Re: [Masque] Forwarded Mode infinite loops
Alex Chernyakhovsky <achernya@google.com> Wed, 25 October 2023 19:46 UTC
Return-Path: <achernya@google.com>
X-Original-To: masque@ietfa.amsl.com
Delivered-To: masque@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7BB7BC131921 for <masque@ietfa.amsl.com>; Wed, 25 Oct 2023 12:46:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -17.606
X-Spam-Level:
X-Spam-Status: No, score=-17.606 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, ENV_AND_HDR_SPF_MATCH=-0.5, HTML_FONT_LOW_CONTRAST=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001, USER_IN_DEF_DKIM_WL=-7.5, USER_IN_DEF_SPF_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id eynlrSkKCjUK for <masque@ietfa.amsl.com>; Wed, 25 Oct 2023 12:46:40 -0700 (PDT)
Received: from mail-vs1-xe33.google.com (mail-vs1-xe33.google.com [IPv6:2607:f8b0:4864:20::e33]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 326BEC151534 for <masque@ietf.org>; Wed, 25 Oct 2023 12:46:40 -0700 (PDT)
Received: by mail-vs1-xe33.google.com with SMTP id ada2fe7eead31-457dc26ec2eso80145137.1 for <masque@ietf.org>; Wed, 25 Oct 2023 12:46:40 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20230601; t=1698263199; x=1698867999; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=xl/nbSa+w2bLhbu5Nj7Xq2zC1/FpZ/ONc6mhqxAWPnQ=; b=HN5GZH/ck0BmNzlZS7E+GQwuOmcE4WsXTz77dKkjqVAbOkO+koXXmzaZiZPp0aYy9e BfbMaXUdOhHiBvPR387vnsGwuKj2R8WgK089ETTt6yEnkhgPnQbnLnLpp6OpEZMYAJGS oSAjA8lrsAxIWe336iA/w7NaJX8UhonOclyDpqui6XTj4aGRWr0vH12FcdgU28dhZs/q ZQEkrT9YU7cl3D/wR+0DwlX/B406hPNSbSnoipt/Ce7CxWmxNoJzuYnK86CKtcgqgMSH 295VnAkr6sSw6Vu+QAndnluNzzg5OD5poUZS7OqSGx83InWks3bD+1Yk7eSfNhOYNRZn 1QMQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1698263199; x=1698867999; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=xl/nbSa+w2bLhbu5Nj7Xq2zC1/FpZ/ONc6mhqxAWPnQ=; b=mKc1Yqy3YySr06SCTkCxbKkw4ZwIWceaUjk4/RZXH90oB2XW92644r/tQFJHeMYQS5 7KOZQQtEFo0Kqx7IhU4bfnHS9jV7N/PCAnet53jpVs6d8yxa55kiX8DsrCw5cEvvD78L cJX2gyusMjMRDzBNJaBWIMhJ1Lp8iZ3+LV2Rl9x50E/rbWqmwu2COhnBXx0U2rOCvq1Z zFR90Bl3hYpAsjR0IP+V5JZ0PJn7Oa1b5/VjMMD4rUKPwhPm4JevJJ2Ok/Av1j1o4a86 /ITHU8iW0lvS3r2GLU6rBL6TcLsqAQzPlEj2VWXwX+/K3xQuaK9Dwn6sYFTCiccawSZe 6nAA==
X-Gm-Message-State: AOJu0Yx6dU2PeuUDyFnyS5TD6JlYLyhTy322gn8ynB+1Kffmvv0u9MP9 dv8awrzP0zClsbS4/h6P3GsdQPCAUAGBaTmM/679jw==
X-Google-Smtp-Source: AGHT+IHWracwgDAz0WFpmaDOM6q/bGslNGvbHc1cjCs6cWKg395g4yGv+LUQ+nUHwoJQ7G+3But+lN5tqAO3C58Cz5g=
X-Received: by 2002:a05:6102:4719:b0:457:cc32:39c6 with SMTP id ei25-20020a056102471900b00457cc3239c6mr16138018vsb.16.1698263198898; Wed, 25 Oct 2023 12:46:38 -0700 (PDT)
MIME-Version: 1.0
References: <CAM4esxRzTu=njLp7Uk=4AvObxD5j0FG1fQHKtoyDGFWF7q1jdg@mail.gmail.com> <BN8PR15MB3281FF073C549E3A39DD087BB3DBA@BN8PR15MB3281.namprd15.prod.outlook.com> <CAM4esxRKTNdGBpiO5_s33UikPnSG54K1dNKYua6_ca3f4jE2=A@mail.gmail.com> <BN8PR15MB32817A645AB33154DE9ACFFEB3DBA@BN8PR15MB3281.namprd15.prod.outlook.com> <CAM4esxSMEtExuW0WewKCjz3Xc+_pe7czdx_gRcqe7uqZJ8B8Rw@mail.gmail.com> <CAM4esxQf6T7G8TWLcKsF0=cEyvndN2HHK+D4s8EvOF+Z=gXbMQ@mail.gmail.com> <CAM4esxTwkE1wHwFuLDLx8h5qzRtWTFhfQgWgteWPSoTeEuQQuA@mail.gmail.com> <CAPDSy+7cPETw-CEd910AodgV3ADJuFsfDRi3FAxyY=pYVRoc-Q@mail.gmail.com> <CAM4esxShEYAgZ-LhVSPtdaajiAhRx99tj0ef-t+AmJGBiHMOOA@mail.gmail.com> <34F58C3B-7677-4974-8AB9-CDF011EABA1B@apple.com> <CAKcm_gNUriekTx7WdmD4yjrRABecvXLvyqr+wPdfOLYaS1RRww@mail.gmail.com> <CAM4esxQamgoBTKVnJ6XCxgKqmYCkyKa0=MuzjMhvMvVDYa0f-Q@mail.gmail.com> <CAPDSy+5geFuqEpKREbbr6AT3heU4EQcPVVEW4H3FhKGnk4E1-Q@mail.gmail.com> <CAM4esxSMCk6+zT7_X=p498EnYY0foVMRhMXBA1eGdqTejo8jSw@mail.gmail.com>
In-Reply-To: <CAM4esxSMCk6+zT7_X=p498EnYY0foVMRhMXBA1eGdqTejo8jSw@mail.gmail.com>
From: Alex Chernyakhovsky <achernya@google.com>
Date: Wed, 25 Oct 2023 15:46:22 -0400
Message-ID: <CAHbWFkT_A7KHAiMnTPdgMiZFA5tEv9FWKekeHKQX_04nWwZHEw@mail.gmail.com>
To: Martin Duke <martin.h.duke@gmail.com>
Cc: David Schinazi <dschinazi.ietf@gmail.com>, Ian Swett <ianswett@google.com>, Tommy Pauly <tpauly@apple.com>, MASQUE <masque@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000b5353806088fb6bf"
Archived-At: <https://mailarchive.ietf.org/arch/msg/masque/H1ieQ9SRa5rg47fRUpwzNQ353-E>
Subject: Re: [Masque] Forwarded Mode infinite loops
X-BeenThere: masque@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Multiplexed Application Substrate over QUIC Encryption <masque.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/masque>, <mailto:masque-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/masque/>
List-Post: <mailto:masque@ietf.org>
List-Help: <mailto:masque-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/masque>, <mailto:masque-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 25 Oct 2023 19:46:44 -0000
I chatted with David about this earlier today to better understand the problem and proposed solution, and one of the conclusions I left the discussion with is that Ian's point about decrementing the TTL is Necessary, but possibly not Sufficient, mitigation. It does mean that a straightforward software implementation of the proxy doing recvmsg(); sendmsg(); is insecure, and you need to do the appropriate setsockopts to IP_RECVTTL / set IP_TTL on each outgoing packet to turn the loop from infinite to finite. However, the thing that I find ideologically unsatisfying is that this does nothing to mitigate the case where the Target is turned into a confused-deputy to send unwanted traffic to a given client, because there's no way for the final egressing proxy (P1) to be sure the client used a chosen connection ID that does not conflict/overlap. It seems like we need to consider a QUIC-level feature to perhaps make this possible/mandatory to prevent this class of attack. I don't think that's possible to do with QUIC as formulated today and would probably require some changes. Sincerely, -Alex On Tue, Oct 24, 2023 at 3:37 PM Martin Duke <martin.h.duke@gmail.com> wrote: > That is pretty much a photo of my whiteboard when crafting the > original email! > > ISTM the design has to give up on one of three principles and/or > operational degrees of freedom: > (1) Receiver picks its connection ID. > (2) Proxies don't need to use server preferred address to use this feature > (3) Proxies don't have to open a new target-facing UDP socket for each > CONNECT (unlike CONNECT-UDP!) > > IIUC you are proposing eliminating (2), which to me sounds like the > biggest constraint to add. But you guys are the authors, so do what you > think is best. > > I also have a sense that (2) is a point solution to the only attack > someone has managed to assemble, and that other problems of this nature are > out there. But that's just conjecture at this point. > > Martin > > On Tue, Oct 24, 2023 at 11:52 AM David Schinazi <dschinazi.ietf@gmail.com> > wrote: > >> re: Martin and Tommy, thanks for the clarification about ingress vs >> egress - that's super helpful. My whiteboard was starting to look like this: >> >> https://i.kym-cdn.com/entries/icons/original/000/022/524/pepe_silvia_meme_banner.jpg >> > > At a more fundamental level, the issue stems from the fact that we're >> breaking one of the rules of QUIC. In QUIC, the general mindset is that the >> receiver of a Destination Connection ID is the one that picks this CID. The >> draft violates that in a few ways: >> * The Client Connection ID is picked by the client even though it's >> received by the proxy egress. This one's OK because the proxy gets to >> accept or reject the proposed CID. >> * The Target Connection ID is picked by the target, but communicated to >> the proxy by the client, so the client could lie. I haven't been able to >> mount an attack using that fact though. >> * The Virtual Client CID is picked by the client. That's perfectly fine >> in a single instance of this draft, but once you chain two of these >> (C-P1-P2-T) then the client gets to pick the Virtual Client CID that P2 >> sends to P1. This is the one that causes the attack here, Client is picking >> a CID that P1 receives. >> >> I'm not sure that having the proxy pick the Virtual Client CID is a good >> fix here because that also violates the QUIC rule of receiver picks CIDs >> and could lead to other issues where the proxy is the attacker. >> > > >> >> A mitigation we've discussed is the fact that the proxy could look at the >> target ingress IP when routing. That breaks when multiple proxies share an >> ingress IP. Perhaps we can prevent that by requiring something similar to >> server preferred address where the proxy can only use forwarded mode on an >> ingress IP that is unique to them? >> > > >> >> David >> >> On Tue, Oct 24, 2023 at 9:57 AM Martin Duke <martin.h.duke@gmail.com> >> wrote: >> >>> That's a good question! >>> >>> IIUC, CONNECT-IP does decrement the TTL, but CONNECT-UDP does not >>> because it is not preserving the IP header (The CONNECT-IP draft mentions >>> TTL and CONNECT-UDP does not). The quic-proxy draft doesn't say >>> anything about this, so I imagine that rule still applies. >>> >>> On Tue, Oct 24, 2023 at 6:43 AM Ian Swett <ianswett@google.com> wrote: >>> >>>> I assume each hop would decrement the TTL? If so, wouldn't this be a >>>> loop, but not infinite? >>>> >>>> Ian >>>> >>>> On Mon, Oct 23, 2023, 11:01 PM Tommy Pauly <tpauly= >>>> 40apple.com@dmarc.ietf.org> wrote: >>>> >>>>> It was useful for me to draw this out in (unnecessary) detail to show >>>>> how this only needs the ingress IP to be shared, not the egress IP. >>>>> >>>>> To help go through this, let me fill in the example you gave with more >>>>> details about IPs and ports — since the forwarding mappings depend on these >>>>> “sockets”. >>>>> >>>>> Let’s start with a case where the addresses aren’t being shared. >>>>> >>>>> *C *has address 1111::1 >>>>> *P1* has ingress address 2222::2, and egress address 3333::3 >>>>> *P2* has ingress address 4444::4, and egress address 5555::5 >>>>> *P3* has ingress address 6666::6, and egress address 7777::7 >>>>> *T* has ingress address 8888::8 >>>>> >>>>> *C *is set up to receive CID4 on 1111::1 port 10000 from 2222::2 port >>>>> 443 >>>>> *P1 *is set up to receive CID3 on 3333::3 port 20000 from 4444::4 >>>>> port 443, and forward it as CID4 to 1111::1 port 10000 from 2222::2 >>>>> port 443 >>>>> *P2 *is set up to receive CID2 on 5555::5 port 30000 from 2222::2 >>>>> port 443, and forward it as CID3 to 3333::3 port 20000 from 4444::4 >>>>> port 443 >>>>> *P1 *is set up to receive CID1 on 3333::3 port 40000 from 6666::6 >>>>> port 443, and forward it as CID2 to 5555::5 port 30000 from 2222::2 >>>>> port 443 >>>>> *P3 *is set up to receive CID0 on 7777::7 port 50000 from 8888::8 >>>>> port 443, and forward it as CID1 to 3333::3 port 40000 from 6666::6 >>>>> port 443 >>>>> *T *sends using CID0 to 7777::7 port 50000 from 8888::8 port 443 >>>>> >>>>> In this case, since there is no address sharing, if the client tells >>>>> *P2* to instead map from (CID2 on 5555::5 port 30000 from 2222::2 >>>>> port 443) to (CID1 to 3333::3 port 20000 from 4444::4 port 443), the >>>>> connection will break, but there will be no loop, since *P1* won’t >>>>> allow receiving CID1 on that socket. >>>>> >>>>> >>>>> Then, let’s explore the case of shared addresses. If we only have P2 >>>>> and P3 share an ingress VIP, and P1 reuses sockets on egress, we have the >>>>> following: >>>>> >>>>> *C *has address 1111::1 >>>>> *P1* has ingress address 2222::2, and egress address 3333::3 >>>>> *P2* has ingress address 4444::4, and egress address 5555::5 >>>>> *P3* has ingress address 4444::4, and egress address 7777::7 >>>>> *T* has ingress address 8888::8 >>>>> >>>>> *C *is set up to receive CID4 on 1111::1 port 10000 from 2222::2 port >>>>> 443 >>>>> *P1 *is set up to receive CID3 on 3333::3 port 20000 from 4444::4 >>>>> port 443, and forward it as CID4 to 1111::1 port 10000 from 2222::2 >>>>> port 443 >>>>> *P2 *is set up to receive CID2 on 5555::5 port 30000 from 2222::2 >>>>> port 443, and forward it as CID3 to 3333::3 port 20000 from 4444::4 >>>>> port 443 >>>>> *P1 *is set up to receive CID1 on 3333::3 port 20000 from 4444::4 >>>>> port 443, and forward it as CID2 to 5555::5 port 30000 from 2222::2 >>>>> port 443 >>>>> *P3 *is set up to receive CID0 on 7777::7 port 50000 from 8888::8 >>>>> port 443, and forward it as CID1 to 3333::3 port 20000 from 4444::4 >>>>> port 443 >>>>> *T *sends using CID0 to 7777::7 port 50000 from 8888::8 port 443 >>>>> >>>>> Then, if the client tells *P2* to instead map from (CID2 on 5555::5 >>>>> port 30000 from 2222::2 port 443) to (CID1 to 3333::3 port 20000 from >>>>> 4444::4 port 443), the loop occurs because there are two mappings for >>>>> receiving on *P1 *that differ only in CID. >>>>> >>>>> Tommy >>>>> >>>>> On Oct 23, 2023, at 7:08 PM, Martin Duke <martin.h.duke@gmail.com> >>>>> wrote: >>>>> >>>>> The reason I put in the point about VIPs is that P1 cannot distinguish >>>>> between a packet from P2 and P3 if they share an ingress VIP >>>>> >>>>> If they're from different IP addresses it's sufficient for P1 to check >>>>> the source IP of packets arriving from the target >>>>> >>>>> Does that answer your question? >>>>> >>>>> >>>>> On Mon, Oct 23, 2023, 18:34 David Schinazi <dschinazi.ietf@gmail.com> >>>>> wrote: >>>>> >>>>>> Hi Martin, >>>>>> >>>>>> I don't understand how the fact that P2 and P3 share a VIP impacts the >>>>>> attack. Thinking about this some more, maybe the issue is that we mean >>>>>> different things when we say VIP? In my mind: >>>>>> >>>>>> * a "VIP" is an (IP address, UDP port) tuple. The V stands for >>>>>> virtual in the >>>>>> sense that two separate servers can both have the same IP due to >>>>>> anycast. >>>>>> >>>>>> * an "ingress VIP" is the VIP that the client sends packets to. In >>>>>> the document >>>>>> this is called a "client-facing socket". >>>>>> >>>>>> * an "egress VIP" is the VIP that the target sends packets to. In the >>>>>> document >>>>>> this is called a "target-facing socket". >>>>>> >>>>>> Ingress VIPs are very common in practice. Many CDNs will use anycast >>>>>> and >>>>>> have an ingress VIP that represents a fleet of frontends. Egress VIPs >>>>>> however, >>>>>> don't make any sense to me, because you'd never want anycast on >>>>>> egress IPs. >>>>>> >>>>>> Could you help reframe the P2/P3 shared VIP point in terms of ingress >>>>>> and >>>>>> egress VIPs please? >>>>>> >>>>>> Thanks, >>>>>> David >>>>>> >>>>>> >>>>>> On Fri, Oct 20, 2023 at 3:00 PM Martin Duke <martin.h.duke@gmail.com> >>>>>> wrote: >>>>>> >>>>>>> As I continue to think about this, I'm not sure that >>>>>>> authentication even solves the problem. The client could authenticate with >>>>>>> each client, sure, but to P1, P2 and P3 are essentially targets. Targets, >>>>>>> obviously will not do anything special just because this is a connection >>>>>>> over MASQUE, so there cannot be a special mechanism for P1 to verify >>>>>>> authenticity of packets from the target, unless it has the target-client >>>>>>> session keys. >>>>>>> >>>>>>> On Fri, Oct 20, 2023 at 12:14 PM Martin Duke < >>>>>>> martin.h.duke@gmail.com> wrote: >>>>>>> >>>>>>>> I should add that another way to thwart this attack is to require >>>>>>>> the proxy to open a new target-facing socket for every client request. Then >>>>>>>> the packet incoming to P1 would be disambiguated by the destination >>>>>>>> IP/port. Not opening a new socket is currently allowed in the spec, which >>>>>>>> IIUC is a change from CONNECT-UDP. >>>>>>>> >>>>>>>> So the proxy vulnerability occurs if >>>>>>>> (1) P2/P3 share a VIP, >>>>>>>> (2) P1 is not load balanced, so that the attacker can directly >>>>>>>> target it, and >>>>>>>> (3) P1 is not opening unique target-facing sockets for each >>>>>>>> request, even though the target IP/port are the same. >>>>>>>> >>>>>>>> On Fri, Oct 20, 2023 at 11:56 AM Martin Duke < >>>>>>>> martin.h.duke@gmail.com> wrote: >>>>>>>> >>>>>>>>> Forwarded packets from the client SHOULD count. The draft is >>>>>>>>> silent about forwarded packets from the target. >>>>>>>>> >>>>>>>>> But fair enough, the client needs to do just enough to keep it >>>>>>>>> alive. >>>>>>>>> >>>>>>>>> On Fri, Oct 20, 2023 at 11:15 AM Ben Schwartz <bemasc@meta.com> >>>>>>>>> wrote: >>>>>>>>> >>>>>>>>>> I'm not sure the client can actually "go away". If the HTTP >>>>>>>>>> connection ends, the forwarding sessions will also end, so this can be >>>>>>>>>> addressed by setting a QUIC max_idle_timeout. >>>>>>>>>> >>>>>>>>>> This assumes that forwarded packets don't count toward the idle >>>>>>>>>> timeout, which they shouldn't. We might need to say that in the draft. >>>>>>>>>> >>>>>>>>>> --Ben >>>>>>>>>> ------------------------------ >>>>>>>>>> *From:* Masque <masque-bounces@ietf.org> on behalf of Martin >>>>>>>>>> Duke <martin.h.duke@gmail.com> >>>>>>>>>> *Sent:* Friday, October 20, 2023 1:47 PM >>>>>>>>>> *To:* Ben Schwartz <bemasc@meta.com> >>>>>>>>>> *Cc:* MASQUE <masque@ietf.org> >>>>>>>>>> *Subject:* Re: [Masque] Forwarded Mode infinite loops >>>>>>>>>> >>>>>>>>>> Ben, Replies inline. On Fri, Oct 20, 2023 at 9: 53 AM Ben >>>>>>>>>> Schwartz <bemasc@ meta. com> wrote: Loops! This is a fun attack. >>>>>>>>>> It seems like there are probably lots of loopy configurations if you have >>>>>>>>>> access to two or more proxies. Most of the >>>>>>>>>> Ben, >>>>>>>>>> >>>>>>>>>> Replies inline. >>>>>>>>>> >>>>>>>>>> On Fri, Oct 20, 2023 at 9:53 AM Ben Schwartz <bemasc@meta.com> >>>>>>>>>> wrote: >>>>>>>>>> >>>>>>>>>> Loops! This is a fun attack. It seems like there are probably >>>>>>>>>> lots of loopy configurations if you have access to two or more proxies. >>>>>>>>>> >>>>>>>>>> Most of the encryption discussion for forwarded mode has focused >>>>>>>>>> on unauthenticated encryption, which wouldn't help here. >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> I have not seen a written proposal in this space, but if the >>>>>>>>>> encryption scheme has no authentication properties it doesn't mitigate >>>>>>>>>> pretty basic DoS attacks. Perhaps this attack creates a new design >>>>>>>>>> requirement for encryption? >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> Changing who chooses the Connection IDs could help, but >>>>>>>>>> proxy-chosen CIDs are not necessarily high entropy, so there's no clear >>>>>>>>>> guarantee. >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> IIUC your contention is that this arises when P3 and P2 both >>>>>>>>>> happen to select CID1 as the virtual connection ID. A well-intentioned >>>>>>>>>> client would therefore register CID1 to P1 twice, and P1 would reject it as >>>>>>>>>> a duplicate in one of those instances, avoiding a loop. >>>>>>>>>> >>>>>>>>>> However, a malicious client could note the conflict and just >>>>>>>>>> register CID3 to P1 instead, creating the same attack. >>>>>>>>>> >>>>>>>>>> I do think that if we try to fix this with proxy-chooses, there >>>>>>>>>> need to be some minimum size limits to avoid this kind of thing. If CIDs >>>>>>>>>> are 64 bits (or even 32!) I feel pretty good about this not being an >>>>>>>>>> exploitable attack. >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> Ultimately, I'm not sure this matters. A hostile client can >>>>>>>>>> impose pretty much arbitrarily amplified load on the forwarder anyway, e.g. >>>>>>>>>> by downloading a large file and forging ACKs to dropped packets so that >>>>>>>>>> congestion control ramps up to infinity. Forwarders will need defenses to >>>>>>>>>> rate-limit or cap abusive clients. That said, it's probably worth fixing >>>>>>>>>> if there's an easy solution. >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> I agree there are other attacks -- in fact, I have other >>>>>>>>>> amplification attacks in mind, which will write about another day. >>>>>>>>>> >>>>>>>>>> What is particularly pernicious about this attack is that a >>>>>>>>>> single attacker packet results in infinity packets in the proxy path. This >>>>>>>>>> flow can be "rate limited" but the client can go away and this persists >>>>>>>>>> forever. >>>>>>>>>> >>>>>>>>>> Buit >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> --Ben >>>>>>>>>> ------------------------------ >>>>>>>>>> *From:* Masque <masque-bounces@ietf.org> on behalf of Martin >>>>>>>>>> Duke <martin.h.duke@gmail.com> >>>>>>>>>> *Sent:* Wednesday, October 18, 2023 5:25 PM >>>>>>>>>> *To:* MASQUE <masque@ietf.org> >>>>>>>>>> *Subject:* [Masque] Forwarded Mode infinite loops >>>>>>>>>> >>>>>>>>>> Hello MASQUE, (with no hats on) I was playing with some annoying >>>>>>>>>> but manageable amplification attacks on CONNECT-UDP forwarding mode. Those >>>>>>>>>> will have to wait for another day, because the current draft has a fatal >>>>>>>>>> vulnerability, though one that >>>>>>>>>> Hello MASQUE, >>>>>>>>>> >>>>>>>>>> (with no hats on) >>>>>>>>>> >>>>>>>>>> I was playing with some annoying but manageable amplification >>>>>>>>>> attacks on CONNECT-UDP forwarding mode. Those will have to wait for another >>>>>>>>>> day, because the current draft has a fatal vulnerability, though one that >>>>>>>>>> we can fix pretty easily. >>>>>>>>>> >>>>>>>>>> If I've gotten something incorrect, please say so! It wouldn't be >>>>>>>>>> the first time. >>>>>>>>>> >>>>>>>>>> Recall that for forwarded mode, clients notify the proxy of the >>>>>>>>>> connection ID they are advertising to the target, and in the same >>>>>>>>>> capsule propose a "virtual connection ID" for use on the proxy-client path. >>>>>>>>>> (IIUC, this virtual CID is to prevent association of the packets on either >>>>>>>>>> end of the proxy). >>>>>>>>>> >>>>>>>>>> I reiterate that we are talking about the CLIENT connection ID >>>>>>>>>> and its virtual counterparts, not the target. >>>>>>>>>> >>>>>>>>>> Consider the following very stupid topology that a client C could >>>>>>>>>> construct to target T via various proxies. Crucially, P2 and P3 are from >>>>>>>>>> the same provider and share a VIP.* This wrinkle eliminates some really >>>>>>>>>> simple mitigations for what I'm about to describe. >>>>>>>>>> >>>>>>>>>> C -> P1 -> P2 -> P1 -> P3 -> T >>>>>>>>>> >>>>>>>>>> An otherwise well-intentioned client would advertise client >>>>>>>>>> Connection ID CID0 to T, and via REGISTER_CLIENT_CID capsules might set up >>>>>>>>>> the rest like so: >>>>>>>>>> >>>>>>>>>> Nodes C P1 P2 P1 P3 T >>>>>>>>>> CID on wire CID4 CID3 CID2 CID1 CID0 >>>>>>>>>> >>>>>>>>>> So far, so good. A packet that leaves T will be destined for >>>>>>>>>> CID0. The destination CID will be rewritten in turn, arriving at C with >>>>>>>>>> CID4. >>>>>>>>>> >>>>>>>>>> However, a malicious client can register CIDs with the proxies as >>>>>>>>>> follows: >>>>>>>>>> Nodes C P1 P2 P1 P3 T >>>>>>>>>> CID on wire CID4 CID3 / CID1 CID2 CID1 CID0 >>>>>>>>>> >>>>>>>>>> The only change is that P2 is "incorrectly" configured by the >>>>>>>>>> client to rewrite incoming CID2 as CID1. As far as P2 is concerned, >>>>>>>>>> everything is seems legit unless it is sharing enormous amounts of CID >>>>>>>>>> state with its partner P3. Everything else is unchanged. >>>>>>>>>> >>>>>>>>>> Thus, a packet leaving T with CID0 will be rewritten to CID1 and >>>>>>>>>> routed to P1; P1 will then route it to P2 with CID2. Then that gets routed >>>>>>>>>> back to P1 with CID1, and the P1-P2-P1 loop continues to infinity. The >>>>>>>>>> attacker can put as many proxy hops as it likes in that chain. >>>>>>>>>> >>>>>>>>>> There are a few pretty simple things that can break this doom >>>>>>>>>> loop. >>>>>>>>>> - Do encryption at each MASQUE hop, as previously proposed. This >>>>>>>>>> verifies the previous hop of the packet and drops those where the CID does >>>>>>>>>> not have the correct origin. >>>>>>>>>> - Have the proxy provide the virtual CID instead of the client. >>>>>>>>>> Client control is the root of these problems. >>>>>>>>>> - Eliminate virtual client CIDs and just take the L on >>>>>>>>>> linkability in that case >>>>>>>>>> >>>>>>>>>> Martin >>>>>>>>>> >>>>>>>>>> * Interestingly, this attack requires at least one proxy in the >>>>>>>>>> path (P1 in this case) to not be load balanced or have an easily >>>>>>>>>> manipulated load balancer, so that two QUIC connection attempts can with >>>>>>>>>> high probability go to the same device. >>>>>>>>>> >>>>>>>>>> -- >>>>>>> Masque mailing list >>>>>>> Masque@ietf.org >>>>>>> https://www.ietf.org/mailman/listinfo/masque >>>>>>> >>>>>> -- >>>>> Masque mailing list >>>>> Masque@ietf.org >>>>> https://www.ietf.org/mailman/listinfo/masque >>>>> >>>>> >>>>> -- >>>>> Masque mailing list >>>>> Masque@ietf.org >>>>> https://www.ietf.org/mailman/listinfo/masque >>>>> >>>> -- > Masque mailing list > Masque@ietf.org > https://www.ietf.org/mailman/listinfo/masque >
- [Masque] Forwarded Mode infinite loops Martin Duke
- Re: [Masque] Forwarded Mode infinite loops Ben Schwartz
- Re: [Masque] Forwarded Mode infinite loops Eric Rosenberg
- Re: [Masque] Forwarded Mode infinite loops Ben Schwartz
- Re: [Masque] Forwarded Mode infinite loops Eric Rosenberg
- Re: [Masque] Forwarded Mode infinite loops Martin Duke
- Re: [Masque] Forwarded Mode infinite loops Martin Duke
- Re: [Masque] Forwarded Mode infinite loops Ben Schwartz
- Re: [Masque] Forwarded Mode infinite loops Martin Duke
- Re: [Masque] Forwarded Mode infinite loops Ben Schwartz
- Re: [Masque] Forwarded Mode infinite loops Martin Duke
- Re: [Masque] Forwarded Mode infinite loops Martin Duke
- Re: [Masque] Forwarded Mode infinite loops David Schinazi
- Re: [Masque] Forwarded Mode infinite loops Martin Duke
- Re: [Masque] Forwarded Mode infinite loops Tommy Pauly
- Re: [Masque] Forwarded Mode infinite loops Ian Swett
- Re: [Masque] Forwarded Mode infinite loops Martin Duke
- Re: [Masque] Forwarded Mode infinite loops Tommy Pauly
- Re: [Masque] Forwarded Mode infinite loops David Schinazi
- Re: [Masque] Forwarded Mode infinite loops Martin Duke
- Re: [Masque] Forwarded Mode infinite loops Alex Chernyakhovsky
- Re: [Masque] Forwarded Mode infinite loops Martin Duke