Re: [quicwg/base-drafts] Client's initial destination CID is unauthenticated (#1486)
Kazuho Oku <notifications@github.com> Wed, 27 June 2018 07:19 UTC
Return-Path: <noreply@github.com>
X-Original-To: quic-issues@ietfa.amsl.com
Delivered-To: quic-issues@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CBFB2130E47 for <quic-issues@ietfa.amsl.com>; Wed, 27 Jun 2018 00:19:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -8.01
X-Spam-Level:
X-Spam-Status: No, score=-8.01 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, MAILING_LIST_MULTI=-1, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, T_DKIMWL_WL_HIGH=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=github.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nudxiOkur57j for <quic-issues@ietfa.amsl.com>; Wed, 27 Jun 2018 00:19:19 -0700 (PDT)
Received: from out-16.smtp.github.com (out-16.smtp.github.com [192.30.254.199]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4FD7E130E8D for <quic-issues@ietf.org>; Wed, 27 Jun 2018 00:19:19 -0700 (PDT)
Date: Wed, 27 Jun 2018 00:19:18 -0700
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=github.com; s=pf2014; t=1530083958; bh=L2HU5HG5wRqhkqLSrup2DrLNAKYrfGbHsQVsl08zLMc=; h=Date:From:Reply-To:To:Cc:In-Reply-To:References:Subject:List-ID: List-Archive:List-Post:List-Unsubscribe:From; b=AhaGpqzZNvImb4iKusGa7rALzV26tpPK0n5e2uH8xkhLKO4H1x5syN9BjQqeHtOM/ hA5HyiSU0NyHt6YI4sP4641IQi/ns79dQQQgMm0Juu+zSD4Yh6dQ8JG/pc7WJfkXv6 ujMRdglnWwipdv738sMVLQqDoHwlmJx7vlhAuynw=
From: Kazuho Oku <notifications@github.com>
Reply-To: quicwg/base-drafts <reply+0166e4ab157fab0ac69661208c68d647d671d4f0e58dff8292cf00000001174afc7692a169ce140801b8@reply.github.com>
To: quicwg/base-drafts <base-drafts@noreply.github.com>
Cc: Subscribed <subscribed@noreply.github.com>
Message-ID: <quicwg/base-drafts/issues/1486/400568727@github.com>
In-Reply-To: <quicwg/base-drafts/issues/1486@github.com>
References: <quicwg/base-drafts/issues/1486@github.com>
Subject: Re: [quicwg/base-drafts] Client's initial destination CID is unauthenticated (#1486)
Mime-Version: 1.0
Content-Type: multipart/alternative; boundary="--==_mimepart_5b333a76703ec_c6a2ad40345cf5c176998"; charset="UTF-8"
Content-Transfer-Encoding: 7bit
Precedence: list
X-GitHub-Sender: kazuho
X-GitHub-Recipient: quic-issues
X-GitHub-Reason: subscribed
X-Auto-Response-Suppress: All
X-GitHub-Recipient-Address: quic-issues@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic-issues/jjXTbhhdg1rOIE6D99SnhDgtRYs>
X-BeenThere: quic-issues@ietf.org
X-Mailman-Version: 2.1.26
List-Id: Notification list for GitHub issues related to the QUIC WG <quic-issues.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic-issues>, <mailto:quic-issues-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic-issues/>
List-Post: <mailto:quic-issues@ietf.org>
List-Help: <mailto:quic-issues-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic-issues>, <mailto:quic-issues-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 27 Jun 2018 07:19:21 -0000
> Ahh, though it's only the first one, that might be enough. Not sure how much this matters, but we should do something, even if that is only write this down. Yes. Consider you want to build a middlebox that verifies Client Hello. What you might do is: * precompute AES-CTR for a special 8-octet CID (e.g., 0000000000000000) * send a Retry packet that contains the special CID in the source CID field and a zero-length token for every Initial packet that does not contain the special CID in the destination CID field By doing these, a middlebox can skip the cost of AES for decrypting the Initial packet, because the every Initial packet that it forwards will be encrypted using the same bitstream. I think we should permit the use of zero-length token, because it would be useful for *stateful* path validation. OTOH, I would like to prevent seeing these kind of hacks being applied by middleboxes (since it is an ossification concern), if the cost of preventing it is marginal. IMO, including initial DCID in TP and requiring the servers to validate the value when possible meets that goal. -- You are receiving this because you are subscribed to this thread. Reply to this email directly or view it on GitHub: https://github.com/quicwg/base-drafts/issues/1486#issuecomment-400568727
- Re: [quicwg/base-drafts] Client's initial destina… MikkelFJ
- Re: [quicwg/base-drafts] Client's initial destina… Igor Lubashev
- Re: [quicwg/base-drafts] Client's initial destina… Kazuho Oku
- Re: [quicwg/base-drafts] Client's initial destina… Martin Thomson
- Re: [quicwg/base-drafts] Client's initial destina… Kazuho Oku
- Re: [quicwg/base-drafts] Client's initial destina… Martin Thomson
- Re: [quicwg/base-drafts] Client's initial destina… Kazuho Oku
- [quicwg/base-drafts] Client's initial destination… Kazuho Oku
- Re: [quicwg/base-drafts] Client's initial destina… MikkelFJ
- Re: [quicwg/base-drafts] Client's initial destina… ekr
- Re: [quicwg/base-drafts] Client's initial destina… MikkelFJ
- Re: [quicwg/base-drafts] Client's initial destina… ekr
- Re: [quicwg/base-drafts] Client's initial destina… MikkelFJ
- Re: [quicwg/base-drafts] Client's initial destina… ekr
- Re: [quicwg/base-drafts] Client's initial destina… MikkelFJ
- Re: [quicwg/base-drafts] Client's initial destina… MikkelFJ
- Re: [quicwg/base-drafts] Client's initial destina… Mike Bishop
- Re: [quicwg/base-drafts] Client's initial destina… MikkelFJ
- Re: [quicwg/base-drafts] Client's initial destina… Igor Lubashev
- Re: [quicwg/base-drafts] Client's initial destina… Igor Lubashev
- Re: [quicwg/base-drafts] Client's initial destina… MikkelFJ
- Re: [quicwg/base-drafts] Client's initial destina… Igor Lubashev
- Re: [quicwg/base-drafts] Client's initial destina… MikkelFJ
- Re: [quicwg/base-drafts] Client's initial destina… janaiyengar
- Re: [quicwg/base-drafts] Client's initial destina… MikkelFJ
- Re: [quicwg/base-drafts] Client's initial destina… Kazuho Oku
- Re: [quicwg/base-drafts] Client's initial destina… MikkelFJ
- Re: [quicwg/base-drafts] Client's initial destina… Martin Thomson
- Re: [quicwg/base-drafts] Client's initial destina… MikkelFJ
- Re: [quicwg/base-drafts] Client's initial destina… MikkelFJ
- Re: [quicwg/base-drafts] Client's initial destina… Kazuho Oku
- Re: [quicwg/base-drafts] Client's initial destina… Antoine Delignat-Lavaud
- Re: [quicwg/base-drafts] Client's initial destina… MikkelFJ
- Re: [quicwg/base-drafts] Client's initial destina… Antoine Delignat-Lavaud
- Re: [quicwg/base-drafts] Client's initial destina… MikkelFJ
- Re: [quicwg/base-drafts] Client's initial destina… Mike Bishop
- Re: [quicwg/base-drafts] Client's initial destina… Mike Bishop