Re: [quicwg/base-drafts] Spoofed retry token attack on IP authentication (#2394)

MikkelFJ <> Fri, 01 February 2019 13:13 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 33ADF12DF72 for <>; Fri, 1 Feb 2019 05:13:55 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -11.149
X-Spam-Status: No, score=-11.149 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-4.553, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_IMAGE_ONLY_28=1.404, HTML_MESSAGE=0.001, MAILING_LIST_MULTI=-1, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id Wv8GheWEzTVB for <>; Fri, 1 Feb 2019 05:13:53 -0800 (PST)
Received: from ( []) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 8BB28127133 for <>; Fri, 1 Feb 2019 05:13:53 -0800 (PST)
Date: Fri, 01 Feb 2019 05:13:52 -0800
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=pf2014; t=1549026832; bh=AE2PGT6dLaWg25Z0MTaNdzx3l8EdDJuPqaJq+xGSucI=; h=Date:From:Reply-To:To:Cc:In-Reply-To:References:Subject:List-ID: List-Archive:List-Post:List-Unsubscribe:From; b=qoTrMyrVEx1tVuBaSFYZIrfgDaNyk80+AxawpEg/dfPyaK1NV8cWcZ3Bn9ziJQCQd mKjtSwmgK1AIAMsQbLOc/ODoTJ+eExTbvUChjqQ89sFe8gBaPL19l55HaOD+NdWFRW MwTi4Ii/bgqyNAy9nQyW38cHnnNngfLCwlf2NV8k=
From: MikkelFJ <>
Reply-To: quicwg/base-drafts <>
To: quicwg/base-drafts <>
Cc: Subscribed <>
Message-ID: <quicwg/base-drafts/issues/2394/>
In-Reply-To: <quicwg/base-drafts/issues/>
References: <quicwg/base-drafts/issues/>
Subject: Re: [quicwg/base-drafts] Spoofed retry token attack on IP authentication (#2394)
Mime-Version: 1.0
Content-Type: multipart/alternative; boundary="--==_mimepart_5c544610a1333_d033fabd1ed45c4114924"; charset="UTF-8"
Content-Transfer-Encoding: 7bit
Precedence: list
X-GitHub-Sender: mikkelfj
X-GitHub-Recipient: quic-issues
X-GitHub-Reason: subscribed
X-Auto-Response-Suppress: All
Archived-At: <>
X-Mailman-Version: 2.1.29
List-Id: Notification list for GitHub issues related to the QUIC WG <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 01 Feb 2019 13:13:55 -0000

So the conclusion is that you cannot do anything about it in v1. There isn't even much reason to strongly prevent token reuse since only path observers can reuse it, and they have powers anyway.

But there is reason to advise in vulnerability that Retry only protects against off-path attackers, not on-the-side or on-path attackers.

You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub: