[Masque] Connection ID correlation attack on quic-proxy
Martin Thomson <mt@lowentropy.net> Fri, 07 November 2025 14:58 UTC
Return-Path: <mt@lowentropy.net>
X-Original-To: masque@mail2.ietf.org
Delivered-To: masque@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id E07AD855BAC2 for <masque@mail2.ietf.org>; Fri, 7 Nov 2025 06:58:25 -0800 (PST)
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -2.799
X-Spam-Level:
X-Spam-Status: No, score=-2.799 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, RCVD_IN_VALIDITY_SAFE_BLOCKED=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (2048-bit key) header.d=lowentropy.net header.b="tElHjwEC"; dkim=pass (2048-bit key) header.d=messagingengine.com header.b="OdkVEWKI"
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bf50_jcEl9yN for <masque@mail2.ietf.org>; Fri, 7 Nov 2025 06:58:25 -0800 (PST)
Received: from fout-b8-smtp.messagingengine.com (fout-b8-smtp.messagingengine.com [202.12.124.151]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id 963EA855BA7E for <masque@ietf.org>; Fri, 7 Nov 2025 06:58:06 -0800 (PST)
Received: from phl-compute-04.internal (phl-compute-04.internal [10.202.2.44]) by mailfout.stl.internal (Postfix) with ESMTP id 2F8061D00034 for <masque@ietf.org>; Fri, 7 Nov 2025 09:58:06 -0500 (EST)
Received: from phl-imap-15 ([10.202.2.104]) by phl-compute-04.internal (MEProxy); Fri, 07 Nov 2025 09:58:06 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=lowentropy.net; h=cc:content-transfer-encoding:content-type:content-type:date :date:from:from:in-reply-to:message-id:mime-version:reply-to :subject:subject:to:to; s=fm1; t=1762527486; x=1762613886; bh=1M yfHTJ5MiBto5DOf/8ayuahV9yRFNFHjaNC0HQVnt4=; b=tElHjwECtqX0KBH7qU cXEq+2aq2cgE97EulGfUsLpbwQrw+rY/L8D+Uzlbwb7aZOnMVbBiHG6CbGmGIZAM VS8uiQxtrOYuTAcfq+aR4o1jEetkBvRa39xhXQfiXqtylZVM3Vq7tQBHkZSzOhpZ MAaUKvDo0EI3kYrIocL9r5Y+V6eJJrzKu3nAdnroTk00wE1uQ4lnwQ7jpLkTTECE JuBppnvJmyGkRpbqbgzs+UKPgty3Ad3mPtmhRItnGqWTAVI0kgHITbmGukNcLPUm CG13hypsa/UJzzFOHLIMD7UeyeJD6Llmb0hexKfQlXKYTBqhOVG63Kw0r4K+Kn0D Vopg==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:content-transfer-encoding:content-type :content-type:date:date:feedback-id:feedback-id:from:from :in-reply-to:message-id:mime-version:reply-to:subject:subject:to :to:x-me-proxy:x-me-sender:x-me-sender:x-sasl-enc; s=fm3; t= 1762527486; x=1762613886; bh=1MyfHTJ5MiBto5DOf/8ayuahV9yRFNFHjaN C0HQVnt4=; b=OdkVEWKIKJVRw04mzeB314BRO3RDQIjexN5wQRccMD9wWoeKjNq btBTqnW68HLBKP0HcRNfnADB4kaLqjUTC68Glp23+MOgmqaPOmTQ4hkVr/k6Dk9Y wfkvutLhOEHIKEYtxA2X9rfRh41KeAotY2P1qe9gJa2gsfFI3wpHbAe+yDqSwx4E pxTpldvbE2Khfs5OFf/1ebVr3t1NIOOyKEwAtSGJp+XGGAzW8ou94f9lILpB7wj1 glzdkNqYbVgxxfwZFfzJxCJMZVMoCJ/U2h1suG+rODxKuMnsi5F6BjtfjPVlfv2B 55ARdsORszRTmTZkkKl+kv04V41D7Qltepg==
X-ME-Sender: <xms:_QgOad5Kvm85GJT8Jxc6vQ9SEzO6ROJ_eGjt3RTzhyNMNdZEE7SZtg> <xme:_QgOaVsogO9-zwCwvlelP4NRuKeFRFiQGfuZ-K2CkR4ijFjJ3ZtDqnpeGKMfOCspn N3c4MH9W6f5CQyhPVZqpNTlQ_NBbqUZfYgOElo5MYiAMS7W4tnQsOQ>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgeeffedrtdeggddukeelleeiucetufdoteggodetrf dotffvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdfurfetoffkrfgpnffqhgenuceu rghilhhouhhtmecufedttdenucenucfjughrpefoggffhffvkffutgfgsehtjeertdertd dtnecuhfhrohhmpedfofgrrhhtihhnucfvhhhomhhsohhnfdcuoehmtheslhhofigvnhht rhhophihrdhnvghtqeenucggtffrrghtthgvrhhnpeevjedvvdfhheegleffhefhteelge eltdefgeegleejfeduueefkefhfedvteejueenucevlhhushhtvghrufhiiigvpedtnecu rfgrrhgrmhepmhgrihhlfhhrohhmpehmtheslhhofigvnhhtrhhophihrdhnvghtpdhnsg gprhgtphhtthhopedupdhmohguvgepshhmthhpohhuthdprhgtphhtthhopehmrghsqhhu vgesihgvthhfrdhorhhg
X-ME-Proxy: <xmx:_QgOabdTezg1g_WSS8t0S9PoLSm60xlXtcYKT_UiSK3kO6wNFwGsGA> <xmx:_QgOaYIjDV8hK7klfIhOJ1FZ6DNbJFQjDY4xYRI54W0bRkfAXhvhgw> <xmx:_QgOaaJVeTod4V51IXHBg5zM6uLjQ-ggWiKAatOQcf6U28BTHE-DKA> <xmx:_QgOaSGDZr5Lyoe9GxiAJe7fQhr36wdTR4PhUkf_3wFGwQ9idWvaIw> <xmx:_ggOacXoqHW2KU5YlUkNPKvDLWTdzfMwQC6-9BNONQP3vxv4dQuM_chu>
Feedback-ID: ic129442d:Fastmail
Received: by mailuser.phl.internal (Postfix, from userid 501) id B8169780076; Fri, 7 Nov 2025 09:58:05 -0500 (EST)
X-Mailer: MessagingEngine.com Webmail Interface
MIME-Version: 1.0
X-ThreadId: AIPIRNC0HBt-
Date: Fri, 07 Nov 2025 09:57:44 -0500
From: Martin Thomson <mt@lowentropy.net>
To: masque@ietf.org
Message-Id: <3e2440c2-c932-46d5-a691-3e80c5d86bfa@app.fastmail.com>
Content-Type: text/plain
Content-Transfer-Encoding: 7bit
Message-ID-Hash: JPGUN252S3MHLI4ZESHV7CUDZHON6UVN
X-Message-ID-Hash: JPGUN252S3MHLI4ZESHV7CUDZHON6UVN
X-MailFrom: mt@lowentropy.net
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [Masque] Connection ID correlation attack on quic-proxy
List-Id: Multiplexed Application Substrate over QUIC Encryption <masque.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/masque/_Y9Kr53zU9M3NfLrlz46npbUSiQ>
List-Archive: <https://mailarchive.ietf.org/arch/browse/masque>
List-Help: <mailto:masque-request@ietf.org?subject=help>
List-Owner: <mailto:masque-owner@ietf.org>
List-Post: <mailto:masque@ietf.org>
List-Subscribe: <mailto:masque-join@ietf.org>
List-Unsubscribe: <mailto:masque-leave@ietf.org>
There's a missing attack on the scramble transform that might be worth adding to the security considerations. An attacker can modify packets to recover connection ID mappings. This is, of course, trivial for the identity transform. Consider a case where all connections that transit a proxy use padding to the same length. All packets in and out of that proxy are indistinguishable. An attacker could modify one packet to remove or add a byte. That will allow them to correlate connection IDs across the proxy. That's a degenerate case of a more general attack. Real connections are more variable, so it could require more packet modification to effect the same correlation. This might be mitigated to some extent by adding padding when forwarding. A possible fix for this, which would require protocol changes, would use the QUIC bit. An encoded packet could use the QUIC bit to indicate the presence of padding. I'd recommend using TLS-style padding, which involves any number of zero-valued bytes at the end of packets, plus a single non-zero marker byte. To restore the original value of the QUIC bit, you would have to encode that bit in the padding, probably in the marker byte. The alternative is to document the risk, which seems like a very reasonable thing to do.
- [Masque] Connection ID correlation attack on quic… Martin Thomson
- [Masque] Re: Connection ID correlation attack on … Tommy Pauly
- [Masque] Re: Connection ID correlation attack on … Christian Huitema
- [Masque] Re: Connection ID correlation attack on … Martin Thomson