[quicwg/base-drafts] Fix for off-path migration attack (#2033)
Martin Thomson <notifications@github.com> Wed, 21 November 2018 06:13 UTC
Return-Path: <noreply@github.com>
X-Original-To: quic-issues@ietfa.amsl.com
Delivered-To: quic-issues@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F161F1277BB for <quic-issues@ietfa.amsl.com>; Tue, 20 Nov 2018 22:13:40 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -8.47
X-Spam-Level:
X-Spam-Status: No, score=-8.47 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.47, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, MAILING_LIST_MULTI=-1, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=github.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Sm0pkH4LTQrS for <quic-issues@ietfa.amsl.com>; Tue, 20 Nov 2018 22:13:39 -0800 (PST)
Received: from out-2.smtp.github.com (out-2.smtp.github.com [192.30.252.193]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2780B12D4EA for <quic-issues@ietf.org>; Tue, 20 Nov 2018 22:13:39 -0800 (PST)
Date: Tue, 20 Nov 2018 22:13:37 -0800
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=github.com; s=pf2014; t=1542780817; bh=P6M22AUtKBomVVx9BG0Vv/HG3GrwxxxP3R9Dqnw6TCA=; h=Date:From:Reply-To:To:Cc:Subject:List-ID:List-Archive:List-Post: List-Unsubscribe:From; b=AhY9LLTt4tE6t21xU8ABqRYqLnWgcxIqOHACtGa8qPtwMsDveI6s/7DDaoKwcohT1 2Og1B8Tpz6/PppKFwPsrR6uCVUXlsA4E9kxnv3JehC+4kd71UrVFvEgL4OazAD+Sje SrKuCCQr9i+V5rz1H3IKkccrSaU2RQ/NSvu41goE=
From: Martin Thomson <notifications@github.com>
Reply-To: quicwg/base-drafts <reply+0166e4ab46951ef890a1248167f86802891e7803c3dcd20092cf00000001180cb99192a169ce16d3ac5a@reply.github.com>
To: quicwg/base-drafts <base-drafts@noreply.github.com>
Cc: Subscribed <subscribed@noreply.github.com>
Message-ID: <quicwg/base-drafts/pull/2033@github.com>
Subject: [quicwg/base-drafts] Fix for off-path migration attack (#2033)
Mime-Version: 1.0
Content-Type: multipart/alternative; boundary="--==_mimepart_5bf4f791df72f_59463f9be52d45b844067c"; charset="UTF-8"
Content-Transfer-Encoding: 7bit
Precedence: list
X-GitHub-Sender: martinthomson
X-GitHub-Recipient: quic-issues
X-GitHub-Reason: subscribed
X-Auto-Response-Suppress: All
X-GitHub-Recipient-Address: quic-issues@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic-issues/1I52Awzdr9ApIZg_KWU5F8Ngy0o>
X-BeenThere: quic-issues@ietf.org
X-Mailman-Version: 2.1.29
List-Id: Notification list for GitHub issues related to the QUIC WG <quic-issues.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic-issues>, <mailto:quic-issues-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic-issues/>
List-Post: <mailto:quic-issues@ietf.org>
List-Help: <mailto:quic-issues-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic-issues>, <mailto:quic-issues-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 21 Nov 2018 06:13:41 -0000
This is not an easy attack to defend against, except for probabilistically. So what we do is recommend more probing on old paths to give the endpoint that is apparently migrating more opportunities to cause the connection to migrate away from the path chosen by an attacker. I've tweaked surrounding text a little. The most interesting being the 3RTO timer on path validation. It's not the right number, but I don't think that the right number is attainable, and this is close enough. This text isn't final. I'd like it to be more accurate AND shorter, but lack the skills and perspective. Closes #1278, #1749. You can view, comment on, or merge this pull request online at: https://github.com/quicwg/base-drafts/pull/2033 -- Commit Summary -- * Fix for off-path migration attack -- File Changes -- M draft-ietf-quic-transport.md (80) -- Patch Links -- https://github.com/quicwg/base-drafts/pull/2033.patch https://github.com/quicwg/base-drafts/pull/2033.diff -- You are receiving this because you are subscribed to this thread. Reply to this email directly or view it on GitHub: https://github.com/quicwg/base-drafts/pull/2033
- [quicwg/base-drafts] Fix for off-path migration a… Martin Thomson
- Re: [quicwg/base-drafts] Fix for off-path migrati… Kazuho Oku
- Re: [quicwg/base-drafts] Fix for off-path migrati… Marten Seemann
- Re: [quicwg/base-drafts] Fix for off-path migrati… MikkelFJ
- Re: [quicwg/base-drafts] Fix for off-path migrati… Mike Bishop
- Re: [quicwg/base-drafts] Fix for off-path migrati… Christian Huitema
- Re: [quicwg/base-drafts] Fix for off-path migrati… Christian Huitema
- Re: [quicwg/base-drafts] Fix for off-path migrati… Kazuho Oku
- Re: [quicwg/base-drafts] Fix for off-path migrati… erickinnear
- Re: [quicwg/base-drafts] Fix for off-path migrati… Martin Thomson
- Re: [quicwg/base-drafts] Fix for off-path migrati… Martin Thomson
- Re: [quicwg/base-drafts] Fix for off-path migrati… Ken McMillan
- Re: [quicwg/base-drafts] Fix for off-path migrati… janaiyengar
- Re: [quicwg/base-drafts] Fix for off-path migrati… janaiyengar
- Re: [quicwg/base-drafts] Fix for off-path migrati… Martin Thomson
- Re: [quicwg/base-drafts] Fix for off-path migrati… Martin Thomson