IETF Logo Mail Archive

Re: [quicwg/base-drafts] Stateless Reset needs "on-path" proof (#1230)

Kazuho Oku <notifications@github.com> Tue, 10 April 2018 02:30 UTC

Return-Path: <noreply@github.com>
X-Original-To: quic-issues@ietfa.amsl.com
Delivered-To: quic-issues@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4DFF9126D45 for <quic-issues@ietfa.amsl.com>; Mon, 9 Apr 2018 19:30:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -8.009
X-Spam-Level:
X-Spam-Status: No, score=-8.009 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, MAILING_LIST_MULTI=-1, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, T_DKIMWL_WL_HIGH=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=github.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kYe8pUjcYgCf for <quic-issues@ietfa.amsl.com>; Mon, 9 Apr 2018 19:30:19 -0700 (PDT)
Received: from out-6.smtp.github.com (out-6.smtp.github.com [192.30.252.197]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E08951270FC for <quic-issues@ietf.org>; Mon, 9 Apr 2018 19:30:18 -0700 (PDT)
Date: Mon, 09 Apr 2018 19:30:17 -0700
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=github.com; s=pf2014; t=1523327417; bh=PLKSY1gZY7m6sVWAWvugyOdiscLoYTihth1hGUMUmCo=; h=Date:From:Reply-To:To:Cc:In-Reply-To:References:Subject:List-ID: List-Archive:List-Post:List-Unsubscribe:From; b=ct1LR2+7z1lrcf7B11ESGxU628xipAn9J06SahwYn39xD7GffmORqxaCBZs3migkX mBTPeOqKMG6QscphhVu2Aw4rsYJBFYEKfYdhJBo8Ghm0/iLKlQ/nX8mDujU5iXxJfM EpMZUTBFRw1zluHCcVmyTCp2cNZ1iZum0csxMhts=
From: Kazuho Oku <notifications@github.com>
Reply-To: quicwg/base-drafts <reply+0166e4ab90c6d373e89a58f617c58f9920293729acf240ca92cf0000000116e3e3b992a169ce12414b9e@reply.github.com>
To: quicwg/base-drafts <base-drafts@noreply.github.com>
Cc: Subscribed <subscribed@noreply.github.com>
Message-ID: <quicwg/base-drafts/issues/1230/379953976@github.com>
In-Reply-To: <quicwg/base-drafts/issues/1230@github.com>
References: <quicwg/base-drafts/issues/1230@github.com>
Subject: Re: [quicwg/base-drafts] Stateless Reset needs "on-path" proof (#1230)
Mime-Version: 1.0
Content-Type: multipart/alternative; boundary="--==_mimepart_5acc21b9d3fa1_38023fdca85c6f3890812"; charset="UTF-8"
Content-Transfer-Encoding: 7bit
Precedence: list
X-GitHub-Sender: kazuho
X-GitHub-Recipient: quic-issues
X-GitHub-Reason: subscribed
X-Auto-Response-Suppress: All
X-GitHub-Recipient-Address: quic-issues@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic-issues/7XkhoMBXxD1yQsqXraBBgRLs4Tc>
X-BeenThere: quic-issues@ietf.org
X-Mailman-Version: 2.1.22
List-Id: Notification list for GitHub issues related to the QUIC WG <quic-issues.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic-issues>, <mailto:quic-issues-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic-issues/>
List-Post: <mailto:quic-issues@ietf.org>
List-Help: <mailto:quic-issues-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic-issues>, <mailto:quic-issues-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 10 Apr 2018 02:30:21 -0000

While I agree that this can be considered a deployment issue, I think we should forbid servers deploying the same static secret used for generating the stateless reset token among the servers that do not share the connection state, because it not only goes against what "authenticated" reset is but also has privacy concerns.

My understanding is that many of the server-side deployments that care about this are those that use BGP to distribute their packets among multiple POPs. Those operators tend to serve multiple hostnames.

That means unless we mandate such server operators to provide stateless reset tokens only in a secure manner, attackers can force a connection to terminate (by using a stateless reset token obtained from a different POP) and then see the SNI carried in the handshake of a new connection.

Therefore, I think that we should either forbid server deployments from sharing the static key without sharing connection state, or, look for a technical approach to prevent the attack.

One such approach would be something like below:
* for every QUIC connection, let the server advertise a "state-store ID" that designates the ID of the state-store that the connection is bound to
* let a Stateless Reset packet carry encrypted data, which is encrypted by a key (other than stateless reset token) derived from the server CID and the static key used to generate the stateless reset token
  * that encryption key will be sent together with the stateless reset token in the NEW_CONNECTION_ID frame
* a Stateless Reset packet will carry the "state-store ID" of the server that sends the Stateless Reset encrypted
* a client can compare the "state-store ID" of the connection with the value found in the Stateless Reset, and determine that:
  * if the values match, the connection has been reset
  * if the values do not match, the path is being rejected

WDYT?

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/quicwg/base-drafts/issues/1230#issuecomment-379953976

v2.39.1 | Report a Bug | By Email | System Status