Date: Mon, 01 Apr 2019 21:16:36 -0700
From: martinduke <notifications@github.com>
Reply-To: quicwg/base-drafts
 <reply+0166e4ab486f84d2d9ab6b102d75825566967fbdfa0fcb9e92cf0000000118baa42492a169ce19830385@reply.github.com>
To: quicwg/base-drafts <base-drafts@noreply.github.com>
Cc: Subscribed <subscribed@noreply.github.com>
Message-ID: <quicwg/base-drafts/issues/2582@github.com>
Subject: [quicwg/base-drafts] Attacks Against Address Migration (#2582)
Mime-Version: 1.0
Content-Type: multipart/alternative;
 boundary="--==_mimepart_5ca2e224241d4_330c3fcdde4d45b85852ed";
 charset=UTF-8
Content-Transfer-Encoding: 7bit
Precedence: list
X-GitHub-Sender: martinduke
X-GitHub-Recipient: quic-issues
X-GitHub-Reason: subscribed
X-Auto-Response-Suppress: All
X-GitHub-Recipient-Address: quic-issues@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic-issues/kqGEy20qRXEVSuePEGDZyDKp6fY>
X-BeenThere: quic-issues@ietf.org
X-Mailman-Version: 2.1.29
List-Id: Notification list for GitHub issues related to the QUIC WG
 <quic-issues.ietf.org>


----==_mimepart_5ca2e224241d4_330c3fcdde4d45b85852ed
Content-Type: text/plain;
 charset=UTF-8
Content-Transfer-Encoding: 7bit

There are a few DoS vectors in migration that aren't well addressed in the draft. @erickinnear will follow soon with a short PR to address this issue.

The current draft presents a specific case of a general attack. The generalized form of the attack is that the attacker observes both paths. He clones all packets from the client so that they appear to be from both addresses, and makes sure that all packets the server sends to each address both arrive at the client. He has the capability to out-race packets he observes.

The attacker might fabricate a NAT rebinding that didn't happen, or spoof the old address during a rebinding. 

With PATH_CHALLENGE going out on both paths, these duplicate packets create four outcomes depending on which packets arrive first: both paths appear to be valid, the right path only is valid, the wrong path only is valid, or neither path is valid. The current requirement that the source address of PATH_RESPONSE matches the destination of the PATH_CHALLENGE can cause validation of the correct path to fail.
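
Added example, not part of the original issue text or the QUIC drafts: a small model that enumerates every arrival order of the duplicated PATH_RESPONSE packets and applies the strict source-address rule described above, showing how the four outcomes arise. The address and challenge names are constructed, and the model assumes that the first PATH_RESPONSE carrying a challenge's data settles that challenge.

```python
from collections import Counter
from itertools import permutations

# Constructed names: RIGHT is the address the client really uses, WRONG is the
# address the duplicated packets make it appear to use.
RIGHT, WRONG = "right-addr", "wrong-addr"

# The server sends one PATH_CHALLENGE per address, each with distinct data.
CHALLENGES = {"data-R": RIGHT, "data-W": WRONG}

# Both challenges reach the client and every client packet is cloned onto both
# source addresses, so the server sees each response from each address.
RESPONSES = [(data, src) for data in CHALLENGES for src in (RIGHT, WRONG)]

LABELS = {
    (True, True): "both paths valid",
    (True, False): "right path only",
    (False, True): "wrong path only",
    (False, False): "neither path valid",
}


def validate(arrival_order):
    """Strict rule: the PATH_RESPONSE source must equal the address the
    matching PATH_CHALLENGE was sent to, otherwise validation fails.
    Assumption: the first response seen for a challenge decides it."""
    state = {}
    for data, src in arrival_order:
        dest = CHALLENGES[data]
        if dest not in state:
            state[dest] = (src == dest)  # True = validated, False = failed
    return state[RIGHT], state[WRONG]


def outcome_counts():
    """Count how many of the 24 arrival orders lead to each outcome."""
    counts = Counter(LABELS[validate(o)] for o in permutations(RESPONSES))
    return dict(counts)


def right_path_failures():
    """Arrival orders in which the genuine path fails validation."""
    return [o for o in permutations(RESPONSES) if not validate(o)[0]]


if __name__ == "__main__":
    for label, n in outcome_counts().items():
        print(f"{label}: {n} of 24 arrival orders")
    print("genuine path fails in", len(right_path_failures()), "orders")
```

Under this model the result depends only on arrival order, so the genuine path fails whenever the cloned copy of its response is the first to arrive.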

----==_mimepart_5ca2e224241d4_330c3fcdde4d45b85852ed--

