Re: [quicwg/base-drafts] Amplification attack using retry tokens and spoofed addresses (#2064)

Christian Huitema <> Wed, 28 November 2018 21:08 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 595421274D0 for <>; Wed, 28 Nov 2018 13:08:02 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -9.46
X-Spam-Status: No, score=-9.46 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-1.46, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, MAILING_LIST_MULTI=-1, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id Be4vx-DQJUw6 for <>; Wed, 28 Nov 2018 13:08:01 -0800 (PST)
Received: from ( []) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 8F53E130EBC for <>; Wed, 28 Nov 2018 13:08:00 -0800 (PST)
Date: Wed, 28 Nov 2018 13:07:59 -0800
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=pf2014; t=1543439279; bh=jlAvfKpkoDNj/YjYJHsWGP6m9aTw12aHQYJ1rfWCsfQ=; h=Date:From:Reply-To:To:Cc:In-Reply-To:References:Subject:List-ID: List-Archive:List-Post:List-Unsubscribe:From; b=Pzb+YCCo6NBlrtesqi3ZUDOm8bIKcW53ZDTWgpO0WwDs80VhGM9fbsX8gINHAFAnP SsJDADDrBof9vq3QJKjRFeUew3DamZafDkIk1bg0HaVrOjxSj76gQMWGw/oJaeiBYG ZGM8WtOsygEZnYhDc5KbSvzNyBKlUR1DhY2QmJMc=
From: Christian Huitema <>
Reply-To: quicwg/base-drafts <>
To: quicwg/base-drafts <>
Cc: Subscribed <>
Message-ID: <quicwg/base-drafts/pull/2064/>
In-Reply-To: <quicwg/base-drafts/pull/>
References: <quicwg/base-drafts/pull/>
Subject: Re: [quicwg/base-drafts] Amplification attack using retry tokens and spoofed addresses (#2064)
Mime-Version: 1.0
Content-Type: multipart/alternative; boundary="--==_mimepart_5bff03afb9198_108e3f929a6d45b8690f1"; charset="UTF-8"
Content-Transfer-Encoding: 7bit
Precedence: list
X-GitHub-Sender: huitema
X-GitHub-Recipient: quic-issues
X-GitHub-Reason: subscribed
X-Auto-Response-Suppress: All
Archived-At: <>
X-Mailman-Version: 2.1.29
List-Id: Notification list for GitHub issues related to the QUIC WG <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 28 Nov 2018 21:08:02 -0000

I am happy to negotiate. Instead of making a requirement on servers, we can document the attack in the security section. We should also explain to clients that servers MAY enforce single use of the tokens, and that thus they REALLY SHOULD NOT try to reuse a token multiple times.

You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub: