Re: [quicwg/base-drafts] Fix for off-path migration attack (#2033)

Marten Seemann <notifications@github.com> Wed, 21 November 2018 14:18 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/quic-issues/NOXcbk7rOEHzXBuzT0yNPzbF2oM>

marten-seemann commented on this pull request.

> @@ -1766,7 +1768,8 @@ abandons its attempt to validate the path.
 
 Endpoints SHOULD abandon path validation based on a timer. When setting this
 timer, implementations are cautioned that the new path could have a longer
-round-trip time than the original.
+round-trip time than the original.  A value of three times the current
+Retransmittion Timeout (RTO) as defined in {{QUIC-RECOVERY}} is RECOMMENDED.
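Review bot: "Retransmittion" in the added line should be "Retransmission", and the double space before "A value" should be a single space. More substantively, the RECOMMENDED value is derived from the current path's RTO while the sentence just before it warns that the new path could have a longer round-trip time than the original; the text should say that the factor of three is the margin intended to cover that, or state that three times the RTO is a minimum rather than the value to use.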

This won’t work out well when switching from a 10ms WiFi. 
I don’t think any value derived from the current RTT helps here. We don’t have any information about the new path, so I suggest we define a constant duration. 

> @@ -1938,6 +1941,52 @@ Note that receipt of packets with higher packet numbers from the legitimate peer
 address will trigger another connection migration.  This will cause the
 validation of the address of the spurious migration to be abandoned.
 
+
+### Off-Path Packet Forwarding {#off-path-forward}
+
+An off-path attacker that can observe packets might forward copies of genuine
+packets to endpoints.  If the copied packet arrives before the genuine packet,
+this will appear as a NAT rebinding.  Any genuine packet will be discarded as a
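Review bot: The new paragraph says a forwarded copy "will appear as a NAT rebinding" but never says what differs between the copy and the genuine packet; since a rebinding is inferred from a changed source address, state explicitly that the forwarded copy carries a different source address on the UDP datagram (the attacker's own address when racing packets toward the server), because that is what the receiving endpoint actually observes and reacts to.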

We should be more precise in describing the attack:
* when racing packets to the server, the attacker uses his own sender address on the UDP packet
* when forwarding packets to the client, the attacker doesn’t spoof the server’s address

Reply to this email directly or view it on GitHub:
https://github.com/quicwg/base-drafts/pull/2033#pullrequestreview-177241028
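As an added illustration (not text from the draft, the PR, or any QUIC implementation), a simplified model of the endpoint behaviour the hunk and the review discuss: a copy of a genuine packet arriving from a different source address is treated as an apparent NAT rebinding and starts path validation, the genuine packet is then discarded as a duplicate, and a later higher-numbered packet from the legitimate address abandons the spurious validation. The constant validation timeout is the alternative argued for in the review; its value, the addresses and the packet numbers are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Constant path-validation timeout (assumed value); the draft text proposes 3 x RTO instead.
VALIDATION_TIMEOUT = 1.0  # seconds

@dataclass
class PathState:
    """Simplified per-connection view of the peer address and path validation."""
    peer: str                          # active (validated) peer address
    highest_pn: int = -1               # highest packet number accepted so far
    seen: Set[int] = field(default_factory=set)
    candidate: Optional[str] = None    # address whose path is being validated
    deadline: Optional[float] = None   # when that validation is abandoned

def receive(state: PathState, src: str, pn: int, now: float) -> str:
    """Process one packet from source address src carrying packet number pn."""
    if pn in state.seen:
        return "discard: duplicate"  # the genuine packet that lost the race lands here
    state.seen.add(pn)
    if src == state.peer:
        if state.candidate is not None and pn > state.highest_pn:
            # Higher packet number from the legitimate address: abandon the spurious migration.
            state.candidate, state.deadline = None, None
            state.highest_pn = pn
            return "abandon validation: legitimate peer still active"
        state.highest_pn = max(state.highest_pn, pn)
        return "accept"
    if pn > state.highest_pn:
        # Highest-numbered packet from a new address looks like a NAT rebinding: validate it.
        state.highest_pn = pn
        state.candidate, state.deadline = src, now + VALIDATION_TIMEOUT
        return "start path validation"
    return "ignore: stale packet from unknown address"

def check_timer(state: PathState, now: float) -> bool:
    """Abandon an outstanding validation once its constant deadline has passed."""
    if state.candidate is None or now < state.deadline:
        return False
    state.candidate, state.deadline = None, None
    return True

def forwarded_copy_scenario() -> Tuple[List[str], Optional[str]]:
    """Constructed trace: a copy of packet 10 from another address wins the race."""
    s = PathState(peer="198.51.100.10:4433")
    results = [receive(s, "203.0.113.5:6000", 10, 0.00),    # copy arrives first
               receive(s, "198.51.100.10:4433", 10, 0.01),  # genuine packet: duplicate
               receive(s, "198.51.100.10:4433", 11, 0.02)]  # next genuine packet
    return results, s.candidate
```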