IETF Logo Mail Archive

Re: [Masque] TTL and infinite QUIC-proxy loops

Antoine FRESSANCOURT <antoine.fressancourt@huawei.com> Thu, 16 November 2023 10:04 UTC

Return-Path: <antoine.fressancourt@huawei.com>
X-Original-To: masque@ietfa.amsl.com
Delivered-To: masque@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 822E1C14F748 for <masque@ietfa.amsl.com>; Thu, 16 Nov 2023 02:04:05 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.904
X-Spam-Level:
X-Spam-Status: No, score=-1.904 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H5=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hIDMRI1myj0Z for <masque@ietfa.amsl.com>; Thu, 16 Nov 2023 02:04:01 -0800 (PST)
Received: from frasgout.his.huawei.com (frasgout.his.huawei.com [185.176.79.56]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4193DC14F693 for <masque@ietf.org>; Thu, 16 Nov 2023 02:04:01 -0800 (PST)
Received: from lhrpeml500004.china.huawei.com (unknown [172.18.147.206]) by frasgout.his.huawei.com (SkyGuard) with ESMTP id 4SWFrh37Rvz6K7CH; Thu, 16 Nov 2023 18:00:04 +0800 (CST)
Received: from lhrpeml500003.china.huawei.com (7.191.162.67) by lhrpeml500004.china.huawei.com (7.191.163.9) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2507.31; Thu, 16 Nov 2023 10:03:57 +0000
Received: from lhrpeml500003.china.huawei.com ([7.191.162.67]) by lhrpeml500003.china.huawei.com ([7.191.162.67]) with mapi id 15.01.2507.031; Thu, 16 Nov 2023 10:03:57 +0000
From: Antoine FRESSANCOURT <antoine.fressancourt@huawei.com>
To: Martin Duke <martin.h.duke@gmail.com>, Ben Schwartz <bemasc@meta.com>
CC: Marc Blanchet <marc.blanchet@viagenie.ca>, MASQUE <masque@ietf.org>, Ted Hardie <ted.ietf@gmail.com>
Thread-Topic: [Masque] TTL and infinite QUIC-proxy loops
Thread-Index: AQHaF+SFygYCcnBBsEaqJtG0e2bEpbB7rlGAgAASqwCAAAI5aIAA8sYQ
Date: Thu, 16 Nov 2023 10:03:57 +0000
Message-ID: <bf8ff62cb5b1408589bdf9f3b8be9812@huawei.com>
References: <CAM4esxRt5nua=ftxaDn4N_L3jQigJpkOH6LCqDrK1h1qwhVHwA@mail.gmail.com> <BC36FA2E-F9ED-485C-B85C-61E063F429DC@viagenie.ca> <BN8PR15MB3281070DAD5690810944A568B3B1A@BN8PR15MB3281.namprd15.prod.outlook.com> <CAM4esxQqUY=OAtzOuwH4k3qkMO2XRY-yaJtPmJe_pBaFMPx72Q@mail.gmail.com>
In-Reply-To: <CAM4esxQqUY=OAtzOuwH4k3qkMO2XRY-yaJtPmJe_pBaFMPx72Q@mail.gmail.com>
Accept-Language: fr-FR, en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.206.215.65]
Content-Type: multipart/alternative; boundary="_000_bf8ff62cb5b1408589bdf9f3b8be9812huaweicom_"
MIME-Version: 1.0
X-CFilter-Loop: Reflected
Archived-At: <https://mailarchive.ietf.org/arch/msg/masque/kS8qZ0E_vm2uEWXndry9thbpYT8>
Subject: Re: [Masque] TTL and infinite QUIC-proxy loops
X-BeenThere: masque@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Multiplexed Application Substrate over QUIC Encryption <masque.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/masque>, <mailto:masque-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/masque/>
List-Post: <mailto:masque@ietf.org>
List-Help: <mailto:masque-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/masque>, <mailto:masque-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 16 Nov 2023 10:04:05 -0000

Hello,

For the sake of curiosity, I looked at the prescribed behavior for GENEVE, as this tunneling / encapsulation mechanism also work at the transport layer to convey IP packet or Ethernet frames.

In Section 4.4.2 of RFC 8926, the behavior of the TTL is described as:
“Though either the Uniform or Pipe models could be used for handling TTL (or Hop Limit in case of IPv6) when tunneling IP packets, the Pipe model is more consistent with network virtualization.  [RFC2003] provides guidance on handling TTL between inner IP header and outer IP tunnels; this model is similar to the Pipe model and is RECOMMENDED for use with Geneve for network virtualization applications.”

Now if we look at Section 3.1 in RFC 2003, the behavior of the TTL is described as follows:
“When encapsulating a datagram, the TTL in the inner IP header is decremented by one if the tunneling is being done as part of forwarding the datagram; otherwise, the inner header TTL is not changed during encapsulation.  If the resulting TTL in the inner IP header is 0, the datagram is discarded and an ICMP Time Exceeded message SHOULD be returned to the sender.  An encapsulator MUST NOT encapsulate a datagram with TTL = 0.
The TTL in the inner IP header is not changed when decapsulating. If, after decapsulation, the inner datagram has TTL = 0, the decapsulator MUST discard the datagram.  If, after decapsulation, the decapsulator forwards the datagram to one of its network interfaces, it will decrement the TTL as a result of doing normal IP forwarding.”

