Re: [quicwg/base-drafts] handling of coalesced packets with decryption errors creates DoS opportunity (#2308)

Kazuho Oku <notifications@github.com> Thu, 09 May 2019 04:19 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/quic-issues/KSw2tswYhooWaZ9DZdKp49USkBE>

@huitema 
> If I receive a handshake packet after the handshake is finished, I will most probably ignore it. I don't have the keys anymore, I cannot remove header protection or packet protection. Packet will be treated as a decryption error, and whatever is coalesced with it will most likely be ignored.

I would point out that the draft says don't. Quoting from [section 12.2](https://quicwg.org/base-drafts/draft-ietf-quic-transport.html#rfc.section.12.2): _if decryption fails (because the keys are not available or any other reason), the receiver MAY either discard or buffer the packet for later processing and MUST attempt to process the remaining packets._

> I understand the goal of coalescing is to find a CID in the ICMP payload, but that seems somewhat brittle. Parsing the ICMP based on the 5 tuple would be much more robust, and does not require playing games with packet coalescing.

I agree that endpoints should rely on the 5 tuple whenever possible. However, if a stateless load balancer is being used, the CID becomes the only identifier for routing packets. That's why we have this mechanism.

Reply to this email directly or view it on GitHub:
https://github.com/quicwg/base-drafts/issues/2308#issuecomment-490737296
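The receiver behaviour quoted above from section 12.2 (split the datagram on each long header's Length field, drop or buffer the packet you cannot decrypt, and keep going) is what stops one stale Handshake packet from taking the coalesced 1-RTT packet down with it. The following is an added example written for this page; it is not code from the thread, from quicly, or from any other implementation. It assumes the RFC 9000 long-header layout with one-byte CID length prefixes (which postdates this 2019 draft discussion), a fixed 8-byte connection ID for short-header packets, and a set of packet-number spaces standing in for real AEAD keys; the sample datagram is constructed inline.

```python
"""Split a UDP datagram into coalesced QUIC packets and process each one
independently, continuing past any packet that cannot be decrypted.

Assumptions (not from the thread): RFC 9000 long-header layout, a fixed
8-byte DCID for short-header packets, and key availability simulated by
a set of space names instead of real AEAD keys."""

from dataclasses import dataclass
from typing import List, Set, Tuple

LONG_HEADER = 0x80
FIXED_BIT = 0x40
INITIAL, ZERO_RTT, HANDSHAKE, RETRY = 0, 1, 2, 3
TYPE_NAMES = {INITIAL: "Initial", ZERO_RTT: "0-RTT", HANDSHAKE: "Handshake"}
SHORT_DCID_LEN = 8  # assumed: a receiver knows the length of the CIDs it issued


def read_varint(buf: bytes, pos: int) -> Tuple[int, int]:
    """Decode a QUIC variable-length integer; the top two bits give the size."""
    length = 1 << (buf[pos] >> 6)
    if pos + length > len(buf):
        raise ValueError("truncated varint")
    value = buf[pos] & 0x3F
    for i in range(1, length):
        value = (value << 8) | buf[pos + i]
    return value, pos + length


def encode_varint(v: int) -> bytes:
    if v < 0x40:
        return bytes([v])
    if v < 0x4000:
        return (v | 0x4000).to_bytes(2, "big")
    if v < 0x40000000:
        return (v | 0x80000000).to_bytes(4, "big")
    return (v | 0xC000000000000000).to_bytes(8, "big")


@dataclass
class Packet:
    kind: str    # "Initial", "0-RTT", "Handshake", "Retry", "VersionNegotiation", "1-RTT"
    dcid: bytes
    raw: bytes   # the bytes belonging to this one packet


def split_coalesced(datagram: bytes) -> List[Packet]:
    """Walk the datagram using each long header's Length field. Retry,
    Version Negotiation and short-header packets carry no Length and so
    must be the last packet in the datagram."""
    packets: List[Packet] = []
    pos = 0
    while pos < len(datagram):
        start = pos
        first = datagram[pos]
        pos += 1
        if not first & LONG_HEADER:
            dcid = datagram[pos:pos + SHORT_DCID_LEN]
            packets.append(Packet("1-RTT", dcid, datagram[start:]))
            break
        version = int.from_bytes(datagram[pos:pos + 4], "big")
        pos += 4
        dcid_len = datagram[pos]
        pos += 1
        dcid = datagram[pos:pos + dcid_len]
        pos += dcid_len
        scid_len = datagram[pos]
        pos += 1 + scid_len  # skip SCID; not needed for routing here
        ptype = (first >> 4) & 0x03
        if version == 0 or ptype == RETRY:
            kind = "VersionNegotiation" if version == 0 else "Retry"
            packets.append(Packet(kind, dcid, datagram[start:]))
            break
        if ptype == INITIAL:
            token_len, pos = read_varint(datagram, pos)
            pos += token_len
        length, pos = read_varint(datagram, pos)
        end = pos + length
        if end > len(datagram):
            raise ValueError("Length field runs past the end of the datagram")
        packets.append(Packet(TYPE_NAMES[ptype], dcid, datagram[start:end]))
        pos = end
    return packets


def process_datagram(datagram: bytes, available_keys: Set[str]) -> List[Tuple[str, str]]:
    """Section 12.2 behaviour: a packet whose keys are unavailable is discarded
    (a real stack might buffer it instead), and the remaining packets are still
    processed. Packets whose DCID differs from the first packet's are ignored."""
    results: List[Tuple[str, str]] = []
    first_dcid = None
    for pkt in split_coalesced(datagram):
        if first_dcid is None:
            first_dcid = pkt.dcid
        elif pkt.dcid != first_dcid:
            results.append((pkt.kind, "discarded: DCID differs from first packet"))
            continue
        if pkt.kind not in available_keys:
            results.append((pkt.kind, "discarded: no keys"))
            continue
        results.append((pkt.kind, "processed"))
    return results


def long_header(ptype: int, dcid: bytes, scid: bytes, body: bytes, token: bytes = b"") -> bytes:
    first = LONG_HEADER | FIXED_BIT | (ptype << 4)  # packet number length bits = 00
    hdr = bytes([first]) + (1).to_bytes(4, "big")
    hdr += bytes([len(dcid)]) + dcid + bytes([len(scid)]) + scid
    if ptype == INITIAL:
        hdr += encode_varint(len(token)) + token
    return hdr + encode_varint(len(body)) + body


def short_header(dcid: bytes, body: bytes) -> bytes:
    return bytes([FIXED_BIT]) + dcid + body


# Constructed sample: Initial + Handshake + 1-RTT coalesced in one datagram,
# received after the handshake keys have been dropped.
DCID = b"\x11" * 8
SCID = b"\x22" * 8
SAMPLE = (long_header(INITIAL, DCID, SCID, b"\x01crypto-frame")
          + long_header(HANDSHAKE, DCID, SCID, b"\x01stale")
          + short_header(DCID, b"\x01app-data"))


def demo() -> List[Tuple[str, str]]:
    return process_datagram(SAMPLE, {"1-RTT"})


if __name__ == "__main__":
    for kind, outcome in demo():
        print(f"{kind}: {outcome}")
```

A naive receiver that returns on the first decryption failure would never reach the 1-RTT packet here; the split above makes the outcome for each packet independent of its neighbours, and the DCID check keeps a stateless load balancer's routing decision (made on the first packet) consistent with what the endpoint actually processes.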