IETF Logo Mail Archive

Re: [Masque] Forwarded Mode infinite loops

Martin Duke <martin.h.duke@gmail.com> Fri, 20 October 2023 18:09 UTC

Return-Path: <martin.h.duke@gmail.com>
X-Original-To: masque@ietfa.amsl.com
Delivered-To: masque@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 81B37C14CE2B for <masque@ietfa.amsl.com>; Fri, 20 Oct 2023 11:09:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.104
X-Spam-Level:
X-Spam-Status: No, score=-7.104 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7SkKvQQzz5jY for <masque@ietfa.amsl.com>; Fri, 20 Oct 2023 11:09:20 -0700 (PDT)
Received: from mail-ua1-x936.google.com (mail-ua1-x936.google.com [IPv6:2607:f8b0:4864:20::936]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8C0DFC14CF1C for <masque@ietf.org>; Fri, 20 Oct 2023 11:09:20 -0700 (PDT)
Received: by mail-ua1-x936.google.com with SMTP id a1e0cc1a2514c-7ab4c86eeb0so464644241.2 for <masque@ietf.org>; Fri, 20 Oct 2023 11:09:20 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1697825359; x=1698430159; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=YPiFNbUf7yPpNFea0XPfojdVe/t8kH7UrXb22hSE2Hc=; b=OYsLhDGNPh+XmmUC6vplNf+NtO2LBqPm02p3eSQ+SZ6vHE8AP1Vs2o5wBR1cWP8JEC t6/E204QOTBhE9NcphE0jVSZFRrntVpZjrv0u+dULYd9v3pBap6mK7xfsRdUxLff598z 9fS8aDIaPmheqFPPJYZAAKNF4Xbn0I4LR9Ry/H29mQEezMaR8bFIhIvqlzVPBRPTD8cc yBYAjV/sD0astYgMtfwBmBlUaQx/LV6JenHTzI2Ynnh5PVX82QW9k9g6cufq/ZtK8Gii Rd+hPEmRzFYg2b6W3PQyPQLR1q0JJoSrvhcrUTnnU/3EVkneo6Zq4kAEBzH12I+rG0AF IoqQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1697825359; x=1698430159; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=YPiFNbUf7yPpNFea0XPfojdVe/t8kH7UrXb22hSE2Hc=; b=QtmjUaoVt/X7gIzXutP05GVBb4Dq5BlnNUDhGe/Kghi0c7zh26UcRlupxOtA59DECD XG3hQ4Mrf+1/hmVkf0SM6pW6f3Ved80nK2oDK6o5pVZkLJRiMDJkdEye1pJC5H4UxSeL a1Cc4JxoCCgfX/Pgbx1T8gQrTqtIm/ZcE4sTtc0HlNV9LPg6I6XDqmUoJWhRfs/JnesL xihsg8z69k28o9+eTkV9FWo5I5kKZqfnzCwF6Z9aVWd0fasbI0Jg+1uxKZLSoH20bTRE vFBgIHDXfW3aSFG5n4gxYbluiPceJHl43q59mnogWgjxtxtT/F3dycF4HfvBb5WMo8ub t5Lw==
X-Gm-Message-State: AOJu0Yxn8EglkuK90m7VxcNuWJPS05mZXg0W8kl89UNjroN+hnFVPebt Xt4F0NeuRuDFjiLymfIR2/KTthCQ3UIUe/20Omw=
X-Google-Smtp-Source: AGHT+IHcW2PqqnGCLlGJp5obpby4n91aFgOgSbkdX37bTFvHu6RqFXrbJtJTxnE80VSnFFDP4X/xdr3o3MvqDjPQLxQ=
X-Received: by 2002:a67:ef50:0:b0:44e:8c20:a92d with SMTP id k16-20020a67ef50000000b0044e8c20a92dmr2872753vsr.7.1697825359362; Fri, 20 Oct 2023 11:09:19 -0700 (PDT)
MIME-Version: 1.0
References: <CAM4esxRzTu=njLp7Uk=4AvObxD5j0FG1fQHKtoyDGFWF7q1jdg@mail.gmail.com> <BN8PR15MB3281FF073C549E3A39DD087BB3DBA@BN8PR15MB3281.namprd15.prod.outlook.com> <B4EF24E9-20B9-4BFD-90B8-75B9A8EF733B@apple.com> <BN8PR15MB328118A7CE6C88D57825826AB3DBA@BN8PR15MB3281.namprd15.prod.outlook.com> <B0D618B6-A6DD-4D94-AB20-2646C179B53A@apple.com>
In-Reply-To: <B0D618B6-A6DD-4D94-AB20-2646C179B53A@apple.com>
From: Martin Duke <martin.h.duke@gmail.com>
Date: Fri, 20 Oct 2023 11:09:07 -0700
Message-ID: <CAM4esxSQAo4yYZA8oSMfv_z=+UBgKh6O0r9tiwt=7_eJBm_-GA@mail.gmail.com>
To: Eric Rosenberg <eric_rosenberg@apple.com>
Cc: Ben Schwartz <bemasc=40meta.com@dmarc.ietf.org>, Eric Rosenberg <eric_rosenberg=40apple.com@dmarc.ietf.org>, MASQUE <masque@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000006f806f060829c509"
Archived-At: <https://mailarchive.ietf.org/arch/msg/masque/ErA_LV-fQmi-2YeYpfd9IsGm85s>
Subject: Re: [Masque] Forwarded Mode infinite loops
X-BeenThere: masque@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Multiplexed Application Substrate over QUIC Encryption <masque.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/masque>, <mailto:masque-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/masque/>
List-Post: <mailto:masque@ietf.org>
List-Help: <mailto:masque-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/masque>, <mailto:masque-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 20 Oct 2023 18:09:24 -0000

