[quicwg/base-drafts] Attacks Against Address Migration (#2582)

martinduke <notifications@github.com> Tue, 02 April 2019 04:16 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/quic-issues/kqGEy20qRXEVSuePEGDZyDKp6fY>

There are a few DoS vectors in migration that aren't well addressed in the draft. @erickinnear will follow soon with a short PR to address this issue.

The current draft presents a specific case of a general attack. The generalized form of the attack is that the attacker observes both paths. He clones all packets from the client so that they appear to be from both addresses, and makes sure that all packets the server sends to each address both arrive at the client. He has the capability to out-race packets he observes.

The attacker might fabricate a NAT rebinding that didn't happen, or spoof the old address during a rebinding.

With PATH_CHALLENGE going out on both paths, these duplicate packets create four outcomes depending on which packets arrive first: both paths appear to be valid, the right path only is valid, the wrong path only is valid, or neither path is valid. The current requirement that the source address of PATH_RESPONSE matches the destination of the PATH_CHALLENGE can cause validation of the correct path to fail.
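The four outcomes described in the issue can be reproduced with a small model of the server's path-validation state. The code below is an added example written for this archive page; it is not code from the issue author or from any QUIC implementation. It assumes a "strict" server policy that matches the issue's reading of the draft: the first PATH_RESPONSE echoing a challenge's data consumes that challenge, and it validates the path only if the packet's source address equals the challenge's destination (a mismatch is recorded as a failed validation). For comparison it also models a hypothetical "by_challenge" policy (an assumption of this example, not something the issue proposes) under which any echo of the challenge data validates the path the challenge was sent on. The addresses, the attacker's race-winning choice per challenge, and the single-response-per-challenge rule are all constructed for the simulation.

```python
import secrets
from dataclasses import dataclass, field

# Constructed endpoint addresses (RFC 5737 documentation ranges), not from the issue.
OLD = "198.51.100.10:4433"   # address before the (real or fabricated) rebinding
NEW = "203.0.113.7:51000"    # address after the rebinding


@dataclass
class Response:
    data: bytes   # echoed PATH_CHALLENGE data
    src: str      # address the packet appears to come from at the server


@dataclass
class Server:
    # "strict": response source must equal challenge destination (issue's reading of the draft)
    # "by_challenge": any echo of the data validates the path the challenge was sent on (assumed alternative)
    policy: str
    pending: dict = field(default_factory=dict)   # challenge data -> destination address
    result: dict = field(default_factory=dict)    # destination address -> "valid" | "failed"

    def send_challenge(self, dst):
        data = secrets.token_bytes(8)   # 8 random bytes, as in a PATH_CHALLENGE frame
        self.pending[data] = dst
        return data

    def receive_response(self, resp):
        # Modelling assumption: the first response carrying this data consumes the challenge,
        # whether or not it validates; later duplicates are ignored.
        dst = self.pending.pop(resp.data, None)
        if dst is None:
            return
        if self.policy == "by_challenge" or resp.src == dst:
            self.result[dst] = "valid"
        else:
            self.result[dst] = "failed"


def simulate(policy, first_src):
    """One migration where the server challenges both addresses.

    The on-path attacker delivers both challenges to the client, and clones each
    PATH_RESPONSE so the server sees it from OLD and from NEW.  first_src maps a
    challenge's destination to whichever clone the attacker lets the server see first.
    """
    server = Server(policy)
    challenges = {addr: server.send_challenge(addr) for addr in (OLD, NEW)}
    for dst, data in challenges.items():
        winner = first_src[dst]
        loser = NEW if winner == OLD else OLD
        server.receive_response(Response(data, winner))
        server.receive_response(Response(data, loser))
    return server.result


def classify(result, client_addr):
    """Name the outcome relative to where the client really is."""
    valid = {addr for addr, r in result.items() if r == "valid"}
    wrong = OLD if client_addr == NEW else NEW
    if valid == {OLD, NEW}:
        return "both valid"
    if valid == {client_addr}:
        return "right path only"
    if valid == {wrong}:
        return "wrong path only"
    return "neither valid"


def all_outcomes(policy, client_addr=NEW):
    """Enumerate the four race orderings the attacker can choose."""
    outcomes = {}
    for first_old in (OLD, NEW):
        for first_new in (OLD, NEW):
            order = {OLD: first_old, NEW: first_new}
            outcomes[(first_old, first_new)] = classify(simulate(policy, order), client_addr)
    return outcomes


if __name__ == "__main__":
    for policy in ("strict", "by_challenge"):
        print(policy)
        for (first_old, first_new), outcome in all_outcomes(policy).items():
            print(f"  OLD-challenge echo seen first from {first_old}, "
                  f"NEW-challenge echo seen first from {first_new}: {outcome}")
```

Under the strict policy the attacker picks the outcome by choosing which clone wins each race, and in two of the four orderings the client's real address (NEW here) fails validation even though the client answered correctly. The by_challenge policy never fails the correct path, but it also leaves both addresses validated in every ordering, since the attacker still delivers the OLD-path challenge to the client; the example illustrates the validation rule's failure mode, not a complete defence against an attacker who controls both paths.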
