Re: [quicwg/base-drafts] Spoofed retry token attack on IP authentication (#2394)

Kazuho Oku <> Fri, 01 February 2019 12:00 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id C332F127B4C for <>; Fri, 1 Feb 2019 04:00:12 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -12.553
X-Spam-Status: No, score=-12.553 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-4.553, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, MAILING_LIST_MULTI=-1, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id ZKMGCVJ6-SGV for <>; Fri, 1 Feb 2019 04:00:11 -0800 (PST)
Received: from ( []) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id C0885128CE4 for <>; Fri, 1 Feb 2019 04:00:10 -0800 (PST)
Date: Fri, 01 Feb 2019 04:00:09 -0800
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=pf2014; t=1549022409; bh=mbZUa7Lml4crv4RwSX53+jzOAHssYRAc8iTg1Ibh7wg=; h=Date:From:Reply-To:To:Cc:In-Reply-To:References:Subject:List-ID: List-Archive:List-Post:List-Unsubscribe:From; b=lr4sBKwCV9pcMf8eTfqgxs71N+YDnFZuvldhw6z211QzBwmYDFfWNDSYkE7GH0s5T /lQLYYleyfIPBCzoa/ccjjuPDiZYc6GiEclryn3e911IJDGvZvSvAqirvQ1TTXP5OV SYr+P3tU852PWoGenw982kZt/orRo6lxW7c2Xz1o=
From: Kazuho Oku <>
Reply-To: quicwg/base-drafts <>
To: quicwg/base-drafts <>
Cc: Subscribed <>
Message-ID: <quicwg/base-drafts/issues/2394/>
In-Reply-To: <quicwg/base-drafts/issues/>
References: <quicwg/base-drafts/issues/>
Subject: Re: [quicwg/base-drafts] Spoofed retry token attack on IP authentication (#2394)
Mime-Version: 1.0
Content-Type: multipart/alternative; boundary="--==_mimepart_5c5434c9814b4_a043f9b57ed45b8192e5"; charset="UTF-8"
Content-Transfer-Encoding: 7bit
Precedence: list
X-GitHub-Sender: kazuho
X-GitHub-Recipient: quic-issues
X-GitHub-Reason: subscribed
X-Auto-Response-Suppress: All
Archived-At: <>
X-Mailman-Version: 2.1.29
List-Id: Notification list for GitHub issues related to the QUIC WG <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 01 Feb 2019 12:00:13 -0000

This is an interesting attack, and I have several points that I would like to argue.

First, this is not an MOTS attack that we need to consider. Because the attack can be mounted by a malicious client. A client first obtains one token, then uses that token to create multiple connections. That is an attack vector that we need to fix (assuming that we haven't already).

Note also that we are giving up to have protection against on-path attackers injecting Initial packets.

Therefore, the protection method that @marten-seemann is fine. It's true that an MOTS attacker can race a Retry to prevent a legitimate client from establishing a connection. However that's not something we need to fix, considering that an MOTS attacker can simply inject an Initial packet containing a CONNECTION_CLOSE frame to disrupt the handshake.

Lastly, I would like to point out that there is another (possibly simpler) way of addressing the issue. A server can embed the server CID issued in the Retry packet in the Retry Token that it issues, and use the token to confirm that the Initial packet sent in response to the Retry contains the correct DCID.

I think we should recommend servers to implement some kind of protection.

You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub: