Re: [quicwg/base-drafts] Document request forgery (#3996)

Jana Iyengar <> Wed, 19 August 2020 18:31 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 300DD3A0868 for <>; Wed, 19 Aug 2020 11:31:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.483
X-Spam-Status: No, score=-1.483 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_IMAGE_ONLY_24=1.618, HTML_MESSAGE=0.001, MAILING_LIST_MULTI=-1, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id mt_o9IRJMuKM for <>; Wed, 19 Aug 2020 11:31:22 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id E43293A083C for <>; Wed, 19 Aug 2020 11:31:21 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id DF803600DF9 for <>; Wed, 19 Aug 2020 11:31:20 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=pf2014; t=1597861880; bh=OV3rXAk5p1N3DfU0xyS2pziMT3xWtWRKmPSrhYuqjPU=; h=Date:From:Reply-To:To:Cc:In-Reply-To:References:Subject:List-ID: List-Archive:List-Post:List-Unsubscribe:From; b=yvUR9hNUt8JXjeJSVAgFYD3r+rq5JqvrEUC/LA6x5Bgf0qmQIMpc4ds1lN5HTTrvk xsTc2YuMVj7Db4+QzmS/rBWiir23hIy+FeJHQkpEDQaKwFtkPPuT0Z/1FR6eC8sv+w UhIkFealuBOXWLEKF2J1U+csHJUP28iBfnT4cPOw=
Date: Wed, 19 Aug 2020 11:31:20 -0700
From: Jana Iyengar <>
Reply-To: quicwg/base-drafts <>
To: quicwg/base-drafts <>
Cc: Subscribed <>
Message-ID: <quicwg/base-drafts/pull/3996/review/>
In-Reply-To: <quicwg/base-drafts/pull/>
References: <quicwg/base-drafts/pull/>
Subject: Re: [quicwg/base-drafts] Document request forgery (#3996)
Mime-Version: 1.0
Content-Type: multipart/alternative; boundary="--==_mimepart_5f3d6ff8d0e75_1d5719645559b"; charset="UTF-8"
Content-Transfer-Encoding: 7bit
Precedence: list
X-GitHub-Sender: janaiyengar
X-GitHub-Recipient: quic-issues
X-GitHub-Reason: subscribed
X-Auto-Response-Suppress: All
Archived-At: <>
X-Mailman-Version: 2.1.29
List-Id: Notification list for GitHub issues related to the QUIC WG <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 19 Aug 2020 18:31:23 -0000

@janaiyengar commented on this pull request.

> +feasible. The focus of the mitigations in subsequent sections is on limiting
+the ways to use datagrams that are sent prior to address validation for request
+### Request Forgery with Initial Packets
+Servers are assumed to be able to choose the IP address and port on which they
+advertise their availability, so Initial packets from clients are assumed to be
+available for use in this sort of attack. The address validation implicit in
+the handshake ensures that - for a new connection - a client will not send
+other types of packet to a destination that does not understand QUIC and is
+willing to accept connections.
+Initial packet protection (Section 5.2 of {{QUIC-TLS}}) makes it difficult for
+servers to control the content of Initial packets. A client choosing an

I think it's useful to clarify that this is not about the Initial packets from the server, which are trivially controllable.

You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub: