Re: [quicwg/base-drafts] Add note that middleboxes might change datagram boundaries (#3337)

Eric Kinnear <notifications@github.com> Fri, 17 January 2020 06:36 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/quic-issues/WZJzxZjLpRP9QTd7_826W6zCfCM>

Works for me! Will fold this in to #2925. 

How's this look for that section (otherwise this will get lost in a sea of green, new text is second half of the first sentence only): 
```
#### On-Path Handshake Termination

An on-path attacker can force the QUIC handshake to fail by replacing either the
client or server Initial messages with invalid messages or by modifying datagram
boundaries of coalesced QUIC packets, resulting in invalid Initial messages.  An
off-path attacker can also mount this attack by racing the Initials. Once valid
Initial messages have been exchanged, the remaining handshake messages are
protected with the handshake keys and an on-path attacker cannot force handshake
failure, though they can produce a handshake timeout by dropping packets.

An on-path attacker can also replace the addresses of packets on either side and
therefore cause the client or server to have an incorrect view of the remote
addresses. Such an attack is indistinguishable from the functions performed by a
NAT.
```

-- 
https://github.com/quicwg/base-drafts/pull/3337#issuecomment-575495109
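
Added example, not part of the original message or the QUIC drafts: a receiver-side walk of coalesced long-header packets, showing that a datagram re-split in the middle of a packet leaves an Initial that fails its Length check, while a split on a packet boundary still parses. It assumes the long-header layout later published in RFC 9000; `long_packet` and the sample packets with dummy payloads are constructed for illustration.

```python
def varint(buf, off):
    """Decode a QUIC variable-length integer; return (value, next offset)."""
    if off >= len(buf):
        raise ValueError("truncated varint")
    size = 1 << (buf[off] >> 6)          # top two bits select 1, 2, 4 or 8 bytes
    if off + size > len(buf):
        raise ValueError("truncated varint")
    mask = (1 << (8 * size - 2)) - 1
    return int.from_bytes(buf[off:off + size], "big") & mask, off + size

TYPES = {0: "initial", 1: "0-rtt", 2: "handshake", 3: "retry"}

def walk_datagram(dgram):
    """Split one UDP payload into coalesced QUIC packets using the Length field.
    Returns (packets, error); error is None when every packet is complete."""
    packets, off = [], 0
    try:
        while off < len(dgram):
            start, first = off, dgram[off]
            ptype = (first >> 4) & 0x3
            if not first & 0x80 or ptype == 3:
                # Short-header and Retry packets carry no Length: they run to the end.
                packets.append(("retry" if first & 0x80 else "short", dgram[start:]))
                break
            off += 5                              # first byte + 32-bit version
            for _ in range(2):                    # DCID then SCID, each length-prefixed
                if off >= len(dgram):
                    raise ValueError("truncated connection ID")
                off += 1 + dgram[off]
            if ptype == 0:                        # only Initial packets carry a token
                tlen, off = varint(dgram, off)
                off += tlen
            length, off = varint(dgram, off)
            if off + length > len(dgram):         # packet claims bytes the datagram lacks
                raise ValueError(f"{TYPES[ptype]} Length {length} exceeds datagram")
            off += length
            packets.append((TYPES[ptype], dgram[start:off]))
    except ValueError as exc:
        return packets, str(exc)
    return packets, None

def long_packet(ptype, payload):
    """Constructed sample: version 1, 8-byte DCID, empty SCID, empty token, dummy payload."""
    hdr = bytes([0xC0 | ptype << 4]) + b"\x00\x00\x00\x01" + b"\x08" + b"\xaa" * 8 + b"\x00"
    hdr += b"\x00" if ptype == 0 else b""
    return hdr + (0x4000 | len(payload)).to_bytes(2, "big") + payload

# Constructed datagram: an Initial coalesced with a Handshake packet.
INITIAL, HANDSHAKE = long_packet(0, b"\x11" * 60), long_packet(2, b"\x22" * 40)
COALESCED = INITIAL + HANDSHAKE
```

`walk_datagram(COALESCED[:50])` returns no packets and the error `initial Length 60 exceeds datagram`, which is the invalid Initial the proposed text describes.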