Re: [quicwg/base-drafts] Amplification attack using retry tokens and spoofed addresses (#2064)

Christian Huitema <> Fri, 07 December 2018 18:58 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 63743130FB7 for <>; Fri, 7 Dec 2018 10:58:18 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -9.46
X-Spam-Status: No, score=-9.46 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-1.46, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, MAILING_LIST_MULTI=-1, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id aZ0KfWxABXvK for <>; Fri, 7 Dec 2018 10:58:16 -0800 (PST)
Received: from ( []) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 346EA130FAE for <>; Fri, 7 Dec 2018 10:58:16 -0800 (PST)
Date: Fri, 07 Dec 2018 10:58:14 -0800
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=pf2014; t=1544209094; bh=38SA4JedG69siYcPjbK9BYimjZ3nJZMxsEvrsdTJHxM=; h=Date:From:Reply-To:To:Cc:In-Reply-To:References:Subject:List-ID: List-Archive:List-Post:List-Unsubscribe:From; b=HNl9M1k3P6F8f8K2liPBd69/TZ0XtBw15u+0W72az/7hOmAnicO4N9Vk4Dyr4BViA 5sn+plFDiDRn/EuushwJBwwCNR/235RZdarPWefWA6mzUbD7Okr04lcArWrMwdTsQ3 IPxddtaz2E09euo3X5kseFebDmav8jIP21G72bWc=
From: Christian Huitema <>
Reply-To: quicwg/base-drafts <>
To: quicwg/base-drafts <>
Cc: Subscribed <>
Message-ID: <quicwg/base-drafts/pull/2064/>
In-Reply-To: <quicwg/base-drafts/pull/>
References: <quicwg/base-drafts/pull/>
Subject: Re: [quicwg/base-drafts] Amplification attack using retry tokens and spoofed addresses (#2064)
Mime-Version: 1.0
Content-Type: multipart/alternative; boundary="--==_mimepart_5c0ac2c692d8f_77373fcef44d45c438676a"; charset="UTF-8"
Content-Transfer-Encoding: 7bit
Precedence: list
X-GitHub-Sender: huitema
X-GitHub-Recipient: quic-issues
X-GitHub-Reason: subscribed
X-Auto-Response-Suppress: All
Archived-At: <>
X-Mailman-Version: 2.1.29
List-Id: Notification list for GitHub issues related to the QUIC WG <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 07 Dec 2018 18:58:19 -0000

@marten-seemann if I recall correctly, there was an intense discussion about 0-RTT and session ticket reuse in the TLS working group. Some forms of 0-RTT replay attacks can be prevented if session tickets are used at most once, or at least if session tickets enable 0-RTT data at most once per use. That discussion showed that at-most-once was very hard to handle in a big server farm, as it would require centralized management of state across many servers. See section 8 of RFC8446, "0-RTT and Anti-Replay" for the resulting compromise.

I understand that ensuring at-most-once with tokens might seem equally hard, although there is a possible solution in QUIC that is not available in TLS. The basic QUIC server farm architecture assumes that load balancers route packets to specific servers based on the destination CID. It should be possible to have that CID be a function of the content of the retry token. That could be as simple as allocating the destination CID before formatting the NEW TOKEN, and having that reserved CID part of the encrypted content of the token. The load balancer could then routed based on the CID decrypted from the token, and the individual server could select the destination CID based on the token. That would definitely limit token reuse.

You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub: