Re: [quicwg/base-drafts] Do Initial secrets change after Retry packet? (#2823)

Kazuho Oku <> Sat, 28 September 2019 07:11 UTC

Date: Sat, 28 Sep 2019 00:11:54 -0700
From: Kazuho Oku <>
Subject: Re: [quicwg/base-drafts] Do Initial secrets change after Retry packet? (#2823)
List-Id: Notification list for GitHub issues related to the QUIC WG <>

Reading @martinthomson's comment on, I think that the computation cost of mounting a DoS attack would change if we are to retain the original Initial secrets after Retry, as proposed in #2878.

In the current design, a server can use Retry packets to force clients to do an equal amount of HKDF extractions, as the CIDs found in Retry packets update the Initial secrets. However, if we adopt #2878, the clients will be given the freedom to choose the Initial key regardless of whether Retry is used.

That might open new attack vectors.

For example, a DDoS attacker might send Initial packets that carry the same DCID (or a small set of DCIDs) from multiple addresses, receive Retry tokens, then send back Initial packets carrying the correct tokens and CIDs. The clients can use the precomputed Initial secrets when sending back the Initial packets, the client.

I am not sure how important this kind of attack is, but I think we need to make sure that the change of computation cost is OK.

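As an added illustration of the cost difference described above (this is example code written for this page, not code from the thread or from any QUIC implementation), the block below derives the Initial secret the way QUIC does, HKDF-Extract over the Destination Connection ID with a fixed salt, and counts how many extractions a client needs to open many connections that share one DCID and each receive a Retry, once with the current rekey-on-Retry behaviour and once with the #2878 behaviour of keeping the original secret. It assumes the RFC 9001 QUIC v1 salt (the draft under discussion used a different salt value, but the derivation is the same) and a constructed sample DCID.

```python
import hashlib
import hmac

# QUIC v1 initial salt from RFC 9001; the draft discussed in this thread used a
# different salt value, but the derivation step is identical.
INITIAL_SALT = bytes.fromhex("38762cf7f55934b34d179ae6a4c80cadccbb7f0a")

# Constructed sample DCID (the client DCID used in RFC 9001 Appendix A).
SHARED_DCID = bytes.fromhex("8394c8f03e515708")

def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract (RFC 5869) with SHA-256: PRK = HMAC-SHA256(salt, ikm)."""
    return hmac.new(salt, ikm, hashlib.sha256).digest()

def initial_secret(dcid: bytes) -> bytes:
    """A connection's Initial secret depends only on the DCID and the fixed salt."""
    return hkdf_extract(INITIAL_SALT, dcid)

class CountingClient:
    """Client endpoint that caches Initial secrets per DCID and counts extractions."""
    def __init__(self) -> None:
        self.extract_calls = 0
        self._cache: dict = {}

    def secret_for(self, dcid: bytes) -> bytes:
        if dcid not in self._cache:
            self.extract_calls += 1
            self._cache[dcid] = initial_secret(dcid)
        return self._cache[dcid]

def client_extract_count(n_connections: int, rekey_after_retry: bool) -> int:
    """HKDF-Extract calls a client spends opening n connections that all start
    with SHARED_DCID and each receive a Retry.
    rekey_after_retry=True  : current design, the Retry SCID becomes the new DCID.
    rekey_after_retry=False : #2878 proposal, the original Initial secret is kept.
    """
    client = CountingClient()
    for i in range(n_connections):
        client.secret_for(SHARED_DCID)                  # first Initial packet
        retry_scid = i.to_bytes(8, "big")               # constructed per-connection Retry SCID
        second_dcid = retry_scid if rekey_after_retry else SHARED_DCID
        client.secret_for(second_dcid)                  # Initial packet carrying the token
    return client.extract_calls

if __name__ == "__main__":
    print("initial_secret:", initial_secret(SHARED_DCID).hex())
    print("current design :", client_extract_count(1000, True))   # 1001
    print("#2878 proposal :", client_extract_count(1000, False))  # 1
```

With rekeying, every Retry forces one fresh extraction on the client; without it, a client that reuses one DCID pays for a single extraction no matter how many connections it opens, which is the asymmetry the message asks the group to evaluate.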