Re: [quicwg/base-drafts] Add initial threat model to security considerations (#2925)

[Martin Thomson <notifications@github.com>]

martinthomson commented on this pull request.

WIP

> +
+TBD.
+
+### Short Headers {#short-headers-properties}
+
+TBD.
+
+### Connection Migration {#migration-properties}
+
+Connection Migration ({{migration}}) provides endpoints with the ability to
+transition between IP addresses and ports on multiple paths, using one path at a
+time for transmission and receipt of non-probing frames.  Path validation
+({{migrate-validate}}) establishes that a peer is both willing and able
+to receive packets sent on a particular path.  This helps reduce the effects of
+address spoofing, by limiting the number of packets sent to a spoofed address,
+unless an attacker is able to also receive packets sent to that address.

This can probably go, I think.

```suggestion
```

> +transition between IP addresses and ports on multiple paths, using one path at a
+time for transmission and receipt of non-probing frames.  Path validation
+({{migrate-validate}}) establishes that a peer is both willing and able
+to receive packets sent on a particular path.  This helps reduce the effects of
+address spoofing, by limiting the number of packets sent to a spoofed address,
+unless an attacker is able to also receive packets sent to that address.
+
+This section describes the intended security properties of connection migration
+when under various types of attack, as described in more detail by {{?RFC3552}}.
+
+For this purpose, attacks are divided into passive and active attacks, passive
+attackers having the capability to read packets from the network and active
+attackers having the capability to write packets into the network.
+
+Attackers are additionally categorized as either on-path attackers or off-path
+attackers (see Section 3.5 of {{?RFC3552}}); an on-path attacker is on the

```suggestion
attackers; see Section 3.5 of {{?RFC3552}}).  An on-path attacker is on the
```

> +time for transmission and receipt of non-probing frames.  Path validation
+({{migrate-validate}}) establishes that a peer is both willing and able
+to receive packets sent on a particular path.  This helps reduce the effects of
+address spoofing, by limiting the number of packets sent to a spoofed address,
+unless an attacker is able to also receive packets sent to that address.
+
+This section describes the intended security properties of connection migration
+when under various types of attack, as described in more detail by {{?RFC3552}}.
+
+For this purpose, attacks are divided into passive and active attacks, passive
+attackers having the capability to read packets from the network and active
+attackers having the capability to write packets into the network.
+
+Attackers are additionally categorized as either on-path attackers or off-path
+attackers (see Section 3.5 of {{?RFC3552}}); an on-path attacker is on the
+critical path for a given connection and can read, modify, or remove any packet

This definition of on-path uses "on the critical path".  I think that you can reduce to "can read, modify, or remove any packet [...]"

> +unless an attacker is able to also receive packets sent to that address.
+
+This section describes the intended security properties of connection migration
+when under various types of attack, as described in more detail by {{?RFC3552}}.
+
+For this purpose, attacks are divided into passive and active attacks, passive
+attackers having the capability to read packets from the network and active
+attackers having the capability to write packets into the network.
+
+Attackers are additionally categorized as either on-path attackers or off-path
+attackers (see Section 3.5 of {{?RFC3552}}); an on-path attacker is on the
+critical path for a given connection and can read, modify, or remove any packet
+it observes such that it no longer reaches its destination, while an off-path
+attacker observes the packets, but cannot prevent the original packet from
+reaching its intended destination. An off-path attacker can transmit arbitrary
+packets, and it may be able to attack the network so as to place itself on-path.

This last clause is probably worth making its own sentence.  That is,

> Properties of connection migration allow an off-path attacker to place itself on path by sending packets under certain narrow conditions.

> +Both on-path and off-path attackers can mount a passive attack in which they
+save observed QUIC packets for an offline attack against QUIC packet protection
+at a future time; this is true for any observer of any packet on any network.

Is this something that ekr should deal with?

> +save observed QUIC packets for an offline attack against QUIC packet protection
+at a future time; this is true for any observer of any packet on any network.
+
+
+#### Active Attacks
+
+An active attack ({{?RFC3552}}) involves writing data to the network.  An
+attacker with such a capability might be in a position to additionally prevent
+the original packets it observes from reaching their intended destination.  If
+so, they are considered to be an on-path attacker.
+
+An active attacker may also choose to rewrite the source or destination IP
+addresses of packets that it forwards or injects. Such spoofing attacks are only
+effective against a QUIC connection if the attacker can still forward the
+contents of the packets to the original endpoint, since QUIC connections are
+both authenticated and encrypted.

Not sure what this last bit is intended to say.  Rewriting addresses is not covered by packet protection, but this might be read to imply otherwise.

> +
+An active attack ({{?RFC3552}}) involves writing data to the network.  An
+attacker with such a capability might be in a position to additionally prevent
+the original packets it observes from reaching their intended destination.  If
+so, they are considered to be an on-path attacker.
+
+An active attacker may also choose to rewrite the source or destination IP
+addresses of packets that it forwards or injects. Such spoofing attacks are only
+effective against a QUIC connection if the attacker can still forward the
+contents of the packets to the original endpoint, since QUIC connections are
+both authenticated and encrypted.
+
+A blind attacker, one who injects packets without being able to observe valid
+packets for a QUIC connection, is unlikely to be successful, since QUIC packet
+protection ensures that valid packets are only generated by endpoints which
+possess the key material established during the handshake.  Similarly, any

This will need a backref to the handshakey bits.

