IETF Logo Mail Archive

Re: [quicwg/base-drafts] Stateless reset oracle defense (#1554)

Kazuho Oku <notifications@github.com> Fri, 13 July 2018 00:11 UTC

Return-Path: <noreply@github.com>
X-Original-To: quic-issues@ietfa.amsl.com
Delivered-To: quic-issues@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E50F5131228 for <quic-issues@ietfa.amsl.com>; Thu, 12 Jul 2018 17:11:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -8.009
X-Spam-Level:
X-Spam-Status: No, score=-8.009 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, MAILING_LIST_MULTI=-1, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, T_DKIMWL_WL_HIGH=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=github.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xjLliZdyzIFb for <quic-issues@ietfa.amsl.com>; Thu, 12 Jul 2018 17:11:53 -0700 (PDT)
Received: from out-5.smtp.github.com (out-5.smtp.github.com [192.30.252.196]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E0B9D131223 for <quic-issues@ietf.org>; Thu, 12 Jul 2018 17:11:52 -0700 (PDT)
Date: Thu, 12 Jul 2018 17:11:52 -0700
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=github.com; s=pf2014; t=1531440712; bh=HWPHtROY0v+MyUH+QQvD0vFEryjF0rzoyu0RAKeU1gY=; h=Date:From:Reply-To:To:Cc:In-Reply-To:References:Subject:List-ID: List-Archive:List-Post:List-Unsubscribe:From; b=RiOAsy8We8RzH8ywxij4hj7f5wlnKBWtY+vqAcWezkCsHqVhb3X7OfqIwTAU6b8nI YUdjv/WE8XBUpMvLDlabLRQc/Rn2fn04TujbOXern3Xi9jI9S9jecKKtQnXnZioUvH fhxnHGDmTNZD6BnvI5MRcn/zehdAhQFUzYMoN7eU=
From: Kazuho Oku <notifications@github.com>
Reply-To: quicwg/base-drafts <reply+0166e4ab6ca9348e2abb34a8a9c19e5b6b28449a38a7b30692cf00000001175fb04892a169ce144b974b@reply.github.com>
To: quicwg/base-drafts <base-drafts@noreply.github.com>
Cc: Subscribed <subscribed@noreply.github.com>
Message-ID: <quicwg/base-drafts/pull/1554/review/136871375@github.com>
In-Reply-To: <quicwg/base-drafts/pull/1554@github.com>
References: <quicwg/base-drafts/pull/1554@github.com>
Subject: Re: [quicwg/base-drafts] Stateless reset oracle defense (#1554)
Mime-Version: 1.0
Content-Type: multipart/alternative; boundary="--==_mimepart_5b47ee484890d_18a53f86a0fdef881198e3"; charset="UTF-8"
Content-Transfer-Encoding: 7bit
Precedence: list
X-GitHub-Sender: kazuho
X-GitHub-Recipient: quic-issues
X-GitHub-Reason: subscribed
X-Auto-Response-Suppress: All
X-GitHub-Recipient-Address: quic-issues@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic-issues/lolggRpoH-uj_iGzpnwbbGQ0yd8>
X-BeenThere: quic-issues@ietf.org
X-Mailman-Version: 2.1.27
List-Id: Notification list for GitHub issues related to the QUIC WG <quic-issues.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic-issues>, <mailto:quic-issues-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic-issues/>
List-Post: <mailto:quic-issues@ietf.org>
List-Help: <mailto:quic-issues-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic-issues>, <mailto:quic-issues-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 13 Jul 2018 00:11:55 -0000

kazuho commented on this pull request.



> +packets for a given connection ID.  That is, the routing needs to ensure that a
+stateless reset is not generated unless the associated connection (as identified
+by the connection ID) cannot proceed.
+
+For endpoints that operate in clusters, instances that share a static key for
+stateless reset (see {{reset-token}}) MUST be arranged so that packets with a
+given connection ID always arrive at an instance that has connection state,
+unless that connection is no longer active.
+
+In the case of a cluster that uses dynamic load balancing, it's possible that a
+change in load balancer configuration could happen while an active instance
+retains connection state; even if an instance retains connection state, the
+change in routing and resulting stateless reset will result in the connection
+being terminated.  This is acceptable as long as the loss of connections during
+rebalancing is by design and not something that an external entity can
+influence.

I am not sure how the last sentence applies to the discussion in the paragraph.

If I understand correctly, the intent of the paragraph is to state that if there is no chance in the packet being routed to the correct server, it is logical to send a stateless reset rather than waiting for timeout. That is logical. However, the last sentence talks about frequency of rebalancing, which IMO is unrelated to whether if we send a reset or wait for timeout.

It seems to me that it might be a better idea to state here that, by using the rebalancing as an example, that sending stateless reset is preferable than waiting for timeout, and move the discussion about the frequency of rebalancing to somewhere else, since it is not an issue specific to QUIC having authenticated resets (TCP sharding using 5-tuple has the same issue).

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/quicwg/base-drafts/pull/1554#pullrequestreview-136871375

v2.23.0 | Report a Bug | By Email