Re: [quicwg/base-drafts] Prevent linkability from responding to migration (#2969)
Kazuho Oku <notifications@github.com> Mon, 19 August 2019 00:15 UTC
Return-Path: <noreply@github.com>
X-Original-To: quic-issues@ietfa.amsl.com
Delivered-To: quic-issues@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0ED3D120018 for <quic-issues@ietfa.amsl.com>; Sun, 18 Aug 2019 17:15:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -8
X-Spam-Level:
X-Spam-Status: No, score=-8 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, MAILING_LIST_MULTI=-1, RCVD_IN_DNSWL_HI=-5, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=github.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7x7QSFW3rdBx for <quic-issues@ietfa.amsl.com>; Sun, 18 Aug 2019 17:15:18 -0700 (PDT)
Received: from out-24.smtp.github.com (out-24.smtp.github.com [192.30.252.207]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D163A120052 for <quic-issues@ietf.org>; Sun, 18 Aug 2019 17:15:17 -0700 (PDT)
Date: Sun, 18 Aug 2019 17:15:16 -0700
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=github.com; s=pf2014; t=1566173716; bh=nez9T5B8DOcgu1Mz7QEVw5eGjkf8qHU5f4Sh1fe4qtY=; h=Date:From:Reply-To:To:Cc:In-Reply-To:References:Subject:List-ID: List-Archive:List-Post:List-Unsubscribe:From; b=EQQNw+8+4JedMfrwioo4dDmTZBcHcI0re2z/fWt0ogorXqCbzkEM5qjPRXqsTm4dV 8Jqfb1IGXCkrFUrSMuExy8YfLlZq5fjBSWRh0I5iKDojSaSe3a8/usKrx9VfipQpJY ec10727HF46o+AGfZH+ugtUsYbd4AnDt7uKl/rsc=
From: Kazuho Oku <notifications@github.com>
Reply-To: quicwg/base-drafts <reply+AFTOJK7B7OKR4G6AGOJ7R7F3M4OJJEVBNHHBZKYFBA@reply.github.com>
To: quicwg/base-drafts <base-drafts@noreply.github.com>
Cc: Subscribed <subscribed@noreply.github.com>
Message-ID: <quicwg/base-drafts/pull/2969/review/276302869@github.com>
In-Reply-To: <quicwg/base-drafts/pull/2969@github.com>
References: <quicwg/base-drafts/pull/2969@github.com>
Subject: Re: [quicwg/base-drafts] Prevent linkability from responding to migration (#2969)
Mime-Version: 1.0
Content-Type: multipart/alternative; boundary="--==_mimepart_5d59ea14cd210_4a743fa56eccd9601103a7"; charset="UTF-8"
Content-Transfer-Encoding: 7bit
Precedence: list
X-GitHub-Sender: kazuho
X-GitHub-Recipient: quic-issues
X-GitHub-Reason: subscribed
X-Auto-Response-Suppress: All
X-GitHub-Recipient-Address: quic-issues@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic-issues/CLsHrC6zRK9HS695C0fniIAJ0A0>
X-BeenThere: quic-issues@ietf.org
X-Mailman-Version: 2.1.29
List-Id: Notification list for GitHub issues related to the QUIC WG <quic-issues.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic-issues>, <mailto:quic-issues-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic-issues/>
List-Post: <mailto:quic-issues@ietf.org>
List-Help: <mailto:quic-issues-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic-issues>, <mailto:quic-issues-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 19 Aug 2019 00:15:20 -0000
kazuho commented on this pull request.
Thank you for the changes. I think it's much better, the discussion of "active" connection ID looks good.
> @@ -2057,11 +2058,17 @@ linked by any other entity.
At any time, endpoints MAY change the Destination Connection ID they send to a
value that has not been used on another path.
-An endpoint MUST use a new connection ID if it initiates connection migration.
-Using a new connection ID eliminates the use of the connection ID for linking
-activity from the same connection on different networks. Header protection
-ensures that packet numbers cannot be used to correlate activity. This does not
-prevent other properties of packets, such as timing and size, from being used to
+An endpoint MUST use a new connection ID if it initiates connection migration as
+described in {{initiating-migration}}. An endpoint MUST use a new connection ID
Maybe add something like: "or when probing a new path ({{#probing}})"?
> @@ -2057,11 +2058,17 @@ linked by any other entity.
At any time, endpoints MAY change the Destination Connection ID they send to a
value that has not been used on another path.
-An endpoint MUST use a new connection ID if it initiates connection migration.
-Using a new connection ID eliminates the use of the connection ID for linking
-activity from the same connection on different networks. Header protection
-ensures that packet numbers cannot be used to correlate activity. This does not
-prevent other properties of packets, such as timing and size, from being used to
+An endpoint MUST use a new connection ID if it initiates connection migration as
+described in {{initiating-migration}}. An endpoint MUST use a new connection ID
+in response to a change in the address of a peer if the packet with the new peer
+address uses an active connection ID that has not been previously used by the
+peer.
What should the responding endpoint do, when it does not have any unused Connection IDs?
I think we have at least four options, but neither of them seem to be very good: a) respond using a Connection ID already in use, b) error-close the connection (on the active path), c) respond with a stateless reset, d) drop the packet.
Option _a_ has the privacy concern. I do not think that option _b_ or _c_ is viable, as it creates an attack vector (a middlebox might race the packet that initiates the migration from a different source address. If the spoofed packet reaches the server before the legitimate one, the connection might get dropped as the server might have used all the spare connection IDs for responding to the spoofed packets). Option _d_ seems a bit odd.
Relatedly, Section 9.1 (Probing a New Path) states quote: _An endpoint that uses a new local address needs to ensure that at least one new connection ID is available at the peer. That can be achieved by including a NEW_CONNECTION_ID frame in the probe._ I think that this is a good advice and that we might want to promote the sentences to here, so that it would cover both path probing and immediate connection migration.
--
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/quicwg/base-drafts/pull/2969#pullrequestreview-276302869
- [quicwg/base-drafts] Prevent linkability from res… Martin Thomson
- Re: [quicwg/base-drafts] Prevent linkability from… Kazuho Oku
- Re: [quicwg/base-drafts] Prevent linkability from… MikkelFJ
- Re: [quicwg/base-drafts] Prevent linkability from… Martin Thomson
- Re: [quicwg/base-drafts] Prevent linkability from… MikkelFJ
- Re: [quicwg/base-drafts] Prevent linkability from… ianswett
- Re: [quicwg/base-drafts] Prevent linkability from… Martin Thomson
- Re: [quicwg/base-drafts] Prevent linkability from… Martin Thomson
- Re: [quicwg/base-drafts] Prevent linkability from… Kazuho Oku
- Re: [quicwg/base-drafts] Prevent linkability from… Martin Thomson
- Re: [quicwg/base-drafts] Prevent linkability from… Martin Thomson
- Re: [quicwg/base-drafts] Prevent linkability from… Martin Thomson
- Re: [quicwg/base-drafts] Prevent linkability from… Kazuho Oku
- Re: [quicwg/base-drafts] Prevent linkability from… Mike Bishop
- Re: [quicwg/base-drafts] Prevent linkability from… Eric Kinnear
- Re: [quicwg/base-drafts] Prevent linkability from… Martin Thomson
- Re: [quicwg/base-drafts] Prevent linkability from… Eric Kinnear
- Re: [quicwg/base-drafts] Prevent linkability from… ianswett
- Re: [quicwg/base-drafts] Prevent linkability from… Martin Thomson