IETF Logo Mail Archive

Re: [quicwg/base-drafts] Stateless reset oracle defense (#1554)

ianswett <notifications@github.com> Mon, 30 July 2018 15:28 UTC

Return-Path: <bounces+848413-a050-quic-issues=ietf.org@sgmail.github.com>
X-Original-To: quic-issues@ietfa.amsl.com
Delivered-To: quic-issues@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3A46A13110C for <quic-issues@ietfa.amsl.com>; Mon, 30 Jul 2018 08:28:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.009
X-Spam-Level:
X-Spam-Status: No, score=-3.009 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, MAILING_LIST_MULTI=-1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, T_DKIMWL_WL_HIGH=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=github.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id alTbCDqVKL4I for <quic-issues@ietfa.amsl.com>; Mon, 30 Jul 2018 08:28:30 -0700 (PDT)
Received: from o4.sgmail.github.com (o4.sgmail.github.com [192.254.112.99]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A3AB713110D for <quic-issues@ietf.org>; Mon, 30 Jul 2018 08:28:15 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d=github.com; h=from:reply-to:to:cc:in-reply-to:references:subject:mime-version:content-type:content-transfer-encoding:list-id:list-archive:list-post:list-unsubscribe; s=s20150108; bh=jMp7O728TPPupnVQ3tV341c9R+Q=; b=xcjEVMDLpYMj0FaU FFLTs21eSJloCOwXHpj4UmtlITNGf0R8E/Fu++ptPIMOLL08/MOJaLOTW5OCleFi EV821Kcng14StC2l02BK8rsUJc92TL48K73/VnOkFM8q5FONSVVOzPWEMPzEZDjH U+0x4UXxr+cNNzBs/bfX2bBhvho=
Received: by filter0854p1las1.sendgrid.net with SMTP id filter0854p1las1-21044-5B5F2E8D-9 2018-07-30 15:28:13.211237755 +0000 UTC m=+407394.802547944
Received: from github-lowworker14-cp1-prd.iad.github.net (unknown [192.30.252.38]) by ismtpd0003p1iad1.sendgrid.net (SG) with ESMTP id xPZ3LL7pSayi2xIZSugCHA for <quic-issues@ietf.org>; Mon, 30 Jul 2018 15:28:12.974 +0000 (UTC)
Received: from github.com (localhost [127.0.0.1]) by github-lowworker14-cp1-prd.iad.github.net (Postfix) with ESMTP id E1FE0DFDB7 for <quic-issues@ietf.org>; Mon, 30 Jul 2018 08:28:12 -0700 (PDT)
Date: Mon, 30 Jul 2018 15:28:13 +0000
From: ianswett <notifications@github.com>
Reply-To: quicwg/base-drafts <reply+0166e4ab169e5bcab07ba38f9bd5bf9f5a9efa259b70e03092cf000000011776f08c92a169ce144b974b@reply.github.com>
To: quicwg/base-drafts <base-drafts@noreply.github.com>
Cc: Subscribed <subscribed@noreply.github.com>
Message-ID: <quicwg/base-drafts/pull/1554/review/141579246@github.com>
In-Reply-To: <quicwg/base-drafts/pull/1554@github.com>
References: <quicwg/base-drafts/pull/1554@github.com>
Subject: Re: [quicwg/base-drafts] Stateless reset oracle defense (#1554)
Mime-Version: 1.0
Content-Type: multipart/alternative; boundary="--==_mimepart_5b5f2e8cdf726_6a983f84f1cbe624887df"; charset="UTF-8"
Content-Transfer-Encoding: 7bit
Precedence: list
X-GitHub-Sender: ianswett
X-GitHub-Recipient: quic-issues
X-GitHub-Reason: subscribed
X-Auto-Response-Suppress: All
X-GitHub-Recipient-Address: quic-issues@ietf.org
X-SG-EID: l64QuQ2uJCcEyUykJbxN122A6QRmEpucztpreh3Pak26YJSwiHvkry9sRtTwtsfwurVPGzr7TqZQwi ZoS1qVp8X/UqL0B9tTRim5EtKk6svW9YUuIGJcgUJvzDKsrWzh4qGu0o4FF5ksjvsW163o2Y4Jh4Yu cxh/xNo0ikg9K523m+nU7i5fEkb/Vghssz10fpB/arQ4CTsOY/rT/HwVIw==
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic-issues/o1I24qEEwtEfY8QnQArk-X9jasI>
X-BeenThere: quic-issues@ietf.org
X-Mailman-Version: 2.1.27
List-Id: Notification list for GitHub issues related to the QUIC WG <quic-issues.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic-issues>, <mailto:quic-issues-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic-issues/>
List-Post: <mailto:quic-issues@ietf.org>
List-Help: <mailto:quic-issues-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic-issues>, <mailto:quic-issues-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 30 Jul 2018 15:28:33 -0000

ianswett commented on this pull request.

Some editorial suggestions

> @@ -4730,6 +4727,32 @@ receiver, an off-path attacker will need to race the duplicate packet against
 the original to be successful in this attack.  Therefore, QUIC receivers ignore
 ECN codepoints set in duplicate packets (see {{using-ecn}}).
 
+## Stateless Reset Oracle {#reset-oracle}
+
+An attacker that can cause a server to emit a stateless reset token can force
+the closure of any connection that uses the same connection ID and method of
+producing the token.  This creates a possible denial of service attack on

I think of this as a reset injection attack.  Do you think denial of service is a better characterization?

> @@ -4730,6 +4727,32 @@ receiver, an off-path attacker will need to race the duplicate packet against
 the original to be successful in this attack.  Therefore, QUIC receivers ignore
 ECN codepoints set in duplicate packets (see {{using-ecn}}).
 
+## Stateless Reset Oracle {#reset-oracle}
+
+An attacker that can cause a server to emit a stateless reset token can force
+the closure of any connection that uses the same connection ID and method of
+producing the token.  This creates a possible denial of service attack on
+existing connections if the attacker is able to cause a stateless reset token to
+be generated for a connection with a selected connection ID.  That is, an attack
+is possible if an attacker can alter packet routing so that a packet is received
+by an instance that uses the same stateless reset key, but no connection state
+for the connection ID.
+
+To defend against this style of denial service, endpoints that operate in
+clusters and that share a static key for stateless reset (see {{reset-token}})

I think "that operate in clusters and" is unnecessary.  If they share a static key for stateless reset, it's an issue.

> @@ -4730,6 +4727,32 @@ receiver, an off-path attacker will need to race the duplicate packet against
 the original to be successful in this attack.  Therefore, QUIC receivers ignore
 ECN codepoints set in duplicate packets (see {{using-ecn}}).
 
+## Stateless Reset Oracle {#reset-oracle}
+
+An attacker that can cause a server to emit a stateless reset token can force
+the closure of any connection that uses the same connection ID and method of
+producing the token.  This creates a possible denial of service attack on

I find this paragraph difficult to read.  How about reordering it and rewording it slightly:

"Stateless resets create a possible denial of service(reset injection) attack on existing connections if an attacker is able to cause a stateless reset token to be generated for a connection with a selected connection ID.  An attacker that can cause this token to be generated and appear to be on-path can reset any active connection."

I'd move the concept from the last sentence to the end of the next paragraph.  "If a connection ID may be routed to different instances that share a static key, for example by changing the destination IP or port, then an attacker can cause the server to create a stateless reset token."

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/quicwg/base-drafts/pull/1554#pullrequestreview-141579246

v2.23.0 | Report a Bug | By Email