Re: [quicwg/base-drafts] Let server abort on post-Retry packet number reset (#3990)

Kazuho Oku <> Wed, 02 September 2020 03:11 UTC


@kazuho commented on this pull request.

> @@ -4807,6 +4807,8 @@ responding to a Retry packet. However, the data sent in these packets could be
 different than what was sent earlier. Sending these new packets with the same
 packet number is likely to compromise the packet protection for those packets
 because the same key and nonce could be used to protect different content.
+A server MAY abort the connection if it detects that the client reset the
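Review bot: The added sentence at the end of the hunk ("A server MAY abort the connection if it detects that the client reset the", cut off in the quoted lines) grants the permission without saying, as far as the visible lines show, what the detection is based on or how the server signals the abort. Since the preceding context concerns packets sent after responding to a Retry, consider stating whether the check applies only to packet numbers taken from packets whose protection was successfully removed, and either naming the error to use or saying that none is mandated, so that implementations that opt in behave consistently.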

Generally speaking, detecting MUST violations for Handshake and ApplicationData packets, after decrypting them, is fine because it will always be about a misbehaving peer, and because we do not (yet) have existing implementations that do not follow the MUSTs.

However, using information that is not protected by AEAD is going to be dangerous, as it is a potential attack vector. For unprotected data (incl. Initial packets), a reader should not assume that a MUST on the sender side implies a "MAY detect" on the receiver side. As can be seen on the issue, we discussed if we might or might not want to have a MAY here, knowing that we have a MUST on the sender side.

To summarize, I tend to believe that having an explicit MAY here makes sense.
