Re: [quicwg/base-drafts] Document request forgery (#3996)
Christian Huitema <notifications@github.com> Thu, 13 August 2020 14:56 UTC
Return-Path: <noreply@github.com>
X-Original-To: quic-issues@ietfa.amsl.com
Delivered-To: quic-issues@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 301C73A0CB7 for <quic-issues@ietfa.amsl.com>; Thu, 13 Aug 2020 07:56:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.697
X-Spam-Level:
X-Spam-Status: No, score=-1.697 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_IMAGE_ONLY_28=1.404, HTML_MESSAGE=0.001, MAILING_LIST_MULTI=-1, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=github.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hbY8Jr7Ly8NF for <quic-issues@ietfa.amsl.com>; Thu, 13 Aug 2020 07:56:41 -0700 (PDT)
Received: from out-22.smtp.github.com (out-22.smtp.github.com [192.30.252.205]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CCBCE3A0CA4 for <quic-issues@ietf.org>; Thu, 13 Aug 2020 07:56:40 -0700 (PDT)
Received: from github-lowworker-fa7043e.ash1-iad.github.net (github-lowworker-fa7043e.ash1-iad.github.net [10.56.109.45]) by smtp.github.com (Postfix) with ESMTP id 0F12C560042 for <quic-issues@ietf.org>; Thu, 13 Aug 2020 07:56:40 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=github.com; s=pf2014; t=1597330600; bh=rEq4Wt8woSVesYP8yUv2VBW1gPy7JAWRDd+FVqWFabQ=; h=Date:From:Reply-To:To:Cc:In-Reply-To:References:Subject:List-ID: List-Archive:List-Post:List-Unsubscribe:From; b=AbYP/5IXTNcmOnYTZLmwQN+J+aKZ+h1t04Hmx+jZEyuv7cAa7vlG+eHclMBsoWw+D l1g4ZAjXeRmi1LuIQ5znkFgZKzou8jmIm/80mAGmAZwsKabtqaXOByRKHnZBcGkbjf jxN9dvLVGbw1DwvIOqnFvmfynjWr9JrbT4XFYMnA=
Date: Thu, 13 Aug 2020 07:56:39 -0700
From: Christian Huitema <notifications@github.com>
Reply-To: quicwg/base-drafts <reply+AFTOJK54RE4RPTNPAJDKB3N5IE22PEVBNHHCQ3GPNU@reply.github.com>
To: quicwg/base-drafts <base-drafts@noreply.github.com>
Cc: Subscribed <subscribed@noreply.github.com>
Message-ID: <quicwg/base-drafts/pull/3996/review/466843508@github.com>
In-Reply-To: <quicwg/base-drafts/pull/3996@github.com>
References: <quicwg/base-drafts/pull/3996@github.com>
Subject: Re: [quicwg/base-drafts] Document request forgery (#3996)
Mime-Version: 1.0
Content-Type: multipart/alternative; boundary="--==_mimepart_5f3554a7f3cda_c3316f83536bd"; charset="UTF-8"
Content-Transfer-Encoding: 7bit
Precedence: list
X-GitHub-Sender: huitema
X-GitHub-Recipient: quic-issues
X-GitHub-Reason: subscribed
X-Auto-Response-Suppress: All
X-GitHub-Recipient-Address: quic-issues@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic-issues/67g8POElThUuseHi4t04p2a9H4A>
X-BeenThere: quic-issues@ietf.org
X-Mailman-Version: 2.1.29
List-Id: Notification list for GitHub issues related to the QUIC WG <quic-issues.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic-issues>, <mailto:quic-issues-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic-issues/>
List-Post: <mailto:quic-issues@ietf.org>
List-Help: <mailto:quic-issues-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic-issues>, <mailto:quic-issues-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 13 Aug 2020 14:56:42 -0000
@huitema commented on this pull request. > + +The most effective defense against request forgery attacks is to modify +vulnerable services to use strong authentication. However, this is not always +possible when deploying QUIC. This section outlines some others steps that QUIC +endpoints could take. These additional steps are all discretionary as, +depending on circumstances, they could interfere with or prevent legitimate +uses. + +Services offered over loopback interfaces (that is, ::1 or 127.0.0.1) often +lack proper authentication. Endpoints MAY prevent connection attempts or +migration to a loopback address. Endpoints SHOULD NOT allow connections or +migration to a non-loopback address if the same service was previously +available over a different interface or the address was provided by a service +at a non-loopback address. Endpoints that depend on these capabilities could +offer an option to disable these protections. + That's nice, but in many scenarios any of the node addresses can be used to reach services local to the node, in the same way as loopback addresses. In server farm scenarios, this requires guessing the local IP of the specific server, but that can probably be done. Same for clients behind NAT. -- You are receiving this because you are subscribed to this thread. Reply to this email directly or view it on GitHub: https://github.com/quicwg/base-drafts/pull/3996#pullrequestreview-466843508
- [quicwg/base-drafts] Document request forgery (#3… Martin Thomson
- Re: [quicwg/base-drafts] Document request forgery… Martin Thomson
- Re: [quicwg/base-drafts] Document request forgery… Kazuho Oku
- Re: [quicwg/base-drafts] Document request forgery… Christian Huitema
- Re: [quicwg/base-drafts] Document request forgery… Lucas Pardue
- Re: [quicwg/base-drafts] Document request forgery… Christian Huitema
- Re: [quicwg/base-drafts] Document request forgery… Christian Huitema
- Re: [quicwg/base-drafts] Document request forgery… Lucas Pardue
- Re: [quicwg/base-drafts] Document request forgery… Mike Bishop
- Re: [quicwg/base-drafts] Document request forgery… Martin Thomson
- Re: [quicwg/base-drafts] Document request forgery… Martin Thomson
- Re: [quicwg/base-drafts] Document request forgery… Martin Thomson
- Re: [quicwg/base-drafts] Document request forgery… Igor Lubashev
- Re: [quicwg/base-drafts] Document request forgery… Igor Lubashev
- Re: [quicwg/base-drafts] Document request forgery… Mike Bishop
- Re: [quicwg/base-drafts] Document request forgery… Jana Iyengar
- Re: [quicwg/base-drafts] Document request forgery… Martin Thomson
- Re: [quicwg/base-drafts] Document request forgery… Martin Thomson
- Re: [quicwg/base-drafts] Document request forgery… Mike Bishop
- Re: [quicwg/base-drafts] Document request forgery… Mike Bishop
- Re: [quicwg/base-drafts] Document request forgery… Jana Iyengar
- Re: [quicwg/base-drafts] Document request forgery… Jana Iyengar
- Re: [quicwg/base-drafts] Document request forgery… Martin Thomson
- Re: [quicwg/base-drafts] Document request forgery… Jana Iyengar
- Re: [quicwg/base-drafts] Document request forgery… Kazuho Oku
- Re: [quicwg/base-drafts] Document request forgery… Martin Thomson
- Re: [quicwg/base-drafts] Document request forgery… Kazuho Oku
- Re: [quicwg/base-drafts] Document request forgery… ekr
- Re: [quicwg/base-drafts] Document request forgery… ekr
- Re: [quicwg/base-drafts] Document request forgery… David Schinazi
- Re: [quicwg/base-drafts] Document request forgery… Martin Thomson
- Re: [quicwg/base-drafts] Document request forgery… Martin Thomson
- Re: [quicwg/base-drafts] Document request forgery… Martin Thomson
- Re: [quicwg/base-drafts] Document request forgery… David Schinazi
- Re: [quicwg/base-drafts] Document request forgery… David Schinazi
- Re: [quicwg/base-drafts] Document request forgery… David Schinazi
- Re: [quicwg/base-drafts] Document request forgery… Martin Thomson
- Re: [quicwg/base-drafts] Document request forgery… Martin Thomson
- Re: [quicwg/base-drafts] Document request forgery… Martin Thomson
- Re: [quicwg/base-drafts] Document request forgery… Mike Bishop
- Re: [quicwg/base-drafts] Document request forgery… David Schinazi
- Re: [quicwg/base-drafts] Document request forgery… Jana Iyengar
- Re: [quicwg/base-drafts] Document request forgery… ianswett
- Re: [quicwg/base-drafts] Document request forgery… Jana Iyengar