Re: [quicwg/base-drafts] Discard Initial keys as soon as possible (#2045)

Marten Seemann <notifications@github.com> Sat, 24 November 2018 05:41 UTC

Return-Path: <noreply@github.com>
X-Original-To: quic-issues@ietfa.amsl.com
Delivered-To: quic-issues@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0F869130EE7 for <quic-issues@ietfa.amsl.com>; Fri, 23 Nov 2018 21:41:21 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -9.46
X-Spam-Level:
X-Spam-Status: No, score=-9.46 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-1.46, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, MAILING_LIST_MULTI=-1, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=github.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id D9lc2LEwUqaZ for <quic-issues@ietfa.amsl.com>; Fri, 23 Nov 2018 21:41:19 -0800 (PST)
Received: from out-5.smtp.github.com (out-5.smtp.github.com [192.30.252.196]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 81913130EE6 for <quic-issues@ietf.org>; Fri, 23 Nov 2018 21:41:19 -0800 (PST)
Date: Fri, 23 Nov 2018 21:41:18 -0800
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=github.com; s=pf2014; t=1543038078; bh=cViKDUsUhT2UBL6mezvVVsCQ9e8E9iGyx7h5s40Hi3c=; h=Date:From:Reply-To:To:Cc:In-Reply-To:References:Subject:List-ID: List-Archive:List-Post:List-Unsubscribe:From; b=M2dsH0uYMO08rFtqtfe2fKG/p8u2AkkO9uHvNbqBdUo5BeG/J3Q8CNvgDSzXPjxcV jOfMkcoDc0GF0zV8WEVAptoJSpjKsq3Vq0rjIFNotSB9q9I3IxCQW7RbPw7HBatcov I8Ax5+jmMnjfsWaHViIyp1UBxoqldVaGuqWSzo1c=
From: Marten Seemann <notifications@github.com>
Reply-To: quicwg/base-drafts <reply+0166e4ab285100f1d828a1641581aa2efbfbc2f157e5155492cf000000011810a67e92a169ce16de7e61@reply.github.com>
To: quicwg/base-drafts <base-drafts@noreply.github.com>
Cc: Subscribed <subscribed@noreply.github.com>
Message-ID: <quicwg/base-drafts/pull/2045/review/178041112@github.com>
In-Reply-To: <quicwg/base-drafts/pull/2045@github.com>
References: <quicwg/base-drafts/pull/2045@github.com>
Subject: Re: [quicwg/base-drafts] Discard Initial keys as soon as possible (#2045)
Mime-Version: 1.0
Content-Type: multipart/alternative; boundary="--==_mimepart_5bf8e47e6828d_ff63fa66fed45b8127559d"; charset="UTF-8"
Content-Transfer-Encoding: 7bit
Precedence: list
X-GitHub-Sender: marten-seemann
X-GitHub-Recipient: quic-issues
X-GitHub-Reason: subscribed
X-Auto-Response-Suppress: All
X-GitHub-Recipient-Address: quic-issues@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic-issues/_c0WyPgVSARRT1B-AcIF0LdPZP0>
X-BeenThere: quic-issues@ietf.org
X-Mailman-Version: 2.1.29
List-Id: Notification list for GitHub issues related to the QUIC WG <quic-issues.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic-issues>, <mailto:quic-issues-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic-issues/>
List-Post: <mailto:quic-issues@ietf.org>
List-Help: <mailto:quic-issues-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic-issues>, <mailto:quic-issues-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 24 Nov 2018 05:41:21 -0000

marten-seemann commented on this pull request.



> @@ -691,6 +692,24 @@ will be marked as lost before this, as they leave a gap in the sequence of
 packet numbers.
 
 
+## Discarding Initial Keys {#discard-initial}
+
+Packets protected with Initial secrets ({{initial-secrets}}) are not
+authenticated, meaning that an attacker could spoof packets with the intent to
+disrupt a connection.  To limit these attacks, Initial packet protection keys
+can be discarded more aggressively than other keys.
+
+The successful use of Handshake packets indicates that no more Initial packets
+need to be exchanged, as these keys can only be produced after receiving all
+CRYPTO frames from Initial packets.  Thus, a client MUST discard Initial keys
+when it first sends a Handshake packet and a server MUST discard Initial keys
+when it first successfully processes a Handshake packet.  Endpoints MUST NOT
+send Initial packets after this point.

@rpaulo To clarify, I'm saying we should not send an ACK, and we should discard the keys as soon as possible.
Delaying to discard the keys until the ACK arrives is exactly what makes the attack possible in the first place: If we rely on ACKs, there's the problem that the ACK might get lost. Then the peer has to retransmit the last Initial packet, just to trigger the ACK (although it already knows that the packet was received, because new TLS keys became available). In the end, you'll end up generating and accepting Initial packets for **a lot** longer than the 3-way handshake in which they are actually needed, which is a big window for an attacker to inject a packet that will kill the connection.

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/quicwg/base-drafts/pull/2045#discussion_r236033019