Re: [quicwg/base-drafts] Document request forgery (#3996)

Christian Huitema <> Thu, 13 August 2020 14:56 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 301C73A0CB7 for <>; Thu, 13 Aug 2020 07:56:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.697
X-Spam-Status: No, score=-1.697 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_IMAGE_ONLY_28=1.404, HTML_MESSAGE=0.001, MAILING_LIST_MULTI=-1, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id hbY8Jr7Ly8NF for <>; Thu, 13 Aug 2020 07:56:41 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id CCBCE3A0CA4 for <>; Thu, 13 Aug 2020 07:56:40 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id 0F12C560042 for <>; Thu, 13 Aug 2020 07:56:40 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=pf2014; t=1597330600; bh=rEq4Wt8woSVesYP8yUv2VBW1gPy7JAWRDd+FVqWFabQ=; h=Date:From:Reply-To:To:Cc:In-Reply-To:References:Subject:List-ID: List-Archive:List-Post:List-Unsubscribe:From; b=AbYP/5IXTNcmOnYTZLmwQN+J+aKZ+h1t04Hmx+jZEyuv7cAa7vlG+eHclMBsoWw+D l1g4ZAjXeRmi1LuIQ5znkFgZKzou8jmIm/80mAGmAZwsKabtqaXOByRKHnZBcGkbjf jxN9dvLVGbw1DwvIOqnFvmfynjWr9JrbT4XFYMnA=
Date: Thu, 13 Aug 2020 07:56:39 -0700
From: Christian Huitema <>
Reply-To: quicwg/base-drafts <>
To: quicwg/base-drafts <>
Cc: Subscribed <>
Message-ID: <quicwg/base-drafts/pull/3996/review/>
In-Reply-To: <quicwg/base-drafts/pull/>
References: <quicwg/base-drafts/pull/>
Subject: Re: [quicwg/base-drafts] Document request forgery (#3996)
Mime-Version: 1.0
Content-Type: multipart/alternative; boundary="--==_mimepart_5f3554a7f3cda_c3316f83536bd"; charset="UTF-8"
Content-Transfer-Encoding: 7bit
Precedence: list
X-GitHub-Sender: huitema
X-GitHub-Recipient: quic-issues
X-GitHub-Reason: subscribed
X-Auto-Response-Suppress: All
Archived-At: <>
X-Mailman-Version: 2.1.29
List-Id: Notification list for GitHub issues related to the QUIC WG <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 13 Aug 2020 14:56:42 -0000

@huitema commented on this pull request.

> +
+The most effective defense against request forgery attacks is to modify
+vulnerable services to use strong authentication. However, this is not always
+possible when deploying QUIC. This section outlines some others steps that QUIC
+endpoints could take. These additional steps are all discretionary as,
+depending on circumstances, they could interfere with or prevent legitimate
+Services offered over loopback interfaces (that is, ::1 or often
+lack proper authentication. Endpoints MAY prevent connection attempts or
+migration to a loopback address. Endpoints SHOULD NOT allow connections or
+migration to a non-loopback address if the same service was previously
+available over a different interface or the address was provided by a service
+at a non-loopback address. Endpoints that depend on these capabilities could
+offer an option to disable these protections.

That's nice, but in many scenarios any of the node addresses can be used to reach services local to the node, in the same way as loopback addresses. In server farm scenarios, this requires guessing the local IP of the specific server, but that can probably be done. Same for clients behind NAT.

You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub: