IETF Logo Mail Archive

Re: [Masque] Forwarded Mode infinite loops

Eric Rosenberg <eric_rosenberg@apple.com> Fri, 20 October 2023 18:02 UTC

Return-Path: <eric_rosenberg@apple.com>
X-Original-To: masque@ietfa.amsl.com
Delivered-To: masque@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1E73FC14CEFE for <masque@ietfa.amsl.com>; Fri, 20 Oct 2023 11:02:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.105
X-Spam-Level:
X-Spam-Status: No, score=-7.105 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H5=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=apple.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id L32QhTM-cFDI for <masque@ietfa.amsl.com>; Fri, 20 Oct 2023 11:02:32 -0700 (PDT)
Received: from ma-mailsvcp-mx-lapp01.apple.com (ma-mailsvcp-mx-lapp01.apple.com [17.32.222.22]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3302FC14CF05 for <masque@ietf.org>; Fri, 20 Oct 2023 11:02:27 -0700 (PDT)
Received: from rn-mailsvcp-mta-lapp01.rno.apple.com (rn-mailsvcp-mta-lapp01.rno.apple.com [10.225.203.149]) by ma-mailsvcp-mx-lapp01.apple.com (Oracle Communications Messaging Server 8.1.0.23.20230328 64bit (built Mar 28 2023)) with ESMTPS id <0S2U00HXDA3V5210@ma-mailsvcp-mx-lapp01.apple.com> for masque@ietf.org; Fri, 20 Oct 2023 11:02:26 -0700 (PDT)
X-Proofpoint-ORIG-GUID: sNh-5l631NC1vejOcwtTUDrxNlXOaTfL
X-Proofpoint-GUID: sNh-5l631NC1vejOcwtTUDrxNlXOaTfL
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.619, 18.0.980 definitions=2023-10-20_10:2023-10-19, 2023-10-20 signatures=0
X-Proofpoint-Spam-Details: rule=interactive_user_notspam policy=interactive_user score=0 adultscore=0 spamscore=0 suspectscore=0 phishscore=0 malwarescore=0 mlxlogscore=999 mlxscore=0 bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2310170001 definitions=main-2310200151
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=apple.com; h=from : message-id : content-type : mime-version : subject : date : in-reply-to : cc : to : references; s=20180706; bh=Fp+ZavNbZmIFCG7GWQHUfuY6mJL69RugyJ5DadALOjo=; b=Q0TQYnWEcB3Hu3LN1PPPm7kCXE1WZ1AkZW8n63DSeDWN1pBomgA8cRy62kFDDfNQ+ywK MUnJU7kjKBIum/E7gPX4AADK1GZUJcdJE3Gv/+oBHOvSMgEp3Y/5G2kyEGEn9zYEuhde jLLgpIu9lYcxplALSGRHCPvN/4At+XILV3yaCJ5Z8QKMrPpxlmDC5EiTIWqXkqCRsDNQ O+HpoPvPsgdKGnHpVmxTInY/QExV3sjACyADT9VUMwXm1Q6vv9vtdnd1TcCF359APT5F NJheQjgnAadZVeTOVx4pwUueZel91bfCqlCyTlY5vu8uRCpzPIsLUTFq5kkGR5Nbq5BJ eg==
Received: from rn-mailsvcp-mmp-lapp04.rno.apple.com (rn-mailsvcp-mmp-lapp04.rno.apple.com [17.179.253.17]) by rn-mailsvcp-mta-lapp01.rno.apple.com (Oracle Communications Messaging Server 8.1.0.23.20230328 64bit (built Mar 28 2023)) with ESMTPS id <0S2U00Z4WA40HC50@rn-mailsvcp-mta-lapp01.rno.apple.com>; Fri, 20 Oct 2023 11:02:25 -0700 (PDT)
Received: from process_milters-daemon.rn-mailsvcp-mmp-lapp04.rno.apple.com by rn-mailsvcp-mmp-lapp04.rno.apple.com (Oracle Communications Messaging Server 8.1.0.23.20230328 64bit (built Mar 28 2023)) id <0S2U009009UKTH00@rn-mailsvcp-mmp-lapp04.rno.apple.com>; Fri, 20 Oct 2023 11:02:24 -0700 (PDT)
X-Va-A:
X-Va-T-CD: d4f23a1e11f32e23b0912230a807aa20
X-Va-E-CD: 75f5eb91f8e4b1a643616dee50375f1d
X-Va-R-CD: 09d87cb79815927a45ad8a29a54ff264
X-Va-ID: 5bacc137-c243-4275-8dd4-fc778ae5df3c
X-Va-CD: 0
X-V-A:
X-V-T-CD: d4f23a1e11f32e23b0912230a807aa20
X-V-E-CD: 75f5eb91f8e4b1a643616dee50375f1d
X-V-R-CD: 09d87cb79815927a45ad8a29a54ff264
X-V-ID: e2886839-c2a9-4450-ab95-b93b46826b81
X-V-CD: 0
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.619, 18.0.980 definitions=2023-10-20_10:2023-10-19, 2023-10-20 signatures=0
Received: from smtpclient.apple (unknown [17.234.19.187]) by rn-mailsvcp-mmp-lapp04.rno.apple.com (Oracle Communications Messaging Server 8.1.0.23.20230328 64bit (built Mar 28 2023)) with ESMTPSA id <0S2U00V13A3ZYK00@rn-mailsvcp-mmp-lapp04.rno.apple.com>; Fri, 20 Oct 2023 11:02:23 -0700 (PDT)
From: Eric Rosenberg <eric_rosenberg@apple.com>
Message-id: <B0D618B6-A6DD-4D94-AB20-2646C179B53A@apple.com>
Content-type: multipart/alternative; boundary="Apple-Mail=_FCAAA723-BADB-42CB-93EA-63A9A8862C5D"
MIME-version: 1.0 (Mac OS X Mail 16.0 \(3731.500.231\))
Date: Fri, 20 Oct 2023 11:02:13 -0700
In-reply-to: <BN8PR15MB328118A7CE6C88D57825826AB3DBA@BN8PR15MB3281.namprd15.prod.outlook.com>
Cc: Eric Rosenberg <eric_rosenberg=40apple.com@dmarc.ietf.org>, Martin Duke <martin.h.duke@gmail.com>, MASQUE <masque@ietf.org>
To: Ben Schwartz <bemasc=40meta.com@dmarc.ietf.org>
References: <CAM4esxRzTu=njLp7Uk=4AvObxD5j0FG1fQHKtoyDGFWF7q1jdg@mail.gmail.com> <BN8PR15MB3281FF073C549E3A39DD087BB3DBA@BN8PR15MB3281.namprd15.prod.outlook.com> <B4EF24E9-20B9-4BFD-90B8-75B9A8EF733B@apple.com> <BN8PR15MB328118A7CE6C88D57825826AB3DBA@BN8PR15MB3281.namprd15.prod.outlook.com>
X-Mailer: Apple Mail (2.3731.500.231)
Archived-At: <https://mailarchive.ietf.org/arch/msg/masque/qFWIT-BW_02mo2wZ3yC-my53RwE>
Subject: Re: [Masque] Forwarded Mode infinite loops
X-BeenThere: masque@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Multiplexed Application Substrate over QUIC Encryption <masque.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/masque>, <mailto:masque-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/masque/>
List-Post: <mailto:masque@ietf.org>
List-Help: <mailto:masque-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/masque>, <mailto:masque-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 20 Oct 2023 18:02:36 -0000

