Re: [quicwg/base-drafts] Amplification attack using retry tokens and spoofed addresses (#2064)

Kazuho Oku <> Fri, 07 December 2018 18:15 UTC

Date: Fri, 07 Dec 2018 10:15:14 -0800
From: Kazuho Oku <>
Reply-To: quicwg/base-drafts <>
To: quicwg/base-drafts <>
Cc: Subscribed <>
Message-ID: <quicwg/base-drafts/pull/2064/>
In-Reply-To: <quicwg/base-drafts/pull/>
References: <quicwg/base-drafts/pull/>
Subject: Re: [quicwg/base-drafts] Amplification attack using retry tokens and spoofed addresses (#2064)
List-Id: Notification list for GitHub issues related to the QUIC WG <>

> I don't think a short token lifetime works as a protection here. I expect servers to issue tokens (in NEW_TOKEN frames) that have the same lifetime as TLS session tickets, which, if I remember correctly, is 7 days.

I am not sure if that's correct. IIUC, the reason we split the information that is maintained across connections into TLS session tickets and tokens was that they have different properties, including lifetime. Tokens are per-path objects and they should have a short lifespan. If that's not clear, I think we should clarify that.
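The two properties under discussion, address binding and a short lifetime, are what stop a token captured on one path from being replayed with a spoofed source address to turn the server into an amplifier. The following is an added example written for this page, not code from the QUIC drafts or from any implementation. The token layout (type byte, issue time, packed address, truncated HMAC-SHA256 tag), the lifetimes (10 s for Retry tokens, 24 h for NEW_TOKEN tokens), binding Retry tokens to IP and port but NEW_TOKEN tokens to IP only, and the 3x reply limit for unvalidated peers are all assumptions chosen for illustration, not values taken from the thread.

```python
import hashlib
import hmac
import ipaddress
import struct

TOKEN_TYPE_RETRY = 0      # issued in a Retry packet for this handshake attempt
TOKEN_TYPE_NEW_TOKEN = 1  # issued in a NEW_TOKEN frame for a later connection

# Assumed lifetimes in seconds; the drafts do not prescribe these numbers.
LIFETIME = {TOKEN_TYPE_RETRY: 10, TOKEN_TYPE_NEW_TOKEN: 24 * 3600}
# Assumed amplification bound: an unvalidated peer is sent at most 3x what it sent.
AMPLIFICATION_LIMIT = 3
TAG_LEN = 16
HEADER_FMT = "!BQ"  # token type, issue time (unix seconds)
HEADER_LEN = struct.calcsize(HEADER_FMT)


def _tag(key, body):
    return hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]


def _addr_bytes(token_type, ip, port):
    """Retry tokens bind IP and port (one handshake); NEW_TOKEN tokens bind IP only."""
    packed = ipaddress.ip_address(ip).packed
    if token_type == TOKEN_TYPE_RETRY:
        packed += struct.pack("!H", port)
    return packed


def issue_token(key, token_type, client_ip, client_port, now):
    body = struct.pack(HEADER_FMT, token_type, int(now))
    body += _addr_bytes(token_type, client_ip, client_port)
    return body + _tag(key, body)


def validate_token(key, token, src_ip, src_port, now):
    """True only if the token is authentic, unexpired and bound to the sending address."""
    if token is None or len(token) < HEADER_LEN + TAG_LEN:
        return False
    body, tag = token[:-TAG_LEN], token[-TAG_LEN:]
    if not hmac.compare_digest(tag, _tag(key, body)):
        return False  # forged or truncated token
    token_type, issued = struct.unpack(HEADER_FMT, body[:HEADER_LEN])
    if token_type not in LIFETIME:
        return False
    age = int(now) - issued
    if not 0 <= age <= LIFETIME[token_type]:
        return False  # expired (or minted in the future)
    # A token captured from a real client is useless from a spoofed address.
    return hmac.compare_digest(body[HEADER_LEN:], _addr_bytes(token_type, src_ip, src_port))


def handle_initial(key, token, src_ip, src_port, now, packet_len):
    """Decide whether the source address is validated and how much the server may send back.

    Returns (validated, reply_limit); reply_limit is None when there is no cap.
    """
    validated = validate_token(key, token, src_ip, src_port, now)
    reply_limit = None if validated else AMPLIFICATION_LIMIT * packet_len
    return validated, reply_limit


if __name__ == "__main__":
    key = b"\x11" * 32  # constructed server key
    t0 = 1_544_206_515  # constructed clock value
    tok = issue_token(key, TOKEN_TYPE_NEW_TOKEN, "192.0.2.1", 0, t0)
    print("legit client :", handle_initial(key, tok, "192.0.2.1", 51000, t0 + 60, 1200))
    print("spoofed source:", handle_initial(key, tok, "198.51.100.9", 51000, t0 + 60, 1200))
    print("expired token :", handle_initial(key, tok, "192.0.2.1", 51000, t0 + 86401, 1200))
```

The replay case is the one the thread is about: the same token presented from a different source address fails the binding check, so the server falls back to the capped reply, and a token that outlives its assumed lifetime is rejected even from the right address.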
