Re: [quicwg/base-drafts] Expand AEAD limits to consider multi-user security. (#3789)

Martin Thomson <notifications@github.com> Fri, 26 June 2020 01:52 UTC

@martinthomson commented on this pull request.



> -  This means that packets that fail authentication will often use the packet
-  protection keys from the next key phase.  It is therefore necessary to also
-  track the number of packets that fail authentication with the next set of
-  packet protection keys.  To avoid exhaustion of both sets of keys, it might be
-  necessary to initiate two key updates in succession.
-
-For AEAD_AES_128_GCM, AEAD_AES_256_GCM, and AEAD_CHACHA20_POLY1305, the limit on
-the number of packets that fail authentication is 2^36.  Note that the analysis
-in {{AEBounds}} supports a higher limit for the AEAD_AES_128_GCM and
-AEAD_AES_256_GCM, but this specification recommends a lower limit.  For
-AEAD_AES_128_CCM, the limit on the number of packets that fail authentication
-is 2^23.5; see {{ccm-bounds}}.
+Endpoints MUST count the number of encrypted packets for each set of keys. If
+the number of encrypted packets with the same key exceeds a limit that is
+specific to the AEAD in use, the endpoint MUST stop using those keys. If a key
+update is not possible, the endpoint MUST immediately close the connection.
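
Review bot: In the added paragraph, the condition "exceeds a limit" only triggers after the limit has already been passed, and the last sentence then requires an immediate close, which itself means sending a packet protected with the keys the previous sentence says the endpoint MUST stop using. Suggest wording the rule so that the count must not go past the limit (act on reaching it, not on exceeding it) and stating what, if anything, may still be sent when no key update is possible. The removed lines also covered packets that fail authentication and gave per-AEAD values (2^36, 2^23.5), while the added lines shown here only refer to "a limit that is specific to the AEAD in use"; a cross-reference to where those limits and the failed-authentication count are now specified would help.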

I think that we need to just stop using the connection and send no more packets.  We probably need to be explicit about that and mention that a stateless reset is the only thing that can be sent thereafter.

An immediate close before reaching the limit might be recommended to avoid the sudden nature of that sort of close.
