Re: [quicwg/base-drafts] Document request forgery (#3996)

ekr <> Fri, 28 August 2020 17:17 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 9BD0D3A0E85 for <>; Fri, 28 Aug 2020 10:17:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -3.101
X-Spam-Status: No, score=-3.101 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, MAILING_LIST_MULTI=-1, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 5PsToHNSe8HO for <>; Fri, 28 Aug 2020 10:17:07 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 1A95C3A0E83 for <>; Fri, 28 Aug 2020 10:17:06 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id 38C6856074D for <>; Fri, 28 Aug 2020 10:17:06 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=pf2014; t=1598635026; bh=Ir5GLFK0UCsq6vDl1Xx/wYzEaeZ1pCmBvOKvHocyJ5c=; h=Date:From:Reply-To:To:Cc:In-Reply-To:References:Subject:List-ID: List-Archive:List-Post:List-Unsubscribe:From; b=f9yS5j1t8kzd8cGyAHXh9sfz5hcCRR95cvmm6uoTkJCkk5cc0Lpp1zYeJjibzGPT1 Yk6yP0ysnT4lKE+3P0+yW4wkwQc4eCMDlC5kxj4RAOB8/Na+Veq9HZW9PWJfK+OuvI DsBBOu7j8uqXJW3+vpeUCIxeLb+VVAqOby8Bmvsk=
Date: Fri, 28 Aug 2020 10:17:06 -0700
From: ekr <>
Reply-To: quicwg/base-drafts <>
To: quicwg/base-drafts <>
Cc: Subscribed <>
Message-ID: <quicwg/base-drafts/pull/3996/review/>
In-Reply-To: <quicwg/base-drafts/pull/>
References: <quicwg/base-drafts/pull/>
Subject: Re: [quicwg/base-drafts] Document request forgery (#3996)
Mime-Version: 1.0
Content-Type: multipart/alternative; boundary="--==_mimepart_5f493c1228a45_25fb1964155870"; charset="UTF-8"
Content-Transfer-Encoding: 7bit
Precedence: list
X-GitHub-Sender: ekr
X-GitHub-Recipient: quic-issues
X-GitHub-Reason: subscribed
X-Auto-Response-Suppress: All
Archived-At: <>
X-Mailman-Version: 2.1.29
List-Id: Notification list for GitHub issues related to the QUIC WG <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 28 Aug 2020 17:17:09 -0000

@ekr commented on this pull request.

> +used for request forgery.
+### Request Forgery with Client Initial Packets
+An attacker acting as a server can choose the IP address and port on which it
+advertises its availability, so Initial packets from clients are assumed to be
+available for use in this sort of attack. The address validation implicit in
+the handshake ensures that - for a new connection - a client will not send
+other types of packet to a destination that does not understand QUIC or is not
+willing to accept a QUIC connection.
+Initial packet protection (Section 5.2 of {{QUIC-TLS}}) makes it difficult for
+servers to control the content of Initial packets sent by clients. A client
+choosing an unpredictable Destination Connection ID ensures that servers are
+unable to control any of the encrypted portion of Initial packets from clients.

I don't believe that this is correct as written if there is a Retry because the server gets to control the next DCID. I don't think that this is relevant because you would need a round trip to make it work (I think!) but...

> +A client MUST NOT send non-probing frames to a preferred address prior to
+validating that address; see {{address-validation}}. This greatly reduces the
+options that a server has to control the encrypted portion of datagrams.
+This document does not offer any additional countermeasures that are specific
+to use of preferred addresses and can be implemented by endpoints. The generic
+measures described in {{forgery-generic}} could be used as further mitigation.
+### Request Forgery with Spoofed Migration
+Clients are able to present a spoofed source address as part of an apparent
+connection migration to cause a server to send datagrams to that address.
+The Destination Connection ID field in any packets that a server subsequently
+sends to this spoofed address can be used for request forgery.

Actually, I think not just DCID. Consider a (contrived) protocol in which the server was able to dictate the contents of the client's plaintext message. Because the server knows the keys, it can then produce any ciphertext of its choice.

You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub: