IETF Logo Mail Archive

Re: [quicwg/base-drafts] Address validation for connection migration (#732)

Martin Thomson <notifications@github.com> Wed, 23 August 2017 00:51 UTC

Return-Path: <noreply@github.com>
X-Original-To: quic-issues@ietfa.amsl.com
Delivered-To: quic-issues@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 57B691321A6 for <quic-issues@ietfa.amsl.com>; Tue, 22 Aug 2017 17:51:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -9.299
X-Spam-Level:
X-Spam-Status: No, score=-9.299 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H2=-2.8, RCVD_IN_SORBS_SPAM=0.5, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=github.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Tzd-kbqBLwb2 for <quic-issues@ietfa.amsl.com>; Tue, 22 Aug 2017 17:51:07 -0700 (PDT)
Received: from github-smtp2b-ext-cp1-prd.iad.github.net (github-smtp2-ext3.iad.github.net [192.30.252.194]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5116713218C for <quic-issues@ietf.org>; Tue, 22 Aug 2017 17:51:07 -0700 (PDT)
Date: Tue, 22 Aug 2017 17:51:06 -0700
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=github.com; s=pf2014; t=1503449466; bh=f/VdAdRqu904Z9UvFEdY8gNbG3/ejj+/F+RNC9VhRkM=; h=From:Reply-To:To:Cc:In-Reply-To:References:Subject:List-ID: List-Archive:List-Post:List-Unsubscribe:From; b=0BJTOiARFtRARH+34dFAVyRbafbP4o2T/aCMh6XGqWU8Rcw8VxaxQug5A97L+2gsc VKLWMo0ri9cL/2GqMAgMsGjiPscB5GcHCnu+RAYC7JcKwjKBmjW4dGi9T/zFuDsQhu cP5LSXW/EFkjHjgUS9JJ+gPhIkVIfbv/UHYriXeE=
From: Martin Thomson <notifications@github.com>
Reply-To: quicwg/base-drafts <reply+0166e4ab68110d78a18743e95b1d1ec9efefe36cd8165b6092cf0000000115b4937a92a169ce0ee9dd49@reply.github.com>
To: quicwg/base-drafts <base-drafts@noreply.github.com>
Cc: Subscribed <subscribed@noreply.github.com>
Message-ID: <quicwg/base-drafts/pull/732/review/57949557@github.com>
In-Reply-To: <quicwg/base-drafts/pull/732@github.com>
References: <quicwg/base-drafts/pull/732@github.com>
Subject: Re: [quicwg/base-drafts] Address validation for connection migration (#732)
Mime-Version: 1.0
Content-Type: multipart/alternative; boundary="--==_mimepart_599cd17a865d3_79a33f8e65ed3c3427682"; charset="UTF-8"
Content-Transfer-Encoding: 7bit
Precedence: list
X-GitHub-Sender: martinthomson
X-GitHub-Recipient: quic-issues
X-GitHub-Reason: subscribed
X-Auto-Response-Suppress: All
X-GitHub-Recipient-Address: quic-issues@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic-issues/CvINUMnRxh6S4qAhEKT96e8_qI0>
X-BeenThere: quic-issues@ietf.org
X-Mailman-Version: 2.1.22
List-Id: Notification list for GitHub issues related to the QUIC WG <quic-issues.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic-issues>, <mailto:quic-issues-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic-issues/>
List-Post: <mailto:quic-issues@ietf.org>
List-Help: <mailto:quic-issues-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic-issues>, <mailto:quic-issues-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 23 Aug 2017 00:51:10 -0000

martinthomson commented on this pull request.



> +Prior to validating the new remote address, and endpoint MUST limit the amount
+of data and packets that it sends to its peer.  At a minimum, this needs to
+consider the possibility that packets are sent without congestion feedback.
+
+Once a connection is established, address validation is relatively simple (see
+{{address-validation}} for the process that is used during the handshake).  An
+endpoint validates a remote address by sending a PING frame containing a payload
+that is hard to guess.  This frame MUST be sent in a packet that is sent to the
+new address.  Once a PONG frame containing the same payload is received, the
+address is considered to be valid.  The PONG frame can use any path on its
+return.  A PING frame containing 12 randomly generated {{?RFC4086}} octets is
+sufficient to ensure that it is easier to receive the packet than it is to guess
+the value correctly.
+
+If validation of the new remote address fails, after allowing enough time for
+possible loss and recovery of packets carrying PING and PONG frames, the

Firstly, this isn't new, but it suggests some more work (more on this below).

I considered this, but didn't give it enough thought.  The reason I dismissed this was that the very next packet from the victim will come from a genuine address and it will appear to be yet another migration, correcting the problem.  As long as that happens, the attacker only causes a few packets to be sent to it.  But then the next packet might take too long to arrive to be relevant.

That suggests some changes:

1. Abandon any tests on a previous address if a packet from another new address is seen.  (Use packet numbers to ensure that you can detect the most recent packet.)
2. Require that the endpoint that observes the migration ping the old address as well.

The first ensures that that the raced packet can't cause a flip to stick.  Unless the attacker can reliably capture and win a race on every packet, thereby denying service.

The second ensures that if this attack happens and the old address remains valid, a packet will be seen on the old address, causing the migration to switch back.

Does that work?

Or, we could design multipath...

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/quicwg/base-drafts/pull/732#discussion_r134635373

v2.40.3 | Report a Bug | By Email | System Status