I think the loop Martin is describing is only possible when forwarders share a VIP - so not quite unrelated. There may be other loop attacks, but I believe this particular one would be mitigated if all proxies sharing a VIP constructed virtual client CIDs to guarantee no overlap.

Eric

> On Oct 20, 2023, at 10:44, Ben Schwartz <bemasc=40meta.com@dmarc.ietf.org> wrote:
> 
> They could, but AFAIK they aren't obligated to. If a client has access to several unrelated QUIC Forwarders, it could theoretically set up a loop among them unless they decide to generate long, un-collidable Connection IDs.
> 
> --Ben
> From: Eric Rosenberg <eric_rosenberg=40apple.com@dmarc.ietf.org <mailto:eric_rosenberg=40apple.com@dmarc.ietf.org>>
> Sent: Friday, October 20, 2023 1:15 PM
> To: Ben Schwartz <bemasc@meta.com <mailto:bemasc@meta.com>>
> Cc: Martin Duke <martin.h.duke@gmail.com <mailto:martin.h.duke@gmail.com>>; MASQUE <masque@ietf.org <mailto:masque@ietf.org>>
> Subject: Re: [Masque] Forwarded Mode infinite loops
>  
> This Message Is From an External Sender 
>> Changing who chooses the Connection IDs could help, but proxy-chosen CIDs are not necessarily high entropy, so there's no clear guarantee.
> 
> 
> Do you mind elaborating here? If the proxy chooses the virtual client connection ID, P2 and P3 can pick virtual client connection IDs that don’t overlap. For example, they could do something like virtual client CID = {server_id}{random_bytes}.
> 
> Eric Rosenberg
> 
> 
>> On Oct 20, 2023, at 09:53, Ben Schwartz <bemasc=40meta.com@dmarc.ietf.org> wrote:
>> 
>> Loops!  This is a fun attack.  It seems like there are probably lots of loopy configurations if you have access to two or more proxies.
>> 
>> Most of the encryption discussion for forwarded mode has focused on unauthenticated encryption, which wouldn't help here.
>> 
>> Changing who chooses the Connection IDs could help, but proxy-chosen CIDs are not necessarily high entropy, so there's no clear guarantee.
>> 
>> Ultimately, I'm not sure this matters.  A hostile client can impose pretty much arbitrarily amplified load on the forwarder anyway, e.g. by downloading a large file and forging ACKs to dropped packets so that congestion control ramps up to infinity.  Forwarders will need defenses to rate-limit or cap abusive clients.  That said, it's probably worth fixing if there's an easy solution.
>> 
>> --Ben
>> From: Masque <masque-bounces@ietf.org <mailto:masque-bounces@ietf.org>> on behalf of Martin Duke <martin.h.duke@gmail.com <mailto:martin.h.duke@gmail.com>>
>> Sent: Wednesday, October 18, 2023 5:25 PM
>> To: MASQUE <masque@ietf.org <mailto:masque@ietf.org>>
>> Subject: [Masque] Forwarded Mode infinite loops
>>  
>> Hello MASQUE,
>> 
>> (with no hats on)
>> 
>> I was playing with some annoying but manageable amplification attacks on CONNECT-UDP forwarding mode. Those will have to wait for another day, because the current draft has a fatal vulnerability, though one that we can fix pretty easily.
>> 
>> If I've gotten something incorrect, please say so! It wouldn't be the first time.
>> 
>> Recall that for forwarded mode, clients notify the proxy of the connection ID they are advertising to the target, and in the same capsule propose a "virtual connection ID" for use on the proxy-client path. (IIUC, this virtual CID is to prevent association of the packets on either end of the proxy).
>> 
>> I reiterate that we are talking about the CLIENT connection ID and its virtual counterparts, not the target.
>> 
>> Consider the following very stupid topology that a client C could construct to target T via various proxies. Crucially, P2 and P3 are from the same provider and share a VIP.* This wrinkle eliminates some really simple mitigations for what I'm about to describe.
>> 
>> C -> P1 -> P2 -> P1 -> P3 ->  T
>> 
>> An otherwise well-intentioned client would advertise client Connection ID CID0 to T, and via REGISTER_CLIENT_CID capsules might set up the rest like so:
>> 
>> Nodes        C     P1     P2    P1    P3     T
>> CID on wire    CID4   CID3  CID2  CID1   CID0
>> 
>> So far, so good. A packet that leaves T will be destined for CID0. The destination CID will be rewritten in turn, arriving at C with CID4.
>> 
>> However, a malicious client can register CIDs with the proxies as follows:
>> Nodes        C     P1            P2      P1      P3     T
>> CID on wire    CID4   CID3 / CID1    CID2    CID1   CID0
>> 
>> The only change is that P2 is "incorrectly" configured by the client to rewrite incoming CID2 as CID1. As far as P2 is concerned, everything is seems legit unless it is sharing enormous amounts of CID state with its partner P3. Everything else is unchanged.
>> 
>> Thus, a packet leaving T with CID0 will be rewritten to CID1 and routed to P1;  P1 will then route it to P2 with CID2. Then that gets routed back to P1 with CID1, and the P1-P2-P1 loop continues to infinity. The attacker can put as many proxy hops as it likes in that chain.
>> 
>> There are a few pretty simple things that can break this doom loop.
>> - Do encryption at each MASQUE hop, as previously proposed. This verifies the previous hop of the packet and drops those where the CID does not have the correct origin.
>> - Have the proxy provide the virtual CID instead of the client. Client control is the root of these problems.
>> - Eliminate virtual client CIDs and just take the L on linkability in that case
>> 
>> Martin
>> 
>> * Interestingly, this attack requires at least one proxy in the path (P1 in this case) to not be load balanced or have an easily manipulated load balancer, so that two QUIC connection attempts can with high probability go to the same device.
>> -- 
>> Masque mailing list
>> Masque@ietf.org
>> https://www.ietf.org/mailman/listinfo/masque
> 
> -- 
> Masque mailing list
> Masque@ietf.org <mailto:Masque@ietf.org>
> https://www.ietf.org/mailman/listinfo/masque

v2.23.0 | Report a Bug | By Email