From nobody Thu Sep 10 00:16:49 2020 Return-Path: X-Original-To: quic-issues@ietfa.amsl.com Delivered-To: quic-issues@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 606123A0F9E for ; Thu, 10 Sep 2020 00:16:48 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -3.099 X-Spam-Level: X-Spam-Status: No, score=-3.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_IMAGE_ONLY_32=0.001, HTML_MESSAGE=0.001, MAILING_LIST_MULTI=-1, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=github.com Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id X6ofudesFgBk for ; Thu, 10 Sep 2020 00:16:47 -0700 (PDT) Received: from out-18.smtp.github.com (out-18.smtp.github.com [192.30.252.201]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0F7F23A0F96 for ; Thu, 10 Sep 2020 00:16:47 -0700 (PDT) Received: from github-lowworker-9bcb4a1.ac4-iad.github.net (github-lowworker-9bcb4a1.ac4-iad.github.net [10.52.25.84]) by smtp.github.com (Postfix) with ESMTP id 26308340E4B for ; Thu, 10 Sep 2020 00:16:41 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=github.com; s=pf2014; t=1599722201; bh=OqCIZV5pJTmqDsnRU+3PjruN1Czrw8oLVNx+EuJxUb4=; h=Date:From:Reply-To:To:Cc:Subject:List-ID:List-Archive:List-Post: List-Unsubscribe:From; b=xYd1US4I6tkSIi1kWFlWgIHpwU1RuHITKtF25BR6lSdmL4zKAZYl/q/kCc4fW/Ljk Efq17YvpTui7ifkeO/tMO2FfeD/nlvLVCkdxm8RCaGouveKsBxIHIhbTxj698jUim/ 4THIkGAYvwe1OtaQ2ZLTwUDq+h3fcOOoc5MkYt7E= Date: Thu, 10 Sep 2020 00:16:41 -0700 From: Martin Thomson Reply-To: quicwg/base-drafts To: quicwg/base-drafts Cc: Subscribed Message-ID: Subject: [quicwg/base-drafts] Remove recommendation to not include tokens (#4089) Mime-Version: 1.0 Content-Type: multipart/alternative; boundary="--==_mimepart_5f59d2d915e6a_51c719f0515545"; charset=UTF-8 Content-Transfer-Encoding: 7bit Precedence: list X-GitHub-Sender: martinthomson X-GitHub-Recipient: quic-issues X-GitHub-Reason: subscribed X-Auto-Response-Suppress: All X-GitHub-Recipient-Address: quic-issues@ietf.org Archived-At: X-BeenThere: quic-issues@ietf.org X-Mailman-Version: 2.1.29 List-Id: Notification list for GitHub issues related to the QUIC WG List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 10 Sep 2020 07:16:48 -0000 ----==_mimepart_5f59d2d915e6a_51c719f0515545 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 7bit This is another judgment call, but as this wasn't a MUST in the first place, we weren't really preventing an attack. This just removes the recommendation to remove NEW_TOKEN tokens from Initial packets to new server addresses. It leaves the generic guidance, which is far more nuanced. I've added some commentary about the effect of withholding tokens on performance, as it seems like that is worth highlighting here. All in all, this leans more toward saying that request forgery is not the responsibility of QUIC deployments. Closes #4076. You can view, comment on, or merge this pull request online at: https://github.com/quicwg/base-drafts/pull/4089 -- Commit Summary -- * Remove recommendation to not include tokens -- File Changes -- M draft-ietf-quic-transport.md (14) -- Patch Links -- https://github.com/quicwg/base-drafts/pull/4089.patch https://github.com/quicwg/base-drafts/pull/4089.diff -- You are receiving this because you are subscribed to this thread. Reply to this email directly or view it on GitHub: https://github.com/quicwg/base-drafts/pull/4089 ----==_mimepart_5f59d2d915e6a_51c719f0515545 Content-Type: text/html; charset=UTF-8 Content-Transfer-Encoding: 7bit

This is another judgment call, but as this wasn't a MUST in the first
place, we weren't really preventing an attack. This just removes the
recommendation to remove NEW_TOKEN tokens from Initial packets to new
server addresses.

It leaves the generic guidance, which is far more nuanced.

I've added some commentary about the effect of withholding tokens on
performance, as it seems like that is worth highlighting here.

All in all, this leans more toward saying that request forgery is not
the responsibility of QUIC deployments.

Closes #4076.

You can view, comment on, or merge this pull request online at:

  https://github.com/quicwg/base-drafts/pull/4089

Commit Summary

  • Remove recommendation to not include tokens

File Changes

Patch Links:


You are receiving this because you are subscribed to this thread.
Reply to this email directly, view it on GitHub, or unsubscribe.

----==_mimepart_5f59d2d915e6a_51c719f0515545--