Re: [quicwg/base-drafts] Attacks Against Address Migration (#2582)

Martin Thomson <notifications@github.com> Wed, 24 April 2019 03:34 UTC

Date: Tue, 23 Apr 2019 20:34:08 -0700
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=github.com; s=pf2014; t=1556076848; bh=cvA2Lqnof1HSM26+Suld2wj4IuYnE1eoyzLmA7PN2Eo=; h=Date:From:Reply-To:To:Cc:In-Reply-To:References:Subject:List-ID: List-Archive:List-Post:List-Unsubscribe:From; b=LopAa9tsDhRxkKkExOncRlqYeKuFlreo+k82ZR35XqVky80+me+2euxMMyqB1y8eN LDtgRHdSyMR2CrHSHkQMSmS5jT88aFLeMNBxyZU6hOqO4fIAAmbrLdzSHpZS3+m76P NTVzPI41r3QGfRT22PQKtUnX7RGHeLf5MKaKG7+s=
From: Martin Thomson <notifications@github.com>
Reply-To: quicwg/base-drafts <reply+AFTOJKZTVV7IOMME33LRUSN2ZUF3BEVBNHHBTAYDQU@reply.github.com>
To: quicwg/base-drafts <base-drafts@noreply.github.com>
Cc: Subscribed <subscribed@noreply.github.com>
Message-ID: <quicwg/base-drafts/issues/2582/486054142@github.com>
In-Reply-To: <quicwg/base-drafts/issues/2582@github.com>
References: <quicwg/base-drafts/issues/2582@github.com>
Subject: Re: [quicwg/base-drafts] Attacks Against Address Migration (#2582)
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic-issues/DvgkNfh133cS62U65NnXAsIajCs>
List-Id: Notification list for GitHub issues related to the QUIC WG <quic-issues.ietf.org>

Yeah, we gotta go full design here.  This is a major change to the path validation logic.

There's a good case here for the change: path validation is currently unnecessarily symmetric. The decision to consider a path valid is a decision each peer makes unilaterally.  That is, for the path to be used, both peers need to independently validate that packets sent on that path reach the other side.  We don't need the PATH_RESPONSE to follow the path because we expect the peer to also send a PATH_CHALLENGE down that path.

The requirement that PATH_RESPONSE follow the path is a case of trying to attain or enforce behaviour from a peer unnecessarily.  An endpoint doesn't need to be assured that its peer has also validated the path, but that is what the existing text attempts to assure.  If a peer decides not to validate a path, then that is on them.

The fix here prevents an attacker from using the fact that duplicate packets are dropped to prevent path validation.  And I can't see a downside.

Reply to this email directly or view it on GitHub:
https://github.com/quicwg/base-drafts/issues/2582#issuecomment-486054142
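The packet-copying scenario the comment refers to, as an added example that is not part of the original message or of any QUIC implementation: a constructed Python model of the two rules. PATH_CHALLENGE and PATH_RESPONSE are the draft's frame names; the `Packet` and `Endpoint` classes, the path names `client-real` and `attacker-spoof`, and the use of a packet number for duplicate detection are assumptions of this toy model. The "strict" endpoint applies the old text (a PATH_RESPONSE only counts if it arrives on the path the PATH_CHALLENGE went out on); the other applies the proposed change (the challenge data alone validates the path the challenge was sent on). The attacker copies the client's genuine PATH_RESPONSE and delivers it first from a spoofed source, so the genuine packet is dropped as a duplicate.

```python
"""Toy model of QUIC path validation (PATH_CHALLENGE / PATH_RESPONSE).
Constructed illustration only: not the draft text and not a real stack."""
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    path: str      # network path the packet travels on (its apparent source)
    pn: int        # packet number; receivers drop duplicates by packet number
    frames: tuple  # e.g. (('PATH_CHALLENGE', data),) or (('PATH_RESPONSE', data),)


class Endpoint:
    def __init__(self, strict_response_path: bool):
        # strict=True  : old text, PATH_RESPONSE must arrive on the challenged path
        # strict=False : proposed change, any arrival path is accepted
        self.strict = strict_response_path
        self.pending = {}       # challenge data -> path the challenge was sent on
        self.validated = set()  # paths this endpoint has unilaterally validated
        self.seen_pn = set()    # duplicate detection (assumption: by packet number)
        self.next_pn = 0
        self.outbox = []

    def _send(self, path, frame):
        pkt = Packet(path, self.next_pn, (frame,))
        self.next_pn += 1
        self.outbox.append(pkt)
        return pkt

    def challenge(self, path):
        data = secrets.token_bytes(8)   # unpredictable challenge data
        self.pending[data] = path
        return self._send(path, ('PATH_CHALLENGE', data))

    def receive(self, pkt):
        if pkt.pn in self.seen_pn:
            return 'dropped-duplicate'
        self.seen_pn.add(pkt.pn)
        for kind, data in pkt.frames:
            if kind == 'PATH_CHALLENGE':
                # The responder still answers on the path the challenge came in on.
                self._send(pkt.path, ('PATH_RESPONSE', data))
            elif kind == 'PATH_RESPONSE':
                sent_on = self.pending.get(data)
                if sent_on is None:
                    continue  # unknown or already-consumed challenge: ignore
                if self.strict and sent_on != pkt.path:
                    continue  # old rule: wrong arrival path, response discarded
                self.validated.add(sent_on)  # the challenged path reached the peer
                del self.pending[data]
        return 'ok'


REAL, SPOOF = 'client-real', 'attacker-spoof'   # assumed path names


def copy_attack(strict):
    """Attacker copies the client's PATH_RESPONSE and delivers it first from a
    spoofed source; the genuine packet then arrives and is dropped as a duplicate.
    Returns which of the two paths the server ends up validating."""
    server, client = Endpoint(strict), Endpoint(strict)
    challenge = server.challenge(REAL)
    client.receive(challenge)
    genuine = client.outbox[-1]                          # PATH_RESPONSE sent on REAL
    copied = Packet(SPOOF, genuine.pn, genuine.frames)   # same bytes, spoofed source
    assert server.receive(copied) == 'ok'
    assert server.receive(genuine) == 'dropped-duplicate'
    return {REAL: REAL in server.validated, SPOOF: SPOOF in server.validated}


def forged_response(strict):
    """A PATH_RESPONSE carrying data the server never challenged validates nothing
    in either mode, so accepting responses from any path does not let an attacker
    validate a path the server never challenged."""
    server = Endpoint(strict)
    server.challenge(REAL)
    server.receive(Packet(SPOOF, 99, (('PATH_RESPONSE', secrets.token_bytes(8)),)))
    return bool(server.validated)


if __name__ == '__main__':
    print('old rule :', copy_attack(strict=True))    # REAL never validates
    print('proposed :', copy_attack(strict=False))   # REAL validates, SPOOF does not
```

Under the old rule the server's only evidence that `client-real` works is discarded because it arrived from the wrong address, and the duplicate drop means no second chance arrives; under the proposed rule the challenge data proves that the PATH_CHALLENGE sent on `client-real` reached the client, which is all the initiator needs to know. The spoofed path is never validated in either mode, since no challenge was ever sent on it. The model leaves out what a real endpoint would do with the spoofed source as a candidate new path (it would challenge that path too).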