[quicwg/base-drafts] Avoid attack on address validation during connection migration (#746)

Martin Thomson <notifications@github.com> Wed, 23 August 2017 01:51 UTC

From: Martin Thomson <notifications@github.com>
Reply-To: quicwg/base-drafts <reply+0166e4ab4f7c27b3fe75da7eccf643f19da6101713ab6a4b92cf0000000115b4a1a592a169ce0f074cba@reply.github.com>
To: quicwg/base-drafts <base-drafts@noreply.github.com>
Cc: Subscribed <subscribed@noreply.github.com>
Message-ID: <quicwg/base-drafts/pull/746@github.com>
Subject: [quicwg/base-drafts] Avoid attack on address validation during connection migration (#746)
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic-issues/69jfKdT3f4C-DK9IoUPaWuIgvjE>

The attack here is that an attacker might duplicate a legitimate packet and
send that packet from an invalid address such that it arrives before the real
copy.  That causes the recipient to think that there was a connection
migration.  They will attempt to validate that address and this will fail.  The
connection is then closed.

The fix is to cause a migration back to the original, legitimate address.  For
this to work, you need two things:

1. when a migration happens, abandon any validation on the old address on the
   expectation that it will fail

2. when a migration happens, make sure that you try to trigger packets from the
   old address first

For the second point, I decided to mandate address validation, rather than an
ordinary PING.  The reason being that you have to retransmit the packet on that
path and I doubt that implementations will want to have two sets of special
machinery for transmitting - and retransmitting - frames on a specific path.
Maybe this is too much of a constraint on implementations, so I'd like to hear
from people about whether they would prefer a more generic requirement (send
any packet that demands acknowledgment would work, it doesn't even have to be
the same packet every time, though the usual situation will be that the packet
will be lost, so you probably don't want to send anything important).

You can view, comment on, or merge this pull request online at:

  https://github.com/quicwg/base-drafts/pull/746

-- Commit Summary --

  * Avoid attack on address validation during connection migration

-- File Changes --

    M draft-ietf-quic-transport.md (47)

-- Patch Links --

https://github.com/quicwg/base-drafts/pull/746.patch
https://github.com/quicwg/base-drafts/pull/746.diff

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/quicwg/base-drafts/pull/746
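As an added illustration (not code from this PR or from the QUIC drafts), a toy model of the receiving endpoint that replays the scenario described above once without and once with the PR's two rules. The class and function names, and the addresses A (genuine peer) and X (spoofed source), are assumptions made for the example; the model only keeps the idea of challenging a path and reacting to the response.

```python
class Endpoint:
    def __init__(self, peer, fixed):
        self.peer = peer          # address the peer currently appears to use
        self.fixed = fixed        # apply the PR's two rules, or not
        self.pending = set()      # paths with an unanswered challenge
        self.validated = {peer}   # paths known to reach the genuine peer
        self.sent = []            # destinations of every challenge sent
        self.closed = False

    def migrate(self, new):
        old, self.peer = self.peer, new   # packets now come from `new`
        if self.fixed:
            # Rule 1: abandon validation on the old path; it is expected to fail.
            self.pending.discard(old)
            # Rule 2: probe the old path first, so a genuine peer still there
            # answers and pulls the connection back before the new path fails.
            self.pending.add(old)
            self.sent.append(old)
        if new not in self.validated:
            self.pending.add(new)
            self.sent.append(new)

    def on_packet(self, src):
        """An authenticated packet arrived from address `src`."""
        if not self.closed and src != self.peer:
            self.migrate(src)     # looks like a migration, genuine or not

    def on_path_response(self, src):
        """The peer answered our challenge on path `src`."""
        self.pending.discard(src)
        self.validated.add(src)
        self.on_packet(src)       # a response is itself a packet from src

    def on_timeout(self, path):
        """No response arrived on `path` before the validation deadline."""
        if path in self.pending:
            self.pending.discard(path)
            if path == self.peer:     # the active path failed validation
                self.closed = True


def run(fixed):
    """Constructed scenario: a duplicate from spoofed X beats the real copy from A."""
    ep = Endpoint(peer="A", fixed=fixed)
    ep.on_packet("X")                 # spoofed duplicate arrives first
    for dest in list(ep.sent):        # X never answers; A answers every probe
        if dest == "A":
            ep.on_path_response("A")
    ep.on_timeout("X")
    ep.on_packet("A")                 # the genuine copy finally arrives
    return ep.peer, ep.closed
```

Without the rules the endpoint ends up stuck on X and closes when that path fails to validate; with them, A's answer to the probe moves the connection back and the failed probe of X is simply abandoned.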