Re: [quicwg/base-drafts] Remove DoS vector for spoofed connection migration (#2893)

Martin Thomson <notifications@github.com> Mon, 15 July 2019 00:08 UTC

Return-Path: <noreply@github.com>
X-Original-To: quic-issues@ietfa.amsl.com
Delivered-To: quic-issues@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 723CC1202A4 for <quic-issues@ietfa.amsl.com>; Sun, 14 Jul 2019 17:08:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -8
X-Spam-Level:
X-Spam-Status: No, score=-8 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, MAILING_LIST_MULTI=-1, RCVD_IN_DNSWL_HI=-5, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=github.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OKpFTeOrVGsk for <quic-issues@ietfa.amsl.com>; Sun, 14 Jul 2019 17:08:55 -0700 (PDT)
Received: from out-23.smtp.github.com (out-23.smtp.github.com [192.30.252.206]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 681041202A1 for <quic-issues@ietf.org>; Sun, 14 Jul 2019 17:08:55 -0700 (PDT)
Date: Sun, 14 Jul 2019 17:08:54 -0700
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=github.com; s=pf2014; t=1563149334; bh=v5FWO+WaRHaPNnwziV6PskgKZ1PBH7jJakKyA8bznHU=; h=Date:From:Reply-To:To:Cc:In-Reply-To:References:Subject:List-ID: List-Archive:List-Post:List-Unsubscribe:From; b=d0gT4webON1u5JNV9SI90snDDKJuf69QXKJ5Von07Qop/LiPzMYxvbaHOtfV7fwW+ k0g2i7Y5Js0vtzePt+E7uTTlf3O3rtaLBFltHCl3voJzbFU70edZeHMrrkLcYD/8Os k/yjwGDLqaQ7l56KcNFaBiHb+Od+svjJ2xO0ZWKg=
From: Martin Thomson <notifications@github.com>
Reply-To: quicwg/base-drafts <reply+AFTOJK4AOLUD7KM3FQPWC6V3HD3JNEVBNHHBXX3J5E@reply.github.com>
To: quicwg/base-drafts <base-drafts@noreply.github.com>
Cc: Subscribed <subscribed@noreply.github.com>
Message-ID: <quicwg/base-drafts/pull/2893/review/261606178@github.com>
In-Reply-To: <quicwg/base-drafts/pull/2893@github.com>
References: <quicwg/base-drafts/pull/2893@github.com>
Subject: Re: [quicwg/base-drafts] Remove DoS vector for spoofed connection migration (#2893)
Mime-Version: 1.0
Content-Type: multipart/alternative; boundary="--==_mimepart_5d2bc4165f22e_17b03fac40ccd96444023"; charset="UTF-8"
Content-Transfer-Encoding: 7bit
Precedence: list
X-GitHub-Sender: martinthomson
X-GitHub-Recipient: quic-issues
X-GitHub-Reason: subscribed
X-Auto-Response-Suppress: All
X-GitHub-Recipient-Address: quic-issues@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic-issues/Sr2-4u-GpL0qWkhLmjkQA-FlZY4>
X-BeenThere: quic-issues@ietf.org
X-Mailman-Version: 2.1.29
List-Id: Notification list for GitHub issues related to the QUIC WG <quic-issues.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic-issues>, <mailto:quic-issues-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic-issues/>
List-Post: <mailto:quic-issues@ietf.org>
List-Help: <mailto:quic-issues-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic-issues>, <mailto:quic-issues-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 15 Jul 2019 00:08:57 -0000

martinthomson requested changes on this pull request.

In reviewing this, and in light of the changes in #2851, I'm no longer clear on what value this transport parameter provides.  It seems like the benefit extends only to the ability to not implement path validation or providing extra connection IDs.

I don't think that we should be encouraging implementations to not implement providing of new connection IDs.  So that leaves implementing path validation.  We should probably discuss that more.

All of that need not block this change.  With the removal of that sentence, it looks good to go.

> -Not all changes of peer address are intentional migrations. The peer could
-experience NAT rebinding: a change of address due to a middlebox, usually a NAT,
-allocating a new outgoing port or even a new outgoing IP address for a flow.  An
-endpoint MUST perform path validation ({{migrate-validate}}) if it detects any
-change to a peer's address, unless it has previously validated that address.
+An endpoint also MUST NOT send packets from a different local address, actively
+initiating migration, if the peer sent the `disable_active_migration` transport
+parameter during the handshake. An endpoint which has sent this transport
+parameter, but detects that a peer has nonetheless migrated to a different
+network MUST either drop the incoming packets on that path without generating a
+stateless reset or proceed with path validation and allow the peer to migrate.
+This helps to prevent third parties in the network causing connections to close
+due to spoofed addresses or other manipulation of observed traffic. An endpoint
+MUST NOT actively initiate migration if its peer supplies a zero-length
+connection ID as packets without a Destination Connection ID cannot be
+attributed to a connection based on address tuple.

With the change in #2851, we don't need this last sentence.  The point there is that source addresses aren't allowed to be used in routing of packets, so we don't need to worry about forbidding migration in that case.

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/quicwg/base-drafts/pull/2893#pullrequestreview-261606178