Re: [Last-Call] Secdir last call review of draft-ietf-quic-version-negotiation-10
David Schinazi <dschinazi.ietf@gmail.com> Wed, 05 October 2022 22:54 UTC
Return-Path: <dschinazi.ietf@gmail.com>
X-Original-To: last-call@ietfa.amsl.com
Delivered-To: last-call@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5014BC1522A9; Wed, 5 Oct 2022 15:54:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.107
X-Spam-Level:
X-Spam-Status: No, score=-2.107 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Aldzsyk5F6pu; Wed, 5 Oct 2022 15:54:08 -0700 (PDT)
Received: from mail-ua1-x932.google.com (mail-ua1-x932.google.com [IPv6:2607:f8b0:4864:20::932]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8AB3EC14CF09; Wed, 5 Oct 2022 15:54:08 -0700 (PDT)
Received: by mail-ua1-x932.google.com with SMTP id h25so49075uao.13; Wed, 05 Oct 2022 15:54:08 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date; bh=h3jgdjES1VC5F+PvJ4i/jMdth0dFcl4rtIXJ0pKCPkw=; b=UD6tLJabJOHreweHLpOJzyVqXKaQ09VXhxnM/CZRNgV9T4wedg9yAcB0sYozDoI8aJ iQL90yKEVnpOrt99k9lkqd6F4QwH885yb523bkAj9RUsGw5FCrthPnwuIHOZE1nOTQT9 Ghi5tsv3KenYRnNAXbdbI8L01ZjXjAw+j2i3BelOrrEjbRh1waFLOZT593eyR2LrDDCx vCdLmksZOwZp/tll1+UOQGJe/y81ZZznV9GkL6iP4816/471XFvmoBpFbixbx9c7IOwm 7HtuzBkTc+K+r01QU7/CTfYWfDsZkt4ZZlusq/CFpO5f358LH6lJUmlbfEWFbHTNW+9w pY7w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date; bh=h3jgdjES1VC5F+PvJ4i/jMdth0dFcl4rtIXJ0pKCPkw=; b=OTcTc/vbPAqgD0u/nFiUtXwCKhBhyIeoByK9WPuJyTaoxT9yWnIvD5V52GA0NoHPSY fGwN9iVMBNdSVVEvJmFhhdbCTFR6mmSOy+A6Qsu+w70vuSCT+AAC3hz6LY4c2BKNgdzf 5Bah43YZAvbjM0QOz7yUEGGtdqCJAwvHuvpjVrCGsglFHpXT/Wj80Qtr5Rq0SnksOCkM DDOSaSqn/R/+8EFTfWdh2L/kCdCHk5+oGntXx1dqZK1zFdEE33QzQ2IdzDOchTM8luxN Pzetd1zBBJRXwkVbZTajsW/1VOFTmgJNdi+hLt2udkggr1sabyTfVE5FX4GDSWhWKzK+ HYKQ==
X-Gm-Message-State: ACrzQf0mf/HIYVret7vcETbxA2W8a3JfPXGJganjgyoUw1l8OtDnEH2X O8efin+d+8fh8jk3yGxvsSTYF+CZ+4YIk79tXro=
X-Google-Smtp-Source: AMsMyM6uA06AUNCsaURfygI5oX+1LVdfvrdxz1J3KD9liliuhYsd1q0plgoOf+pmOWbweqXc/x7BWY+rlFJ6yQzBW3E=
X-Received: by 2002:ab0:634a:0:b0:3d7:495b:88fd with SMTP id f10-20020ab0634a000000b003d7495b88fdmr1082013uap.108.1665010447364; Wed, 05 Oct 2022 15:54:07 -0700 (PDT)
MIME-Version: 1.0
References: <166499081267.34369.266654217493565817@ietfa.amsl.com>
In-Reply-To: <166499081267.34369.266654217493565817@ietfa.amsl.com>
From: David Schinazi <dschinazi.ietf@gmail.com>
Date: Wed, 05 Oct 2022 15:53:56 -0700
Message-ID: <CAPDSy+5gPL+wQRAc0tT3PKCJSrgAe=9VDgc_FMY0o_6CX6q=5g@mail.gmail.com>
To: Joey Salazar <joeygsal@gmail.com>
Cc: secdir@ietf.org, draft-ietf-quic-version-negotiation.all@ietf.org, last-call@ietf.org, quic@ietf.org
Content-Type: multipart/alternative; boundary="0000000000004337bb05ea51743b"
Archived-At: <https://mailarchive.ietf.org/arch/msg/last-call/LKC0nEL8HbKJ5RIoURZc59QD9hk>
Subject: Re: [Last-Call] Secdir last call review of draft-ietf-quic-version-negotiation-10
X-BeenThere: last-call@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: IETF Last Calls <last-call.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/last-call>, <mailto:last-call-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/last-call/>
List-Post: <mailto:last-call@ietf.org>
List-Help: <mailto:last-call-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/last-call>, <mailto:last-call-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 05 Oct 2022 22:54:09 -0000
Hi Joey, and thanks for your review. I've pushed a commit that addresses some of your comments. More detailed responses inline. https://github.com/quicwg/version-negotiation/commit/3fee2873545dcc2cae20f070b86f844dae6a5558 On Wed, Oct 5, 2022 at 10:26 AM Joey Salazar via Datatracker < noreply@ietf.org> wrote: > Reviewer: Joey Salazar > Review result: Has Nits > > I have reviewed this document as part of the security directorate's > ongoing effort to review all IETF documents being processed by the > IESG. These comments were written primarily for the benefit of the > security area directors. Document editors and WG chairs should treat > these comments just like any other last call comments. > > Document: draft-ietf-quic-version-negotiation-10 > Reviewer: Joey Salazar > The summary of the review is: Ready with nits > > Major Concerns: None > > Minor Concerns: None > > Nits: > > Section 2.1: "it SHALL select a mutually supported version and sends[…]" > s/sends/send/ > Fixed Section 2.4: This section states "the connection attempt prior to receiving > the > Version Negotiation packet is distinct from the connection with the > incompatible version that follows". According to text in Section 2.1 "it > SHALL > select a mutually supported version and sends a new first flight with that > version - this version is now the negotiated version", Section 2.4 could > say > "from the connection with the negotiated version that follows" instead. > I find the current text clearer. Section 7: s/Since at the time of writing QUIC version 1/Since, at the time > of > writing, QUIC version 1/ > Fixed Section 8: For clarity of reading, this section could be placed after > Section > 4. Version Downgrade Prevention > I find the current placement clearer. Section 9: The security of the mechanism relying on the security of the > weakest > common version seems clear, yet a bit more description on "but more > analysis is > still needed here" would be good, perhaps pointing to what other > vulnerabilities could be expected/analyzed, or whether cross-protocol > attacks > could still take place. > If anyone performs this analysis, I'll be happy to include it. But I'd rather not delay publication waiting for this analysis.
- [Last-Call] Secdir last call review of draft-ietf… Joey Salazar via Datatracker
- Re: [Last-Call] Secdir last call review of draft-… David Schinazi