> +#### Active Attacks
+
+An active attack ({{?RFC3552}}) involves writing data to the network.  An
+attacker with such a capability might be in a position to additionally prevent
+the original packets it observes from reaching their intended destination.  If
+so, they are considered to be an on-path attacker.
+
+An active attacker may also choose to rewrite the source or destination IP
+addresses of packets that it forwards or injects. Such spoofing attacks are only
+effective against a QUIC connection if the attacker can still forward the
+contents of the packets to the original endpoint, since QUIC connections are
+both authenticated and encrypted.
+
+A blind attacker, one who injects packets without being able to observe valid
+packets for a QUIC connection, is unlikely to be successful, since QUIC packet
+protection ensures that valid packets are only generated by endpoints which

The missing observation here is that endpoints won't accept invalid packets.

> +
+However, an attacker can modify the boundaries between QUIC packets and UDP
+datagrams, causing multiple packets to be coalesced into a single datagram, or
+splitting coalesced packets into multiple datagrams.  Such modification has no
+functional effect on a QUIC connection, however it might change the performance
+characteristics exhibited by the receiving endpoint.
+
+A spoofing attack, in which an attacker rewrites unprotected parts of a QUIC
+packet such as the source or destination address, is only effective if the
+attacker can forward packets to the original endpoint, as path validation
+({{migrate-validate}}) ensures that an endpoint's ability and willingness to
+decrypt QUIC packets is demonstrated before sending significant amounts of data
+to a new endpoint as part of an established QUIC connection.
+
+
+##### On-Path Active Attacks

I don't accept patches with five ######### in a row.  Can we bump the real stuff up a level?

> +the original packets it observes from reaching their intended destination.  If
+so, they are considered to be an on-path attacker.
+
+An active attacker may also choose to rewrite the source or destination IP
+addresses of packets that it forwards or injects. Such spoofing attacks are only
+effective against a QUIC connection if the attacker can still forward the
+contents of the packets to the original endpoint, since QUIC connections are
+both authenticated and encrypted.
+
+A blind attacker, one who injects packets without being able to observe valid
+packets for a QUIC connection, is unlikely to be successful, since QUIC packet
+protection ensures that valid packets are only generated by endpoints which
+possess the key material established during the handshake.  Similarly, any
+active attacker that observes QUIC packets and attempts to insert new data or
+modify existing data in those packets should not be able to generate packets
+deemed valid by the receiving endpoint.

This belongs in earlier sections. This is packet protection.

> +- Reorder packets
+- Drop packets
+- Split and merge datagrams along packet boundaries
+
+An on-path attacker cannot:
+
+- Modify an authenticated and encrypted portion of a packet and cause the
+ recipient to accept that packet
+
+An on-path attacker has the opportunity to modify the packets that it observes,
+however any modifications to an authenticated portion of a packet will cause it
+to be dropped by the receiving endpoint as invalid, as QUIC payloads are both
+authenticated and encrypted.
+
+In the presence of an on-path attacker, QUIC aims to provide the following
+properties.

```suggestion
properties:
```

> +A limited on-path attacker differs from an on-path attacker in that it is not on
+the original path between endpoints, and therefore the original packets sent by
+an endpoint are still reaching their destination.  This means that a future
+failure to route copied packets to the destination faster than their original
+path will not prevent the original packets from reaching the destination.
+
+A limited on-path attacker can:
+
+- Inspect packets
+- Inject new packets
+- Modify unencrypted packet headers
+- Reorder packets
+
+A limited on-path attacker cannot:
+
+- Delay packets beyond the original packet duration

```suggestion
- Delay packets so that they arrive later than packets sent on the original path
```

> +### Short Headers {#short-headers-properties}
+
+TBD.
+
+### Connection Migration {#migration-properties}
+
+Connection Migration ({{migration}}) provides endpoints with the ability to
+transition between IP addresses and ports on multiple paths, using one path at a
+time for transmission and receipt of non-probing frames.  Path validation
+({{migrate-validate}}) establishes that a peer is both willing and able
+to receive packets sent on a particular path.  This helps reduce the effects of
+address spoofing, by limiting the number of packets sent to a spoofed address,
+unless an attacker is able to also receive packets sent to that address.
+
+This section describes the intended security properties of connection migration
+when under various types of attack, as described in more detail by {{?RFC3552}}.

You definitely need to constrain this section to just DoS consequences of migration.  Because this doesn't cover what an attacker might learn about communications.

> +
+- Inspect packets
+- Inject new packets
+- Modify unencrypted packet headers
+- Reorder packets
+
+A limited on-path attacker cannot:
+
+- Delay packets beyond the original packet duration
+- Drop packets
+- Modify the authenticated and encrypted portion of a packet and cause the
+ recipient to accept that packet
+
+A limited on-path attacker can only delay packets up to the point that the
+original packets arrive before the duplicate packets, meaning that it cannot
+offer worse routing than the original path, only improved routing.  If a limited

```suggestion
offer routing with worse latency than the original path.  If a limited
```

> +
+A limited on-path attacker cannot:
+
+- Delay packets beyond the original packet duration
+- Drop packets
+- Modify the authenticated and encrypted portion of a packet and cause the
+ recipient to accept that packet
+
+A limited on-path attacker can only delay packets up to the point that the
+original packets arrive before the duplicate packets, meaning that it cannot
+offer worse routing than the original path, only improved routing.  If a limited
+on-path attacker drops packets, the original copy will still arrive at the
+destination endpoint.
+
+In the presence of a limited on-path attacker, QUIC aims to provide the
+following properties.

```suggestion
following properties:
```

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/quicwg/base-drafts/pull/2925#pullrequestreview-317958576