Re: [quicwg/base-drafts] Authenticate connection IDs (#3499)

martinduke <notifications@github.com> Wed, 11 March 2020 02:44 UTC

Return-Path: <noreply@github.com>
X-Original-To: quic-issues@ietfa.amsl.com
Delivered-To: quic-issues@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 69CE93A0F80 for <quic-issues@ietfa.amsl.com>; Tue, 10 Mar 2020 19:44:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.1
X-Spam-Level:
X-Spam-Status: No, score=-3.1 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, MAILING_LIST_MULTI=-1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=github.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kDPkK55ehXSf for <quic-issues@ietfa.amsl.com>; Tue, 10 Mar 2020 19:44:04 -0700 (PDT)
Received: from out-6.smtp.github.com (out-6.smtp.github.com [192.30.252.197]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 836E43A0F9B for <quic-issues@ietf.org>; Tue, 10 Mar 2020 19:44:04 -0700 (PDT)
Received: from github-lowworker-fa7043e.ash1-iad.github.net (github-lowworker-fa7043e.ash1-iad.github.net [10.56.109.45]) by smtp.github.com (Postfix) with ESMTP id 402221C07C0 for <quic-issues@ietf.org>; Tue, 10 Mar 2020 19:44:03 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=github.com; s=pf2014; t=1583894643; bh=ZZTLOhomN+fThvQG8TxaMCDDjagJcnC+DjRnazLdA3M=; h=Date:From:Reply-To:To:Cc:In-Reply-To:References:Subject:List-ID: List-Archive:List-Post:List-Unsubscribe:From; b=HdPQrA5ATuDNmIQ9K0Dted0o+ppBmNabZVZQ+Gag5p45C1oigMtqQ8Bz247xHruE/ evobdIkYwAa8YSAtHchxN0OdG7Yq9P5xw1iN1uLQcEJ4wZmk91seuJuZl94Ttwch2N tKUMKYrutXmuac+eeDjy05hsuH5Pzyt94CPlvuLU=
Date: Tue, 10 Mar 2020 19:44:03 -0700
From: martinduke <notifications@github.com>
Reply-To: quicwg/base-drafts <reply+AFTOJKY6XKDI6BYO3WGGFGF4OQYXHEVBNHHCESD76A@reply.github.com>
To: quicwg/base-drafts <base-drafts@noreply.github.com>
Cc: Subscribed <subscribed@noreply.github.com>
Message-ID: <quicwg/base-drafts/pull/3499/review/372441388@github.com>
In-Reply-To: <quicwg/base-drafts/pull/3499@github.com>
References: <quicwg/base-drafts/pull/3499@github.com>
Subject: Re: [quicwg/base-drafts] Authenticate connection IDs (#3499)
Mime-Version: 1.0
Content-Type: multipart/alternative; boundary="--==_mimepart_5e68507330600_68ac3fc27b2cd96820193b"; charset=UTF-8
Content-Transfer-Encoding: 7bit
Precedence: list
X-GitHub-Sender: martinduke
X-GitHub-Recipient: quic-issues
X-GitHub-Reason: subscribed
X-Auto-Response-Suppress: All
X-GitHub-Recipient-Address: quic-issues@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic-issues/ZbBYB1zcWQhqWs1PLNkDslESCV8>
X-BeenThere: quic-issues@ietf.org
X-Mailman-Version: 2.1.29
List-Id: Notification list for GitHub issues related to the QUIC WG <quic-issues.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic-issues>, <mailto:quic-issues-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic-issues/>
List-Post: <mailto:quic-issues@ietf.org>
List-Help: <mailto:quic-issues-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic-issues>, <mailto:quic-issues-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 11 Mar 2020 02:44:07 -0000

martinduke requested changes on this pull request.

Thanks to @martinthomson and @dschinazi for making it clear this is about security proofs, not specific attacks. I'm more inclined to support it now.

If there is really no path to proving that the spec already authenticates server initial SCIDs, then this may be the price we have to pay to be provably secure. The Retry parts may be necessary in any case.

But it's a pain. Clients keeping up to 3 different peer CIDs at one time in the handshake; longer retry tokens; and a bunch of mandatory TPs, changing on a per-connection basis, with no observable purpose. It feels like bloat but I don't have the tools and resources to prove it.

> @@ -4742,6 +4781,22 @@ active_connection_id_limit (0x0e):
   When a zero-length connection ID is being used, the active_connection_id_limit
   parameter MUST NOT be sent.
 
+handshake_connection_id (0x0f):
+
+: The value that the endpoint included in the Source Connection ID field of the
+  first Initial packet it sends during the handshake. Endpoints MUST validate
+  that this transport parameter is present and that it matches the value that
+  was received in Initial packets. Authenticating this value ensures that an
+  attacker is unable to influence the selection of connection IDs during the

What if some of these CIDs are zero length? Do we omit them?

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/quicwg/base-drafts/pull/3499#pullrequestreview-372441388