IETF Logo Mail Archive

Re: [Masque] Forwarded Mode infinite loops

Ben Schwartz <bemasc@meta.com> Fri, 20 October 2023 17:44 UTC

Return-Path: <prvs=36575d06e7=bemasc@meta.com>
X-Original-To: masque@ietfa.amsl.com
Delivered-To: masque@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3EF15C14CE47 for <masque@ietfa.amsl.com>; Fri, 20 Oct 2023 10:44:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.091
X-Spam-Level:
X-Spam-Status: No, score=-2.091 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_FONT_LOW_CONTRAST=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=meta.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1CWiGkX5q5hS for <masque@ietfa.amsl.com>; Fri, 20 Oct 2023 10:44:12 -0700 (PDT)
Received: from mx0b-00082601.pphosted.com (mx0b-00082601.pphosted.com [67.231.153.30]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 911A2C14CF0C for <masque@ietf.org>; Fri, 20 Oct 2023 10:44:12 -0700 (PDT)
Received: from pps.filterd (m0148460.ppops.net [127.0.0.1]) by mx0a-00082601.pphosted.com (8.17.1.19/8.17.1.19) with ESMTP id 39KDxML0014666; Fri, 20 Oct 2023 10:44:08 -0700
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=meta.com; h=from : to : cc : subject : date : message-id : references : in-reply-to : content-type : mime-version; s=s2048-2021-q4; bh=wvfJ91bfGKluCxPkyqXAvJXcMNKKhHBwV+ReGcAga5s=; b=jduSkRbQAKIiyLeWVRiurTvzEA9QfAnmP1tJSr+5FHv2kMkztlW1+SV5xON+ZP9xrieV 5GHvP3bFOXpXH2gneb/P1f9bJMI/W+/Z3XOl4L/FZZ+MBHxjprSYlORHSqxDn/a93FmN cumjAD6aFhh8LNsmxjO9MBN2o2X7kjTNzotU3X9gYVsLkRGhhi9A2YH6WiEgZwLFWhGA R/Ft1pufsyVwovX31kzCyDH9JI/FAb4kKAIStyK4yDAMhsDyzO+FlhL7Wf829UF0GSWX kIHmSVEwYBIeMcJv1EsamuXtIKGFoEe73OXAsE3uhlNl4oJruVN8zhvSaBDnAjV4P/If ww==
Received: from nam10-mw2-obe.outbound.protection.outlook.com (mail-mw2nam10lp2100.outbound.protection.outlook.com [104.47.55.100]) by mx0a-00082601.pphosted.com (PPS) with ESMTPS id 3tubxu620v-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Fri, 20 Oct 2023 10:44:07 -0700
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=bmQOmIjNSVx+q/bzt/g51iQqc6d9ZuBE2xPwZkZumWtMMTa6LrSeE4OjO2hKjGi/xgBXuxDahyGqHEetNoeD26MjSRDDPm+hCe0PxCflTZcUlz6ffaC573qM1wQza0bhmsepn6Iz9dALSVmk0CPn0ei9Xh6oSgwHHTF/yEsFxVLbMsgqoyEDl2loqdVeyFCWer01FQKJTvlTTucNXH1GHeGOeLlPbHz5ebCGPdV1O5ggmsC9U++GLdEM2b5ivTnfTaeV7xvzlWX8QhHvbopnVct+Zs33ChUksKfhY34pWIK/liWGjR+kPyWIXRPEBjKIYG4dmxgZzQBNyMYZFZxShg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=b7ykGqmfJ+U1jnz3kImRR9AiyWYpNd2uE1NVikjL7MA=; b=J6UNxJ6Hh9h/KyOI6CID132Py9UZ7fA7TlHOD5Nj65kQ7IQ5wy9mu2f2bo7RZAwps9OdfwzulycSBhOeauFhA2+I1+zIS5BBknnUIySMtlz31PM4vKc08Ph2ElgDwjTmiQ2o3E+Cu2Mx17WvKxthAFkL/U9NZ84/JCoK23QZLhVFDjNPWIqiGlEVQ/qL60BGnmdlEA93edvhVr4YS+VPW4OXonb/3s89iXbnX05q/3caEY+kH31tJc/LRhnrjZZp91zxEwtlqIpjLIMRI5QccrlvKSCoc9UmoTB1Bo/WqxemQq8tQLZVs8NvqQCLBLGmPCWFdWCDiN8QSOcKs7zWRg==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=meta.com; dmarc=pass action=none header.from=meta.com; dkim=pass header.d=meta.com; arc=none
Received: from BN8PR15MB3281.namprd15.prod.outlook.com (2603:10b6:408:aa::24) by DS0PR15MB5782.namprd15.prod.outlook.com (2603:10b6:8:dc::17) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.6933.11; Fri, 20 Oct 2023 17:44:04 +0000
Received: from BN8PR15MB3281.namprd15.prod.outlook.com ([fe80::d9e2:fc18:82fa:fd56]) by BN8PR15MB3281.namprd15.prod.outlook.com ([fe80::d9e2:fc18:82fa:fd56%5]) with mapi id 15.20.6863.043; Fri, 20 Oct 2023 17:44:04 +0000
From: Ben Schwartz <bemasc@meta.com>
To: Eric Rosenberg <eric_rosenberg=40apple.com@dmarc.ietf.org>
CC: Martin Duke <martin.h.duke@gmail.com>, MASQUE <masque@ietf.org>
Thread-Topic: [Masque] Forwarded Mode infinite loops
Thread-Index: AQHaAgmezUI5C2Jo1kydYUxmv4AKKbBS4otsgAALVwCAAAXhzA==
Date: Fri, 20 Oct 2023 17:44:04 +0000
Message-ID: <BN8PR15MB328118A7CE6C88D57825826AB3DBA@BN8PR15MB3281.namprd15.prod.outlook.com>
References: <CAM4esxRzTu=njLp7Uk=4AvObxD5j0FG1fQHKtoyDGFWF7q1jdg@mail.gmail.com> <BN8PR15MB3281FF073C549E3A39DD087BB3DBA@BN8PR15MB3281.namprd15.prod.outlook.com> <B4EF24E9-20B9-4BFD-90B8-75B9A8EF733B@apple.com>
In-Reply-To: <B4EF24E9-20B9-4BFD-90B8-75B9A8EF733B@apple.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
msip_labels:
x-ms-publictraffictype: Email
x-ms-traffictypediagnostic: BN8PR15MB3281:EE_|DS0PR15MB5782:EE_
x-ms-office365-filtering-correlation-id: 3081f689-688b-4179-99e5-08dbd1942735
x-fb-source: Internal
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: GAvnijw766nlmY7yjd6CNSdV/HXTfZgd4YUibkvqVPVD9fhFsJ6vjDBhaHX5AjgYRu1iETbBhMjLZQEnLhp7BBwj7WR+0ies9hSVn9TznLm2dFut9aUlHEjEIrMMaR/JMDFqm37iy2c0cREAZkPHkR3YAfMYRO8f3dI50SM3YcRl5vAmdvEIY1ma+1hvwxDKr1pIOdKPjDYpqOt9dO99uFhvgEUpGFQ6NVUbKGZhIVS59isnJMkfJMNE/m9h/h75Dz8gTo2ytHEEm1vVtyekyQgbMc7Lt8uBlsOfm6O05uhjXdE4Vp4vP9ga+yslc4fKcBbPvzQFAiwM2R6P8GD8YupcHmpjObPXqdSRmcJ7q+W4QltVG62I4qI/oxBu1sMv+OFXG82pl4caofnu+44DzhHomS9SSmBQgJbOiKqaqJsoorCt89kJg+FKfj73rPYEUoMWpC7Y2rxD6nNTPVRqeW/7yWRdL0UG1Wmx4ayvww/CgiVhn3a4xOyzsTp268KQgUb4SJlDqTw/nJxqQh0oe8Sj/MOxyeUezXxvimEA/i0QRcVTQI2D+zW7sk7s3UwWXP60lyDg79iXX9pDnl1xmkEOjRx3wGGsikZ4ESEEKdk=
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:BN8PR15MB3281.namprd15.prod.outlook.com; PTR:; CAT:NONE; SFS:(13230031)(136003)(39860400002)(366004)(346002)(396003)(376002)(230922051799003)(64100799003)(451199024)(186009)(1800799009)(2906002)(966005)(478600001)(5660300002)(41300700001)(4326008)(8676002)(52536014)(8936002)(76116006)(91956017)(316002)(55016003)(54906003)(64756008)(66446008)(66476007)(66556008)(66946007)(83380400001)(33656002)(86362001)(38070700009)(19627405001)(38100700002)(122000001)(166002)(71200400001)(6506007)(7696005)(9686003)(53546011); DIR:OUT; SFP:1102;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: w+ZJwalxVhWqhBVEupUiEc6Jy7hSUg9C6wbqf6M+i02yVNfYoQgA5DyzIdzenketabwhh7SjS+jOahyc9B/1KZqhBmyqqygvSh6AYccESiZTai1Sj4Zj9u446OWhvE+cBh69TcAClYR2iwRssNv74XQtZs8p3vC60wvppYgrsMalkHBb6kYqvnj0HQLja2Nxx25PtheeHFIr4x5ElYw0NDa3dI4PDPPaIKRzM2m90eCJdEkYpGQKdV6R2PHy+4JYIYZHOguz1B/h9P1dKzxzL4q0xjO9LveCQGh31wzi/62gr3A8KZRXTufQjzoeZysODjyxqpQuguX6AUVG9T3paoyZLtiIMffjmnVpAGFHxN2Va4aMDsr+tbzVS+Z/5TovdfaYmVm1NFd2vS9hp9230CPlPZpoj/rISRT2SAVMrauMZ1y/njqNvra0YrRkqjA7yEIQLMJ6Y4sbB0BeCJXjVnfYouB/sRhQVYvOVSQTMB59q8ZoiX3Z6/UV91gCBWGX1O1dZjCuMrDai6giQVtPS1cm5HAVPc6ZsUA2MPZHqmeRoA87RnoB2v0qHUfPeBMg383IIjJvLXBkgxkfkcG3Y6Jjp3IwWnhKYDVfMUqGwZOIU3PD+0d9D5tgPBAut5kVRjpT1VqF/ORc07ukE0VPD0zq/DmFBGYYXvMFhPDFZIF1xflLTnuLohMvrrVzXUStXuturdoLgZyQzmGu/kEl9tGaG5Jgw+zuZf815X+W/1l3/0rxJ8/e+fnYNTEM64EvqDfnJyB9MUUWWOmy15QtF0krA/LUPsQ2Ep6BPTQ04o1r/+9gpxW7fllZN7bKJMD+JL85MlR1PlSqqiuBpQrHe/XdZAPBueQrl2BBPTfgVZIuUQv4YTdSdVDIYgOkudxi2+ActvpGSO00n0bslmeM5k6cW9ys7Xrd6RP9YEL3IEKaPx579shtK22k2IJUmQbkpuIJS0jSQZFA0qRrD5AZT9l+0LS5xyI1SpYn8ZEfrMG+XMfYCW2SPNNhMpdzpaElke1jam1loI9k6FGs86QwFYGtnGKVbcgPeQ6puv7MUODdCnd/SD8B9a8RzEC0NzUoarO9+j3Pn4k6LOYf02eN15pCLSPp5ZcNuOFmrJ4JlmWABrLvW5W/OVaS8QWvC4vRZYxk+mn7u9RAnsxOxVzDowp83eLYIsKZzMVTo7r/8EGI5htneHIPHGbTKMN3kP4fXaZqQ2jWKG66L5qB9jyiXbJFQNUCQiKINux6qjOWmeXZmQXJZAAq1FCT7kaNFfuZhMIQu40U4fTOSNqkM/eyFacT+roZvhwxJTgK0pXVw2OOsLOVBgKeE7ajOY2BPa/qSqEuU0Vb0ZOUu5NreAnYjOZJmIPMVVDJ7bcP/4XgoEOe5cOnjSoPZmxht8xwcoARgwnG9w0K6euuqAOT7qhxZzY+g9kbDj1AEFzmvljYll8KxPB5KmUnqJ3wOVHi3e7iwT9jwkLMDQQ88kMZa47GnkMj9L3SmEbFvUR+7tTsaniZK6vbo02NvKHAQUT4+oxXSWU3lQd6K3kXOKV1vg7KpYzI9NYBgOKkt/ssLOeP6aWTdOE2EtVP+0TS0U77jHgT
Content-Type: multipart/alternative; boundary="_000_BN8PR15MB328118A7CE6C88D57825826AB3DBABN8PR15MB3281namp_"
X-OriginatorOrg: meta.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: BN8PR15MB3281.namprd15.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 3081f689-688b-4179-99e5-08dbd1942735
X-MS-Exchange-CrossTenant-originalarrivaltime: 20 Oct 2023 17:44:04.6070 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 8ae927fe-1255-47a7-a2af-5f3a069daaa2
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: PEFV+KV9eIlwsbJMu7p4CY2rV92N1zXV32j1aO7B7yuEkDfigm7X9R03WV3grMrl
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DS0PR15MB5782
X-Proofpoint-ORIG-GUID: NOwEWZ-6xWMZyTQCKOL3PQx6ER_qMhLk
X-Proofpoint-GUID: NOwEWZ-6xWMZyTQCKOL3PQx6ER_qMhLk
X-Proofpoint-UnRewURL: 2 URL's were un-rewritten
MIME-Version: 1.0
X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.272,Aquarius:18.0.980,Hydra:6.0.619,FMLib:17.11.176.26 definitions=2023-10-20_10,2023-10-19_01,2023-05-22_02
Archived-At: <https://mailarchive.ietf.org/arch/msg/masque/zYzK4UgvEd7c-py3UcoUHeyDm_E>
Subject: Re: [Masque] Forwarded Mode infinite loops
X-BeenThere: masque@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Multiplexed Application Substrate over QUIC Encryption <masque.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/masque>, <mailto:masque-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/masque/>
List-Post: <mailto:masque@ietf.org>
List-Help: <mailto:masque-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/masque>, <mailto:masque-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 20 Oct 2023 17:44:16 -0000

They could, but AFAIK they aren't obligated to. If a client has access to several unrelated QUIC Forwarders, it could theoretically set up a loop among them unless they decide to generate long, un-collidable Connection IDs.

--Ben
________________________________
From: Eric Rosenberg <eric_rosenberg=40apple.com@dmarc.ietf.org>
Sent: Friday, October 20, 2023 1:15 PM
To: Ben Schwartz <bemasc@meta.com>
Cc: Martin Duke <martin.h.duke@gmail.com>; MASQUE <masque@ietf.org>
Subject: Re: [Masque] Forwarded Mode infinite loops

Changing who chooses the Connection IDs could help, but proxy-chosen CIDs are not necessarily high entropy, so there's no clear guarantee. Do you mind elaborating here? If the proxy chooses the virtual client connection ID, P2 and P3 can pick
ZjQcmQRYFpfptBannerStart
This Message Is From an External Sender

ZjQcmQRYFpfptBannerEnd
Changing who chooses the Connection IDs could help, but proxy-chosen CIDs are not necessarily high entropy, so there's no clear guarantee.

Do you mind elaborating here? If the proxy chooses the virtual client connection ID, P2 and P3 can pick virtual client connection IDs that don’t overlap. For example, they could do something like virtual client CID = {server_id}{random_bytes}.

