Re: [quicwg/base-drafts] Add retry integrity tag (#3120)

Christian Huitema <> Fri, 15 November 2019 06:43 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id C0AB31200FE for <>; Thu, 14 Nov 2019 22:43:51 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -7.999
X-Spam-Status: No, score=-7.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_IMAGE_ONLY_32=0.001, HTML_MESSAGE=0.001, MAILING_LIST_MULTI=-1, RCVD_IN_DNSWL_HI=-5, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id GtjMTJ2VSTpu for <>; Thu, 14 Nov 2019 22:43:49 -0800 (PST)
Received: from ( []) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id BA57E1200FD for <>; Thu, 14 Nov 2019 22:43:49 -0800 (PST)
Received: from ( []) by (Postfix) with ESMTP id 9D1A1520357 for <>; Thu, 14 Nov 2019 22:43:48 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=pf2014; t=1573800228; bh=b2VfRtOURa0p2jQ23qRGJTZGiII4dsWQwhd+siL9TSY=; h=Date:From:Reply-To:To:Cc:In-Reply-To:References:Subject:List-ID: List-Archive:List-Post:List-Unsubscribe:From; b=g7uWMwrb3FbylzCDWBnZdRQf9Ey0nYlvVYfEKIUtAUDHoFot8MurgcnX735DZ9dQi MTmBqsbl7wCYFd4g/nOepq1ZkS3GBZV9QMj7XjLashznMhq9zps+Qxg4tXgVewuWCv qfc4U9m/4euXdXb//+lxYnQ4751SY1J2KVnYCf3o=
Date: Thu, 14 Nov 2019 22:43:48 -0800
From: Christian Huitema <>
Reply-To: quicwg/base-drafts <>
To: quicwg/base-drafts <>
Cc: Subscribed <>
Message-ID: <quicwg/base-drafts/pull/3120/review/>
In-Reply-To: <quicwg/base-drafts/pull/>
References: <quicwg/base-drafts/pull/>
Subject: Re: [quicwg/base-drafts] Add retry integrity tag (#3120)
Mime-Version: 1.0
Content-Type: multipart/alternative; boundary="--==_mimepart_5dce49248e08e_2cdb3fdb36ccd96c33966c"; charset="UTF-8"
Content-Transfer-Encoding: 7bit
Precedence: list
X-GitHub-Sender: huitema
X-GitHub-Recipient: quic-issues
X-GitHub-Reason: subscribed
X-Auto-Response-Suppress: All
Archived-At: <>
X-Mailman-Version: 2.1.29
List-Id: Notification list for GitHub issues related to the QUIC WG <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 15 Nov 2019 06:43:52 -0000

huitema commented on this pull request.

> +The Retry Pseudo-Packet is not sent over the wire. It is computed by taking
+the transmitted Retry packet, removing the Retry Integrity Tag and prepending
+the two following fields:
+: The ODCID Len contains the length in bytes of the Original Destination
+  Connection ID field that follows it, encoded as an 8-bit unsigned integer.
+Original Destination Connection ID:
+: The Original Destination Connection ID contains the value of the Destination
+  Connection ID from the Initial packet that this Retry is in response to. The
+  length of this field is given in ODCID Len. The presence of this field
+  mitigates an off-path attacker's ability to inject a Retry packet.

If the off-path attacker has not seen the client's initial packet, it cannot set the DCID of the Retry to the SCID of the client's Initial, which means the Retry would be rejected by the client already.

The additional protection is only effective if the client uses predictable CID, e.g. zero length -- but that's a truly bad idea for a variety of reasons. Such clients would be exposed to other attacks, e.g. injecting random bytes in the crypto-stream.

So in practice, the retry attack is only effective if the attacker is "in the middle" or "on the side". And the checksum will not protect against that.

You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub: