Re: [quicwg/base-drafts] Count entire datagram for anti-amplification (#3470)

Mike Bishop <notifications@github.com> Wed, 26 February 2020 14:53 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/quic-issues/_5Uv6XxVkH0z44GvWa2kwcu6fjw>

MikeBishop approved this pull request.



> @@ -1625,8 +1625,11 @@ consider the client address to have been validated.
 Prior to validating the client address, servers MUST NOT send more than three
 times as many bytes as the number of bytes they have received.  This limits the
 magnitude of any amplification attack that can be mounted using spoofed source
-addresses.  In determining this limit, servers only count the size of
-successfully processed packets.
+addresses.  For the purposes of avoiding amplification prior to address
+validation, servers MUST count all of the payload bytes received in datagrams
+that are uniquely attributed to a single connection. This includes datagrams
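
Review bot: "payload bytes" in the added sentence "servers MUST count all of the payload bytes received in datagrams" is ambiguous: it can be read as the UDP datagram payload or as the payload of the QUIC packets carried inside it. The removed text counted only "successfully processed packets" and the pull request title says the entire datagram is counted, so stating "UDP payload bytes" explicitly would remove the doubt. "Uniquely attributed to a single connection" is also left undefined in these lines. A short statement of how a server attributes a datagram before address validation, and that a datagram it cannot attribute adds nothing to the limit, would keep implementations from computing different three-times budgets.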

This feels a little duplicative, but the emphasis might be appropriate.

-- 
Reply to this email directly or view it on GitHub:
https://github.com/quicwg/base-drafts/pull/3470#pullrequestreview-364963348