Eric Rosenberg


On Oct 20, 2023, at 09:53, Ben Schwartz <bemasc=40meta.com@dmarc.ietf.org> wrote:

Loops!  This is a fun attack.  It seems like there are probably lots of loopy configurations if you have access to two or more proxies.

Most of the encryption discussion for forwarded mode has focused on unauthenticated encryption, which wouldn't help here.

Changing who chooses the Connection IDs could help, but proxy-chosen CIDs are not necessarily high entropy, so there's no clear guarantee.

Ultimately, I'm not sure this matters.  A hostile client can impose pretty much arbitrarily amplified load on the forwarder anyway, e.g. by downloading a large file and forging ACKs to dropped packets so that congestion control ramps up to infinity.  Forwarders will need defenses to rate-limit or cap abusive clients.  That said, it's probably worth fixing if there's an easy solution.

--Ben
________________________________
From: Masque <masque-bounces@ietf.org<mailto:masque-bounces@ietf.org>> on behalf of Martin Duke <martin.h.duke@gmail.com<mailto:martin.h.duke@gmail.com>>
Sent: Wednesday, October 18, 2023 5:25 PM
To: MASQUE <masque@ietf.org<mailto:masque@ietf.org>>
Subject: [Masque] Forwarded Mode infinite loops

Hello MASQUE,

(with no hats on)

I was playing with some annoying but manageable amplification attacks on CONNECT-UDP forwarding mode. Those will have to wait for another day, because the current draft has a fatal vulnerability, though one that we can fix pretty easily.

If I've gotten something incorrect, please say so! It wouldn't be the first time.

Recall that for forwarded mode, clients notify the proxy of the connection ID they are advertising to the target, and in the same capsule propose a "virtual connection ID" for use on the proxy-client path. (IIUC, this virtual CID is to prevent association of the packets on either end of the proxy).

I reiterate that we are talking about the CLIENT connection ID and its virtual counterparts, not the target.

Consider the following very stupid topology that a client C could construct to target T via various proxies. Crucially, P2 and P3 are from the same provider and share a VIP.* This wrinkle eliminates some really simple mitigations for what I'm about to describe.

C -> P1 -> P2 -> P1 -> P3 ->  T

An otherwise well-intentioned client would advertise client Connection ID CID0 to T, and via REGISTER_CLIENT_CID capsules might set up the rest like so:

Nodes        C     P1     P2    P1    P3     T
CID on wire    CID4   CID3  CID2  CID1   CID0

So far, so good. A packet that leaves T will be destined for CID0. The destination CID will be rewritten in turn, arriving at C with CID4.

However, a malicious client can register CIDs with the proxies as follows:
Nodes        C     P1            P2      P1      P3     T
CID on wire    CID4   CID3 / CID1    CID2    CID1   CID0

The only change is that P2 is "incorrectly" configured by the client to rewrite incoming CID2 as CID1. As far as P2 is concerned, everything is seems legit unless it is sharing enormous amounts of CID state with its partner P3. Everything else is unchanged.

Thus, a packet leaving T with CID0 will be rewritten to CID1 and routed to P1;  P1 will then route it to P2 with CID2. Then that gets routed back to P1 with CID1, and the P1-P2-P1 loop continues to infinity. The attacker can put as many proxy hops as it likes in that chain.

There are a few pretty simple things that can break this doom loop.
- Do encryption at each MASQUE hop, as previously proposed. This verifies the previous hop of the packet and drops those where the CID does not have the correct origin.
- Have the proxy provide the virtual CID instead of the client. Client control is the root of these problems.
- Eliminate virtual client CIDs and just take the L on linkability in that case

Martin

* Interestingly, this attack requires at least one proxy in the path (P1 in this case) to not be load balanced or have an easily manipulated load balancer, so that two QUIC connection attempts can with high probability go to the same device.
--
Masque mailing list
Masque@ietf.org
https://www.ietf.org/mailman/listinfo/masque<https://www.ietf.org/mailman/listinfo/masque>

v2.23.0 | Report a Bug | By Email