IETF Logo Mail Archive

Re: [quicwg/base-drafts] Path Challenge Padding and Amplification Protection (#4257)

Martin Thomson <notifications@github.com> Thu, 22 October 2020 21:28 UTC

Return-Path: <noreply@github.com>
X-Original-To: quic-issues@ietfa.amsl.com
Delivered-To: quic-issues@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AF7623A1097 for <quic-issues@ietfa.amsl.com>; Thu, 22 Oct 2020 14:28:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.1
X-Spam-Level:
X-Spam-Status: No, score=-3.1 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_IMAGE_ONLY_32=0.001, HTML_MESSAGE=0.001, MAILING_LIST_MULTI=-1, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=github.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id v7hgM6vdFOFl for <quic-issues@ietfa.amsl.com>; Thu, 22 Oct 2020 14:28:37 -0700 (PDT)
Received: from out-18.smtp.github.com (out-18.smtp.github.com [192.30.252.201]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 51A693A1096 for <quic-issues@ietf.org>; Thu, 22 Oct 2020 14:28:37 -0700 (PDT)
Received: from github.com (hubbernetes-node-4acf9d7.va3-iad.github.net [10.48.112.63]) by smtp.github.com (Postfix) with ESMTPA id 64B9A340926 for <quic-issues@ietf.org>; Thu, 22 Oct 2020 14:28:36 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=github.com; s=pf2014; t=1603402116; bh=3Yuz7/sA7jEuswEJSdDe5hm6axgKRPH4rPdDAGl+RkM=; h=Date:From:Reply-To:To:Cc:In-Reply-To:References:Subject:List-ID: List-Archive:List-Post:List-Unsubscribe:From; b=uLhYSCHRA/BAH0nh0c16G8EZk41mb1Lwgvm6L8tkueU0T8Kv+F7cJl3lEBIBbDusS Pwp5Ot/HfG54XWtx+Lu76PWuRmfij1Y6OGrQPRp+NZFzdk2sXDRDi7viDFh+dMcbE0 ciAIzmYoHpMjLElmAWyD9bfjjyAZN8dC+g0h4CAs=
Date: Thu, 22 Oct 2020 14:28:36 -0700
From: Martin Thomson <notifications@github.com>
Reply-To: quicwg/base-drafts <reply+AFTOJK6MKPPZNOMIUTLBKMN5TXNIJEVBNHHCWUAGFQ@reply.github.com>
To: quicwg/base-drafts <base-drafts@noreply.github.com>
Cc: Subscribed <subscribed@noreply.github.com>
Message-ID: <quicwg/base-drafts/issues/4257/714772404@github.com>
In-Reply-To: <quicwg/base-drafts/issues/4257@github.com>
References: <quicwg/base-drafts/issues/4257@github.com>
Subject: Re: [quicwg/base-drafts] Path Challenge Padding and Amplification Protection (#4257)
Mime-Version: 1.0
Content-Type: multipart/alternative; boundary="--==_mimepart_5f91f98461797_5019b477526"; charset="UTF-8"
Content-Transfer-Encoding: 7bit
Precedence: list
X-GitHub-Sender: martinthomson
X-GitHub-Recipient: quic-issues
X-GitHub-Reason: subscribed
X-Auto-Response-Suppress: All
X-GitHub-Recipient-Address: quic-issues@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic-issues/qD4-87WYjD97QBm2VMJKMPcTdOQ>
X-BeenThere: quic-issues@ietf.org
X-Mailman-Version: 2.1.29
List-Id: Notification list for GitHub issues related to the QUIC WG <quic-issues.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic-issues>, <mailto:quic-issues-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic-issues/>
List-Post: <mailto:quic-issues@ietf.org>
List-Help: <mailto:quic-issues-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic-issues>, <mailto:quic-issues-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 22 Oct 2020 21:28:39 -0000

Hmm, @kazuho is right, I can't find any restriction on use of paths after migration.  Our limits for anti-amplification are specifically: handshake, closing, and stateless reset.  No other mention exists.

That doesn't mean that Nick is wrong to have this code though. Without limits, an attacker could connect to a server then spoof a bunch of small packets to cause an amplification attack toward a chosen target.  

We can turn that into a low-grade amplification attack if we allow probes to be exempt from that limit.  It's low-grade then for several reasons.  It is stateful at the server and the connection establishment is expensive.  A single connection can be used to attack multiple targets, but a server won't send many packets to each.  In my half-written migration code, this results in just three packets, which isn't that useful.

After digging in more here, I think that we can make two changes, one the direct response to this issue, but the first is in response to the unstated issue that we don't have anti-amplification protection for migration.

1. Add the 3x rule for any unvalidated path.

2. Allow path probes to ignore the 3x rule.

The alternative is to leave this alone and focus on clarification.  We have a requirement that the server reduce its congestion window, so the concrete amount of amplification that can be gained without the 3x rule being in place is not that much relative to the cost of setting up the attack.

I'm ambivalent on this.  I can see the appeal of the principled fix, but getting it right could be tricky.

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/quicwg/base-drafts/issues/4257#issuecomment-714772404

v2.23.0 | Report a Bug | By Email