Re: [quicwg/base-drafts] token-based greasing / initial packet protection (#3166)

Marten Seemann <> Tue, 29 October 2019 05:21 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 3BBA21200B1 for <>; Mon, 28 Oct 2019 22:21:56 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -6.596
X-Spam-Status: No, score=-6.596 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_IMAGE_ONLY_28=1.404, HTML_MESSAGE=0.001, MAILING_LIST_MULTI=-1, RCVD_IN_DNSWL_HI=-5, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id MzQHjdvrEZej for <>; Mon, 28 Oct 2019 22:21:54 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 72C64120044 for <>; Mon, 28 Oct 2019 22:21:54 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id 9EDEB2C19D2 for <>; Mon, 28 Oct 2019 22:21:53 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=pf2014; t=1572326513; bh=m4p/v7224DLeGIG7qKTfNq6KRpiIAGubzUTiXq7Yiwo=; h=Date:From:Reply-To:To:Cc:In-Reply-To:References:Subject:List-ID: List-Archive:List-Post:List-Unsubscribe:From; b=xIuF/I6jzCeKchNW8mHyWSblVE0je+JBzsC8oyP+EApXVWmfQQs/aK6wTTqRnw2Fv o0QUd/6Wx4+WCOTbsbKDxZgVUy8AYLVNeH9a5TNskHcECpIutB90e3p9BSKvTZeLTJ vfz8hrgKJFhkSLlePsAmNiXs60ldx5cyukTGevDs=
Date: Mon, 28 Oct 2019 22:21:53 -0700
From: Marten Seemann <>
Reply-To: quicwg/base-drafts <>
To: quicwg/base-drafts <>
Cc: Subscribed <>
Message-ID: <quicwg/base-drafts/pull/3166/review/>
In-Reply-To: <quicwg/base-drafts/pull/>
References: <quicwg/base-drafts/pull/>
Subject: Re: [quicwg/base-drafts] token-based greasing / initial packet protection (#3166)
Mime-Version: 1.0
Content-Type: multipart/alternative; boundary="--==_mimepart_5db7cc7190c4a_48403faf4c8cd96811979e"; charset="UTF-8"
Content-Transfer-Encoding: 7bit
Precedence: list
X-GitHub-Sender: marten-seemann
X-GitHub-Recipient: quic-issues
X-GitHub-Reason: subscribed
X-Auto-Response-Suppress: All
Archived-At: <>
X-Mailman-Version: 2.1.29
List-Id: Notification list for GitHub issues related to the QUIC WG <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 29 Oct 2019 05:21:56 -0000

marten-seemann commented on this pull request.

I like this approach, thanks for writing this up @kazuho.

While greasing helps against a passive attacker, it only helps against an active attacker if the set of of alternative version numbers is large, so large that the attacker can't obtain all alternatives by connecting to the server (a reasonable number of times).

An easy way to do this is to derive alternative version numbers by applying a transformation on the version number, e.g. use every number that fulfils `hash(salt || alternative version number) mod 4 == 0` as an alternative. This would generate a huge set of alternative version numbers. In that case, the server would probably also want to encode the initial salt into the token.

You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub: