Re: [quicwg/base-drafts] Allow server to enforce port-Retry packet numbering (#3989)

Mike Bishop <> Tue, 11 August 2020 15:54 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 149453A0475 for <>; Tue, 11 Aug 2020 08:54:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.483
X-Spam-Status: No, score=-1.483 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_IMAGE_ONLY_24=1.618, HTML_MESSAGE=0.001, MAILING_LIST_MULTI=-1, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id hvxzfhGO3aet for <>; Tue, 11 Aug 2020 08:54:40 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id ABE2E3A0407 for <>; Tue, 11 Aug 2020 08:54:40 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id B919352007C for <>; Tue, 11 Aug 2020 08:54:39 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=pf2014; t=1597161279; bh=RwO5orhXliMgJsy/iIpB9SQlKmgN1ve4X28sQPYMgJQ=; h=Date:From:Reply-To:To:Cc:In-Reply-To:References:Subject:List-ID: List-Archive:List-Post:List-Unsubscribe:From; b=PzyRdYRPMvq1r8Hv5MTc3T2SdED1+UGxb6/B7Dn16ABMZmmJ3CwO+ygimyHkO1s25 IKt4igQIpyfc/KGXN1VkJbcIb5sN91KM1sp5Sk8vgGwhKA35CEPLmNsq3cR6jILhXp SAWk58uz3tz3fbwpdXcjYJJWb97yblAkjrvr3OTI=
Date: Tue, 11 Aug 2020 08:54:39 -0700
From: Mike Bishop <>
Reply-To: quicwg/base-drafts <>
To: quicwg/base-drafts <>
Cc: Subscribed <>
Message-ID: <quicwg/base-drafts/issues/3989/>
In-Reply-To: <quicwg/base-drafts/issues/>
References: <quicwg/base-drafts/issues/>
Subject: Re: [quicwg/base-drafts] Allow server to enforce port-Retry packet numbering (#3989)
Mime-Version: 1.0
Content-Type: multipart/alternative; boundary="--==_mimepart_5f32bf3fa9f54_7c6e16f8896e6"; charset="UTF-8"
Content-Transfer-Encoding: 7bit
Precedence: list
X-GitHub-Sender: MikeBishop
X-GitHub-Recipient: quic-issues
X-GitHub-Reason: subscribed
X-Auto-Response-Suppress: All
Archived-At: <>
X-Mailman-Version: 2.1.29
List-Id: Notification list for GitHub issues related to the QUIC WG <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 11 Aug 2020 15:54:42 -0000

If it's not trivial, it's verging on trivial.  The "right" way to enforce this, as Dmitri notes, is to include the client's packet number in the Retry token.  Upon receipt of any token, if it is a retry token, the server checks whether the containing packet number is less than or equal to that stored in the token.  If it's not a retry token, no check is needed.  This is completely stateless, so if packets get reordered, nothing breaks.

As to the point of modifying Initial packets, that's true.  An attacker that can modify packets can always cause the handshake to fail; this is just another way.  To use this for disruption by injecting a packet, the attacker has to observe the client's Initial, the server's Retry packet, and then fabricate an Initial with a lower packet number.  Not a high bar, but an attacker that can observe the packets in both directions and inject packets can break things in many other ways, too.

I'm comfortable with MAY enforce (which I think is already implicit in a MUST NOT) at least, if people think one more integer encoded in the token is too high a bar for a stronger recommendation.

You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub: