Re: [Masque] Forwarded Mode infinite loops
Martin Duke <martin.h.duke@gmail.com> Fri, 20 October 2023 18:09 UTC
Return-Path: <martin.h.duke@gmail.com>
X-Original-To: masque@ietfa.amsl.com
Delivered-To: masque@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 81B37C14CE2B for <masque@ietfa.amsl.com>; Fri, 20 Oct 2023 11:09:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.104
X-Spam-Level:
X-Spam-Status: No, score=-7.104 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7SkKvQQzz5jY for <masque@ietfa.amsl.com>; Fri, 20 Oct 2023 11:09:20 -0700 (PDT)
Received: from mail-ua1-x936.google.com (mail-ua1-x936.google.com [IPv6:2607:f8b0:4864:20::936]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8C0DFC14CF1C for <masque@ietf.org>; Fri, 20 Oct 2023 11:09:20 -0700 (PDT)
Received: by mail-ua1-x936.google.com with SMTP id a1e0cc1a2514c-7ab4c86eeb0so464644241.2 for <masque@ietf.org>; Fri, 20 Oct 2023 11:09:20 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1697825359; x=1698430159; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=YPiFNbUf7yPpNFea0XPfojdVe/t8kH7UrXb22hSE2Hc=; b=OYsLhDGNPh+XmmUC6vplNf+NtO2LBqPm02p3eSQ+SZ6vHE8AP1Vs2o5wBR1cWP8JEC t6/E204QOTBhE9NcphE0jVSZFRrntVpZjrv0u+dULYd9v3pBap6mK7xfsRdUxLff598z 9fS8aDIaPmheqFPPJYZAAKNF4Xbn0I4LR9Ry/H29mQEezMaR8bFIhIvqlzVPBRPTD8cc yBYAjV/sD0astYgMtfwBmBlUaQx/LV6JenHTzI2Ynnh5PVX82QW9k9g6cufq/ZtK8Gii Rd+hPEmRzFYg2b6W3PQyPQLR1q0JJoSrvhcrUTnnU/3EVkneo6Zq4kAEBzH12I+rG0AF IoqQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1697825359; x=1698430159; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=YPiFNbUf7yPpNFea0XPfojdVe/t8kH7UrXb22hSE2Hc=; b=QtmjUaoVt/X7gIzXutP05GVBb4Dq5BlnNUDhGe/Kghi0c7zh26UcRlupxOtA59DECD XG3hQ4Mrf+1/hmVkf0SM6pW6f3Ved80nK2oDK6o5pVZkLJRiMDJkdEye1pJC5H4UxSeL a1Cc4JxoCCgfX/Pgbx1T8gQrTqtIm/ZcE4sTtc0HlNV9LPg6I6XDqmUoJWhRfs/JnesL xihsg8z69k28o9+eTkV9FWo5I5kKZqfnzCwF6Z9aVWd0fasbI0Jg+1uxKZLSoH20bTRE vFBgIHDXfW3aSFG5n4gxYbluiPceJHl43q59mnogWgjxtxtT/F3dycF4HfvBb5WMo8ub t5Lw==
X-Gm-Message-State: AOJu0Yxn8EglkuK90m7VxcNuWJPS05mZXg0W8kl89UNjroN+hnFVPebt Xt4F0NeuRuDFjiLymfIR2/KTthCQ3UIUe/20Omw=
X-Google-Smtp-Source: AGHT+IHcW2PqqnGCLlGJp5obpby4n91aFgOgSbkdX37bTFvHu6RqFXrbJtJTxnE80VSnFFDP4X/xdr3o3MvqDjPQLxQ=
X-Received: by 2002:a67:ef50:0:b0:44e:8c20:a92d with SMTP id k16-20020a67ef50000000b0044e8c20a92dmr2872753vsr.7.1697825359362; Fri, 20 Oct 2023 11:09:19 -0700 (PDT)
MIME-Version: 1.0
References: <CAM4esxRzTu=njLp7Uk=4AvObxD5j0FG1fQHKtoyDGFWF7q1jdg@mail.gmail.com> <BN8PR15MB3281FF073C549E3A39DD087BB3DBA@BN8PR15MB3281.namprd15.prod.outlook.com> <B4EF24E9-20B9-4BFD-90B8-75B9A8EF733B@apple.com> <BN8PR15MB328118A7CE6C88D57825826AB3DBA@BN8PR15MB3281.namprd15.prod.outlook.com> <B0D618B6-A6DD-4D94-AB20-2646C179B53A@apple.com>
In-Reply-To: <B0D618B6-A6DD-4D94-AB20-2646C179B53A@apple.com>
From: Martin Duke <martin.h.duke@gmail.com>
Date: Fri, 20 Oct 2023 11:09:07 -0700
Message-ID: <CAM4esxSQAo4yYZA8oSMfv_z=+UBgKh6O0r9tiwt=7_eJBm_-GA@mail.gmail.com>
To: Eric Rosenberg <eric_rosenberg@apple.com>
Cc: Ben Schwartz <bemasc=40meta.com@dmarc.ietf.org>, Eric Rosenberg <eric_rosenberg=40apple.com@dmarc.ietf.org>, MASQUE <masque@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000006f806f060829c509"
Archived-At: <https://mailarchive.ietf.org/arch/msg/masque/ErA_LV-fQmi-2YeYpfd9IsGm85s>
Subject: Re: [Masque] Forwarded Mode infinite loops
X-BeenThere: masque@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Multiplexed Application Substrate over QUIC Encryption <masque.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/masque>, <mailto:masque-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/masque/>
List-Post: <mailto:masque@ietf.org>
List-Help: <mailto:masque-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/masque>, <mailto:masque-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 20 Oct 2023 18:09:24 -0000
Yes, if the forwarder's don't share a VIP, then the packets at P1 can be distinguished by source IP address. I'm not sure if the draft requires that today, but it is a simple mitigation. If they share a VIP, the packet has no distinguishing features. On Fri, Oct 20, 2023 at 11:02 AM Eric Rosenberg <eric_rosenberg@apple.com> wrote: > I think the loop Martin is describing is only possible when forwarders > share a VIP - so not quite unrelated. There may be other loop attacks, but > I believe this particular one would be mitigated if all proxies sharing a > VIP constructed virtual client CIDs to guarantee no overlap. > > Eric > > On Oct 20, 2023, at 10:44, Ben Schwartz <bemasc=40meta.com@dmarc.ietf.org> > wrote: > > They could, but AFAIK they aren't obligated to. If a client has access to > several unrelated QUIC Forwarders, it could theoretically set up a loop > among them unless they decide to generate long, un-collidable Connection > IDs. > > --Ben > ------------------------------ > *From:* Eric Rosenberg <eric_rosenberg=40apple.com@dmarc.ietf.org> > *Sent:* Friday, October 20, 2023 1:15 PM > *To:* Ben Schwartz <bemasc@meta.com> > *Cc:* Martin Duke <martin.h.duke@gmail.com>; MASQUE <masque@ietf.org> > *Subject:* Re: [Masque] Forwarded Mode infinite loops > > This Message Is From an External Sender > > Changing who chooses the Connection IDs could help, but proxy-chosen CIDs > are not necessarily high entropy, so there's no clear guarantee. > > > Do you mind elaborating here? If the proxy chooses the virtual client > connection ID, P2 and P3 can pick virtual client connection IDs that don’t > overlap. For example, they could do something like virtual client CID = > {server_id}{random_bytes}. > > Eric Rosenberg > > > On Oct 20, 2023, at 09:53, Ben Schwartz <bemasc=40meta.com@dmarc.ietf.org> > wrote: > > Loops! This is a fun attack. It seems like there are probably lots of > loopy configurations if you have access to two or more proxies. > > Most of the encryption discussion for forwarded mode has focused on > unauthenticated encryption, which wouldn't help here. > > Changing who chooses the Connection IDs could help, but proxy-chosen CIDs > are not necessarily high entropy, so there's no clear guarantee. > > Ultimately, I'm not sure this matters. A hostile client can impose pretty > much arbitrarily amplified load on the forwarder anyway, e.g. by > downloading a large file and forging ACKs to dropped packets so that > congestion control ramps up to infinity. Forwarders will need defenses to > rate-limit or cap abusive clients. That said, it's probably worth fixing > if there's an easy solution. > > --Ben > ------------------------------ > *From:* Masque <masque-bounces@ietf.org> on behalf of Martin Duke < > martin.h.duke@gmail.com> > *Sent:* Wednesday, October 18, 2023 5:25 PM > *To:* MASQUE <masque@ietf.org> > *Subject:* [Masque] Forwarded Mode infinite loops > > Hello MASQUE, > > (with no hats on) > > I was playing with some annoying but manageable amplification attacks on > CONNECT-UDP forwarding mode. Those will have to wait for another day, > because the current draft has a fatal vulnerability, though one that we can > fix pretty easily. > > If I've gotten something incorrect, please say so! It wouldn't be the > first time. > > Recall that for forwarded mode, clients notify the proxy of the connection > ID they are advertising to the target, and in the same capsule propose a > "virtual connection ID" for use on the proxy-client path. (IIUC, this > virtual CID is to prevent association of the packets on either end of the > proxy). > > I reiterate that we are talking about the CLIENT connection ID and > its virtual counterparts, not the target. > > Consider the following very stupid topology that a client C could > construct to target T via various proxies. Crucially, P2 and P3 are from > the same provider and share a VIP.* This wrinkle eliminates some really > simple mitigations for what I'm about to describe. > > C -> P1 -> P2 -> P1 -> P3 -> T > > An otherwise well-intentioned client would advertise client Connection ID > CID0 to T, and via REGISTER_CLIENT_CID capsules might set up the rest like > so: > > Nodes C P1 P2 P1 P3 T > CID on wire CID4 CID3 CID2 CID1 CID0 > > So far, so good. A packet that leaves T will be destined for CID0. The > destination CID will be rewritten in turn, arriving at C with CID4. > > However, a malicious client can register CIDs with the proxies as follows: > Nodes C P1 P2 P1 P3 T > CID on wire CID4 CID3 / CID1 CID2 CID1 CID0 > > The only change is that P2 is "incorrectly" configured by the client to > rewrite incoming CID2 as CID1. As far as P2 is concerned, everything is > seems legit unless it is sharing enormous amounts of CID state with its > partner P3. Everything else is unchanged. > > Thus, a packet leaving T with CID0 will be rewritten to CID1 and routed to > P1; P1 will then route it to P2 with CID2. Then that gets routed back to > P1 with CID1, and the P1-P2-P1 loop continues to infinity. The attacker can > put as many proxy hops as it likes in that chain. > > There are a few pretty simple things that can break this doom loop. > - Do encryption at each MASQUE hop, as previously proposed. This verifies > the previous hop of the packet and drops those where the CID does not have > the correct origin. > - Have the proxy provide the virtual CID instead of the client. Client > control is the root of these problems. > - Eliminate virtual client CIDs and just take the L on linkability in that > case > > Martin > > * Interestingly, this attack requires at least one proxy in the path (P1 > in this case) to not be load balanced or have an easily manipulated load > balancer, so that two QUIC connection attempts can with high probability go > to the same device. > -- > Masque mailing list > Masque@ietf.org > https://www.ietf.org/mailman/listinfo/masque > > > -- > Masque mailing list > Masque@ietf.org > https://www.ietf.org/mailman/listinfo/masque > > >
- [Masque] Forwarded Mode infinite loops Martin Duke
- Re: [Masque] Forwarded Mode infinite loops Ben Schwartz
- Re: [Masque] Forwarded Mode infinite loops Eric Rosenberg
- Re: [Masque] Forwarded Mode infinite loops Ben Schwartz
- Re: [Masque] Forwarded Mode infinite loops Eric Rosenberg
- Re: [Masque] Forwarded Mode infinite loops Martin Duke
- Re: [Masque] Forwarded Mode infinite loops Martin Duke
- Re: [Masque] Forwarded Mode infinite loops Ben Schwartz
- Re: [Masque] Forwarded Mode infinite loops Martin Duke
- Re: [Masque] Forwarded Mode infinite loops Ben Schwartz
- Re: [Masque] Forwarded Mode infinite loops Martin Duke
- Re: [Masque] Forwarded Mode infinite loops Martin Duke
- Re: [Masque] Forwarded Mode infinite loops David Schinazi
- Re: [Masque] Forwarded Mode infinite loops Martin Duke
- Re: [Masque] Forwarded Mode infinite loops Tommy Pauly
- Re: [Masque] Forwarded Mode infinite loops Ian Swett
- Re: [Masque] Forwarded Mode infinite loops Martin Duke
- Re: [Masque] Forwarded Mode infinite loops Tommy Pauly
- Re: [Masque] Forwarded Mode infinite loops David Schinazi
- Re: [Masque] Forwarded Mode infinite loops Martin Duke
- Re: [Masque] Forwarded Mode infinite loops Alex Chernyakhovsky
- Re: [Masque] Forwarded Mode infinite loops Martin Duke