage/journal...](https://content.sciendo.com/configurable/contentpage/journals$002fpopets$002f2019$002f3$002farticle-p255.xml)

------
gojomo
Hmm, researchers with the 'National University of Defense Technology' propound
on the benefits of offloading encryption/decryption to a separate
processor/FPGA on the Network Interface Card. Just for speed, I'm sure!

~~~
trasz
This has been done for years, eg with Chelsio NICs, and indeed it can speed
things up quite a bit.

~~~
sbierwagen
Wiretapping has been done for years, yes. NOBUS encryption compromise has a
long history, and speeds things up a lot. (for the NSA)

~~~
aseipp
How do you imagine this wiretapping works? This NIC is installed in your
servers, and is fed AEAD keys that are derived from key exchange with a client
by your TLS stack (and so private keys exist on the host, not on the NIC).
This allows the NIC to decrypt/encrypt flows that pass through it and free up
CPU cycles. QUIC requires forward secrecy for key exchange, so every flow will
use a different AEAD key already, meaning any snooped key can only be used to
decrypt the current flow, not any others. Every modern offload NIC uses this
basic design, more or less. Where's the wiretap? Is the NIC going to somehow
store every intermediate AEAD key and escrow it to the NSA somehow? What does
NOBUS have to do with any of this? And why wouldn't they just backdoor the
motherboard/OS/CPU itself to acquire private keys directly?

~~~
takeda
Since the NIC is used to encrypt the traffic, it can purposefully have a
vulnerability that the NSA knows about?

Fixing a NIC is not as easy as fixing software.

~~~
aseipp
Okay, but I'm asking what does it look like? What kind of vulnerability? They
presumably aren't using SuperDuper Secret Wifi to mirror data wirelessly to
the moon, right? There are a limited number of outcomes at some point. They
can't exactly change the encryption algorithms, otherwise clients fail to
connect, and modern TLS (and QUIC) are designed to reduce algorithm agility in
the name of preventing downgrade attacks and insecure suites. And they can't
just break AES with an alien computer, because if so, why bother with the NIC
at all? And again: How do they _escrow the data_ they want out of the network,
considering the extremely variable (and potentially secured, unknown, hostile)
network conditions? If they can do that with some kind of host exploit or
whatever, why not just take private keys in the first place? They could just
snip ground cables then and be done with it, which is exactly how they got
Google. (The most realistic case I can think of is somehow compromising
entropy generation, perhaps.)

And finally, why do _any_ of this when you can almost definitely just issue a
gag order to a legal counsel, or behind-the-door threats to a foreign
government agency to toe the line, or any number of things? You're dealing
with governments who have immense global influence, not scrappy hackers who
only have their wits and old laptops about them.

I'm not saying agencies don't have exploits, or they don't use them, or they
don't spy on a lot of data, or that even some backdoors aren't real. But if
you're looking at a NIC offload device, immediately claim "Wiretapping", and
can't actually explain how it wiretaps anything or what the attack model is,
it's really just random speculation and fear mongering.

~~~
predakanga
While I don't think it's likely, it's not hard to conceive a scenario where
the NIC purposely weakens the security for attackers in the know.

Purely theoretical (and I'm not a crypto guy, so please do correct me if this
is nonsense), but imagine a scheme whereby the IV is chosen to be the first
few bytes of the private key xor the port tuple.

This could reduce the difficulty of brute forcing the key, and no extra
traffic need be generated - we already know that the NSA operates passive
observers, and has even placed such systems inside corporate networks in the
past.

EDIT: As to why they'd do this instead of getting a gag order - because they
can? Because there's less oversight? Safest to assume that any technical
capability will be abused sooner or later.

~~~
aseipp
> but imagine a scheme whereby the IV is chosen to be the first few bytes of
> the private key xor the port tuple.

Again, the NIC doesn't choose the IV. It is given an IV by the host system,
which is derived from key exchange in software, and that IV must match what
the other side of the link derives from its own key exchange operation. It has
no choice but to use the IV given. Otherwise, the two parties can't
communicate. So the NIC would have to attack the host system somehow to engage
in this attack, but then it could just steal a private key anyway and get all
communications forever. This is basic Diffie-Hellman/TLS 101.

This kind of "I'm not an expert, but let me make up a scenario completely
divorced from reality..." thing is what I'm talking about when I say
speculation/FUD. It sounds sufficiently "techie smart" to pass a trivial smell
test but otherwise instantly falls apart.

> As to why they'd do this instead of getting a gag order - because they can?
> Because there's less oversight? Safest to assume that any technical
> capability will be abused sooner or later.

Any person in your life that you know could suddenly commit a horrible crime,
just "because they can." Do you think they will? Is that reason to _assume_
they will? "Because they can" ignores a basic aspect of how decisions are
made, which is understanding their motivations and reasoning.

And less oversight from what? These gag orders are already enforced in secret
courts. Governments exert pressure on each other, behind closed doors and
through agreements like trade sanctions, to force other governments to comply.
There's _already_ "no oversight" in the process, by design it avoids
oversight. Spooks can literally walk into your datacenter and pull a rack out
of the cage and there's nothing you can do about it unless you want to get
thrown in a dark hole for 500 years. Even if they had to resort to techie
tricks, why is the scenario you imagine any more plausible than a thousand
simpler, alternative options? Multi-million dollar corporations get
ransomware'd all the time, and it's not like the culprits need hardware
backdoors to do it.

Again: these agencies have exploits, and for a reason. They certainly use
them. They have backdoors. That doesn't mean we just get to turn our brains
off the instant something we don't understand mildly spooks us and assign
complete impossibilities as the culprit. You're not far from just doing
highbrow "lizard people control society" stuff at that point.
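Added example (not from the thread, the paper, or any offload vendor's code) illustrating the two points aseipp makes above: the host's TLS stack derives the per-direction AEAD key and IV from a handshake-produced traffic secret and hands them to the NIC, and because the peer derives the same IV from the same secret, a NIC that substituted an IV of its own choosing would only produce packets that fail to authenticate. The key schedule is the real one from RFC 9001 (HKDF-Expand-Label with the "quic key", "quic iv" and "quic hp" labels, nonce = packet number XOR IV, AES-128-GCM with the header as associated data). The traffic secret, the packet header, the payload and the rogue NIC's "nic iv" label are constructed for the demo and are assumptions, not protocol values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"fmt"
)

// PacketKeys is what the host programs into an offload NIC for one direction:
// AEAD key, static IV and header-protection key (RFC 9001 s5.1).
type PacketKeys struct{ Key, IV, HP []byte }

// hkdfExpandLabel is TLS 1.3's HKDF-Expand-Label (RFC 8446 s7.1) over
// HKDF-Expand (RFC 5869) with SHA-256; QUIC reuses it with its own labels.
func hkdfExpandLabel(secret []byte, label string, context []byte, length int) []byte {
	full := "tls13 " + label
	info := append([]byte{byte(length >> 8), byte(length), byte(len(full))}, full...)
	info = append(append(info, byte(len(context))), context...)
	var out, prev []byte
	for i := byte(1); len(out) < length; i++ { // T(i) = HMAC(secret, T(i-1) || info || i)
		mac := hmac.New(sha256.New, secret)
		mac.Write(prev)
		mac.Write(info)
		mac.Write([]byte{i})
		prev = mac.Sum(nil)
		out = append(out, prev...)
	}
	return out[:length]
}

// derivePacketKeys is the host-side step. Both endpoints run it over the same
// handshake-derived traffic secret, so key and IV are fixed by the key
// schedule and the sender's NIC has nothing left to choose.
func derivePacketKeys(trafficSecret []byte) PacketKeys {
	return PacketKeys{
		Key: hkdfExpandLabel(trafficSecret, "quic key", nil, 16),
		IV:  hkdfExpandLabel(trafficSecret, "quic iv", nil, 12),
		HP:  hkdfExpandLabel(trafficSecret, "quic hp", nil, 16),
	}
}

// clientInitialKeys derives the client's Initial-packet keys from the
// Destination Connection ID with the fixed QUIC v1 salt (RFC 9001 s5.2).
// Handshake and 1-RTT secrets come from the TLS key schedule instead.
func clientInitialKeys(dcid []byte) PacketKeys {
	salt, _ := hex.DecodeString("38762cf7f55934b34d179ae6a4c80cadccbb7f0a")
	extract := hmac.New(sha256.New, salt) // HKDF-Extract(salt, dcid)
	extract.Write(dcid)
	return derivePacketKeys(hkdfExpandLabel(extract.Sum(nil), "client in", nil, 32))
}

// packetNonce implements RFC 9001 s5.3: the packet number, left-padded to the
// IV length, XORed with the static IV. The NIC computes this; it cannot pick it.
func packetNonce(iv []byte, pn uint64) []byte {
	n := make([]byte, len(iv))
	binary.BigEndian.PutUint64(n[len(iv)-8:], pn)
	for i := range n {
		n[i] ^= iv[i]
	}
	return n
}

// aeadFor builds AES-128-GCM; keys are always 16 bytes here, so this cannot fail.
func aeadFor(key []byte) cipher.AEAD {
	block, _ := aes.NewCipher(key)
	aead, _ := cipher.NewGCM(block)
	return aead
}

// protectPayload is the NIC's transmit job: seal the payload, header as associated data.
func protectPayload(k PacketKeys, pn uint64, header, payload []byte) []byte {
	return aeadFor(k.Key).Seal(nil, packetNonce(k.IV, pn), payload, header)
}

// unprotectPayload is the peer's side: any change to key, IV, packet number or
// header makes Open return an authentication error instead of plaintext.
func unprotectPayload(k PacketKeys, pn uint64, header, ciphertext []byte) ([]byte, error) {
	return aeadFor(k.Key).Open(nil, packetNonce(k.IV, pn), ciphertext, header)
}

func main() {
	// Constructed traffic secret standing in for one connection's handshake output.
	secret := sha256.Sum256([]byte("constructed demo traffic secret, connection A"))
	host, peer := derivePacketKeys(secret[:]), derivePacketKeys(secret[:])
	header, payload := []byte{0x40, 0x00, 0x00, 0x07}, []byte("constructed QUIC frames")
	ct := protectPayload(host, 7, header, payload)
	pt, err := unprotectPayload(peer, 7, header, ct)
	fmt.Printf("honest NIC: plaintext=%q err=%v\n", pt, err)
	// A NIC that substitutes an IV of its own choosing: the peer still uses the
	// IV its key schedule produced, so the packet fails to authenticate.
	rogue := host
	rogue.IV = hkdfExpandLabel([]byte("port tuple"), "nic iv", nil, 12)
	_, err = unprotectPayload(peer, 7, header, protectPayload(rogue, 7, header, payload))
	fmt.Printf("IV-substituting NIC: err=%v\n", err)
}
```

`go run` on this prints the honest round trip and then the GCM authentication failure for the IV-substituting NIC. `clientInitialKeys` uses the published QUIC v1 Initial salt, so it can be checked against the client Initial key, IV and HP vectors in RFC 9001 Appendix A.1 (DCID 0x8394c8f03e515708); that check is the first thing to run if you adapt the derivation. The one thing the NIC does get to see is the derived key for the connection in front of it, which is exactly aseipp's point: it is per-connection material, already on the host, and nothing the NIC computes on its own feeds back into what the peer will accept.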

