Re: [quicwg/base-drafts] 5tuple routing (#3536)

Kazuho Oku <> Sat, 21 March 2020 00:24 UTC

Date: Fri, 20 Mar 2020 17:24:25 -0700
From: Kazuho Oku <>
Reply-To: quicwg/base-drafts <>
To: quicwg/base-drafts <>
Cc: Subscribed <>
Message-ID: <quicwg/base-drafts/pull/3536/review/>
In-Reply-To: <quicwg/base-drafts/pull/>
References: <quicwg/base-drafts/pull/>
Subject: Re: [quicwg/base-drafts] 5tuple routing (#3536)

kazuho commented on this pull request.

Generally looks good, though I think there is one issue.

> +
+* Servers can use an out-of-band mechanism to deliver packets to the correct
+destination or transfer state from the original destination. Properly designed,
+this completely solves the problem and no further measures are necessary.
+* Sending the disable_active_migration transport parameter informs the client
+that any address change is likely to terminate the connection, which can lead it
+to use more aggressive timeouts or terminate connections when its IP address
+* The preferred_address transport parameter can provide a path that does not use
+the 5-tuple based routers.
+* Servers MUST either use different Stateless Reset Token keys, or encode the
+client IP address and port in the Stateless Reset token. Doing neither will
+create a Reset Oracle (see {{reset-oracle}}).
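Review bot: the disable_active_migration bullet is cut off mid-sentence at "terminate connections when its IP address" and needs its closing clause; as written it never says what the client is expected to do when its address changes. The last bullet's MUST would also read better if it named the threat it addresses in the same sentence as the requirement, e.g. "...encode the client IP address and port in the Stateless Reset Token, so that a server cannot be used as a Reset Oracle (see {{reset-oracle}})", rather than leaving the rationale to a trailing sentence.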

The last two pieces of advice contradict each other (or are incomplete).

The discussion about the use of preferred_address TP suggests that there is a direct path to any of the servers behind the server cluster, that are reachable from any client address. An attacker might try to use that path to let one of the servers generate a valid stateless token, and send it to the client.

As an example, consider the case of a server cluster consisting of two servers A and B. Server A is handling a QUIC connection that goes to client address X. If an attacker sends a packet directly to server B with a source address of X, server B would send a valid stateless reset token to X, causing the connection to be reset.

Regarding specification, I think it might be better to simply refer to {{reset-oracle}} regarding the discussion of Stateless Resets, rather than trying to provide an exhaustive list of how to prevent attacks.

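The scenario in the review above can be checked with a small model of token derivation. The following is an added example written for this discussion, not code from the QUIC drafts or from any implementation; the HMAC-SHA256 construction, the key and connection ID values, and the client addresses are all constructed assumptions (the drafts leave the token derivation to the implementer). It shows that binding the client IP and port into the token stops an attacker sending from its own address, but not one who can reach server B directly with a spoofed source of X while A and B share a key; only per-server keys close that path.

```python
import hashlib
import hmac
import ipaddress

# Assumed derivation: a keyed MAC over the connection ID and the client
# endpoint, truncated to the 16-byte Stateless Reset Token length.
def reset_token(key: bytes, cid: bytes, client_ip: str, client_port: int) -> bytes:
    addr = ipaddress.ip_address(client_ip).packed
    msg = b"stateless-reset" + cid + addr + client_port.to_bytes(2, "big")
    return hmac.new(key, msg, hashlib.sha256).digest()[:16]


# A client treats a packet as a Stateless Reset only if the token it carries
# matches the one its peer advertised (constant-time compare).
def client_accepts_reset(advertised: bytes, received: bytes) -> bool:
    return hmac.compare_digest(advertised, received)


# Model of the review's example: server A owns the connection to client X,
# server B is reachable directly by the attacker and receives a packet whose
# source address is `attacker_src` carrying A's connection ID.
def oracle_scenario(key_a: bytes, key_b: bytes, attacker_src: tuple) -> bool:
    cid = bytes.fromhex("0a1b2c3d4e5f6071")          # constructed connection ID
    client_x = ("198.51.100.7", 51000)                # constructed client X (documentation range)
    advertised = reset_token(key_a, cid, *client_x)   # token A gave client X
    emitted_by_b = reset_token(key_b, cid, *attacker_src)  # token B sends back to attacker_src
    # The reset lands on X only if B addressed it to X, i.e. the source was spoofed as X.
    if attacker_src != client_x:
        return False
    return client_accepts_reset(advertised, emitted_by_b)


# Constructed keys for the three cases the review contrasts.
SHARED_KEY = b"cluster-wide-key-constructed-000"
KEY_A = b"server-a-key-constructed-0000000"
KEY_B = b"server-b-key-constructed-0000000"
CLIENT_X = ("198.51.100.7", 51000)
ATTACKER_Y = ("203.0.113.9", 44444)


def shared_key_spoofed_source() -> bool:
    # IP/port are in the token, but A and B share the key: B is a reset oracle.
    return oracle_scenario(SHARED_KEY, SHARED_KEY, CLIENT_X)


def per_server_keys_spoofed_source() -> bool:
    # Distinct keys: B's token for (cid, X) is not the one A advertised.
    return oracle_scenario(KEY_A, KEY_B, CLIENT_X)


def shared_key_attacker_own_address() -> bool:
    # Without spoofing, the address binding alone already defeats the attempt.
    return oracle_scenario(SHARED_KEY, SHARED_KEY, ATTACKER_Y)


if __name__ == "__main__":
    print("shared key, spoofed X  -> reset accepted:", shared_key_spoofed_source())
    print("per-server keys, spoofed X -> reset accepted:", per_server_keys_spoofed_source())
    print("shared key, attacker's own address -> reset accepted:", shared_key_attacker_own_address())
```

The design point the model makes explicit: encoding the client address into the token is only a defence against attackers who cannot spoof that address toward the other servers, so the normative text needs either distinct per-server keys or an argument that no such direct path exists.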