[quicwg/base-drafts] 25361f: Address validation for connection migration
Martin Thomson <martin.thomson@gmail.com> Mon, 16 October 2017 05:19 UTC
Return-Path: <bounce+565321.40f-quic-issues=ietf.org@github.com>
X-Original-To: quic-issues@ietfa.amsl.com
Delivered-To: quic-issues@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9CD85132026 for <quic-issues@ietfa.amsl.com>; Sun, 15 Oct 2017 22:19:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.798
X-Spam-Level:
X-Spam-Status: No, score=-0.798 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_ADSP_CUSTOM_MED=0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FREEMAIL_FORGED_FROMDOMAIN=0.199, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.001, NML_ADSP_CUSTOM_MED=0.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=github.com; domainkeys=pass (1024-bit key) header.sender=martin.thomson=gmail.com@github.com header.d=github.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ruGHVBPQ2qtv for <quic-issues@ietfa.amsl.com>; Sun, 15 Oct 2017 22:19:28 -0700 (PDT)
Received: from m71-131.mailgun.net (m71-131.mailgun.net [166.78.71.131]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6E3EF134285 for <quic-issues@ietf.org>; Sun, 15 Oct 2017 22:19:28 -0700 (PDT)
DKIM-Signature: a=rsa-sha256; v=1; c=relaxed/relaxed; d=github.com; q=dns/txt; s=mailo; t=1508131167; h=Content-Transfer-Encoding: Content-Type: Mime-Version: Subject: Message-ID: To: Reply-To: From: Date: Sender; bh=v3yTUZSCaGrS4FHuua93CMUxm+S0TkuPb7UvCis6CRs=; b=bTMWV00O4OQGf8iXnIzGK5NvuF8OHLId7YjbGZzQ9OyJgvv2N1nOuI1Ueo4JZyNuFCAIjQeH jLiqKvOcKnqcMWkatFSITepVnak46G3cxh+xjc5K70trC2vnSk/K8bPUNMyoEn8zIaz4jl0Z CIx45EsIk0Rv/aatLmAOdjBKjxg=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=github.com; s=mailo; q=dns; h=Sender: Date: From: Reply-To: To: Message-ID: Subject: Mime-Version: Content-Type: Content-Transfer-Encoding; b=qNDcMsyXEDkx/18UVp5ME+qqlHcBUvjW9aVwSV0A7LiGKAQ5sz9ijiOJ13lVonLNvHA4lP XAwI10cphy5O200BIuEqHllrY1yzVfGi44nCn9SUswtDt5FPYWdMGTJ0+7S+Yc/XwS21VhEW pfUowdbdFt6ZnaXhR1bT5q+90muDk=
Sender: martin.thomson=gmail.com@github.com
X-Mailgun-Sending-Ip: 166.78.71.131
X-Mailgun-Sid: WyJhNzYyYiIsICJxdWljLWlzc3Vlc0BpZXRmLm9yZyIsICI0MGYiXQ==
Received: from github.com (Unknown [192.30.252.35]) by mxa.mailgun.org with ESMTP id 59e4415e.7f5b3c553cc0-smtp-out-n02; Mon, 16 Oct 2017 05:19:26 -0000 (UTC)
Date: Sun, 15 Oct 2017 22:19:26 -0700
From: Martin Thomson <martin.thomson@gmail.com>
Reply-To: Martin Thomson <martin.thomson@gmail.com>
To: quic-issues@ietf.org
Message-ID: <59e4415eac66e_2a83fee48823c3411023b@hookshot-fe-92cdb05.cp1-iad.github.net.mail>
Subject: [quicwg/base-drafts] 25361f: Address validation for connection migration
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="--==_mimepart_59e4415eac314_2a83fee48823c34110156"; charset="UTF-8"
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic-issues/m4-RnfFjhpD2_YuGnaYqChlojSM>
X-BeenThere: quic-issues@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Notification list for GitHub issues related to the QUIC WG <quic-issues.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic-issues>, <mailto:quic-issues-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic-issues/>
List-Post: <mailto:quic-issues@ietf.org>
List-Help: <mailto:quic-issues-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic-issues>, <mailto:quic-issues-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 16 Oct 2017 05:19:30 -0000
Branch: refs/heads/proof-of-receipt Home: https://github.com/quicwg/base-drafts Commit: 25361f2fa61da64d37210c18cc64c2ca1819eff0 https://github.com/quicwg/base-drafts/commit/25361f2fa61da64d37210c18cc64c2ca1819eff0 Author: Martin Thomson <martin.thomson@gmail.com> Date: 2017-10-16 (Mon, 16 Oct 2017) Changed paths: M draft-ietf-quic-transport.md Log Message: ----------- Address validation for connection migration This has been much-discussed, and it's a relatively isolated change, so I did it. This modifies PING to have an optional payload and adds a PONG frame to echo the PING. An empty PING generates an ACK; a PING with a payload demands a PONG. Generating an unguessable PING is the basis of mid-connection address validation. If the PING is sent on the new path, and the PONG comes back, then the remote address is probably OK to use. I've taken the discussion in the issue into consideration here. There's a lot of potential nuance to capture in terms of how an endpoint might reduce and restore send rates, but I've done what I can to thread the gap between allowing unbounded sending along new and untested paths and allowing connections to get back to doing business. It's annoying that this makes PING and PONG so disparate. I think that we have a re-ordering of frames in our near future to correct minor infidelities like this. I didn't want to do that here and pollute this PR though. Closes #161. Commit: c0419697a6c7d3058db0d601a05e5bcace365bc2 https://github.com/quicwg/base-drafts/commit/c0419697a6c7d3058db0d601a05e5bcace365bc2 Author: Martin Thomson <martin.thomson@gmail.com> Date: 2017-10-16 (Mon, 16 Oct 2017) Changed paths: M draft-ietf-quic-transport.md Log Message: ----------- Avoid attack on address validation during connection migration The attack here is that an attacker might duplicate a legitimate packet and send that packet from an invalid address such that it arrives before the real copy. That causes the recipient to think that there was a connection migration. They will attempt to validate that address and this will fail. The connection is then closed. The fix is to cause a migration back to the original, legitimate address. For this to work, you need two things: 1. when a migration happens, abandon any validation on the old address on the expectation that it will fail 2. when a migration happens, make sure that you try to trigger packets from the old address first For the second point, I decided to mandate address validation, rather than an ordinary PING. The reason being that you have to retransmit the packet on that path and I doubt that implementations will want to have two sets of special machinery for transmiting - and retransmitting - frames on a specific path. Maybe this is too much of a constraint on implementations, so I'd like to hear from people about whether they would prefer a more generic requirement (send any packet that demands acknowledgment would work, it doesn't even have to be the same packet every time, though the usual situation will be that the packet will be lost, so you probably don't want to send anything important). Commit: 0f0ca7fa49d63b11aca4b9941d86f3da0d06a4df https://github.com/quicwg/base-drafts/commit/0f0ca7fa49d63b11aca4b9941d86f3da0d06a4df Author: Martin Thomson <martin.thomson@gmail.com> Date: 2017-10-16 (Mon, 16 Oct 2017) Changed paths: M draft-ietf-quic-transport.md Log Message: ----------- More review comments Commit: ef3864a594dfe7b687828c41296d7d30351e77fe https://github.com/quicwg/base-drafts/commit/ef3864a594dfe7b687828c41296d7d30351e77fe Author: Martin Thomson <martin.thomson@gmail.com> Date: 2017-10-16 (Mon, 16 Oct 2017) Changed paths: M draft-ietf-quic-transport.md Log Message: ----------- Require new PING on loss Compare: https://github.com/quicwg/base-drafts/compare/3ba9c175da01...ef3864a594df
- [quicwg/base-drafts] 25361f: Address validation f… Martin Thomson