Yes, if the forwarder's don't share a VIP, then the packets at P1 can be
distinguished by source IP address. I'm not sure if the draft requires that
today, but it is a simple mitigation.

If they share a VIP, the packet has no distinguishing features.

On Fri, Oct 20, 2023 at 11:02 AM Eric Rosenberg <eric_rosenberg@apple.com>
wrote:

> I think the loop Martin is describing is only possible when forwarders
> share a VIP - so not quite unrelated. There may be other loop attacks, but
> I believe this particular one would be mitigated if all proxies sharing a
> VIP constructed virtual client CIDs to guarantee no overlap.
>
> Eric
>
> On Oct 20, 2023, at 10:44, Ben Schwartz <bemasc=40meta.com@dmarc.ietf.org>
> wrote:
>
> They could, but AFAIK they aren't obligated to. If a client has access to
> several unrelated QUIC Forwarders, it could theoretically set up a loop
> among them unless they decide to generate long, un-collidable Connection
> IDs.
>
> --Ben
> ------------------------------
> *From:* Eric Rosenberg <eric_rosenberg=40apple.com@dmarc.ietf.org>
> *Sent:* Friday, October 20, 2023 1:15 PM
> *To:* Ben Schwartz <bemasc@meta.com>
> *Cc:* Martin Duke <martin.h.duke@gmail.com>; MASQUE <masque@ietf.org>
> *Subject:* Re: [Masque] Forwarded Mode infinite loops
>
> This Message Is From an External Sender
>
> Changing who chooses the Connection IDs could help, but proxy-chosen CIDs
> are not necessarily high entropy, so there's no clear guarantee.
>
>
> Do you mind elaborating here? If the proxy chooses the virtual client
> connection ID, P2 and P3 can pick virtual client connection IDs that don’t
> overlap. For example, they could do something like virtual client CID =
> {server_id}{random_bytes}.
>
> Eric Rosenberg
>
>
> On Oct 20, 2023, at 09:53, Ben Schwartz <bemasc=40meta.com@dmarc.ietf.org>
> wrote:
>
> Loops!  This is a fun attack.  It seems like there are probably lots of
> loopy configurations if you have access to two or more proxies.
>
> Most of the encryption discussion for forwarded mode has focused on
> unauthenticated encryption, which wouldn't help here.
>
> Changing who chooses the Connection IDs could help, but proxy-chosen CIDs
> are not necessarily high entropy, so there's no clear guarantee.
>
> Ultimately, I'm not sure this matters.  A hostile client can impose pretty
> much arbitrarily amplified load on the forwarder anyway, e.g. by
> downloading a large file and forging ACKs to dropped packets so that
> congestion control ramps up to infinity.  Forwarders will need defenses to
> rate-limit or cap abusive clients.  That said, it's probably worth fixing
> if there's an easy solution.
>
> --Ben
> ------------------------------
> *From:* Masque <masque-bounces@ietf.org> on behalf of Martin Duke <
> martin.h.duke@gmail.com>
> *Sent:* Wednesday, October 18, 2023 5:25 PM
> *To:* MASQUE <masque@ietf.org>
> *Subject:* [Masque] Forwarded Mode infinite loops
>
> Hello MASQUE,
>
> (with no hats on)
>
> I was playing with some annoying but manageable amplification attacks on
