Re: [quicwg/base-drafts] Authenticating connection IDs (#3439)

Christian Huitema <notifications@github.com> Thu, 05 March 2020 21:39 UTC

Return-Path: <noreply@github.com>
X-Original-To: quic-issues@ietfa.amsl.com
Delivered-To: quic-issues@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2EE893A0C80 for <quic-issues@ietfa.amsl.com>; Thu, 5 Mar 2020 13:39:05 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.1
X-Spam-Level:
X-Spam-Status: No, score=-3.1 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, MAILING_LIST_MULTI=-1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=github.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TonnoXIxdN5O for <quic-issues@ietfa.amsl.com>; Thu, 5 Mar 2020 13:39:03 -0800 (PST)
Received: from out-1.smtp.github.com (out-1.smtp.github.com [192.30.252.192]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7A1273A0C7F for <quic-issues@ietf.org>; Thu, 5 Mar 2020 13:39:03 -0800 (PST)
Received: from github-lowworker-6349a71.ac4-iad.github.net (github-lowworker-6349a71.ac4-iad.github.net [10.52.18.20]) by smtp.github.com (Postfix) with ESMTP id 642E0C60D01 for <quic-issues@ietf.org>; Thu, 5 Mar 2020 13:39:02 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=github.com; s=pf2014; t=1583444342; bh=XSIb+b7ghlrNybMQ+xTjYGzLozUebtnqLiqGWqsAPYI=; h=Date:From:Reply-To:To:Cc:In-Reply-To:References:Subject:List-ID: List-Archive:List-Post:List-Unsubscribe:From; b=Q9KIA3yycvt72ujQNPLbdosrgoH36kOiMwkwOvsAxEDqfJdhECeVeu9Rner8EuDdT uzsZHd+yLFzaoqD6+K8kl9IcxS/rBeON2hx1otngj15m/RKuf3utzBpctAub7OS9wx /+k/e6ri0InNMog2Dazj28QtM+tMOEKwE4V/aZqg=
Date: Thu, 05 Mar 2020 13:39:02 -0800
From: Christian Huitema <notifications@github.com>
Reply-To: quicwg/base-drafts <reply+AFTOJK6CV3JNJVLVMAWKVS54NVJHNEVBNHHCC4LIRI@reply.github.com>
To: quicwg/base-drafts <base-drafts@noreply.github.com>
Cc: Subscribed <subscribed@noreply.github.com>
Message-ID: <quicwg/base-drafts/issues/3439/595460613@github.com>
In-Reply-To: <quicwg/base-drafts/issues/3439@github.com>
References: <quicwg/base-drafts/issues/3439@github.com>
Subject: Re: [quicwg/base-drafts] Authenticating connection IDs (#3439)
Mime-Version: 1.0
Content-Type: multipart/alternative; boundary="--==_mimepart_5e6171765509d_57c53faf722cd95c43465a"; charset=UTF-8
Content-Transfer-Encoding: 7bit
Precedence: list
X-GitHub-Sender: huitema
X-GitHub-Recipient: quic-issues
X-GitHub-Reason: subscribed
X-Auto-Response-Suppress: All
X-GitHub-Recipient-Address: quic-issues@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic-issues/0MgKwfQigdzk9NcJe6MOWdCj-EU>
X-BeenThere: quic-issues@ietf.org
X-Mailman-Version: 2.1.29
List-Id: Notification list for GitHub issues related to the QUIC WG <quic-issues.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic-issues>, <mailto:quic-issues-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic-issues/>
List-Post: <mailto:quic-issues@ietf.org>
List-Help: <mailto:quic-issues-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic-issues>, <mailto:quic-issues-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 05 Mar 2020 21:39:05 -0000

I am trying to wrap my head around the "transport parameters" proposal. I am looking at the sequence of the attack:

1) Client sends an Initial packet with a specific DCID (later referred to as ODCID)
2) Server sends a retry packet in which the DCID copies the original SCID of the client, and the SCID is set to the value that the server wants the client to use as the next DCID -- calling this Retry-CID
3) Attacker intercepts the retry packet, replaces the DCID by A-CID.
4) Client starts a new connection with DCID = A-CID instead of the expected Retry-CID, which possibly opens the possibility of attacks against the server, such as paying games with the load balancer.
5) Client includes some new transport parameters in Initial packets
6) Attacker possibly intercepts the client packet and messes with the transport parameters.

At that point, we have different outcomes based on the defenses implemented by the server:

a) If the server has tied the Retry-CID and the ODCID to the token, the server finds that the incoming client Initial does not meet expectations, and closes the connection with an adequate error code.

b) If the server did not do (a), the server will start establishing the connection, sending the server transport parameters as part of the encrypted extensions, in Handshake packets. The transport parameters include the ODCID. If I understand the proposal correctly, the transport parameters would also include the Retry-CID. The client would then receive these parameters, find out that something is amiss, and close the connection.

Given these two choices, it seems that option (a) is much better. The Retry mechanism is designed for use under attack. In these scenarios, it is important to minimize the amount of work at the server. If the server has tied Retry-CID to the token, the session is terminated upon the first initial packet, which seems like the desired result. If not doing that, the server will expand resource to compute session keys, signatures, etc., which means that the DOS attack is more effective.

I also think that the server should not rely on the client for protection. The ODCID transport parameter and the proposed Retry-CID parameter allow the client to verify that things are as expected. But suppose for a moment that the attacker is the client itself, and that the goal of the attack is to overwhelm a specific server in the farm by using well chosen DCID. The "attacker-client" will certainly not terminate the connection on Retry-CID mismatch!

Then, I also wonder how servers would implement the Retry-CID transport parameter. It seems that currently many servers implement the ODCID requirement by encoding the ODCID in the token. I assume that server will implement the Retry-CID either by using algorithmic derivation of Retry-CID from ODCID, or by adding the Retry-CID to the token. In both cases, they can implement option (a). 

So in practice, there is little incremental work for a server if it wants to do (a) rather than (b), and there are sizable benefits in terms of reduced DoS surface. The recommendation ought to be, do (a). Now, if servers actually do (a), they will have no problem also sending a Retry-CID transport parameter in the "all clear" case. But that will not be very useful.

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/quicwg/base-drafts/issues/3439#issuecomment-595460613