IETF Logo Mail Archive

Re: [quicwg/base-drafts] Define an anti-forgery limit (#3620)

Kazuho Oku <notifications@github.com> Fri, 08 May 2020 00:36 UTC

Return-Path: <noreply@github.com>
X-Original-To: quic-issues@ietfa.amsl.com
Delivered-To: quic-issues@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A65F03A0840 for <quic-issues@ietfa.amsl.com>; Thu, 7 May 2020 17:36:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.101
X-Spam-Level:
X-Spam-Status: No, score=-3.101 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, MAILING_LIST_MULTI=-1, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=github.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id D6-atlH0seZf for <quic-issues@ietfa.amsl.com>; Thu, 7 May 2020 17:36:50 -0700 (PDT)
Received: from out-5.smtp.github.com (out-5.smtp.github.com [192.30.252.196]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 886113A083D for <quic-issues@ietf.org>; Thu, 7 May 2020 17:36:49 -0700 (PDT)
Received: from github-lowworker-5fb2734.va3-iad.github.net (github-lowworker-5fb2734.va3-iad.github.net [10.48.19.27]) by smtp.github.com (Postfix) with ESMTP id 3A86B960500 for <quic-issues@ietf.org>; Thu, 7 May 2020 17:36:49 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=github.com; s=pf2014; t=1588898209; bh=0utUu7jBdWxCCVhy7X18vmK2rwJJvmj8K+8Mfp+HSYA=; h=Date:From:Reply-To:To:Cc:In-Reply-To:References:Subject:List-ID: List-Archive:List-Post:List-Unsubscribe:From; b=MKd8OiWYP4cSMW8ZfBPeRRYBC9zipzYF1SXgMGcHJrYvrU6Ni5wTF0x0cGbQyfHmw ZfAKdhAjxxe/YAYAfSMOcBpnATh6RaZkIsYLabaaM/kpPPNzkmn2rbHxE2fCuOzm30 JMzveAS9QIW3kGvlIF8lX0KqAtTtseINVenT7Sws=
Date: Thu, 07 May 2020 17:36:49 -0700
From: Kazuho Oku <notifications@github.com>
Reply-To: quicwg/base-drafts <reply+AFTOJKZD5OI3S7TP6OL2LGN4YCFKDEVBNHHCIZGB6U@reply.github.com>
To: quicwg/base-drafts <base-drafts@noreply.github.com>
Cc: Subscribed <subscribed@noreply.github.com>
Message-ID: <quicwg/base-drafts/pull/3620/review/407925512@github.com>
In-Reply-To: <quicwg/base-drafts/pull/3620@github.com>
References: <quicwg/base-drafts/pull/3620@github.com>
Subject: Re: [quicwg/base-drafts] Define an anti-forgery limit (#3620)
Mime-Version: 1.0
Content-Type: multipart/alternative; boundary="--==_mimepart_5eb4a9a12abe3_28a83fafb74cd960193a8"; charset="UTF-8"
Content-Transfer-Encoding: 7bit
Precedence: list
X-GitHub-Sender: kazuho
X-GitHub-Recipient: quic-issues
X-GitHub-Reason: subscribed
X-Auto-Response-Suppress: All
X-GitHub-Recipient-Address: quic-issues@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic-issues/UiUM14EutEqxfUGrqmxBJnUmAm4>
X-BeenThere: quic-issues@ietf.org
X-Mailman-Version: 2.1.29
List-Id: Notification list for GitHub issues related to the QUIC WG <quic-issues.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic-issues>, <mailto:quic-issues-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic-issues/>
List-Post: <mailto:quic-issues@ietf.org>
List-Help: <mailto:quic-issues-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic-issues>, <mailto:quic-issues-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 08 May 2020 00:36:55 -0000

@kazuho commented on this pull request.



> +integrity protections in authenticated encryption also depend on limiting the
+number of attempts to forge packets. TLS achieves this by closing connections
+after any record fails an authentication check. In comparison, QUIC ignores any
+packet that cannot be authenticated, allowing multiple attempts at defeating
+integrity protection.
+
+Endpoints MUST count the number of packets that are received but cannot be
+authenticated. Packet protection keys MUST NOT be used for removing packet
+protection after authentication fails on more than a limit that is specific to
+the AEAD in use. Endpoints MUST initiate a key update before reaching this
+limit. Applying a limit reduces the probability that an attacker is able to
+successfully forge a packet; see {{AEBounds}} and {{ROBUST}}.
+
+For AEAD_AES_128_GCM, AEAD_AES_256_GCM, and AEAD_CHACHA20_POLY1305, if the
+number of packets that fail authentication exceeds 2^36, the endpoint MUST
+immediately close the connection.  Note that the analysis in {{AEBounds}}

I see. Thank you for the clarification.

Then, I think that the text could become less confusing if we move "MUST close the connection" to the paragraph above, and change this paragraph to just listing the numbers.

For example, the paragraph above can be changed to something like:
_Endpoints MUST count the number of packets that are received but cannot be authenticated. If the number of packets that fail authentication exceeds a limit that is specific to the AEAD in use, the endpoint MUST immediately close the connection. Endpoints MUST initiate a key update before reaching this limit. Applying a limit reduces the probability that an attacker is able to successfully forge a packet; see {{AEBounds}} and {{ROBUST}}._

_For AEAD_AES_128_GCM, AEAD_AES_256_GCM, and AEAD_CHACHA20_POLY1305, the limit on the number of packets that fail authentication is 2^36..._

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/quicwg/base-drafts/pull/3620#discussion_r421871212

v2.23.0 | Report a Bug | By Email