Re: [quicwg/base-drafts] RESET_STREAM should be allowed in 0-RTT packets (#2344)

Mike Bishop <> Tue, 22 January 2019 19:11 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id C9974130F99 for <>; Tue, 22 Jan 2019 11:11:55 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -12.552
X-Spam-Status: No, score=-12.552 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-4.553, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, MAILING_LIST_MULTI=-1, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id FOoxjAiSMkNG for <>; Tue, 22 Jan 2019 11:11:54 -0800 (PST)
Received: from ( []) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id CBF0112785F for <>; Tue, 22 Jan 2019 11:11:53 -0800 (PST)
Date: Tue, 22 Jan 2019 11:11:52 -0800
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=pf2014; t=1548184312; bh=TWRBkUi9eSE2H+9M+AIeGB3L7w/3r6oB6AmUQfeVu1Y=; h=Date:From:Reply-To:To:Cc:In-Reply-To:References:Subject:List-ID: List-Archive:List-Post:List-Unsubscribe:From; b=A8xLv1CZVoWZ5XtqagP28bUfF3CBFQslEpYUnTQkjTVLYOYlkPD6wVx7BZUD7Mhoe pmc3vRcLWYrdiFf6kSb7Z7l5o6JyOvXQLay3DtQGX+ade3ge7ctbkRmma4KwXhA24t S7EubCIUHw//KiisFyz88t/dKAPjGuuCkRfHkfdY=
From: Mike Bishop <>
Reply-To: quicwg/base-drafts <>
To: quicwg/base-drafts <>
Cc: Subscribed <>
Message-ID: <quicwg/base-drafts/issues/2344/>
In-Reply-To: <quicwg/base-drafts/issues/>
References: <quicwg/base-drafts/issues/>
Subject: Re: [quicwg/base-drafts] RESET_STREAM should be allowed in 0-RTT packets (#2344)
Mime-Version: 1.0
Content-Type: multipart/alternative; boundary="--==_mimepart_5c476af8ae020_7b603ff070ad45bc1449cd"; charset="UTF-8"
Content-Transfer-Encoding: 7bit
Precedence: list
X-GitHub-Sender: MikeBishop
X-GitHub-Recipient: quic-issues
X-GitHub-Reason: subscribed
X-Auto-Response-Suppress: All
Archived-At: <>
X-Mailman-Version: 2.1.29
List-Id: Notification list for GitHub issues related to the QUIC WG <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 22 Jan 2019 19:11:56 -0000

Because the client here is an attacker.  However, I'm not seeing as much threat related to this specific change -- this is something the client can do regardless (generating many connections and causing state to be allocated for each).

So the attack here is to artificially create a large batch of (hopefully work-intensive) 0-RTT packets which are legitimate given a particular session ticket.  Then open a large set of parallel connections using the same session ticket and dump all those 0-RTT packets into each connection.

To guard against this, TLS 1.3 recommends [not accepting a given session ticket for multiple connections](  This defense is the same for QUIC, and lives in the TLS layer.

You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub: