IETF Logo Mail Archive

Re: [Masque] Forwarded Mode infinite loops

Martin Duke <martin.h.duke@gmail.com> Tue, 24 October 2023 19:37 UTC

Return-Path: <martin.h.duke@gmail.com>
X-Original-To: masque@ietfa.amsl.com
Delivered-To: masque@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2A617C151985 for <masque@ietfa.amsl.com>; Tue, 24 Oct 2023 12:37:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.103
X-Spam-Level:
X-Spam-Status: No, score=-2.103 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_FONT_LOW_CONTRAST=0.001, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mdlljBayDZ2j for <masque@ietfa.amsl.com>; Tue, 24 Oct 2023 12:37:05 -0700 (PDT)
Received: from mail-vs1-xe2a.google.com (mail-vs1-xe2a.google.com [IPv6:2607:f8b0:4864:20::e2a]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5C78BC1519B2 for <masque@ietf.org>; Tue, 24 Oct 2023 12:37:05 -0700 (PDT)
Received: by mail-vs1-xe2a.google.com with SMTP id ada2fe7eead31-457e5dec94dso1954298137.3 for <masque@ietf.org>; Tue, 24 Oct 2023 12:37:05 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1698176224; x=1698781024; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=8Ki4dBF8BaWDNMrmPwUFVeFWMPnUYpqJL8ferYULPZk=; b=gFMaC9YWA/uys6bj+dE7XdpAeF9iXSa7XVCToDii95ilwETVjb8oCqzTLWXXX7xSUE IHzj68apnreWByu9dWm+lBhC8+XkwlDt2MonJCTLnh055CXQHoQwnKaJD8867xLQYR2t cvB5c4e/yzGRnhbWgokGsGzBW4CryzT3NHpZYsw+x7ctThwvVWKRpXohXq+4pajcQx7u D0pmuUb5APXGO+41ZceaDFq+HjRnWzilUYUcd6L2kbIeKwmtaHuYpqZVN0+WRxjAqn1w so/xQXuvTk1+C1qZpAbqC2ndPqKpmoCjd98OFH1W5TaWNbMz6SbC4a2daLPsJShX8jgs GWiA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1698176224; x=1698781024; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=8Ki4dBF8BaWDNMrmPwUFVeFWMPnUYpqJL8ferYULPZk=; b=VTTmZVnrMt1YoLnVAb7THy5qdSZXofbF2z+cA4rQAp2Ks/g+xgeJ8lkmtX/4Drk3uw nFXpMK4DGeoYXxONNCJRStfv4BARhDEuktYVSKuOBiUK8lQ6uh52g8wNEJLufuee+Yk5 ubqKhOyulqcAT4rNvJ13B0O4dMKaVsaly8LI9xKDES8Pn4r5fioVyhH1JwRh2EBhsWgK TIqc27gHvAny3cFWOoTJ0OpVhGrUdoAZ2ypPjpYJl/f+KjgcovM9pYjRrC8pL1DN5quA 5Z2PoN3tGJ0SzO+ZTq0uE94uk4cRoO0Dhc09IpS1Y8pY1CUu5pr7bC7Ho16AGTsFB3CA g1jw==
X-Gm-Message-State: AOJu0YzPkRe0B4fhr6Sr9Hpr6RJ6F8Al/Kiql7hqFvCpy7mgpNtTXT4l L9pOypIqCT/6BBghh7BiR7S312u6fx9IEFC8Xz7ksQtrRv0=
X-Google-Smtp-Source: AGHT+IFwvCN1l579ZNOivCdozArxuZ1z+h4JI/h+0v3X9oHm5Xh6GTEWpAtN4IlVzl2BHEz5fPDWwGt/VNCjULyQz4A=
X-Received: by 2002:a67:c10e:0:b0:457:c9d2:4624 with SMTP id d14-20020a67c10e000000b00457c9d24624mr12130187vsj.31.1698176224041; Tue, 24 Oct 2023 12:37:04 -0700 (PDT)
MIME-Version: 1.0
References: <CAM4esxRzTu=njLp7Uk=4AvObxD5j0FG1fQHKtoyDGFWF7q1jdg@mail.gmail.com> <BN8PR15MB3281FF073C549E3A39DD087BB3DBA@BN8PR15MB3281.namprd15.prod.outlook.com> <CAM4esxRKTNdGBpiO5_s33UikPnSG54K1dNKYua6_ca3f4jE2=A@mail.gmail.com> <BN8PR15MB32817A645AB33154DE9ACFFEB3DBA@BN8PR15MB3281.namprd15.prod.outlook.com> <CAM4esxSMEtExuW0WewKCjz3Xc+_pe7czdx_gRcqe7uqZJ8B8Rw@mail.gmail.com> <CAM4esxQf6T7G8TWLcKsF0=cEyvndN2HHK+D4s8EvOF+Z=gXbMQ@mail.gmail.com> <CAM4esxTwkE1wHwFuLDLx8h5qzRtWTFhfQgWgteWPSoTeEuQQuA@mail.gmail.com> <CAPDSy+7cPETw-CEd910AodgV3ADJuFsfDRi3FAxyY=pYVRoc-Q@mail.gmail.com> <CAM4esxShEYAgZ-LhVSPtdaajiAhRx99tj0ef-t+AmJGBiHMOOA@mail.gmail.com> <34F58C3B-7677-4974-8AB9-CDF011EABA1B@apple.com> <CAKcm_gNUriekTx7WdmD4yjrRABecvXLvyqr+wPdfOLYaS1RRww@mail.gmail.com> <CAM4esxQamgoBTKVnJ6XCxgKqmYCkyKa0=MuzjMhvMvVDYa0f-Q@mail.gmail.com> <CAPDSy+5geFuqEpKREbbr6AT3heU4EQcPVVEW4H3FhKGnk4E1-Q@mail.gmail.com>
In-Reply-To: <CAPDSy+5geFuqEpKREbbr6AT3heU4EQcPVVEW4H3FhKGnk4E1-Q@mail.gmail.com>
From: Martin Duke <martin.h.duke@gmail.com>
Date: Tue, 24 Oct 2023 12:36:51 -0700
Message-ID: <CAM4esxSMCk6+zT7_X=p498EnYY0foVMRhMXBA1eGdqTejo8jSw@mail.gmail.com>
To: David Schinazi <dschinazi.ietf@gmail.com>
Cc: Ian Swett <ianswett@google.com>, Tommy Pauly <tpauly@apple.com>, MASQUE <masque@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000099a34a06087b762a"
Archived-At: <https://mailarchive.ietf.org/arch/msg/masque/F_3cuAA01TW5xb4IHCw3cXjgnOA>
Subject: Re: [Masque] Forwarded Mode infinite loops
X-BeenThere: masque@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Multiplexed Application Substrate over QUIC Encryption <masque.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/masque>, <mailto:masque-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/masque/>
List-Post: <mailto:masque@ietf.org>
List-Help: <mailto:masque-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/masque>, <mailto:masque-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 24 Oct 2023 19:37:09 -0000

That is pretty much a photo of my whiteboard when crafting the
original email!

ISTM the design has to give up on one of three principles and/or
operational degrees of freedom:
(1) Receiver picks its connection ID.
(2) Proxies don't need to use server preferred address to use this feature
(3) Proxies don't have to open a new target-facing UDP socket for each
CONNECT (unlike CONNECT-UDP!)

IIUC you are proposing eliminating (2), which to me sounds like the biggest
constraint to add. But you guys are the authors, so do what you think is
best.

I also have a sense that (2) is a point solution to the only attack someone
has managed to assemble, and that other problems of this nature are out
there. But that's just conjecture at this point.

Martin

On Tue, Oct 24, 2023 at 11:52 AM David Schinazi <dschinazi.ietf@gmail.com>
wrote:

> re: Martin and Tommy, thanks for the clarification about ingress vs egress
> - that's super helpful. My whiteboard was starting to look like this:
>
> https://i.kym-cdn.com/entries/icons/original/000/022/524/pepe_silvia_meme_banner.jpg
>

At a more fundamental level, the issue stems from the fact that we're
> breaking one of the rules of QUIC. In QUIC, the general mindset is that the
> receiver of a Destination Connection ID is the one that picks this CID. The
> draft violates that in a few ways:
> * The Client Connection ID is picked by the client even though it's
> received by the proxy egress. This one's OK because the proxy gets to
> accept or reject the proposed CID.
> * The Target Connection ID is picked by the target, but communicated to
> the proxy by the client, so the client could lie. I haven't been able to
> mount an attack using that fact though.
> * The Virtual Client CID is picked by the client. That's perfectly fine in
> a single instance of this draft, but once you chain two of these
> (C-P1-P2-T) then the client gets to pick the Virtual Client CID that P2
> sends to P1. This is the one that causes the attack here, Client is picking
> a CID that P1 receives.
>
> I'm not sure that having the proxy pick the Virtual Client CID is a good
> fix here because that also violates the QUIC rule of receiver picks CIDs
> and could lead to other issues where the proxy is the attacker.
>


>
> A mitigation we've discussed is the fact that the proxy could look at the
> target ingress IP when routing. That breaks when multiple proxies share an
> ingress IP. Perhaps we can prevent that by requiring something similar to
> server preferred address where the proxy can only use forwarded mode on an
> ingress IP that is unique to them?
>


>
> David
>
> On Tue, Oct 24, 2023 at 9:57 AM Martin Duke <martin.h.duke@gmail.com>
> wrote:
>
>> That's a good question!
>>
>> IIUC, CONNECT-IP does decrement the TTL, but CONNECT-UDP does not because
>> it is not preserving the IP header (The CONNECT-IP draft mentions TTL and
>> CONNECT-UDP does not). The quic-proxy draft doesn't say anything about
>> this, so I imagine that rule still applies.
>>
>> On Tue, Oct 24, 2023 at 6:43 AM Ian Swett <ianswett@google.com> wrote:
>>
>>> I assume each hop would decrement the TTL?  If so, wouldn't this be a
>>> loop, but not infinite?
>>>
>>> Ian
>>>
>>> On Mon, Oct 23, 2023, 11:01 PM Tommy Pauly <tpauly=
>>> 40apple.com@dmarc.ietf.org> wrote:
>>>
>>>> It was useful for me to draw this out in (unnecessary) detail to show
>>>> how this only needs the ingress IP to be shared, not the egress IP.
>>>>
>>>> To help go through this, let me fill in the example you gave with more
>>>> details about IPs and ports — since the forwarding mappings depend on these
>>>> “sockets”.
>>>>
>>>> Let’s start with a case where the addresses aren’t being shared.
>>>>
>>>> *C *has address 1111::1
>>>> *P1* has ingress address 2222::2, and egress address 3333::3
>>>> *P2* has ingress address 4444::4, and egress address 5555::5
>>>> *P3* has ingress address 6666::6, and egress address 7777::7
>>>> *T* has ingress address 8888::8
>>>>
>>>> *C *is set up to receive CID4 on 1111::1 port 10000 from 2222::2 port
>>>> 443
>>>> *P1 *is set up to receive CID3 on 3333::3 port 20000 from 4444::4 port
>>>> 443, and forward it as CID4 to 1111::1 port 10000 from 2222::2 port 443
>>>> *P2 *is set up to receive CID2 on 5555::5 port 30000 from 2222::2 port
>>>> 443, and forward it as CID3 to 3333::3 port 20000 from 4444::4 port 443
>>>> *P1 *is set up to receive CID1 on 3333::3 port 40000 from 6666::6 port
>>>> 443, and forward it as CID2 to 5555::5 port 30000 from 2222::2 port 443
>>>> *P3 *is set up to receive CID0 on 7777::7 port 50000 from 8888::8 port
>>>> 443, and forward it as CID1 to 3333::3 port 40000 from 6666::6 port 443
>>>> *T *sends using CID0 to 7777::7 port 50000 from 8888::8 port 443
>>>>
>>>> In this case, since there is no address sharing, if the client tells
>>>> *P2* to instead map from (CID2 on 5555::5 port 30000 from 2222::2 port
>>>> 443) to (CID1 to 3333::3 port 20000 from 4444::4 port 443), the
>>>> connection will break, but there will be no loop, since *P1* won’t
>>>> allow receiving CID1 on that socket.
>>>>
>>>>
>>>> Then, let’s explore the case of shared addresses. If we only have P2
>>>> and P3 share an ingress VIP, and P1 reuses sockets on egress, we have the
>>>> following:
>>>>
>>>> *C *has address 1111::1
>>>> *P1* has ingress address 2222::2, and egress address 3333::3
>>>> *P2* has ingress address 4444::4, and egress address 5555::5
>>>> *P3* has ingress address 4444::4, and egress address 7777::7
>>>> *T* has ingress address 8888::8
>>>>
>>>> *C *is set up to receive CID4 on 1111::1 port 10000 from 2222::2 port
>>>> 443
>>>> *P1 *is set up to receive CID3 on 3333::3 port 20000 from 4444::4 port
>>>> 443, and forward it as CID4 to 1111::1 port 10000 from 2222::2 port 443
>>>> *P2 *is set up to receive CID2 on 5555::5 port 30000 from 2222::2 port
>>>> 443, and forward it as CID3 to 3333::3 port 20000 from 4444::4 port 443
>>>> *P1 *is set up to receive CID1 on 3333::3 port 20000 from 4444::4 port
>>>> 443, and forward it as CID2 to 5555::5 port 30000 from 2222::2 port 443
>>>> *P3 *is set up to receive CID0 on 7777::7 port 50000 from 8888::8 port
>>>> 443, and forward it as CID1 to 3333::3 port 20000 from 4444::4 port 443
>>>> *T *sends using CID0 to 7777::7 port 50000 from 8888::8 port 443
>>>>
>>>> Then, if the client tells *P2* to instead map from (CID2 on 5555::5
>>>> port 30000 from 2222::2 port 443) to (CID1 to 3333::3 port 20000 from
>>>> 4444::4 port 443), the loop occurs because there are two mappings for
>>>> receiving on *P1 *that differ only in CID.
>>>>
>>>> Tommy
>>>>
>>>> On Oct 23, 2023, at 7:08 PM, Martin Duke <martin.h.duke@gmail.com>
>>>> wrote:
>>>>
>>>> The reason I put in the point about VIPs is that P1 cannot distinguish
>>>> between a packet from P2 and P3 if they share an ingress VIP
>>>>
>>>> If they're from different IP addresses it's sufficient for P1 to check
>>>> the source IP of packets arriving from the target
>>>>
>>>> Does that answer your question?
>>>>
>>>>
>>>> On Mon, Oct 23, 2023, 18:34 David Schinazi <dschinazi.ietf@gmail.com>
>>>> wrote:
>>>>
>>>>> Hi Martin,
>>>>>
>>>>> I don't understand how the fact that P2 and P3 share a VIP impacts the
>>>>> attack. Thinking about this some more, maybe the issue is that we mean
>>>>> different things when we say VIP? In my mind:
>>>>>
>>>>> * a "VIP" is an (IP address, UDP port) tuple. The V stands for virtual
>>>>> in the
>>>>>   sense that two separate servers can both have the same IP due to
>>>>> anycast.
>>>>>
>>>>> * an "ingress VIP" is the VIP that the client sends packets to. In the
>>>>> document
>>>>>   this is called a "client-facing socket".
>>>>>
>>>>> * an "egress VIP" is the VIP that the target sends packets to. In the
>>>>> document
>>>>>   this is called a "target-facing socket".
>>>>>
>>>>> Ingress VIPs are very common in practice. Many CDNs will use anycast
>>>>> and
>>>>> have an ingress VIP that represents a fleet of frontends. Egress VIPs
>>>>> however,
>>>>> don't make any sense to me, because you'd never want anycast on egress
>>>>> IPs.
>>>>>
>>>>> Could you help reframe the P2/P3 shared VIP point in terms of ingress
>>>>> and
>>>>> egress VIPs please?
>>>>>
>>>>> Thanks,
>>>>> David
>>>>>
>>>>>
>>>>> On Fri, Oct 20, 2023 at 3:00 PM Martin Duke <martin.h.duke@gmail.com>
>>>>> wrote:
>>>>>
>>>>>> As I continue to think about this, I'm not sure that
>>>>>> authentication even solves the problem. The client could authenticate with
>>>>>> each client, sure, but to P1, P2 and P3 are essentially targets. Targets,
>>>>>> obviously will not do anything special just because this is a connection
>>>>>> over MASQUE, so there cannot be a special mechanism for P1 to verify
>>>>>> authenticity of packets from the target, unless it has the target-client
>>>>>> session keys.
>>>>>>
>>>>>> On Fri, Oct 20, 2023 at 12:14 PM Martin Duke <martin.h.duke@gmail.com>
>>>>>> wrote:
>>>>>>
>>>>>>> I should add that another way to thwart this attack is to require
>>>>>>> the proxy to open a new target-facing socket for every client request. Then
>>>>>>> the packet incoming to P1 would be disambiguated by the destination
>>>>>>> IP/port. Not opening a new socket is currently allowed in the spec, which
>>>>>>> IIUC is a change from CONNECT-UDP.
>>>>>>>
>>>>>>> So the proxy vulnerability occurs if
>>>>>>> (1) P2/P3 share a VIP,
>>>>>>> (2) P1 is not load balanced, so that the attacker can directly
>>>>>>> target it, and
>>>>>>> (3) P1 is not opening unique target-facing sockets for each request,
>>>>>>> even though the target IP/port are the same.
>>>>>>>
>>>>>>> On Fri, Oct 20, 2023 at 11:56 AM Martin Duke <
>>>>>>> martin.h.duke@gmail.com> wrote:
>>>>>>>
>>>>>>>> Forwarded packets from the client SHOULD count. The draft is silent
>>>>>>>> about forwarded packets from the target.
>>>>>>>>
>>>>>>>> But fair enough, the client needs to do just enough to keep it
>>>>>>>> alive.
>>>>>>>>
>>>>>>>> On Fri, Oct 20, 2023 at 11:15 AM Ben Schwartz <bemasc@meta.com>
>>>>>>>> wrote:
>>>>>>>>
>>>>>>>>> I'm not sure the client can actually "go away".  If the HTTP
>>>>>>>>> connection ends, the forwarding sessions will also end, so this can be
>>>>>>>>> addressed by setting a QUIC max_idle_timeout.
>>>>>>>>>
>>>>>>>>> This assumes that forwarded packets don't count toward the idle
>>>>>>>>> timeout, which they shouldn't.  We might need to say that in the draft.
>>>>>>>>>
>>>>>>>>> --Ben
>>>>>>>>> ------------------------------
>>>>>>>>> *From:* Masque <masque-bounces@ietf.org> on behalf of Martin Duke
>>>>>>>>> <martin.h.duke@gmail.com>
>>>>>>>>> *Sent:* Friday, October 20, 2023 1:47 PM
>>>>>>>>> *To:* Ben Schwartz <bemasc@meta.com>
>>>>>>>>> *Cc:* MASQUE <masque@ietf.org>
>>>>>>>>> *Subject:* Re: [Masque] Forwarded Mode infinite loops
>>>>>>>>>
>>>>>>>>> Ben, Replies inline. On Fri, Oct 20, 2023 at 9: 53 AM Ben Schwartz
>>>>>>>>> <bemasc@ meta. com> wrote: Loops! This is a fun attack. It seems
>>>>>>>>> like there are probably lots of loopy configurations if you have access to
>>>>>>>>> two or more proxies. Most of the
>>>>>>>>> Ben,
>>>>>>>>>
>>>>>>>>> Replies inline.
>>>>>>>>>
>>>>>>>>> On Fri, Oct 20, 2023 at 9:53 AM Ben Schwartz <bemasc@meta.com>
>>>>>>>>> wrote:
>>>>>>>>>
>>>>>>>>> Loops!  This is a fun attack.  It seems like there are probably
>>>>>>>>> lots of loopy configurations if you have access to two or more proxies.
>>>>>>>>>
>>>>>>>>> Most of the encryption discussion for forwarded mode has focused
>>>>>>>>> on unauthenticated encryption, which wouldn't help here.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> I have not seen a written proposal in this space, but if the
>>>>>>>>> encryption scheme has no authentication properties it doesn't mitigate
>>>>>>>>> pretty basic DoS attacks. Perhaps this attack creates a new design
>>>>>>>>> requirement for encryption?
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Changing who chooses the Connection IDs could help, but
>>>>>>>>> proxy-chosen CIDs are not necessarily high entropy, so there's no clear
>>>>>>>>> guarantee.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> IIUC your contention is that this arises when P3 and P2 both
>>>>>>>>> happen to select CID1 as the virtual connection ID. A well-intentioned
>>>>>>>>> client would therefore register CID1 to P1 twice, and P1 would reject it as
>>>>>>>>> a duplicate in one of those instances, avoiding a loop.
>>>>>>>>>
>>>>>>>>> However, a malicious client could note the conflict and just
>>>>>>>>> register CID3 to P1 instead, creating the same attack.
>>>>>>>>>
>>>>>>>>> I do think that if we try to fix this with proxy-chooses, there
>>>>>>>>> need to be some minimum size limits to avoid this kind of thing. If CIDs
>>>>>>>>> are 64 bits (or even 32!) I feel pretty good about this not being an
>>>>>>>>> exploitable attack.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Ultimately, I'm not sure this matters.  A hostile client can
>>>>>>>>> impose pretty much arbitrarily amplified load on the forwarder anyway, e.g.
>>>>>>>>> by downloading a large file and forging ACKs to dropped packets so that
>>>>>>>>> congestion control ramps up to infinity.  Forwarders will need defenses to
>>>>>>>>> rate-limit or cap abusive clients.  That said, it's probably worth fixing
>>>>>>>>> if there's an easy solution.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> I agree there are other attacks -- in fact, I have other
>>>>>>>>> amplification attacks in mind, which will write about another day.
>>>>>>>>>
>>>>>>>>> What is particularly pernicious about this attack is that a single
>>>>>>>>> attacker packet results in infinity packets in the proxy path. This flow
>>>>>>>>> can be "rate limited" but the client can go away and this persists forever.
>>>>>>>>>
>>>>>>>>> Buit
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> --Ben
>>>>>>>>> ------------------------------
>>>>>>>>> *From:* Masque <masque-bounces@ietf.org> on behalf of Martin Duke
>>>>>>>>> <martin.h.duke@gmail.com>
>>>>>>>>> *Sent:* Wednesday, October 18, 2023 5:25 PM
>>>>>>>>> *To:* MASQUE <masque@ietf.org>
>>>>>>>>> *Subject:* [Masque] Forwarded Mode infinite loops
>>>>>>>>>
>>>>>>>>> Hello MASQUE, (with no hats on) I was playing with some annoying
>>>>>>>>> but manageable amplification attacks on CONNECT-UDP forwarding mode. Those
>>>>>>>>> will have to wait for another day, because the current draft has a fatal
>>>>>>>>> vulnerability, though one that
>>>>>>>>> Hello MASQUE,
>>>>>>>>>
>>>>>>>>> (with no hats on)
>>>>>>>>>
>>>>>>>>> I was playing with some annoying but manageable amplification
>>>>>>>>> attacks on CONNECT-UDP forwarding mode. Those will have to wait for another
>>>>>>>>> day, because the current draft has a fatal vulnerability, though one that
>>>>>>>>> we can fix pretty easily.
>>>>>>>>>
>>>>>>>>> If I've gotten something incorrect, please say so! It wouldn't be
>>>>>>>>> the first time.
>>>>>>>>>
>>>>>>>>> Recall that for forwarded mode, clients notify the proxy of the
>>>>>>>>> connection ID they are advertising to the target, and in the same
>>>>>>>>> capsule propose a "virtual connection ID" for use on the proxy-client path.
>>>>>>>>> (IIUC, this virtual CID is to prevent association of the packets on either
>>>>>>>>> end of the proxy).
>>>>>>>>>
>>>>>>>>> I reiterate that we are talking about the CLIENT connection ID and
>>>>>>>>> its virtual counterparts, not the target.
>>>>>>>>>
>>>>>>>>> Consider the following very stupid topology that a client C could
>>>>>>>>> construct to target T via various proxies. Crucially, P2 and P3 are from
>>>>>>>>> the same provider and share a VIP.* This wrinkle eliminates some really
>>>>>>>>> simple mitigations for what I'm about to describe.
>>>>>>>>>
>>>>>>>>> C -> P1 -> P2 -> P1 -> P3 ->  T
>>>>>>>>>
>>>>>>>>> An otherwise well-intentioned client would advertise client
>>>>>>>>> Connection ID CID0 to T, and via REGISTER_CLIENT_CID capsules might set up
>>>>>>>>> the rest like so:
>>>>>>>>>
>>>>>>>>> Nodes        C     P1     P2    P1    P3     T
>>>>>>>>> CID on wire    CID4   CID3  CID2  CID1   CID0
>>>>>>>>>
>>>>>>>>> So far, so good. A packet that leaves T will be destined for CID0.
>>>>>>>>> The destination CID will be rewritten in turn, arriving at C with CID4.
>>>>>>>>>
>>>>>>>>> However, a malicious client can register CIDs with the proxies as
>>>>>>>>> follows:
>>>>>>>>> Nodes        C     P1            P2      P1      P3     T
>>>>>>>>> CID on wire    CID4   CID3 / CID1    CID2    CID1   CID0
>>>>>>>>>
>>>>>>>>> The only change is that P2 is "incorrectly" configured by the
>>>>>>>>> client to rewrite incoming CID2 as CID1. As far as P2 is concerned,
>>>>>>>>> everything is seems legit unless it is sharing enormous amounts of CID
>>>>>>>>> state with its partner P3. Everything else is unchanged.
>>>>>>>>>
>>>>>>>>> Thus, a packet leaving T with CID0 will be rewritten to CID1 and
>>>>>>>>> routed to P1;  P1 will then route it to P2 with CID2. Then that gets routed
>>>>>>>>> back to P1 with CID1, and the P1-P2-P1 loop continues to infinity. The
>>>>>>>>> attacker can put as many proxy hops as it likes in that chain.
>>>>>>>>>
>>>>>>>>> There are a few pretty simple things that can break this doom loop.
>>>>>>>>> - Do encryption at each MASQUE hop, as previously proposed. This
>>>>>>>>> verifies the previous hop of the packet and drops those where the CID does
>>>>>>>>> not have the correct origin.
>>>>>>>>> - Have the proxy provide the virtual CID instead of the client.
>>>>>>>>> Client control is the root of these problems.
>>>>>>>>> - Eliminate virtual client CIDs and just take the L on linkability
>>>>>>>>> in that case
>>>>>>>>>
>>>>>>>>> Martin
>>>>>>>>>
>>>>>>>>> * Interestingly, this attack requires at least one proxy in the
>>>>>>>>> path (P1 in this case) to not be load balanced or have an easily
>>>>>>>>> manipulated load balancer, so that two QUIC connection attempts can with
>>>>>>>>> high probability go to the same device.
>>>>>>>>>
>>>>>>>>> --
>>>>>> Masque mailing list
>>>>>> Masque@ietf.org
>>>>>> https://www.ietf.org/mailman/listinfo/masque
>>>>>>
>>>>> --
>>>> Masque mailing list
>>>> Masque@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/masque
>>>>
>>>>
>>>> --
>>>> Masque mailing list
>>>> Masque@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/masque
>>>>
>>>

v2.23.0 | Report a Bug | By Email