Re: [quicwg/base-drafts] Add initial threat model to security considerations (#2925)

Eric Kinnear <> Fri, 03 January 2020 16:46 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 8B2F1120091 for <>; Fri, 3 Jan 2020 08:46:18 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -8
X-Spam-Status: No, score=-8 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, MAILING_LIST_MULTI=-1, RCVD_IN_DNSWL_HI=-5, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id pAI3N3lpyENu for <>; Fri, 3 Jan 2020 08:46:15 -0800 (PST)
Received: from ( []) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id B1ED612008F for <>; Fri, 3 Jan 2020 08:46:15 -0800 (PST)
Date: Fri, 03 Jan 2020 08:46:15 -0800
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=pf2014; t=1578069975; bh=Ve5qCC39Y+sZr+S3Sse8XjMRegs5pu0sQeR2JMUjUMs=; h=Date:From:Reply-To:To:Cc:In-Reply-To:References:Subject:List-ID: List-Archive:List-Post:List-Unsubscribe:From; b=DlhYBPr5ytq+Yv/W29Ka0mI/ANjCBDs7Fhafo58xu5i9FpwIYGkPj7sTXQrJChF8k 8kpBHPkaaZj8GN/4mn1k2FYLJ8dtsHq3XEBzwZg1gzxQQapWLPFQecYkqB141I2Jqd ActLqO8S8VLvHCHyDCd5CInp53YiOGYVY2X9Gy0w=
From: Eric Kinnear <>
Reply-To: quicwg/base-drafts <>
To: quicwg/base-drafts <>
Cc: Subscribed <>
Message-ID: <quicwg/base-drafts/pull/2925/review/>
In-Reply-To: <quicwg/base-drafts/pull/>
References: <quicwg/base-drafts/pull/>
Subject: Re: [quicwg/base-drafts] Add initial threat model to security considerations (#2925)
Mime-Version: 1.0
Content-Type: multipart/alternative; boundary="--==_mimepart_5e0f6fd79b29_406b3f990c2cd96092350"; charset="UTF-8"
Content-Transfer-Encoding: 7bit
Precedence: list
X-GitHub-Sender: erickinnear
X-GitHub-Recipient: quic-issues
X-GitHub-Reason: subscribed
X-Auto-Response-Suppress: All
Archived-At: <>
X-Mailman-Version: 2.1.29
List-Id: Notification list for GitHub issues related to the QUIC WG <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 03 Jan 2020 16:46:19 -0000

erickinnear commented on this pull request.

Thanks for the review @MikeBishop! Applied suggestions and rewrapping.

> @@ -5874,6 +5874,288 @@ decisions are made independently of client-selected values; a Source Connection
 ID can be selected to route later packets to the same server.
+## Overview of Security Properties {#security-properties}
+A complete security analysis of QUIC is outside the scope of this document.
+This section provides an informal description of the desired security properties
+as an aid to implementors and to help guide protocol analysis.
+QUIC provides protection against various types of attacks, as described in more

Nice! No worries, rewrapped :)

> +any expensive computations at the cost of a single round trip.  After a
+successful handshake, servers can issue new tokens to a client which will allow
+new connection establishment without incurring this cost.
+#### On-Path Handshake Termination
+An on-path attacker can force the QUIC handshake to fail by replacing either the
+client or server Initial messages with invalid ones.  An off-path attacker can
+also mount this attack by racing the Initials.  Once valid Initial messages have
+been exchanged, the remaining handshake messages are protected with the
+handshake keys and an on-path attacker cannot force handshake failure, though
+they can produce a handshake timeout by dropping packets.
+An on-path attacker can also replace the addresses of packets on either side and
+therefore cause the client or server to have an incorrect view of the remote

Yes, great idea! Added a sentence here indicating that an attack here is indistinguishable from the presence of a NAT. (We've got a similar note about some of that later, but this is a great place to start people thinking in that direction.)

> +{{handshake-properties}}.  Similarly, any active attacker that observes QUIC
+packets and attempts to insert new data or modify existing data in those packets
+should not be able to generate packets deemed valid by the receiving endpoint.
+A spoofing attack, in which an active attacker rewrites unprotected parts of a
+QUIC packet that it forwards or injects, such as the source or destination
+address, is only effective if the attacker can forward packets to the original
+endpoint.  Packet protection ensures that the packet payloads can only be
+processed by the endpoints that completed the handshake, and invalid QUIC
+packets are ignored by those endpoints.
+An attacker can also modify the boundaries between QUIC packets and UDP
+datagrams, causing multiple packets to be coalesced into a single datagram, or
+splitting coalesced packets into multiple datagrams.  Such modification has no
+functional effect on a QUIC connection, although it might change the performance
+characteristics exhibited by the receiving endpoint.

Good thinking, it might be worth a note around those rules in the Initial that such a thing is possible (and might be more likely than if you just padded the initial packet?). PMTUD is probably worth calling out a little bit more clearly -- I'll file an editorial issue for each, since that's way elsewhere.

> +present between the QUIC client and server, and a QUIC endpoint is required to
+send packets through this attacker to establish connectivity on a given path.
+An on-path attacker can:
+- Inspect packets
+- Modify IP and UDP packet headers
+- Inject new packets
+- Delay packets
+- Reorder packets
+- Drop packets
+- Split and merge datagrams along packet boundaries
+An on-path attacker cannot:
+- Modify an authenticated and encrypted portion of a packet and cause the

This seems like a nice balance with the mention of both authentication and encryption in the later paragraph, while the specific capability is only around the authenticated portion.

You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub: