Re: [quicwg/base-drafts] Stateless Reset needs "on-path" proof (#1230)

Martin Thomson <notifications@github.com> Tue, 10 April 2018 04:15 UTC


OK, thanks for clearing that up.  I think that you have an attack, though it might not be that interesting.

Connection IDs are scoped to a state store, whereas your proposed key is global.  That means that an attacker that can learn the key for a given connection ID in any state store can use it to attack all other state stores.  For high entropy connection IDs, that takes some doing, but it isn't generically safe, especially now we allow as little as 32 bits.

What is generically safe is co-extant state.  That is, the connection ID has to be valid everywhere the static key is used and thus a packet with a given connection ID either causes a valid stateless reset for that connection or it is accepted.

Given the complexity of the additional mechanism and that exposure, I'd rather concentrate on the attack that this issue was originally raised to address: the absence of a proof-of-receipt in the stateless reset packet.  Given that we now have as little as 32 bits of entropy (or less) in a connection ID, the potential for a stateless reset oracle is bothering me a little.

https://github.com/quicwg/base-drafts/issues/1230#issuecomment-379968590
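
The scoping concern in the message above, as an added example that is not part of the original thread or the QUIC drafts: two state stores share one static key while each owns its own connection IDs, so the same 32-bit connection ID value can be live in both. The HMAC-SHA256 construction, the `scope` label, the class and function names, the key and the connection ID are all assumptions made for illustration.

```python
import hashlib
import hmac

TOKEN_LEN = 16  # QUIC stateless reset tokens are 16 bytes


def reset_token(static_key: bytes, cid: bytes, scope: bytes = b"") -> bytes:
    """Derive a reset token from a static key (assumed HMAC-SHA256 construction).

    `scope` is a hypothetical state-store label; the length prefix keeps
    (scope, cid) pairs unambiguous.
    """
    msg = bytes([len(scope)]) + scope + cid
    return hmac.new(static_key, msg, hashlib.sha256).digest()[:TOKEN_LEN]


class StateStore:
    """One state store: owns its connection IDs, shares the static key."""

    def __init__(self, name: bytes, static_key: bytes, scoped: bool):
        self.static_key = static_key
        self.scope = name if scoped else b""
        self.live = set()

    def open_connection(self, cid: bytes) -> bytes:
        self.live.add(cid)
        return reset_token(self.static_key, cid, self.scope)

    def peer_would_accept(self, cid: bytes, token: bytes) -> bool:
        """True if `token` matches what the peer of live `cid` was given."""
        if cid not in self.live:
            return False
        expected = reset_token(self.static_key, cid, self.scope)
        return hmac.compare_digest(expected, token)


def token_valid_across_stores(scoped: bool) -> bool:
    """Does a token issued by store A also reset the same CID value at store B?"""
    key = b"constructed-static-key-for-demo!"  # constructed sample key
    cid = bytes.fromhex("0a0b0c0d")            # constructed 32-bit connection ID
    store_a = StateStore(b"store-a", key, scoped)
    store_b = StateStore(b"store-b", key, scoped)
    token_from_a = store_a.open_connection(cid)
    store_b.open_connection(cid)  # unrelated connection, same CID value
    return store_b.peer_would_accept(cid, token_from_a)


if __name__ == "__main__":
    print("global key only:", token_valid_across_stores(scoped=False))
    print("key + store scope:", token_valid_across_stores(scoped=True))
```

Binding the derivation to the store is one way to keep a token meaningful only where its connection ID is; the other condition the message names, having the connection ID valid everywhere the static key is used, removes the collision instead.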