Re: [quicwg/base-drafts] amplification attack using Retry and VN triggered by coalesced Initial packets (#2259)

MikkelFJ <notifications@github.com> Fri, 04 January 2019 09:51 UTC

Date: Fri, 04 Jan 2019 01:51:48 -0800
From: MikkelFJ <notifications@github.com>
Reply-To: quicwg/base-drafts <reply+0166e4ab9b00a92eda5ae495ec99e73ce2b470c49a93c95292cf000000011846eeb492a169ce177f0208@reply.github.com>
To: quicwg/base-drafts <base-drafts@noreply.github.com>
Cc: Subscribed <subscribed@noreply.github.com>
Message-ID: <quicwg/base-drafts/issues/2259/451399498@github.com>
In-Reply-To: <quicwg/base-drafts/issues/2259@github.com>
References: <quicwg/base-drafts/issues/2259@github.com>
Subject: Re: [quicwg/base-drafts] amplification attack using Retry and VN triggered by coalesced Initial packets (#2259)
Mime-Version: 1.0
Content-Type: multipart/alternative; boundary="--==_mimepart_5c2f2cb4bce4f_5ea73fb0d9ad45c0254823"; charset="UTF-8"
Content-Transfer-Encoding: 7bit
Precedence: list
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic-issues/JXKOPNkkWStRFh2fkOc70bHKjRY>

I was about to suggest that VN / Retry could only be sent if the QUIC packet had at least 1200 bytes, but that goes against the idea of using coalesced packets. I'm not sure that 600 bytes is much better because it limits how much you can send in a second coalesced package when you want to stay below the minimum PMTU.

By requiring that only the first QUIC packet in a datagram can trigger VN / Retry you avoid these problems, and I can't imagine a reasonable case where you want to coalesce packets in a way where later packets actually trigger a VN / Retry.

One could also add that coalesced packets must belong to the same logical connection or connection attempt and that an implementation MAY ignore part or all of the packets in a datagram that does not conform (without requiring this to be enforced because that could get complex fast).

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/quicwg/base-drafts/issues/2259#issuecomment-451399498

[quicwg/base-drafts] amplification attack using R… Marten Seemann
Re: [quicwg/base-drafts] amplification attack usi… Nick Banks
Re: [quicwg/base-drafts] amplification attack usi… ianswett
Re: [quicwg/base-drafts] amplification attack usi… Marten Seemann
Re: [quicwg/base-drafts] amplification attack usi… Dmitri Tikhonov
Re: [quicwg/base-drafts] amplification attack usi… Nick Banks
Re: [quicwg/base-drafts] amplification attack usi… Marten Seemann
Re: [quicwg/base-drafts] amplification attack usi… Nick Banks
Re: [quicwg/base-drafts] amplification attack usi… Marten Seemann
Re: [quicwg/base-drafts] amplification attack usi… Martin Thomson
Re: [quicwg/base-drafts] amplification attack usi… Marten Seemann
Re: [quicwg/base-drafts] amplification attack usi… Kazuho Oku
Re: [quicwg/base-drafts] amplification attack usi… Marten Seemann
Re: [quicwg/base-drafts] amplification attack usi… Kazuho Oku
Re: [quicwg/base-drafts] amplification attack usi… Marten Seemann
Re: [quicwg/base-drafts] amplification attack usi… Kazuho Oku
Re: [quicwg/base-drafts] amplification attack usi… ianswett
Re: [quicwg/base-drafts] amplification attack usi… Nick Banks
Re: [quicwg/base-drafts] amplification attack usi… David Schinazi
Re: [quicwg/base-drafts] amplification attack usi… MikkelFJ
Re: [quicwg/base-drafts] amplification attack usi… David Schinazi
Re: [quicwg/base-drafts] amplification attack usi… MikkelFJ
Re: [quicwg/base-drafts] amplification attack usi… David Schinazi
Re: [quicwg/base-drafts] amplification attack usi… MikkelFJ
Re: [quicwg/base-drafts] amplification attack usi… ianswett
Re: [quicwg/base-drafts] amplification attack usi… Kazuho Oku
Re: [quicwg/base-drafts] amplification attack usi… MikkelFJ
Re: [quicwg/base-drafts] amplification attack usi… Kazuho Oku
Re: [quicwg/base-drafts] amplification attack usi… MikkelFJ
Re: [quicwg/base-drafts] amplification attack usi… janaiyengar
Re: [quicwg/base-drafts] amplification attack usi… janaiyengar