Hello QUICWG, There has quietly been some recent work on tightening up the QUIC-LB specification. At the moment, we are still short on implementations but I am hearing something might happen soon.
Anyway, Christian Huitema has made substantial contributions to the security properties of Stream Cipher CID, which allows smallish CIDs, by making it a three-pass algorithm. We still have the "Block Cipher CID option" which requires CIDs of at least 17 bytes; AFAICT the only advantage at this point is that it can be decoded with 1 block encryption operation instead of three. In principle, QUIC-LB load balancers can be run with no per-connection state, in which case this would be a per-packet operation. I strongly suspect that real LBs will keep some per-4tuple state, as they do today; if so, this crypto operation only needs to occur once per packet where the 4-tuple is new. If so, the CPU impact is vanishingly small except in a storm of garbage packets. So AFAICT, the use case for Block Cipher is as follows: - Willing to run one crypto operation per packet/new 4-tuple - Not OK with doing three crypto operations - satisfied with 17B + CIDs I strongly suspect this does not describe a real implementer, and am inclined to simply delete this option in my effort to simplify the design. Nevertheless, I'm taking this to the list in case someone thinks this is an important use case. This is Issue 138 in Github <https://github.com/quicwg/load-balancers/issues/138>. Thanks, Martin
