Re: [quicwg/base-drafts] Spoofed connection migration as a DoS vector (#2342)

Martin Thomson <> Wed, 30 January 2019 07:13 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 07BB41311D5 for <>; Tue, 29 Jan 2019 23:13:45 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -12.553
X-Spam-Status: No, score=-12.553 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-4.553, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, MAILING_LIST_MULTI=-1, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id QHJIcu0-uj6r for <>; Tue, 29 Jan 2019 23:13:43 -0800 (PST)
Received: from ( []) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 2B3D71311D3 for <>; Tue, 29 Jan 2019 23:13:43 -0800 (PST)
Date: Tue, 29 Jan 2019 23:13:42 -0800
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=pf2014; t=1548832422; bh=zXACNOc3evgk/5bMI330FTPcUwbfmuNqW5g6Jw71MpM=; h=Date:From:Reply-To:To:Cc:In-Reply-To:References:Subject:List-ID: List-Archive:List-Post:List-Unsubscribe:From; b=Yz/R6MwRZfl0qFAqlZ5ScwlRRCdKvORMyQTnXwvyoJD7hmgxdRGa0356gX4dQaJR9 h/d7xEjz6StaQkKPpn631b4xi9ZdZrCCHEwJ8NMoI6Jd06/OjQIXvwOd8vOh151SH7 jC/d4Bp3DFG6JKLW5QqeXbT0HWvDqGOUxg23RTZ0=
From: Martin Thomson <>
Reply-To: quicwg/base-drafts <>
To: quicwg/base-drafts <>
Cc: Subscribed <>
Message-ID: <quicwg/base-drafts/issues/2342/>
In-Reply-To: <quicwg/base-drafts/issues/>
References: <quicwg/base-drafts/issues/>
Subject: Re: [quicwg/base-drafts] Spoofed connection migration as a DoS vector (#2342)
Mime-Version: 1.0
Content-Type: multipart/alternative; boundary="--==_mimepart_5c514ea6cf4a_32d03ff316ad45b4595334"; charset="UTF-8"
Content-Transfer-Encoding: 7bit
Precedence: list
X-GitHub-Sender: martinthomson
X-GitHub-Recipient: quic-issues
X-GitHub-Reason: subscribed
X-Auto-Response-Suppress: All
Archived-At: <>
X-Mailman-Version: 2.1.29
List-Id: Notification list for GitHub issues related to the QUIC WG <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 30 Jan 2019 07:13:45 -0000

Tokyo conclusion: with our answer to #2143, the endpoint that disables migration will have to do the full migration machinery.  If it doesn't do that work, then the server needs to drop the packet (thereby ignoring it).

Note that it can't send a stateless reset here, because that would produce the attack in a different form - our existing text on defense against stateless reset oracles would prohibit that anyway.

We should perhaps rename the transport parameter to "disable_explicit_migration" or "disable_active_migration".

You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub: