Re: [quicwg/base-drafts] Let Endpoints Ignore invalid Initial Packets (#1819)

Martin Thomson <> Fri, 19 October 2018 05:20 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 26238130E3D for <>; Thu, 18 Oct 2018 22:20:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -8.064
X-Spam-Status: No, score=-8.064 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.064, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, MAILING_LIST_MULTI=-1, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id gkVW-3Ew6L2A for <>; Thu, 18 Oct 2018 22:20:05 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id F20F4130DFC for <>; Thu, 18 Oct 2018 22:20:04 -0700 (PDT)
Date: Thu, 18 Oct 2018 22:20:04 -0700
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=pf2014; t=1539926404; bh=1XYUUg0uTMMtjlAqeMVvCwJqTDZhR/g41IdENhzX+6Q=; h=Date:From:Reply-To:To:Cc:In-Reply-To:References:Subject:List-ID: List-Archive:List-Post:List-Unsubscribe:From; b=HI4rxjw9SVP3GUly3KJzT+Ux/jIvTdWggQTRSX293QBp0Lu4xS2apFfv3KxVKohtq fXVi64dUCWArto4zmAB/4HIbgWOnkFYTvZCz6S5Nag5Oe3jOKrL742XYE/NCsuLxSz 4YmhInl2xBh263QElz21BUMMlIwAsEEODsoKabxc=
From: Martin Thomson <>
Reply-To: quicwg/base-drafts <>
To: quicwg/base-drafts <>
Cc: Subscribed <>
Message-ID: <quicwg/base-drafts/pull/1819/>
In-Reply-To: <quicwg/base-drafts/pull/>
References: <quicwg/base-drafts/pull/>
Subject: Re: [quicwg/base-drafts] Let Endpoints Ignore invalid Initial Packets (#1819)
Mime-Version: 1.0
Content-Type: multipart/alternative; boundary="--==_mimepart_5bc9698444c90_585e3fe2fd6d45b41572fd"; charset="UTF-8"
Content-Transfer-Encoding: 7bit
Precedence: list
X-GitHub-Sender: martinthomson
X-GitHub-Recipient: quic-issues
X-GitHub-Reason: subscribed
X-Auto-Response-Suppress: All
Archived-At: <>
X-Mailman-Version: 2.1.29
List-Id: Notification list for GitHub issues related to the QUIC WG <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 19 Oct 2018 05:20:07 -0000

As I said in #1890, I don't think that we want to do this.  Not only because it requires a lot of words that are very hard to get right.

Yes, an implementation can attempt to manage state in a way that is resilient to interference in the handshake.  Every packet that can be successfully processed relative to any pre-existing checkpoint in the state of the connection adds another dependent checkpoint to that tree.  For instance, should I have received N packets, I would have potentially 2^N copies of the nascent connection state as a result, though likely fewer as each packet is likely only valid when interpreted from a certain subset of those states.  When a packet causes the connection to be successfully established, other states can then be discarded.

I've heard that there are partial approaches that are less onerous than the fully exhaustive option and this advocates for something in that space.

I don't think that we need to specify any of that.  On the positive side, I don't think that anything we write into the draft would prohibit someone from implementing these techniques.  They might be complex, but it would be very nice if we could do away with packet injection attacks being used to interfere with connection establishment.  

In the end, this runs directly counter to what we already agreed was the guidelines: we would not put in measures that prevented an attacker from interfering with connection establishment if they were able to observe and inject packets.  QUICv2 seems like the right place for this, if anything.

You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub: