Re: [quicwg/base-drafts] Spoofed retry token attack on IP authentication (#2394)
Martin Thomson <notifications@github.com> Sun, 03 February 2019 21:55 UTC
Return-Path: <noreply@github.com>
X-Original-To: quic-issues@ietfa.amsl.com
Delivered-To: quic-issues@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0C2A21288BD for <quic-issues@ietfa.amsl.com>; Sun, 3 Feb 2019 13:55:55 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -12.551
X-Spam-Level:
X-Spam-Status: No, score=-12.551 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-4.553, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_IMAGE_ONLY_32=0.001, HTML_MESSAGE=0.001, MAILING_LIST_MULTI=-1, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=github.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rSVHOYYorLRA for <quic-issues@ietfa.amsl.com>; Sun, 3 Feb 2019 13:55:53 -0800 (PST)
Received: from out-5.smtp.github.com (out-5.smtp.github.com [192.30.252.196]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B4E3312DD85 for <quic-issues@ietf.org>; Sun, 3 Feb 2019 13:55:52 -0800 (PST)
Date: Sun, 03 Feb 2019 13:55:51 -0800
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=github.com; s=pf2014; t=1549230951; bh=ZOJBNqdkVmo5NHP9N9XenNnN0DeVLIjcQVDd8FtmFdc=; h=Date:From:Reply-To:To:Cc:In-Reply-To:References:Subject:List-ID: List-Archive:List-Post:List-Unsubscribe:From; b=J5LisBq+hJQ34smBaHg/KN4SlvNWbMyspJkU6S3KnlHJISZuxudIEtHz/TUelJcZI 85m0DHczx886VWwX0aOBlay7NXYlK4TmDfvqvAs6MhqHmyPe2+2Xbf5Z55SljQjlV+ bSLbe2dtFIxDbewIhXxbwMWqiirxCxBWmpewxv2M=
From: Martin Thomson <notifications@github.com>
Reply-To: quicwg/base-drafts <reply+0166e4ab9e932009a1f6b1be110533da349484427f3ee2ab92cf00000001186f256792a169ce1823c7c2@reply.github.com>
To: quicwg/base-drafts <base-drafts@noreply.github.com>
Cc: Subscribed <subscribed@noreply.github.com>
Message-ID: <quicwg/base-drafts/issues/2394/460092507@github.com>
In-Reply-To: <quicwg/base-drafts/issues/2394@github.com>
References: <quicwg/base-drafts/issues/2394@github.com>
Subject: Re: [quicwg/base-drafts] Spoofed retry token attack on IP authentication (#2394)
Mime-Version: 1.0
Content-Type: multipart/alternative; boundary="--==_mimepart_5c576367172c5_2f73f8c1e2d45bc7561ca"; charset="UTF-8"
Content-Transfer-Encoding: 7bit
Precedence: list
X-GitHub-Sender: martinthomson
X-GitHub-Recipient: quic-issues
X-GitHub-Reason: subscribed
X-Auto-Response-Suppress: All
X-GitHub-Recipient-Address: quic-issues@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic-issues/FK8FlbkidUMSO8LslfWWAnv2N5w>
X-BeenThere: quic-issues@ietf.org
X-Mailman-Version: 2.1.29
List-Id: Notification list for GitHub issues related to the QUIC WG <quic-issues.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic-issues>, <mailto:quic-issues-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic-issues/>
List-Post: <mailto:quic-issues@ietf.org>
List-Help: <mailto:quic-issues-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic-issues>, <mailto:quic-issues-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 03 Feb 2019 21:55:55 -0000
This is a fairly non-interesting attack. I read this as saying that if you can send and receive packets for a given IP address you can make connections from that address. From the perspective of what we can reasonably test, there is no distinction between that and genuinely owning the address. The point about the number of times that Retry tokens can be used is a fine one. Adding a note about expected lifetime of these tokens to [Section 8.1.1](https://quicwg.org/base-drafts/draft-ietf-quic-transport.html#validate-retry) is a fine idea. -- You are receiving this because you are subscribed to this thread. Reply to this email directly or view it on GitHub: https://github.com/quicwg/base-drafts/issues/2394#issuecomment-460092507
- [quicwg/base-drafts] Spoofed retry token attack o… MikkelFJ
- Re: [quicwg/base-drafts] Spoofed retry token atta… MikkelFJ
- Re: [quicwg/base-drafts] Spoofed retry token atta… Kazuho Oku
- Re: [quicwg/base-drafts] Spoofed retry token atta… MikkelFJ
- Re: [quicwg/base-drafts] Spoofed retry token atta… MikkelFJ
- Re: [quicwg/base-drafts] Spoofed retry token atta… Kazuho Oku
- Re: [quicwg/base-drafts] Spoofed retry token atta… Kazuho Oku
- Re: [quicwg/base-drafts] Spoofed retry token atta… MikkelFJ
- Re: [quicwg/base-drafts] Spoofed retry token atta… MikkelFJ
- Re: [quicwg/base-drafts] Spoofed retry token atta… MikkelFJ
- Re: [quicwg/base-drafts] Spoofed retry token atta… MikkelFJ
- Re: [quicwg/base-drafts] Spoofed retry token atta… Kazuho Oku
- Re: [quicwg/base-drafts] Spoofed retry token atta… MikkelFJ
- Re: [quicwg/base-drafts] Spoofed retry token atta… Martin Thomson
- Re: [quicwg/base-drafts] Spoofed retry token atta… ekr
- Re: [quicwg/base-drafts] Spoofed retry token atta… Jana Iyengar