Re: [quicwg/base-drafts] Spoofed retry token attack on IP authentication (#2394)
MikkelFJ <notifications@github.com> Fri, 01 February 2019 13:13 UTC
Return-Path: <noreply@github.com>
X-Original-To: quic-issues@ietfa.amsl.com
Delivered-To: quic-issues@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 33ADF12DF72 for <quic-issues@ietfa.amsl.com>; Fri, 1 Feb 2019 05:13:55 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -11.149
X-Spam-Level:
X-Spam-Status: No, score=-11.149 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-4.553, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_IMAGE_ONLY_28=1.404, HTML_MESSAGE=0.001, MAILING_LIST_MULTI=-1, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=github.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Wv8GheWEzTVB for <quic-issues@ietfa.amsl.com>; Fri, 1 Feb 2019 05:13:53 -0800 (PST)
Received: from out-7.smtp.github.com (out-7.smtp.github.com [192.30.252.198]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8BB28127133 for <quic-issues@ietf.org>; Fri, 1 Feb 2019 05:13:53 -0800 (PST)
Date: Fri, 01 Feb 2019 05:13:52 -0800
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=github.com; s=pf2014; t=1549026832; bh=AE2PGT6dLaWg25Z0MTaNdzx3l8EdDJuPqaJq+xGSucI=; h=Date:From:Reply-To:To:Cc:In-Reply-To:References:Subject:List-ID: List-Archive:List-Post:List-Unsubscribe:From; b=qoTrMyrVEx1tVuBaSFYZIrfgDaNyk80+AxawpEg/dfPyaK1NV8cWcZ3Bn9ziJQCQd mKjtSwmgK1AIAMsQbLOc/ODoTJ+eExTbvUChjqQ89sFe8gBaPL19l55HaOD+NdWFRW MwTi4Ii/bgqyNAy9nQyW38cHnnNngfLCwlf2NV8k=
From: MikkelFJ <notifications@github.com>
Reply-To: quicwg/base-drafts <reply+0166e4ab8d34a928ffb198851ebf163c241996a1a421593292cf00000001186c081092a169ce1823c7c2@reply.github.com>
To: quicwg/base-drafts <base-drafts@noreply.github.com>
Cc: Subscribed <subscribed@noreply.github.com>
Message-ID: <quicwg/base-drafts/issues/2394/459718522@github.com>
In-Reply-To: <quicwg/base-drafts/issues/2394@github.com>
References: <quicwg/base-drafts/issues/2394@github.com>
Subject: Re: [quicwg/base-drafts] Spoofed retry token attack on IP authentication (#2394)
Mime-Version: 1.0
Content-Type: multipart/alternative; boundary="--==_mimepart_5c544610a1333_d033fabd1ed45c4114924"; charset="UTF-8"
Content-Transfer-Encoding: 7bit
Precedence: list
X-GitHub-Sender: mikkelfj
X-GitHub-Recipient: quic-issues
X-GitHub-Reason: subscribed
X-Auto-Response-Suppress: All
X-GitHub-Recipient-Address: quic-issues@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic-issues/XDkZzJVT90etLxXdsRjhgtdQaZY>
X-BeenThere: quic-issues@ietf.org
X-Mailman-Version: 2.1.29
List-Id: Notification list for GitHub issues related to the QUIC WG <quic-issues.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic-issues>, <mailto:quic-issues-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic-issues/>
List-Post: <mailto:quic-issues@ietf.org>
List-Help: <mailto:quic-issues-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic-issues>, <mailto:quic-issues-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 01 Feb 2019 13:13:55 -0000
So the conclusion is that you cannot do anything about it in v1. There isn't even much reason to strongly prevent token reuse since only path observers can reuse it, and they have powers anyway. But there is reason to advise in vulnerability that Retry only protects against off-path attackers, not on-the-side or on-path attackers. -- You are receiving this because you are subscribed to this thread. Reply to this email directly or view it on GitHub: https://github.com/quicwg/base-drafts/issues/2394#issuecomment-459718522
- [quicwg/base-drafts] Spoofed retry token attack o… MikkelFJ
- Re: [quicwg/base-drafts] Spoofed retry token atta… MikkelFJ
- Re: [quicwg/base-drafts] Spoofed retry token atta… Kazuho Oku
- Re: [quicwg/base-drafts] Spoofed retry token atta… MikkelFJ
- Re: [quicwg/base-drafts] Spoofed retry token atta… MikkelFJ
- Re: [quicwg/base-drafts] Spoofed retry token atta… Kazuho Oku
- Re: [quicwg/base-drafts] Spoofed retry token atta… Kazuho Oku
- Re: [quicwg/base-drafts] Spoofed retry token atta… MikkelFJ
- Re: [quicwg/base-drafts] Spoofed retry token atta… MikkelFJ
- Re: [quicwg/base-drafts] Spoofed retry token atta… MikkelFJ
- Re: [quicwg/base-drafts] Spoofed retry token atta… MikkelFJ
- Re: [quicwg/base-drafts] Spoofed retry token atta… Kazuho Oku
- Re: [quicwg/base-drafts] Spoofed retry token atta… MikkelFJ
- Re: [quicwg/base-drafts] Spoofed retry token atta… Martin Thomson
- Re: [quicwg/base-drafts] Spoofed retry token atta… ekr
- Re: [quicwg/base-drafts] Spoofed retry token atta… Jana Iyengar