IETF Logo Mail Archive

[Masque] Forwarded Mode infinite loops

Martin Duke <martin.h.duke@gmail.com> Wed, 18 October 2023 21:25 UTC

Return-Path: <martin.h.duke@gmail.com>
X-Original-To: masque@ietfa.amsl.com
Delivered-To: masque@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A5E7DC14CE38 for <masque@ietfa.amsl.com>; Wed, 18 Oct 2023 14:25:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.107
X-Spam-Level:
X-Spam-Status: No, score=-2.107 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YRnCKATiwu1D for <masque@ietfa.amsl.com>; Wed, 18 Oct 2023 14:25:20 -0700 (PDT)
Received: from mail-ua1-x92e.google.com (mail-ua1-x92e.google.com [IPv6:2607:f8b0:4864:20::92e]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 861B5C14CF1D for <masque@ietf.org>; Wed, 18 Oct 2023 14:25:15 -0700 (PDT)
Received: by mail-ua1-x92e.google.com with SMTP id a1e0cc1a2514c-7a7e11a53c3so86234241.1 for <masque@ietf.org>; Wed, 18 Oct 2023 14:25:15 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1697664314; x=1698269114; darn=ietf.org; h=to:subject:message-id:date:from:mime-version:from:to:cc:subject :date:message-id:reply-to; bh=Bec1o30+J7m34YBogBZuoL+oPi7Rmz/7HoOiBsyo/vc=; b=jlVBk+/cJjY0TW1t5TaFIMyrkeLtlz95TbMXX1CtaXWSRBapoqC5ORv9b1nTclP3fk fMAHuF7b5BeI7gB4oz9w76uj3jtN8HUduyu0EMnRLISPTJhG+P+Y1uS32CFo1iX9Y55k gwlCWcFwjafMt2dmCdSME3Riyzh7s+EKqaTC11v+VRdelEratfaGpfbKklsnlmQDctiU D3LsTOvhgVhOiTcpBhKXoD4PozAiflgc8m4AXkZefHfL1Q8l0NjU31pvMEs/h0ZpwqM4 4Pv+rCOC529s3M1qOV/Mbg7ehglQXKrjD/YkEIlOhrP0JIrKx6anYSN5xyjAZ7oFzoWp F2fA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1697664314; x=1698269114; h=to:subject:message-id:date:from:mime-version:x-gm-message-state :from:to:cc:subject:date:message-id:reply-to; bh=Bec1o30+J7m34YBogBZuoL+oPi7Rmz/7HoOiBsyo/vc=; b=uuoa6YR5jO+Z4/0bu8gy/Drsa27XRywNNVy7KjYrKmbuipFHox+m3e3P815VQvTDqO kWgJzKwGsphDpVJGOhuoqjIqHc3dPJw0FlLDmBuVCDTXWflU9HImy2SyyFpMUU/DqO51 l5qVLX5hOFO9RXNl2DEzT+pA716Kj7uA2QX1gHLiCiUTqW8GOJAV/3yDKPFju7gD4X8f R2tWb5XU3FRtOUQ78PbDfERWWDIO6RTWc3nu/Sp9Bh7bZ2Re9RNb5aXbn0StLGyXONLe GNhPZrvOU02TFIN9Z2e6dTQlxD8gHB1mtuGf9koX+KeAl9guMQz/qv+oMoG9B0GbAIJm JkgQ==
X-Gm-Message-State: AOJu0YybFWWGn6O49HXlVDyQ+VFIosLYhKuGJOu4TxQw1h6Xjssp+HK/ c7wGCeg4lzi8hAwOsRETvrvlZ8ZZbfXQ+aOhEFdtRTKiXuM=
X-Google-Smtp-Source: AGHT+IHlvTMzMqptLLDoTGQS5b3pqu7hdAebgYovLsE8HmG5BGiVpY7Z5/DS1jWhBaUdD/umNU0kDLymAsocjbYeuyI=
X-Received: by 2002:a67:c28b:0:b0:457:a98f:1e23 with SMTP id k11-20020a67c28b000000b00457a98f1e23mr37921vsj.8.1697664314036; Wed, 18 Oct 2023 14:25:14 -0700 (PDT)
MIME-Version: 1.0
From: Martin Duke <martin.h.duke@gmail.com>
Date: Wed, 18 Oct 2023 14:25:01 -0700
Message-ID: <CAM4esxRzTu=njLp7Uk=4AvObxD5j0FG1fQHKtoyDGFWF7q1jdg@mail.gmail.com>
To: MASQUE <masque@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000062db41060804464c"
Archived-At: <https://mailarchive.ietf.org/arch/msg/masque/y4M_VX7-dMvOqkhKoHCtKUgnomA>
Subject: [Masque] Forwarded Mode infinite loops
X-BeenThere: masque@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Multiplexed Application Substrate over QUIC Encryption <masque.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/masque>, <mailto:masque-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/masque/>
List-Post: <mailto:masque@ietf.org>
List-Help: <mailto:masque-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/masque>, <mailto:masque-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 18 Oct 2023 21:25:22 -0000

Hello MASQUE,

(with no hats on)

I was playing with some annoying but manageable amplification attacks on
CONNECT-UDP forwarding mode. Those will have to wait for another day,
because the current draft has a fatal vulnerability, though one that we can
fix pretty easily.

If I've gotten something incorrect, please say so! It wouldn't be the first
time.

Recall that for forwarded mode, clients notify the proxy of the connection
ID they are advertising to the target, and in the same capsule propose a
"virtual connection ID" for use on the proxy-client path. (IIUC, this
virtual CID is to prevent association of the packets on either end of the
proxy).

I reiterate that we are talking about the CLIENT connection ID and
its virtual counterparts, not the target.

Consider the following very stupid topology that a client C could construct
to target T via various proxies. Crucially, P2 and P3 are from the same
provider and share a VIP.* This wrinkle eliminates some really simple
mitigations for what I'm about to describe.

C -> P1 -> P2 -> P1 -> P3 ->  T

An otherwise well-intentioned client would advertise client Connection ID
CID0 to T, and via REGISTER_CLIENT_CID capsules might set up the rest like
so:

Nodes        C     P1     P2    P1    P3     T
CID on wire    CID4   CID3  CID2  CID1   CID0

So far, so good. A packet that leaves T will be destined for CID0. The
destination CID will be rewritten in turn, arriving at C with CID4.

However, a malicious client can register CIDs with the proxies as follows:
Nodes        C     P1            P2      P1      P3     T
CID on wire    CID4   CID3 / CID1    CID2    CID1   CID0

The only change is that P2 is "incorrectly" configured by the client to
rewrite incoming CID2 as CID1. As far as P2 is concerned, everything is
seems legit unless it is sharing enormous amounts of CID state with its
partner P3. Everything else is unchanged.

Thus, a packet leaving T with CID0 will be rewritten to CID1 and routed to
P1;  P1 will then route it to P2 with CID2. Then that gets routed back to
P1 with CID1, and the P1-P2-P1 loop continues to infinity. The attacker can
put as many proxy hops as it likes in that chain.

There are a few pretty simple things that can break this doom loop.
- Do encryption at each MASQUE hop, as previously proposed. This verifies
the previous hop of the packet and drops those where the CID does not have
the correct origin.
- Have the proxy provide the virtual CID instead of the client. Client
control is the root of these problems.
- Eliminate virtual client CIDs and just take the L on linkability in that
case

Martin

* Interestingly, this attack requires at least one proxy in the path (P1 in
this case) to not be load balanced or have an easily manipulated load
balancer, so that two QUIC connection attempts can with high probability go
to the same device.

v2.23.0 | Report a Bug | By Email