Re: [quicwg/base-drafts] Document request forgery (#3996)

Martin Thomson <> Tue, 01 September 2020 22:13 UTC

List-Id: Notification list for GitHub issues related to the QUIC WG <>

@martinthomson commented on this pull request.

> +frames in packets prior to completing address validation. Note that this does
+not prevent an attacker from using the Destination Connection ID field for an
+Endpoints are not expected to have specific information about the location of
+servers that could be vulnerable targets of a request forgery attack. However,
+it might be possible over time to identify specific UDP ports that are common
+targets of attacks or particular patterns in datagrams that are used for
+attacks. Endpoints MAY choose to avoid sending datagrams to these ports or not
+send datagrams that match these patterns prior to validating the destination
+address. Endpoints MAY retire connection IDs containing patterns known to be
+problematic without using them.
+: Modifying endpoints to apply these protections is more efficient than
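
Review bot: The two MAY statements that close this paragraph do not say what the endpoint does in place of sending. "Endpoints MAY choose to avoid sending datagrams to these ports or not send datagrams that match these patterns prior to validating the destination address" leaves the outcome for the affected address open, so state the fallback explicitly. The "avoid sending ... or not send" construction is also hard to parse; "MAY choose not to send datagrams to these ports, or datagrams that match these patterns, prior to validating the destination address" reads more cleanly. In the connection ID sentence, "patterns known to be problematic" is undefined; say that the set of ports and patterns is implementation-defined so the text does not imply a shared list exists.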

The first requires that the endpoint decide *before* it sends anything.  It can't add a round trip, because that round trip would enable the attack.
