Re: [Masque] TTL and infinite QUIC-proxy loops

Ben Schwartz <bemasc@meta.com> Wed, 15 November 2023 19:17 UTC

From: Ben Schwartz <bemasc@meta.com>
To: Marc Blanchet <marc.blanchet@viagenie.ca>, Martin Duke <martin.h.duke@gmail.com>
CC: MASQUE <masque@ietf.org>, Ted Hardie <ted.ietf@gmail.com>
Date: Wed, 15 Nov 2023 19:17:34 +0000
Message-ID: <BN8PR15MB3281070DAD5690810944A568B3B1A@BN8PR15MB3281.namprd15.prod.outlook.com>
References: <CAM4esxRt5nua=ftxaDn4N_L3jQigJpkOH6LCqDrK1h1qwhVHwA@mail.gmail.com> <BC36FA2E-F9ED-485C-B85C-61E063F429DC@viagenie.ca>
In-Reply-To: <BC36FA2E-F9ED-485C-B85C-61E063F429DC@viagenie.ca>
Archived-At: <https://mailarchive.ietf.org/arch/msg/masque/dpYg-299cwxDHxLazf_WUQrurZ0>
Subject: Re: [Masque] TTL and infinite QUIC-proxy loops
List-Id: Multiplexed Application Substrate over QUIC Encryption <masque.ietf.org>

I would still like to see if we can come up with a non-TTL solution, to avoid large amplification factors and avoid adding complexity to the forwarding plane.

For example, we could add the following Connection ID rules:

  *   Virtual Connection IDs are always longer than the corresponding real Connection ID.
  *   Virtual Target Connection IDs always start with "1".
  *   Virtual Client Connection IDs always start with "0".

The first rule ensures that an infinite cycle must traverse both upstream (shortening) and downstream (lengthening) forwarding steps.  The other rules ensure that a downstream forwarded packet can never be misread as an upstream packet to forward.

These rules don't make any assumptions about who chooses the IDs, or which paths are allowed by QUIC path validation.  We might be able to come up with even better loop-prevention by incorporating those aspects.

--Ben
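As an added example (my own code, not from the quic-proxy draft or anyone in this thread), the three rules above modelled as a registration check plus the two rewrite steps, and a walk in which any proxy whose table matches forwards the packet, as it would if a misbehaving client had wired proxies into a cycle. Assumed: Connection IDs as bit strings, the names "upstream" (Virtual Target CID to real Target CID) and "downstream" (real Client CID to Virtual Client CID), and the Proxy/walk/demo helpers.

```python
# Model of the three Connection ID rules above (added example, not draft code).
# Assumed: CIDs are bit strings; upstream rewrites Virtual Target CID -> real
# Target CID, downstream rewrites real Client CID -> Virtual Client CID.
def validate_registration(virtual_target, target, client, virtual_client):
    """Return None if the registration obeys the rules, else the reason."""
    if len(virtual_target) <= len(target) or len(virtual_client) <= len(client):
        return "virtual CIDs must be longer than the real CIDs they replace"
    if not virtual_target.startswith("1"):
        return "virtual target CID must start with 1"
    if not virtual_client.startswith("0"):
        return "virtual client CID must start with 0"
    return None

class Proxy:
    def __init__(self):
        self.upstream = {}    # virtual target CID -> real target CID
        self.downstream = {}  # real client CID -> virtual client CID

    def register(self, virtual_target, target, client, virtual_client):
        err = validate_registration(virtual_target, target, client, virtual_client)
        if err:
            raise ValueError(err)
        self.upstream[virtual_target] = target
        self.downstream[client] = virtual_client

    def forward(self, cid):
        if cid in self.upstream:      # client -> target step: CID gets shorter
            return "upstream", self.upstream[cid]
        if cid in self.downstream:    # target -> client step: CID gets longer
            return "downstream", self.downstream[cid]
        return None

def walk(proxies, cid):
    """Let any proxy whose table matches forward the packet until none does."""
    path = []
    while True:
        hop = next(filter(None, (p.forward(cid) for p in proxies)), None)
        if hop is None:
            return path
        path.append(hop)
        cid = hop[1]

def demo():
    """Constructed cycle attempt: each rewritten CID is another table's key."""
    p1, p2, p3 = Proxy(), Proxy(), Proxy()
    p1.register("1111", "111", "0", "00")
    p2.register("111", "11", "11", "011")
    p3.register("10", "0", "011", "0111")
    return walk([p1, p2, p3], "1111")
```

In the demo the packet is forwarded upstream twice and downstream twice and then stops, because the downstream output "0111" can never be a Virtual Target CID; trying to register it as one is rejected by validate_registration. As I read the rules, every upstream step strictly shortens the CID and every downstream step strictly lengthens it, so with QUIC's 20-byte CID limit the number of forwarding steps is bounded without any TTL.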
________________________________
From: Masque <masque-bounces@ietf.org> on behalf of Marc Blanchet <marc.blanchet@viagenie.ca>
Sent: Wednesday, November 15, 2023 1:10 PM
To: Martin Duke <martin.h.duke@gmail.com>
Cc: MASQUE <masque@ietf.org>; Ted Hardie <ted.ietf@gmail.com>
Subject: Re: [Masque] TTL and infinite QUIC-proxy loops


> Le 15 nov. 2023 à 11:54, Martin Duke <martin.h.duke@gmail.com> a écrit :
>
> (Looking forward to not having to say "with no hats" in 4 months).
>
> In my presentation in Prague on infinite quic-proxy loops, I dismissed the idea that simply decrementing the TTL was a sufficient mitigation for infinite loops caused by a misbehaving client, because 256 hops is still a lot. In response, Ted suggested that we could use a lower limit.
>
> Thankfully, we did not try to further design this at the mic.
>
> But, thinking about it some more, Ted's suggestion could mean two things:
>
> (1) Use the IP TTL field: "When receiving a packet from the target, a proxy MUST set the TTL on the forwarded packet's IP header to a value lower than the TTL value of the incoming IP header. Furthermore, the TTL value MUST be no larger than N".

My understanding of most implementations is that they use 64 by default, not 256. 64 as an Internet hop count radius is already pretty large. Would that value (64) make the issue less problematic?

Marc.


>
> Clearly, for some value of N the mitigation would be sufficient. I have not checked if this in some way violates the rules about IP TTL. I also wonder if a hard limit is sufficiently permissive for legitimate but long paths.
>
> (2) There is some sort of MASQUE field that counts down the number of proxy hops. I cannot see how this can work, as (a) these are packets from the target, which is not going to add MASQUE-specific stuff; (b) by design, proxies do not know if targets are also MASQUE proxies; and (c) by design, proxies do not know if clients are MASQUE proxies.
>
> *****
>
> I do not object to decrementing the IP TTL field by one in forwarded mode, though I think that is an insufficient mitigation for this attack. If anyone has a better-thought-out design to enforce a limit, or thinks that 256 hops is just fine, I would appreciate their input.
>
> Martin

--
Masque mailing list
Masque@ietf.org
https://www.ietf.org/mailman/listinfo/masque