Re: [quicwg/base-drafts] Need to prevent amplification attack for any case where the server's response is big (#1309)
janaiyengar <notifications@github.com> Wed, 25 April 2018 22:49 UTC
Return-Path: <noreply@github.com>
X-Original-To: quic-issues@ietfa.amsl.com
Delivered-To: quic-issues@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C0E0112D7F4 for <quic-issues@ietfa.amsl.com>; Wed, 25 Apr 2018 15:49:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.606
X-Spam-Level:
X-Spam-Status: No, score=-6.606 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_IMAGE_ONLY_28=1.404, HTML_MESSAGE=0.001, MAILING_LIST_MULTI=-1, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, T_DKIMWL_WL_HIGH=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=github.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hrdAndbZFClR for <quic-issues@ietfa.amsl.com>; Wed, 25 Apr 2018 15:49:20 -0700 (PDT)
Received: from out-1.smtp.github.com (out-1.smtp.github.com [192.30.252.192]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EC376124207 for <quic-issues@ietf.org>; Wed, 25 Apr 2018 15:49:19 -0700 (PDT)
Date: Wed, 25 Apr 2018 15:49:19 -0700
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=github.com; s=pf2014; t=1524696559; bh=HuQ/9StEj4fsht1VqXY6St05sC65SrTAwhsI1WvcuHk=; h=Date:From:Reply-To:To:Cc:In-Reply-To:References:Subject:List-ID: List-Archive:List-Post:List-Unsubscribe:From; b=I9ETLVf6uyCUiecnT9ZOB9LnwwSdfSek0ubcgm9zALkT7cecwBI3ClcrXuVhsubaZ ZtM2295oJX9egM9xeQ57twaDA1eNyhJ/ncPbspkoma4SzWGhmpPaVxlt6XIAtcGxu7 3BR1h/sIlxYLRzqD0e2ZR+7z4Ot8CY/IUF+gR+Ko=
From: janaiyengar <notifications@github.com>
Reply-To: quicwg/base-drafts <reply+0166e4abe1dbac66c92e1104c0c579d047acc9b3ac4c57bb92cf0000000116f8c7ef92a169ce12d73e29@reply.github.com>
To: quicwg/base-drafts <base-drafts@noreply.github.com>
Cc: Subscribed <subscribed@noreply.github.com>
Message-ID: <quicwg/base-drafts/issues/1309/384457997@github.com>
In-Reply-To: <quicwg/base-drafts/issues/1309@github.com>
References: <quicwg/base-drafts/issues/1309@github.com>
Subject: Re: [quicwg/base-drafts] Need to prevent amplification attack for any case where the server's response is big (#1309)
Mime-Version: 1.0
Content-Type: multipart/alternative; boundary="--==_mimepart_5ae105ef5448b_2d552b1b61cd2f602507a"; charset="UTF-8"
Content-Transfer-Encoding: 7bit
Precedence: list
X-GitHub-Sender: janaiyengar
X-GitHub-Recipient: quic-issues
X-GitHub-Reason: subscribed
X-Auto-Response-Suppress: All
X-GitHub-Recipient-Address: quic-issues@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic-issues/AII21f6q25vwohFYEMY4PPOPLek>
X-BeenThere: quic-issues@ietf.org
X-Mailman-Version: 2.1.22
List-Id: Notification list for GitHub issues related to the QUIC WG <quic-issues.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic-issues>, <mailto:quic-issues-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic-issues/>
List-Post: <mailto:quic-issues@ietf.org>
List-Help: <mailto:quic-issues-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic-issues>, <mailto:quic-issues-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 25 Apr 2018 22:49:22 -0000
I wonder if this text should be stronger, given that we rely on servers doing the right thing to avoid amplification attacks. This is an issue IMO with TFO deployments, and I worry that if we don't specify something here we may end up with careless implementations. We can have recommendations around the expiration time, and around what information should be included and verified. I don't want to bikeshed on these values, but having something here is better than nothing I think. -- You are receiving this because you are subscribed to this thread. Reply to this email directly or view it on GitHub: https://github.com/quicwg/base-drafts/issues/1309#issuecomment-384457997
- [quicwg/base-drafts] Need to prevent amplificatio… ekr
- Re: [quicwg/base-drafts] Need to prevent amplific… Patrick McManus
- Re: [quicwg/base-drafts] Need to prevent amplific… Martin Thomson
- Re: [quicwg/base-drafts] Need to prevent amplific… janaiyengar
- Re: [quicwg/base-drafts] Need to prevent amplific… Martin Thomson
- Re: [quicwg/base-drafts] Need to prevent amplific… Martin Thomson
- Re: [quicwg/base-drafts] Need to prevent amplific… Martin Thomson
- Re: [quicwg/base-drafts] Need to prevent amplific… Martin Thomson
- Re: [quicwg/base-drafts] Need to prevent amplific… Martin Thomson
- Re: [quicwg/base-drafts] Need to prevent amplific… Martin Thomson
- Re: [quicwg/base-drafts] Need to prevent amplific… Martin Thomson