Re: [quicwg/base-drafts] Amplification attack using retry tokens and spoofed addresses (#2064)

Christian Huitema <> Thu, 13 December 2018 20:43 UTC


@mikkelfj : _"If a connection attempt fails halfway and client makes a new connection attempt with the same token, the only token it has, what happens then?"_  

The token is logically tied to the original CID. It is only valid in the context of that original connection. The client can repeat the second (retry) Initial packet, but it cannot reuse the token in a new connection attempt with a new CID. If the connection fails, the new attempt will have to start from scratch.

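The reply above says a Retry token is only valid in the context of the original connection attempt and cannot be carried into a new attempt with a new connection ID. The following is an added example (not code from this thread, from the quicwg/base-drafts repository, or from any QUIC implementation) of how a server can enforce that statelessly: the token carries the original DCID and the CID the server chose for the Retry, is authenticated with an HMAC keyed on the server secret and the client's address, and is accepted only when the Initial that presents it uses that same server-chosen CID, arrives from the same address, and is not expired. The token layout, the field names, the 10-second lifetime and the sample CIDs and addresses are all assumptions made for this example.

```python
# Added example, not code from the QUIC drafts: a stateless Retry token bound to the
# original connection context so it cannot be reused from a fresh connection attempt
# (different CID) or from a spoofed source address.
import hashlib
import hmac
import struct
import time

TAG_LEN = 32                 # HMAC-SHA256 output length
TOKEN_LIFETIME_SECONDS = 10  # assumed lifetime for this example


def _address_context(client_addr):
    """Canonical bytes for the client's (ip, port), mixed into the HMAC so a token
    is only valid from the address it was issued to."""
    ip, port = client_addr
    return ip.encode("ascii") + b"|" + struct.pack(">H", port)


def make_retry_token(key, client_addr, original_dcid, retry_scid, now=None):
    """Token layout (assumed): expiry(8) | odcid_len(1) | odcid | scid_len(1) | scid | tag(32).
    retry_scid is the CID the server put in its Retry packet; the client must use it
    as the DCID of the Initial that carries this token."""
    now = time.time() if now is None else now
    expiry = int(now) + TOKEN_LIFETIME_SECONDS
    fields = (struct.pack(">QB", expiry, len(original_dcid)) + original_dcid
              + struct.pack(">B", len(retry_scid)) + retry_scid)
    tag = hmac.new(key, _address_context(client_addr) + fields, hashlib.sha256).digest()
    return fields + tag


def parse_retry_token(token):
    """Split a token into (expiry, odcid, retry_scid, tag); None if malformed."""
    if len(token) < 10 + TAG_LEN:
        return None
    expiry, odcid_len = struct.unpack(">QB", token[:9])
    pos = 9
    odcid = token[pos:pos + odcid_len]
    pos += odcid_len
    if pos >= len(token):
        return None
    scid_len = token[pos]
    pos += 1
    retry_scid = token[pos:pos + scid_len]
    pos += scid_len
    tag = token[pos:]
    if len(odcid) != odcid_len or len(retry_scid) != scid_len or len(tag) != TAG_LEN:
        return None
    return expiry, odcid, retry_scid, tag


def validate_retry_token(key, token, client_addr, initial_dcid, now=None):
    """Return the original DCID if the token is valid for this Initial, else None.
    Rejects: bad/foreign-address MAC, expired token, and any Initial whose DCID is not
    the CID the server chose for the Retry (i.e. reuse in a new connection attempt)."""
    now = time.time() if now is None else now
    parsed = parse_retry_token(token)
    if parsed is None:
        return None
    expiry, odcid, retry_scid, tag = parsed
    fields = token[:-TAG_LEN]
    expected = hmac.new(key, _address_context(client_addr) + fields, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    if now > expiry:
        return None
    if initial_dcid != retry_scid:
        return None
    return odcid


def demo():
    """Constructed scenario: one valid second Initial and three rejected reuses."""
    key = b"\x11" * 32                          # constructed key; use a random, rotated secret
    client = ("192.0.2.10", 44444)              # constructed client address
    odcid = bytes.fromhex("0102030405060708")   # client's original DCID
    retry_scid = bytes.fromhex("a1a2a3a4a5a6a7a8")  # server-chosen CID sent in Retry
    t0 = 1_544_731_393                          # constructed issue time
    tok = make_retry_token(key, client, odcid, retry_scid, now=t0)
    return {
        "second_initial_ok": validate_retry_token(key, tok, client, retry_scid, now=t0 + 1),
        "new_cid_rejected": validate_retry_token(
            key, tok, client, bytes.fromhex("ffffffffffffffff"), now=t0 + 1),
        "spoofed_addr_rejected": validate_retry_token(
            key, tok, ("198.51.100.7", 44444), retry_scid, now=t0 + 1),
        "expired_rejected": validate_retry_token(key, tok, client, retry_scid, now=t0 + 60),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Because the token recovers the original DCID, the server can repeat the Retry-era checks (address and CID) without keeping per-attempt state, and a client whose attempt failed has nothing it can replay: a new attempt with a new CID fails the DCID check, a replay from another address fails the MAC, and an old token fails the expiry check, so the client starts from scratch exactly as the reply describes.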