From my understanding, in GENEVE, the TTL of the inner IP header is not touched except when the packet is first encapsulated. I think we should adopt the same strategy in MASQUE, and look after using a solution that is specific (while respecting the QUIC invariants etc.)

Best,

Antoine

From: Masque <masque-bounces@ietf.org> On Behalf Of Martin Duke
Sent: mercredi 15 novembre 2023 20:25
To: Ben Schwartz <bemasc@meta.com>
Cc: Marc Blanchet <marc.blanchet@viagenie.ca>; MASQUE <masque@ietf.org>; Ted Hardie <ted.ietf@gmail.com>
Subject: Re: [Masque] TTL and infinite QUIC-proxy loops

Those connection ID rules both (1) don't solve the problem and (2) put unacceptable limits on the virtual target connection ID.

The presented problem is based on two proxies accepting the same virtual client connection ID -- making them start with the same bit doesn't address it.

Furthermore, one purpose of virtual target connection IDs is to meet the requirements of whatever load balancer scheme the QUIC proxy is behind. If it's QUIC-LB, it is definitely using the first bit for something else, and I would really rather not have MASQUE levy additional requirements on QUIC-LB>

On Wed, Nov 15, 2023 at 11:17 AM Ben Schwartz <bemasc@meta.com<mailto:bemasc@meta.com>> wrote:
I would still like to see if we can come up with a non-TTL solution, to avoid large amplification factors and avoid adding complexity to the forwarding plane.

For example, we could add the following Connection ID rules:

  *   Virtual Connection IDs are always longer than the corresponding real Connection ID.
  *   Virtual Target Connection IDs always start with "1".
  *   Virtual Client Connection IDs always start with "0".
The first rule ensures that an infinite cycle must traverse both upstream (shortening) and downstream (lengthening) forwarding steps.  The other rules ensure that a downstream forwarded packet can never be misread as an upstream packet to forward.

These rules don't make any assumptions about who chooses the IDs, or which paths are allowed by QUIC path validation.  We might be able to come up with even better loop-prevention by incorporating those aspects.

--Ben
________________________________
From: Masque <masque-bounces@ietf.org<mailto:masque-bounces@ietf.org>> on behalf of Marc Blanchet <marc.blanchet@viagenie.ca<mailto:marc.blanchet@viagenie.ca>>
Sent: Wednesday, November 15, 2023 1:10 PM
To: Martin Duke <martin.h.duke@gmail.com<mailto:martin.h.duke@gmail.com>>
Cc: MASQUE <masque@ietf.org<mailto:masque@ietf.org>>; Ted Hardie <ted.ietf@gmail.com<mailto:ted.ietf@gmail.com>>
Subject: Re: [Masque] TTL and infinite QUIC-proxy loops

!-------------------------------------------------------------------|
  This Message Is From an External Sender

|-------------------------------------------------------------------!



> Le 15 nov. 2023 à 11:54, Martin Duke <martin.h.duke@gmail.com<mailto:martin.h.duke@gmail.com>> a écrit :
>
> (Looking forward to not having to say "with no hats" in 4 months).
>
> In my presentation in Prague on infinite quic-proxy loops, I dismissed the idea that simply decrementing the TTL was a sufficient mitigation for infinite loops caused by a misbehaving client, because 256 hops is still a lot. In response, Ted suggested that we could use a lower limit.
>
> Thankfully, we did not try to further design this at the mic.
>
> But, thinking about it some more, Ted's suggestion could mean two things:
>
> (1) Use the IP TTL field: "When receiving a packet from the target, a proxy MUST set the TTL on the forwarded packet's IP header to a value lower than the TTL value of the incoming IP header. Furthermore, the TTL value MUST be no larger than N".

My understanding of most implementations is that they use 64 by default, not 256. 64 as an Internet hop count radius is already pretty large. Would that value (64) make the issue less problematic?

Marc.


>
> Clearly, for some value of N the mitigation would be sufficient. I have not checked if this in some way violates the rules about IP TTL. I also wonder if a hard limit is sufficiently permissive for legitimate but long paths.
>
> (2) There is some sort of MASQUE field that counts down the number of proxy hops. I cannot see how this can work, as (a) these are packets from the target, which is not going to add MASQUE-specific stuff; (b) by design, proxies do not know if targets are also MASQUE proxies; and (c) by design, proxies to do not know if clients are MASQUE proxies.
>
> *****
>
> I do not object to decrementing the IP TTL field by one in forwarded mode, though I think that is an insufficient mitigation for this attack. If anyone has a better-thought out design to enforce a limit, or thinks that 256 hops is just fine, I would appreciate their input.
>
> Martin
> --
> Masque mailing list
> Masque@ietf.org<mailto:Masque@ietf.org>
> https://www.ietf.org/mailman/listinfo/masque

--
Masque mailing list
Masque@ietf.org<mailto:Masque@ietf.org>
https://www.ietf.org/mailman/listinfo/masque

v2.23.0 | Report a Bug | By Email