Re: [quicwg/base-drafts] Do Initial secrets change after Retry packet? (#2823)
Kazuho Oku <notifications@github.com> Sat, 28 September 2019 07:11 UTC
Return-Path: <noreply@github.com>
X-Original-To: quic-issues@ietfa.amsl.com
Delivered-To: quic-issues@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DA74F12003F for <quic-issues@ietfa.amsl.com>; Sat, 28 Sep 2019 00:11:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.899
X-Spam-Level:
X-Spam-Status: No, score=-7.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, MAILING_LIST_MULTI=-1, RCVD_IN_DNSWL_HI=-5, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id d4H48_KC_oDH for <quic-issues@ietfa.amsl.com>; Sat, 28 Sep 2019 00:11:56 -0700 (PDT)
Received: from out-4.smtp.github.com (out-4.smtp.github.com [192.30.252.195]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id ED681120018 for <quic-issues@ietf.org>; Sat, 28 Sep 2019 00:11:55 -0700 (PDT)
Received: from github-lowworker-9bcb4a1.ac4-iad.github.net (github-lowworker-9bcb4a1.ac4-iad.github.net [10.52.25.84]) by smtp.github.com (Postfix) with ESMTP id 0C360C60689 for <quic-issues@ietf.org>; Sat, 28 Sep 2019 00:11:55 -0700 (PDT)
Date: Sat, 28 Sep 2019 00:11:54 -0700
From: Kazuho Oku <notifications@github.com>
Reply-To: quicwg/base-drafts <reply+AFTOJKZFHPJEROC2TLURC6N3TQ5DVEVBNHHBWWQD7M@reply.github.com>
To: quicwg/base-drafts <base-drafts@noreply.github.com>
Cc: Subscribed <subscribed@noreply.github.com>
Message-ID: <quicwg/base-drafts/issues/2823/536161181@github.com>
In-Reply-To: <quicwg/base-drafts/issues/2823@github.com>
References: <quicwg/base-drafts/issues/2823@github.com>
Subject: Re: [quicwg/base-drafts] Do Initial secrets change after Retry packet? (#2823)
Mime-Version: 1.0
Content-Type: multipart/alternative; boundary="--==_mimepart_5d8f07baf1c2e_5dc23fd6baacd96c11907b"; charset="UTF-8"
Content-Transfer-Encoding: 7bit
Precedence: list
X-GitHub-Sender: kazuho
X-GitHub-Recipient: quic-issues
X-GitHub-Reason: subscribed
X-Auto-Response-Suppress: All
X-GitHub-Recipient-Address: quic-issues@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic-issues/eRq8jHE3wPUBGUj3MJ4L5z4dSg4>
X-BeenThere: quic-issues@ietf.org
X-Mailman-Version: 2.1.29
List-Id: Notification list for GitHub issues related to the QUIC WG <quic-issues.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic-issues>, <mailto:quic-issues-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic-issues/>
List-Post: <mailto:quic-issues@ietf.org>
List-Help: <mailto:quic-issues-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic-issues>, <mailto:quic-issues-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 28 Sep 2019 07:11:58 -0000
Reading @martinthomson's comment on https://github.com/quicwg/base-drafts/issues/3014#issuecomment-535016758, I think that the computation cost of mounting a DoS attack would change if we are to retain the original Initial secrets after Retry, as proposed in #2878. In the current design, a server can use Retry packets to enforce clients to do equal amount of HKDF extractions, as the CIDs found in Retry packets update the Initial secrets. However, if we adopt #2878, the clients will given the freedom to choose the Initial key regardless of if Retry is used. That might open new attack vectors. For example, a DDoS attacker might send Initial packets that carry the same DCID (or a small set of DCIDs) from multiple addresses, receive Retry tokens, then send back Initial packets carrying the correct tokens and CIDs. The clients can use the precomputed Initial secrets when sending back the Initial packets, the client. I am not sure how important this kind of attack is, but I think we need to make sure that the change of computation cost is OK. -- You are receiving this because you are subscribed to this thread. Reply to this email directly or view it on GitHub: https://github.com/quicwg/base-drafts/issues/2823#issuecomment-536161181
- [quicwg/base-drafts] Do Initial secrets change af… Nick Harper
- Re: [quicwg/base-drafts] Do Initial secrets chang… ianswett
- Re: [quicwg/base-drafts] Do Initial secrets chang… Nick Banks
- Re: [quicwg/base-drafts] Do Initial secrets chang… Kazuho Oku
- Re: [quicwg/base-drafts] Do Initial secrets chang… Marten Seemann
- Re: [quicwg/base-drafts] Do Initial secrets chang… Kazuho Oku
- Re: [quicwg/base-drafts] Do Initial secrets chang… Nick Banks
- Re: [quicwg/base-drafts] Do Initial secrets chang… Mike Bishop
- Re: [quicwg/base-drafts] Do Initial secrets chang… Martin Thomson
- Re: [quicwg/base-drafts] Do Initial secrets chang… Lars Eggert
- Re: [quicwg/base-drafts] Do Initial secrets chang… Nick Harper
- Re: [quicwg/base-drafts] Do Initial secrets chang… Martin Thomson
- Re: [quicwg/base-drafts] Do Initial secrets chang… Dmitri Tikhonov
- Re: [quicwg/base-drafts] Do Initial secrets chang… David Schinazi
- Re: [quicwg/base-drafts] Do Initial secrets chang… ianswett
- Re: [quicwg/base-drafts] Do Initial secrets chang… ianswett
- Re: [quicwg/base-drafts] Do Initial secrets chang… Kazuho Oku
- Re: [quicwg/base-drafts] Do Initial secrets chang… Martin Thomson
- Re: [quicwg/base-drafts] Do Initial secrets chang… ianswett
- Re: [quicwg/base-drafts] Do Initial secrets chang… Mark Nottingham
- Re: [quicwg/base-drafts] Do Initial secrets chang… Martin Thomson
- Re: [quicwg/base-drafts] Do Initial secrets chang… Martin Thomson