Re: [quicwg/base-drafts] Defense against version number corruption (#3532)

Christian Huitema <notifications@github.com> Wed, 18 March 2020 21:35 UTC

Return-Path: <noreply@github.com>
X-Original-To: quic-issues@ietfa.amsl.com
Delivered-To: quic-issues@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 313B13A1CB7 for <quic-issues@ietfa.amsl.com>; Wed, 18 Mar 2020 14:35:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.008
X-Spam-Level:
X-Spam-Status: No, score=-2.008 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_IMAGE_ONLY_16=1.092, HTML_MESSAGE=0.001, MAILING_LIST_MULTI=-1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=github.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id UlhFscmFMGOH for <quic-issues@ietfa.amsl.com>; Wed, 18 Mar 2020 14:35:02 -0700 (PDT)
Received: from out-19.smtp.github.com (out-19.smtp.github.com [192.30.252.202]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F3AE63A1CA3 for <quic-issues@ietf.org>; Wed, 18 Mar 2020 14:34:51 -0700 (PDT)
Received: from github-lowworker-6b40fdd.va3-iad.github.net (github-lowworker-6b40fdd.va3-iad.github.net [10.48.16.64]) by smtp.github.com (Postfix) with ESMTP id 2CBEB521E73 for <quic-issues@ietf.org>; Wed, 18 Mar 2020 14:34:51 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=github.com; s=pf2014; t=1584567291; bh=P8vR2jsDTc7Hdbn6vqBcuSXg6gIYly8lamx+FDvooHM=; h=Date:From:Reply-To:To:Cc:In-Reply-To:References:Subject:List-ID: List-Archive:List-Post:List-Unsubscribe:From; b=UfrCmyMRi8XAZhiY+pTCPKzuznhIQm6kNzLRw8OJueC6/Nuc98prZPLPVCdGSGxnA xTpL2xO+hBCQLAdgjD804lILU0KwTxcNZxPwfAo9cvXdhTG7kUvCpnEu3nJcKvSNkH /O2cISlnPYtTKPI/mNtFS2wrXM/4n423+Xa23L3A=
Date: Wed, 18 Mar 2020 14:34:51 -0700
From: Christian Huitema <notifications@github.com>
Reply-To: quicwg/base-drafts <reply+AFTOJK6JJEWSTFHYTZCQSX54PZ2PXEVBNHHCFTPLZM@reply.github.com>
To: quicwg/base-drafts <base-drafts@noreply.github.com>
Cc: Subscribed <subscribed@noreply.github.com>
Message-ID: <quicwg/base-drafts/issues/3532/600870295@github.com>
In-Reply-To: <quicwg/base-drafts/issues/3532@github.com>
References: <quicwg/base-drafts/issues/3532@github.com>
Subject: Re: [quicwg/base-drafts] Defense against version number corruption (#3532)
Mime-Version: 1.0
Content-Type: multipart/alternative; boundary="--==_mimepart_5e7293fb1d52d_2f553fb4654cd96c7469e"; charset=UTF-8
Content-Transfer-Encoding: 7bit
Precedence: list
X-GitHub-Sender: huitema
X-GitHub-Recipient: quic-issues
X-GitHub-Reason: subscribed
X-Auto-Response-Suppress: All
X-GitHub-Recipient-Address: quic-issues@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic-issues/LWQGZb_5lv8TLBQAa8YpZyH4O2o>
X-BeenThere: quic-issues@ietf.org
X-Mailman-Version: 2.1.29
List-Id: Notification list for GitHub issues related to the QUIC WG <quic-issues.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic-issues>, <mailto:quic-issues-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic-issues/>
List-Post: <mailto:quic-issues@ietf.org>
List-Help: <mailto:quic-issues-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic-issues>, <mailto:quic-issues-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 18 Mar 2020 21:35:09 -0000

The problem with the "one in 300 million" figure is that it relies on the UDP checksum. If you cannot trust the UDP checksum, the figure is "1 in 5000", which is more concerning. And there are scenarios in which uncontrolled middle-boxes do rewrite that checksum.

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/quicwg/base-drafts/issues/3532#issuecomment-600870295