Re: [quicwg/base-drafts] Spoofed retry token attack on IP authentication (#2394)

Martin Thomson <> Sun, 03 February 2019 21:55 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 0C2A21288BD for <>; Sun, 3 Feb 2019 13:55:55 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -12.551
X-Spam-Status: No, score=-12.551 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-4.553, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_IMAGE_ONLY_32=0.001, HTML_MESSAGE=0.001, MAILING_LIST_MULTI=-1, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id rSVHOYYorLRA for <>; Sun, 3 Feb 2019 13:55:53 -0800 (PST)
Received: from ( []) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id B4E3312DD85 for <>; Sun, 3 Feb 2019 13:55:52 -0800 (PST)
Date: Sun, 03 Feb 2019 13:55:51 -0800
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=pf2014; t=1549230951; bh=ZOJBNqdkVmo5NHP9N9XenNnN0DeVLIjcQVDd8FtmFdc=; h=Date:From:Reply-To:To:Cc:In-Reply-To:References:Subject:List-ID: List-Archive:List-Post:List-Unsubscribe:From; b=J5LisBq+hJQ34smBaHg/KN4SlvNWbMyspJkU6S3KnlHJISZuxudIEtHz/TUelJcZI 85m0DHczx886VWwX0aOBlay7NXYlK4TmDfvqvAs6MhqHmyPe2+2Xbf5Z55SljQjlV+ bSLbe2dtFIxDbewIhXxbwMWqiirxCxBWmpewxv2M=
From: Martin Thomson <>
Reply-To: quicwg/base-drafts <>
To: quicwg/base-drafts <>
Cc: Subscribed <>
Message-ID: <quicwg/base-drafts/issues/2394/>
In-Reply-To: <quicwg/base-drafts/issues/>
References: <quicwg/base-drafts/issues/>
Subject: Re: [quicwg/base-drafts] Spoofed retry token attack on IP authentication (#2394)
Mime-Version: 1.0
Content-Type: multipart/alternative; boundary="--==_mimepart_5c576367172c5_2f73f8c1e2d45bc7561ca"; charset="UTF-8"
Content-Transfer-Encoding: 7bit
Precedence: list
X-GitHub-Sender: martinthomson
X-GitHub-Recipient: quic-issues
X-GitHub-Reason: subscribed
X-Auto-Response-Suppress: All
Archived-At: <>
X-Mailman-Version: 2.1.29
List-Id: Notification list for GitHub issues related to the QUIC WG <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Sun, 03 Feb 2019 21:55:55 -0000

This is a fairly non-interesting attack.  I read this as saying that if you can send and receive packets for a given IP address you can make connections from that address.  From the perspective of what we can reasonably test, there is no distinction between that and genuinely owning the address.

The point about the number of times that Retry tokens can be used is a fine one.  Adding a note about expected lifetime of these tokens to [Section 8.1.1]( is a fine idea.

You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub: