Re: [quicwg/base-drafts] Amplification attack using retry tokens and spoofed addresses (#2064)

MikkelFJ <> Fri, 30 November 2018 22:15 UTC

The token IP validation can be disabled in some not unlikely deployments:

The server is behind a NAT'ing load balancer so all tokens get the IP of the LB. Instead of targeting the QUIC server directly, it attempts to punch a hole in the NAT with a spoofed IP and possibly a token it fetched for itself through an ordinary connection, assuming the token does not cover the port number. A port number is not likely included in the token because it would prevent a new 0-length CID connection.

For reference, here is the text I failed to read:
There is no need for a single well-defined format for the token because the server that generates the token also consumes it. A token could include information about the claimed client address (IP and port), a timestamp, and any other supplementary information the server will need to validate the token in the future.

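The address binding discussed above, as an added example (not part of the original message or of the QUIC drafts): a server-side token that authenticates the observed client IP, with the port optional, showing that the IP check stops distinguishing clients once a NAT'ing load balancer rewrites the source address. The HMAC-SHA256 token layout, `MAX_AGE`, all function names and the sample addresses are assumptions made for illustration.

```python
import hashlib
import hmac
import ipaddress
import os
import struct

KEY = os.urandom(32)  # server-side token key (assumption: HMAC-SHA256 tokens)
MAX_AGE = 30          # seconds a token stays valid (assumed value)

def _mac(key, ts, ip, port, bind_port):
    # Authenticated data: timestamp, packed IP, and the port only if bound.
    data = struct.pack("!Q", ts) + ipaddress.ip_address(ip).packed
    if bind_port:
        data += struct.pack("!H", port)
    return hmac.new(key, data, hashlib.sha256).digest()

def mint_token(key, seen_ip, seen_port, now, bind_port=False):
    """Token = timestamp || HMAC over the address the server observed."""
    return struct.pack("!Q", now) + _mac(key, now, seen_ip, seen_port, bind_port)

def validate_token(key, token, seen_ip, seen_port, now, bind_port=False):
    if len(token) != 8 + 32:
        return False
    (ts,) = struct.unpack("!Q", token[:8])
    if not 0 <= now - ts <= MAX_AGE:
        return False
    expected = _mac(key, ts, seen_ip, seen_port, bind_port)
    return hmac.compare_digest(expected, token[8:])

def seen_by_server(client_addr, nat_lb_ip=None):
    """Source address the server observes; a NAT'ing LB rewrites the IP."""
    ip, port = client_addr
    return (nat_lb_ip or ip, port)

# Constructed sample addresses; the port is left unchanged for simplicity.
CLIENT_A = ("192.0.2.10", 40000)
CLIENT_B = ("198.51.100.7", 40000)
LB_IP = "10.0.0.1"

def token_accepted_for_other_client(nat_lb_ip):
    """Does a token minted for CLIENT_A validate for a packet from CLIENT_B?"""
    a = seen_by_server(CLIENT_A, nat_lb_ip)
    b = seen_by_server(CLIENT_B, nat_lb_ip)
    token = mint_token(KEY, *a, 1_000)
    return validate_token(KEY, token, *b, 1_001)

def port_bound_token_survives_port_change():
    token = mint_token(KEY, *CLIENT_A, 1_000, bind_port=True)
    return validate_token(KEY, token, CLIENT_A[0], 40001, 1_001, bind_port=True)
```

Without the load balancer the token is rejected for the second client; with every source address rewritten to `LB_IP` it is accepted, and a port-bound token fails as soon as the same client returns from a different port.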