Re: [quicwg/base-drafts] Add Advice and Rules for CONN_CLOSE in Initial and Handshake (#1786)

Mike Bishop <> Wed, 26 September 2018 19:19 UTC

This is tricky, not just because you don't want an attacker to be able to inject the CC, but because all the mitigations themselves have ugly implications.

"Drop it" is a difficult directive -- if you mean drop the packet, what about other frames that you might have processed before encountering the CC frame?  Surely we're not adding a requirement that we be able to back out all interpreted frames if we encounter a frame that we don't like.

On the other hand, if you *don't* do that, then you're in an inconsistent state -- some of the frames that you've just consumed might have been attacker-generated and you've accepted them into the connection state.  Likewise if you only mean dropping the frame and continuing to process the rest of the packet.  That would argue for blowing up the connection as compromised anyway, which is exactly what would happen if you accepted the CONNECTION_CLOSE as valid.

Perhaps the most robust would be to require a first scan of any packet received at a lower encryption level than the highest ever seen (and always, for Initials) and reject the packet without processing any frames if illegal frame types are found.  (This is actually a compelling argument for making complex variable-length frames have an explicit length field, so they're easy to skip in this pass.)

Unless we do that, I'm inclined to think you don't fully trust a CONNECTION_CLOSE in Initial packets (perhaps not ever, or perhaps only after a short timeout to see if other Initials arrive), and you always trust and process a CONNECTION_CLOSE or APPLICATION_CLOSE from any other encryption level if you can validate the packet.

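The two-pass mitigation the comment above proposes (scan the whole packet for disallowed frame types before any frame is handed to the connection), as an added example that is not part of this thread, of quicwg/base-drafts, or of any QUIC implementation. It uses the frame type codes and wire encodings of RFC 9000, the published spec, which renumbered frames relative to the 2018 drafts under discussion; the function names, the `handler` callback, and the sample payloads are this example's own (the payloads are constructed, not captured traffic).

```python
"""Two-pass frame handling for QUIC Initial/Handshake packets (added example).

Frame codes and encodings follow RFC 9000, not the 2018 draft numbering used
in the thread; helper names and sample payloads are this example's own.
"""
from __future__ import annotations
from typing import Callable

# Frame types RFC 9000 section 12.4 permits in Initial and Handshake packets.
PADDING, PING, ACK, ACK_ECN, CRYPTO, CONNECTION_CLOSE = 0x00, 0x01, 0x02, 0x03, 0x06, 0x1C
ALLOWED_IN_INITIAL_AND_HANDSHAKE = {PADDING, PING, ACK, ACK_ECN, CRYPTO, CONNECTION_CLOSE}
STREAM = 0x08  # not permitted at these levels; plays the "illegal frame" below


class FrameError(ValueError):
    """Malformed payload, or a frame type not allowed at this encryption level."""


def read_varint(buf: bytes, pos: int) -> tuple[int, int]:
    """Decode an RFC 9000 variable-length integer at buf[pos]; return (value, next_pos)."""
    if pos >= len(buf):
        raise FrameError("truncated varint")
    length = 1 << (buf[pos] >> 6)  # top two bits select 1, 2, 4 or 8 bytes
    if pos + length > len(buf):
        raise FrameError("truncated varint")
    value = buf[pos] & 0x3F
    for b in buf[pos + 1:pos + length]:
        value = (value << 8) | b
    return value, pos + length


def write_varint(value: int) -> bytes:
    """Encode a variable-length integer (used only to build the sample payloads)."""
    for bits, prefix in ((6, 0x00), (14, 0x40), (30, 0x80), (62, 0xC0)):
        if value < (1 << bits):
            raw = value.to_bytes((bits + 2) // 8, "big")
            return bytes([raw[0] | prefix]) + raw[1:]
    raise ValueError("value too large for a varint")


def skip_frame(ftype: int, buf: bytes, pos: int) -> int:
    """Advance past the body of an allowed frame whose type has already been read."""
    if ftype in (PADDING, PING):
        return pos
    if ftype in (ACK, ACK_ECN):
        _, pos = read_varint(buf, pos)          # Largest Acknowledged
        _, pos = read_varint(buf, pos)          # ACK Delay
        ranges, pos = read_varint(buf, pos)     # ACK Range Count
        _, pos = read_varint(buf, pos)          # First ACK Range
        for _ in range(ranges):                 # each iteration consumes bytes or raises
            _, pos = read_varint(buf, pos)      # Gap
            _, pos = read_varint(buf, pos)      # ACK Range Length
        if ftype == ACK_ECN:
            for _ in range(3):                  # ECT0, ECT1, ECN-CE counts
                _, pos = read_varint(buf, pos)
        return pos
    if ftype == CRYPTO:
        _, pos = read_varint(buf, pos)          # Offset
        length, pos = read_varint(buf, pos)     # Length (explicit, so the body is skippable)
    else:                                       # CONNECTION_CLOSE (0x1c)
        _, pos = read_varint(buf, pos)          # Error Code
        _, pos = read_varint(buf, pos)          # Frame Type that triggered the close
        length, pos = read_varint(buf, pos)     # Reason Phrase Length
    if pos + length > len(buf):
        raise FrameError("frame body runs past end of packet")
    return pos + length


def scan_frames(payload: bytes) -> list[int]:
    """First pass: return the frame types in order, or raise without side effects."""
    pos, types = 0, []
    while pos < len(payload):
        ftype, pos = read_varint(payload, pos)
        if ftype not in ALLOWED_IN_INITIAL_AND_HANDSHAKE:
            raise FrameError(f"frame type 0x{ftype:02x} not allowed in Initial/Handshake")
        types.append(ftype)
        pos = skip_frame(ftype, payload, pos)
    return types


def process_two_pass(payload: bytes, handler: Callable[[int], None]) -> list[int]:
    """Reject the whole packet first; only then dispatch frames to the connection."""
    types = scan_frames(payload)                # raises before handler() sees anything
    for ftype in types:
        handler(ftype)
    return types


def process_one_pass(payload: bytes, handler: Callable[[int], None]) -> list[int]:
    """Naive version: frames are applied as they are parsed, so an illegal frame
    later in the packet leaves the earlier ones already in connection state."""
    pos, done = 0, []
    while pos < len(payload):
        ftype, pos = read_varint(payload, pos)
        if ftype not in ALLOWED_IN_INITIAL_AND_HANDSHAKE:
            raise FrameError(f"frame type 0x{ftype:02x} not allowed in Initial/Handshake")
        handler(ftype)
        done.append(ftype)
        pos = skip_frame(ftype, payload, pos)
    return done


# Constructed sample payloads (not captured traffic).
def crypto_frame(data: bytes, offset: int = 0) -> bytes:
    return bytes([CRYPTO]) + write_varint(offset) + write_varint(len(data)) + data


def close_frame(error_code: int, reason: bytes) -> bytes:
    return (bytes([CONNECTION_CLOSE]) + write_varint(error_code) + write_varint(0)
            + write_varint(len(reason)) + reason)


GENUINE_INITIAL = crypto_frame(b"ClientHello...") + bytes([PADDING]) * 4
INJECTED_INITIAL = crypto_frame(b"forged") + bytes([STREAM]) + write_varint(4) + b"junk"
LONE_CLOSE = close_frame(0x0A, b"bye")


def demo() -> dict[str, tuple[str, list[int]]]:
    """Run both strategies over the samples; returns {name: (verdict, frames applied)}."""
    results = {}
    cases = (("genuine", process_two_pass, GENUINE_INITIAL),
             ("injected_two_pass", process_two_pass, INJECTED_INITIAL),
             ("injected_one_pass", process_one_pass, INJECTED_INITIAL),
             ("lone_close", process_two_pass, LONE_CLOSE))
    for name, fn, payload in cases:
        applied: list[int] = []
        try:
            fn(payload, applied.append)
            results[name] = ("accepted", applied)
        except FrameError:
            results[name] = ("rejected", applied)   # applied shows what leaked through
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:>18}: {verdict}")
```

With the injected packet, the one-pass path has already applied the CRYPTO frame by the time it meets the illegal STREAM frame, which is the inconsistent state the comment warns about; the two-pass path rejects the packet with nothing applied. Note that the scan accepts a packet consisting only of a CONNECTION_CLOSE, so it settles the illegal-frame question only; whether to act on such a close in an Initial packet immediately, or after a short wait for further Initials as the comment suggests, remains a separate policy decision.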