Re: [Masque] TTL and infinite QUIC-proxy loops
Martin Duke <martin.h.duke@gmail.com> Wed, 15 November 2023 19:25 UTC
Return-Path: <martin.h.duke@gmail.com>
X-Original-To: masque@ietfa.amsl.com
Delivered-To: masque@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3275FC14CE36 for <masque@ietfa.amsl.com>; Wed, 15 Nov 2023 11:25:01 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.105
X-Spam-Level:
X-Spam-Status: No, score=-7.105 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id v7x_kTM81nm3 for <masque@ietfa.amsl.com>; Wed, 15 Nov 2023 11:25:00 -0800 (PST)
Received: from mail-ua1-x935.google.com (mail-ua1-x935.google.com [IPv6:2607:f8b0:4864:20::935]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5CD9CC14CE29 for <masque@ietf.org>; Wed, 15 Nov 2023 11:25:00 -0800 (PST)
Received: by mail-ua1-x935.google.com with SMTP id a1e0cc1a2514c-7b6e1770519so1894328241.2 for <masque@ietf.org>; Wed, 15 Nov 2023 11:25:00 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1700076299; x=1700681099; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=A71NFghByg59bP0jFWouXWpQ1m+dpOUYbqGp9B5JrPU=; b=aZ+kJ8GvHT+PzJnVmnzrPtU5gAkhCDMYds4mL20mxzcQBZgTe+B7Q/7k57UDE824wJ glLCv/lkXtS9mvsDx9SlOb1xenlaKHQe6Hq8IYkWnOECxsxeOB5yO0qdoHftkHvGAE28 GdGbYKWrLpiAFER55SYlcY4adtj9vBjWwjcWo/AbyhTw32yiD1BXC5ZEWDmS1pNy3IEd u8fnZbNQqcdD6P3eI1fYU2O6D8KeoO64vmGdARh0R2EX/w2XzVibFKuhrFldfSrPYDdI NQs3PleiSnzCWP3J3JC8YwMnCm8lUtw9Gxp4S6b220/Zt8sLxP2hpqDMORlpEb5rUYy7 XCFw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1700076299; x=1700681099; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=A71NFghByg59bP0jFWouXWpQ1m+dpOUYbqGp9B5JrPU=; b=esSHdaVS+VlRh8vxmm+avMSwvtSSTcNSpB7Qy+FHqHPWbgyF3f4JPEDLzcI2TT9+UF tiXDHGAQTVlU0WR4OCIOzltbszcDlbl9Hnc/g5RKwTLu0aCe9ar0pFAlUnml6ahVdmv1 q7TSa0m5XWaf+4aGZoy2wqB879oWzyrKvnaMa2nui8U+cOlQhSjrdlHoIIdywlqJ1Xjl ZeDDQKutoGVRyPKmldcUNbLnY7qHqr0SK/Aq7qj//vWBO+GEq+4gaH/C0swrqvMdjCqi Cc1TlZXYP64KVudT/RIMzdvomOH1Ax9bRSlR+Ta0G2bKpgTSLoBTGRZGNkO97BSbd/vh pF6w==
X-Gm-Message-State: AOJu0YyU+kktswwRGtjLLvEVdXn6ONFD4dB9AUXi4L5+Z1vhEWFPDmWs 2S3JvrxCTJt88MrwPUMfL/N0SZFVyjrJXwY3luE=
X-Google-Smtp-Source: AGHT+IFtsyOvjXsTRrA/yecfS+qjT0JqJHEKeToRy2l9B1kHIv0OwPt7yahJpS7Ie8TFEkhf0NXmXw0AXl2kF8smaA0=
X-Received: by 2002:a67:ac41:0:b0:45d:f80c:39b5 with SMTP id n1-20020a67ac41000000b0045df80c39b5mr9026268vsh.18.1700076299120; Wed, 15 Nov 2023 11:24:59 -0800 (PST)
MIME-Version: 1.0
References: <CAM4esxRt5nua=ftxaDn4N_L3jQigJpkOH6LCqDrK1h1qwhVHwA@mail.gmail.com> <BC36FA2E-F9ED-485C-B85C-61E063F429DC@viagenie.ca> <BN8PR15MB3281070DAD5690810944A568B3B1A@BN8PR15MB3281.namprd15.prod.outlook.com>
In-Reply-To: <BN8PR15MB3281070DAD5690810944A568B3B1A@BN8PR15MB3281.namprd15.prod.outlook.com>
From: Martin Duke <martin.h.duke@gmail.com>
Date: Wed, 15 Nov 2023 11:24:46 -0800
Message-ID: <CAM4esxQqUY=OAtzOuwH4k3qkMO2XRY-yaJtPmJe_pBaFMPx72Q@mail.gmail.com>
To: Ben Schwartz <bemasc@meta.com>
Cc: Marc Blanchet <marc.blanchet@viagenie.ca>, MASQUE <masque@ietf.org>, Ted Hardie <ted.ietf@gmail.com>
Content-Type: multipart/alternative; boundary="000000000000e675d8060a35dbce"
Archived-At: <https://mailarchive.ietf.org/arch/msg/masque/KrOiCSBpViKuw6Zx5ZloQHAJ6oM>
Subject: Re: [Masque] TTL and infinite QUIC-proxy loops
X-BeenThere: masque@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Multiplexed Application Substrate over QUIC Encryption <masque.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/masque>, <mailto:masque-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/masque/>
List-Post: <mailto:masque@ietf.org>
List-Help: <mailto:masque-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/masque>, <mailto:masque-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 15 Nov 2023 19:25:01 -0000
Those connection ID rules both (1) don't solve the problem and (2) put unacceptable limits on the virtual target connection ID. The presented problem is based on two proxies accepting the same virtual client connection ID -- making them start with the same bit doesn't address it. Furthermore, one purpose of virtual target connection IDs is to meet the requirements of whatever load balancer scheme the QUIC proxy is behind. If it's QUIC-LB, it is definitely using the first bit for something else, and I would really rather not have MASQUE levy additional requirements on QUIC-LB> On Wed, Nov 15, 2023 at 11:17 AM Ben Schwartz <bemasc@meta.com> wrote: > I would still like to see if we can come up with a non-TTL solution, to > avoid large amplification factors and avoid adding complexity to the > forwarding plane. > > For example, we could add the following Connection ID rules: > > - Virtual Connection IDs are always longer than the corresponding real > Connection ID. > - Virtual Target Connection IDs always start with "1". > - Virtual Client Connection IDs always start with "0". > > The first rule ensures that an infinite cycle must traverse both upstream > (shortening) and downstream (lengthening) forwarding steps. The > other rules ensure that a downstream forwarded packet can never be misread > as an upstream packet to forward. > > These rules don't make any assumptions about who chooses the IDs, or which > paths are allowed by QUIC path validation. We might be able to come up > with even better loop-prevention by incorporating those aspects. > > --Ben > ------------------------------ > *From:* Masque <masque-bounces@ietf.org> on behalf of Marc Blanchet < > marc.blanchet@viagenie.ca> > *Sent:* Wednesday, November 15, 2023 1:10 PM > *To:* Martin Duke <martin.h.duke@gmail.com> > *Cc:* MASQUE <masque@ietf.org>; Ted Hardie <ted.ietf@gmail.com> > *Subject:* Re: [Masque] TTL and infinite QUIC-proxy loops > > !-------------------------------------------------------------------| > This Message Is From an External Sender > > |-------------------------------------------------------------------! > > > > > Le 15 nov. 2023 à 11:54, Martin Duke <martin.h.duke@gmail.com> a écrit : > > > > (Looking forward to not having to say "with no hats" in 4 months). > > > > In my presentation in Prague on infinite quic-proxy loops, I dismissed > the idea that simply decrementing the TTL was a sufficient mitigation for > infinite loops caused by a misbehaving client, because 256 hops is still a > lot. In response, Ted suggested that we could use a lower limit. > > > > Thankfully, we did not try to further design this at the mic. > > > > But, thinking about it some more, Ted's suggestion could mean two things: > > > > (1) Use the IP TTL field: "When receiving a packet from the target, a > proxy MUST set the TTL on the forwarded packet's IP header to a value lower > than the TTL value of the incoming IP header. Furthermore, the TTL value > MUST be no larger than N". > > My understanding of most implementations is that they use 64 by default, > not 256. 64 as an Internet hop count radius is already pretty large. Would > that value (64) make the issue less problematic? > > Marc. > > > > > > Clearly, for some value of N the mitigation would be sufficient. I have > not checked if this in some way violates the rules about IP TTL. I also > wonder if a hard limit is sufficiently permissive for legitimate but long > paths. > > > > (2) There is some sort of MASQUE field that counts down the number of > proxy hops. I cannot see how this can work, as (a) these are packets from > the target, which is not going to add MASQUE-specific stuff; (b) by design, > proxies do not know if targets are also MASQUE proxies; and (c) by design, > proxies to do not know if clients are MASQUE proxies. > > > > ***** > > > > I do not object to decrementing the IP TTL field by one in forwarded > mode, though I think that is an insufficient mitigation for this attack. If > anyone has a better-thought out design to enforce a limit, or thinks that > 256 hops is just fine, I would appreciate their input. > > > > Martin > > -- > > Masque mailing list > > Masque@ietf.org > > https://www.ietf.org/mailman/listinfo/masque > > -- > Masque mailing list > Masque@ietf.org > https://www.ietf.org/mailman/listinfo/masque >
- Re: [Masque] TTL and infinite QUIC-proxy loops Ben Schwartz
- [Masque] TTL and infinite QUIC-proxy loops Martin Duke
- Re: [Masque] TTL and infinite QUIC-proxy loops Alex Chernyakhovsky
- Re: [Masque] TTL and infinite QUIC-proxy loops Marc Blanchet
- Re: [Masque] TTL and infinite QUIC-proxy loops Martin Duke
- Re: [Masque] TTL and infinite QUIC-proxy loops Antoine FRESSANCOURT