Re: [quicwg/base-drafts] Be more conservative about migration? (#2143)

Eric Kinnear <notifications@github.com> Tue, 23 July 2019 05:08 UTC


The PR (so far) establishes the following definitions and guarantees:

## Definitions
### On-Path Attacker
An on-path attacker can:
- Inspect packets
- Modify unencrypted packet headers
- Inject new packets
- Delay packets
- Drop packets

An on-path attacker cannot:
- Modify encrypted packet payloads

### Off-Path Attacker
An off-path attacker can:
- Inspect packets
- Inject new packets

An off-path attacker cannot:
- Modify any part of a packet
- Delay packets
- Drop packets

### Limited On-Path Attacker
A limited on-path attacker can:
- Inspect packets
- Inject new packets
- Modify unencrypted packet headers

A limited on-path attacker cannot:
- Delay packets beyond the original packet duration
- Drop packets
- Modify encrypted packet payloads

## Guarantees
### On-Path Attacker
1. An on-path attacker can interrupt a QUIC connection, causing it to fail if it cannot migrate to a new path that does not contain the attacker. This can be achieved by dropping all packets, modifying them so that they fail to decrypt, or other methods.
2. An on-path attacker can prevent migration to a new path for which the attacker is also on-path by causing path validation to fail on the new path.
3. An on-path attacker cannot prevent a client from migrating to a path for which the attacker is not on-path.
4. An on-path attacker can reduce the throughput of a connection by delaying packets or dropping them.

### Off-Path Attacker
1. An off-path attacker can race packets and attempt to become a “limited” on-path attacker.
2. An off-path attacker can cause path validation to succeed for forwarded packets with the source address listed as the off-path attacker as long as it can provide improved connectivity between the client and the server.
3. An off-path attacker cannot cause a connection to close.
4. An off-path attacker cannot cause migration to a new path to fail if it cannot observe the new path.
5. An off-path attacker can become a limited on-path attacker during migration to a new path for which it is also an off-path attacker.
6. An off-path attacker can become a limited on-path attacker by affecting shared NAT state such that it sends packets to the server from the same IP address and port that the client originally used.

### Limited On-Path Attacker
1. A limited on-path attacker cannot cause an active connection to close.
2. A limited on-path attacker cannot cause an idle connection to close if the client is first to resume activity.
3. A limited on-path attacker can cause an idle connection to be deemed lost if the server is the first to resume activity.

There's more descriptive text in the PR, as well, covering in a bit more detail our expectations about capabilities of the attackers, pathologically worst-case behaviors they may engage in, etc.

https://github.com/quicwg/base-drafts/issues/2143#issuecomment-514055926
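A toy model of the packet race behind off-path guarantees 1, 2 and 5 above, added here as an illustration and not code from the PR or the QUIC drafts. `Server`, `race_for_path` and the other names are hypothetical, and the model simplifies the real protocol: it only switches the peer address once validation completes and ignores anti-amplification limits.

```python
# Hypothetical model of the migration race, not a QUIC implementation.
from dataclasses import dataclass, field
import secrets


@dataclass
class Packet:
    src: str        # UDP source address: visible to, and forgeable by, both attacker kinds
    pn: int         # packet number
    payload: dict   # stands in for the AEAD-protected payload; only the peers can forge it
    arrival: float  # simulated arrival time at the server


@dataclass
class Server:
    peer: str                                    # address currently believed to be the client
    highest_pn: int = -1
    pending: dict = field(default_factory=dict)  # address -> outstanding PATH_CHALLENGE data
    validated: set = field(default_factory=set)

    def receive(self, pkt):
        """Return the address that should be sent a PATH_CHALLENGE, or None."""
        resp = pkt.payload.get("path_response")
        if resp is not None:
            # A PATH_RESPONSE received on any path validates the path that was challenged.
            for addr, chal in list(self.pending.items()):
                if chal == resp:
                    self.validated.add(addr)
                    self.peer = addr
                    del self.pending[addr]
            return None  # probing packets never trigger migration
        if pkt.pn > self.highest_pn and pkt.src != self.peer:
            # Highest-numbered non-probing packet from a new address: start validating it.
            self.highest_pn = pkt.pn
            self.pending[pkt.src] = secrets.token_bytes(8)
            return pkt.src
        self.highest_pn = max(self.highest_pn, pkt.pn)
        return None


def race_for_path(attacker_latency, client_latency):
    """Client sends packet 7; an off-path attacker inspects it and injects a copy from
    its own address. It cannot drop or delay the original, so both arrive, and the
    attacker wins only when its copy gets there first (the 'improved connectivity')."""
    server = Server(peer="client")
    original = Packet("client", 7, {}, client_latency)
    copy = Packet("attacker", 7, {}, attacker_latency)  # identical payload, new source
    for pkt in sorted([original, copy], key=lambda p: p.arrival):
        if server.receive(pkt) == "attacker":
            # Attacker relays the challenge to the client, which alone can produce the
            # matching response, then forwards that response back to the server.
            relayed = Packet("attacker", 8, {"path_response": server.pending["attacker"]}, 0)
            server.receive(relayed)
    return server.peer, sorted(server.validated)
```

With a faster attacker the server validates and adopts the attacker's address, which then has to keep relaying to stay on the path; with a slower attacker the copy is ignored as a duplicate and nothing changes.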