[quicwg/base-drafts] Remove recommendation to not include tokens (#4089)

Martin Thomson <notifications@github.com> Thu, 10 September 2020 07:16 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/quic-issues/pH7EpaJ0qfTI3yTCpPMExvh7DUg>
List-Id: Notification list for GitHub issues related to the QUIC WG <quic-issues.ietf.org>

This is another judgment call, but as this wasn't a MUST in the first
place, we weren't really preventing an attack.  This just removes the
recommendation to remove NEW_TOKEN tokens from Initial packets to new
server addresses.

It leaves the generic guidance, which is far more nuanced.

I've added some commentary about the effect of withholding tokens on
performance, as it seems like that is worth highlighting here.

All in all, this leans more toward saying that request forgery is not
the responsibility of QUIC deployments.

Closes #4076.

You can view, comment on, or merge this pull request online at:

  https://github.com/quicwg/base-drafts/pull/4089

-- Commit Summary --

  * Remove recommendation to not include tokens

-- File Changes --

    M draft-ietf-quic-transport.md (14)

-- Patch Links --

https://github.com/quicwg/base-drafts/pull/4089.patch
https://github.com/quicwg/base-drafts/pull/4089.diff