> CONNECT-UDP forwarding mode. Those will have to wait for another day,
> because the current draft has a fatal vulnerability, though one that we can
> fix pretty easily.
>
> If I've gotten something incorrect, please say so! It wouldn't be the
> first time.
>
> Recall that for forwarded mode, clients notify the proxy of the connection
> ID they are advertising to the target, and in the same capsule propose a
> "virtual connection ID" for use on the proxy-client path. (IIUC, this
> virtual CID is to prevent association of the packets on either end of the
> proxy).
>
> I reiterate that we are talking about the CLIENT connection ID and
> its virtual counterparts, not the target.
>
> Consider the following very stupid topology that a client C could
> construct to target T via various proxies. Crucially, P2 and P3 are from
> the same provider and share a VIP.* This wrinkle eliminates some really
> simple mitigations for what I'm about to describe.
>
> C -> P1 -> P2 -> P1 -> P3 ->  T
>
> An otherwise well-intentioned client would advertise client Connection ID
> CID0 to T, and via REGISTER_CLIENT_CID capsules might set up the rest like
> so:
>
> Nodes        C     P1     P2    P1    P3     T
> CID on wire    CID4   CID3  CID2  CID1   CID0
>
> So far, so good. A packet that leaves T will be destined for CID0. The
> destination CID will be rewritten in turn, arriving at C with CID4.
>
> However, a malicious client can register CIDs with the proxies as follows:
> Nodes        C     P1            P2      P1      P3     T
> CID on wire    CID4   CID3 / CID1    CID2    CID1   CID0
>
> The only change is that P2 is "incorrectly" configured by the client to
> rewrite incoming CID2 as CID1. As far as P2 is concerned, everything is
> seems legit unless it is sharing enormous amounts of CID state with its
> partner P3. Everything else is unchanged.
>
> Thus, a packet leaving T with CID0 will be rewritten to CID1 and routed to
> P1;  P1 will then route it to P2 with CID2. Then that gets routed back to
> P1 with CID1, and the P1-P2-P1 loop continues to infinity. The attacker can
> put as many proxy hops as it likes in that chain.
>
> There are a few pretty simple things that can break this doom loop.
> - Do encryption at each MASQUE hop, as previously proposed. This verifies
> the previous hop of the packet and drops those where the CID does not have
> the correct origin.
> - Have the proxy provide the virtual CID instead of the client. Client
> control is the root of these problems.
> - Eliminate virtual client CIDs and just take the L on linkability in that
> case
>
> Martin
>
> * Interestingly, this attack requires at least one proxy in the path (P1
> in this case) to not be load balanced or have an easily manipulated load
> balancer, so that two QUIC connection attempts can with high probability go
> to the same device.
> --
> Masque mailing list
> Masque@ietf.org
> https://www.ietf.org/mailman/listinfo/masque
>
>
> --
> Masque mailing list
> Masque@ietf.org
> https://www.ietf.org/mailman/listinfo/masque
>
>
>

v2.23.0 | Report a Bug | By Email