IETF Logo Mail Archive

Re: [quicwg/base-drafts] Connection migration failure mode (#1278)

Martin Thomson <notifications@github.com> Tue, 10 July 2018 06:21 UTC

Return-Path: <noreply@github.com>
X-Original-To: quic-issues@ietfa.amsl.com
Delivered-To: quic-issues@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A9379130F08 for <quic-issues@ietfa.amsl.com>; Mon, 9 Jul 2018 23:21:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -8.009
X-Spam-Level:
X-Spam-Status: No, score=-8.009 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, MAILING_LIST_MULTI=-1, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, T_DKIMWL_WL_HIGH=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=github.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0lwGz-Kl7jIE for <quic-issues@ietfa.amsl.com>; Mon, 9 Jul 2018 23:21:29 -0700 (PDT)
Received: from out-4.smtp.github.com (out-4.smtp.github.com [192.30.252.195]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 73FBD130F05 for <quic-issues@ietf.org>; Mon, 9 Jul 2018 23:21:29 -0700 (PDT)
Date: Mon, 09 Jul 2018 23:21:28 -0700
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=github.com; s=pf2014; t=1531203688; bh=LCMAkK86LMB7Xnt6bUE58b3HQWS7Mix8m99hNQSuX+c=; h=Date:From:Reply-To:To:Cc:In-Reply-To:References:Subject:List-ID: List-Archive:List-Post:List-Unsubscribe:From; b=ywF27koH96OdNoWAzp5cj7g6nwVVuAmPgZ6em/8T1Nmd/ZyxoduekNiPswlrn5Oym O815NY/FeKTBAPkQ/uMWrNMD8DDboXn8bKMeKRz1sLJwxEjZj1Zd5ofYIqsOwHJGqP SvTxjjgMgyszqnznPaubAGmhdDjPIGVyozuJG3bg=
From: Martin Thomson <notifications@github.com>
Reply-To: quicwg/base-drafts <reply+0166e4abfe76e7f70180ab2c00657133c9fc51531e92083c92cf00000001175c126892a169ce129ff705@reply.github.com>
To: quicwg/base-drafts <base-drafts@noreply.github.com>
Cc: Subscribed <subscribed@noreply.github.com>
Message-ID: <quicwg/base-drafts/issues/1278/403713519@github.com>
In-Reply-To: <quicwg/base-drafts/issues/1278@github.com>
References: <quicwg/base-drafts/issues/1278@github.com>
Subject: Re: [quicwg/base-drafts] Connection migration failure mode (#1278)
Mime-Version: 1.0
Content-Type: multipart/alternative; boundary="--==_mimepart_5b4450685936c_326c3f82d15f8f78547786"; charset="UTF-8"
Content-Transfer-Encoding: 7bit
Precedence: list
X-GitHub-Sender: martinthomson
X-GitHub-Recipient: quic-issues
X-GitHub-Reason: subscribed
X-Auto-Response-Suppress: All
X-GitHub-Recipient-Address: quic-issues@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic-issues/9G0_5NNLjW6d0jBjCdSmk8e-HeM>
X-BeenThere: quic-issues@ietf.org
X-Mailman-Version: 2.1.27
List-Id: Notification list for GitHub issues related to the QUIC WG <quic-issues.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic-issues>, <mailto:quic-issues-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic-issues/>
List-Post: <mailto:quic-issues@ietf.org>
List-Help: <mailto:quic-issues-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic-issues>, <mailto:quic-issues-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 10 Jul 2018 06:21:32 -0000

Not sure if [that comment](https://github.com/quicwg/base-drafts/issues/1278#issuecomment-394753339) helps, if we misunderstood when we met, or if it is just missing something important.

The second point doesn't seem connected to the problem, though the first might be sufficient.

If an attacker can capture a packet and send it from a new address twice, with a similar rewrite of the packet containing PATH_CHALLENGE, then it *might* be reasonable to say that they are on the path.  But this is possible from the side.  

Given that most traffic patterns have at least some (non-probing) activity in both directions (an ACK suffices here), the genuine path might naturally reassert itself naturally as the victim sends more packets.  The problem is that the attacker might be able to find a natural stop in the cadence of the protocol where the victim has no further data to send.  For instance, a HTTP request was sent, acknowledged, and now the victim is only waiting for the response.  If the victim stops receiving packets, and has no natural triggers for sending its own packets, then the connection could time out as being apparently broken.

The suggested defense was to do post-hoc validation of a migration by sending a message on the original path as well indicating that migration happened.  That might get lost (which is OK if the path really is dead), but if the migration was spurious and the packet got through then the victim might be able to reassert their use of the valid path by sending more data on that path. In effect, they would migrate back.  Of course, then there is the question of how often and how many of those you might send.

We might agree that this is an attack not worth building specific countermeasures for and that documenting it is sufficient.  I'm undecided here.  I really don't like the idea that connections could be broken so trivially by rewriting the IP header, but the mitigations aren't especially strong.

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/quicwg/base-drafts/issues/1278#issuecomment-403713519

v2.23.0 | Report a Bug | By Email