Re: [quicwg/base-drafts] Add retry integrity tag (#3120)
David Schinazi <notifications@github.com> Tue, 22 October 2019 01:54 UTC
Return-Path: <noreply@github.com>
X-Original-To: quic-issues@ietfa.amsl.com
Delivered-To: quic-issues@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C2CF6120AD1 for <quic-issues@ietfa.amsl.com>; Mon, 21 Oct 2019 18:54:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.596
X-Spam-Level:
X-Spam-Status: No, score=-6.596 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_IMAGE_ONLY_28=1.404, HTML_MESSAGE=0.001, MAILING_LIST_MULTI=-1, RCVD_IN_DNSWL_HI=-5, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=github.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5zUQWQu7H1Ur for <quic-issues@ietfa.amsl.com>; Mon, 21 Oct 2019 18:54:21 -0700 (PDT)
Received: from out-6.smtp.github.com (out-6.smtp.github.com [192.30.252.197]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0FBC0120ACD for <quic-issues@ietf.org>; Mon, 21 Oct 2019 18:54:21 -0700 (PDT)
Date: Mon, 21 Oct 2019 18:54:20 -0700
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=github.com; s=pf2014; t=1571709260; bh=PDP1z5UTrQ094Ik3ImDvoIeTcniBori2brADOU2Flnk=; h=Date:From:Reply-To:To:Cc:In-Reply-To:References:Subject:List-ID: List-Archive:List-Post:List-Unsubscribe:From; b=Gwtn1/Zp9oSzaGMbNhka7xsbSg3GdTsdZFl55UiDwnvot2P1oK1SNuF5EXFb30wi3 bACzZdjPL74jwUry8VYuhxHT5CFvQpqZK9wMWHprKmBaNVOEzxUXgNVHI4D5umaF7T 4G2aIcj+PAMJX65q5KELW+Ff0uU9WyapXOEoHm+M=
From: David Schinazi <notifications@github.com>
Reply-To: quicwg/base-drafts <reply+AFTOJK7NV2FWZBSPFFYMEY53XOQ5ZEVBNHHB4UZE54@reply.github.com>
To: quicwg/base-drafts <base-drafts@noreply.github.com>
Cc: Subscribed <subscribed@noreply.github.com>
Message-ID: <quicwg/base-drafts/pull/3120/review/304935327@github.com>
In-Reply-To: <quicwg/base-drafts/pull/3120@github.com>
References: <quicwg/base-drafts/pull/3120@github.com>
Subject: Re: [quicwg/base-drafts] Add retry integrity tag (#3120)
Mime-Version: 1.0
Content-Type: multipart/alternative; boundary="--==_mimepart_5dae614c3a4f9_1c773f9b72ecd964123936"; charset="UTF-8"
Content-Transfer-Encoding: 7bit
Precedence: list
X-GitHub-Sender: DavidSchinazi
X-GitHub-Recipient: quic-issues
X-GitHub-Reason: subscribed
X-Auto-Response-Suppress: All
X-GitHub-Recipient-Address: quic-issues@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic-issues/rdHRIhXLA2xFhDeMB0SePmwDAfU>
X-BeenThere: quic-issues@ietf.org
X-Mailman-Version: 2.1.29
List-Id: Notification list for GitHub issues related to the QUIC WG <quic-issues.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic-issues>, <mailto:quic-issues-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic-issues/>
List-Post: <mailto:quic-issues@ietf.org>
List-Help: <mailto:quic-issues-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic-issues>, <mailto:quic-issues-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 22 Oct 2019 01:54:23 -0000
DavidSchinazi commented on this pull request.
> @@ -4163,10 +4157,9 @@ A client MUST accept and process at most one Retry packet for each connection
attempt. After the client has received and processed an Initial or Retry packet
from the server, it MUST discard any subsequent Retry packets that it receives.
-Clients MUST discard Retry packets that contain an Original Destination
-Connection ID field that does not match the Destination Connection ID from its
-Initial packet. This prevents an off-path attacker from injecting a Retry
-packet.
+Clients MUST discard Retry packets whose Retry Integrity Tag cannot be
+validated, see the Retry Packet Integrity section of {{QUIC-TLS}}. This
+mitigates an off-path attacker's ability to inject a Retry packet.
Done
--
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/quicwg/base-drafts/pull/3120#discussion_r337308215
- [quicwg/base-drafts] Add retry integrity tag (#31… David Schinazi
- Re: [quicwg/base-drafts] Add retry integrity tag … Marten Seemann
- Re: [quicwg/base-drafts] Add retry integrity tag … Kazuho Oku
- Re: [quicwg/base-drafts] Add retry integrity tag … MikkelFJ
- Re: [quicwg/base-drafts] Add retry integrity tag … David Schinazi
- Re: [quicwg/base-drafts] Add retry integrity tag … Nick Banks
- Re: [quicwg/base-drafts] Add retry integrity tag … David Schinazi
- Re: [quicwg/base-drafts] Add retry integrity tag … Kazuho Oku
- Re: [quicwg/base-drafts] Add retry integrity tag … David Schinazi
- Re: [quicwg/base-drafts] Add retry integrity tag … David Schinazi
- Re: [quicwg/base-drafts] Add retry integrity tag … MikkelFJ
- Re: [quicwg/base-drafts] Add retry integrity tag … MikkelFJ
- Re: [quicwg/base-drafts] Add retry integrity tag … Christopher Wood
- Re: [quicwg/base-drafts] Add retry integrity tag … David Schinazi
- Re: [quicwg/base-drafts] Add retry integrity tag … David Schinazi
- Re: [quicwg/base-drafts] Add retry integrity tag … ianswett
- Re: [quicwg/base-drafts] Add retry integrity tag … David Schinazi
- Re: [quicwg/base-drafts] Add retry integrity tag … David Schinazi
- Re: [quicwg/base-drafts] Add retry integrity tag … ianswett
- Re: [quicwg/base-drafts] Add retry integrity tag … David Schinazi
- Re: [quicwg/base-drafts] Add retry integrity tag … David Schinazi
- Re: [quicwg/base-drafts] Add retry integrity tag … Martin Thomson
- Re: [quicwg/base-drafts] Add retry integrity tag … David Schinazi
- Re: [quicwg/base-drafts] Add retry integrity tag … David Schinazi
- Re: [quicwg/base-drafts] Add retry integrity tag … David Schinazi
- Re: [quicwg/base-drafts] Add retry integrity tag … David Schinazi
- Re: [quicwg/base-drafts] Add retry integrity tag … David Schinazi
- Re: [quicwg/base-drafts] Add retry integrity tag … David Schinazi
- Re: [quicwg/base-drafts] Add retry integrity tag … David Schinazi
- Re: [quicwg/base-drafts] Add retry integrity tag … Mike Bishop
- Re: [quicwg/base-drafts] Add retry integrity tag … David Schinazi
- Re: [quicwg/base-drafts] Add retry integrity tag … Martin Thomson
- Re: [quicwg/base-drafts] Add retry integrity tag … David Schinazi
- Re: [quicwg/base-drafts] Add retry integrity tag … David Schinazi
- Re: [quicwg/base-drafts] Add retry integrity tag … Kazuho Oku
- Re: [quicwg/base-drafts] Add retry integrity tag … MikkelFJ
- Re: [quicwg/base-drafts] Add retry integrity tag … David Schinazi
- Re: [quicwg/base-drafts] Add retry integrity tag … MikkelFJ
- Re: [quicwg/base-drafts] Add retry integrity tag … David Schinazi
- Re: [quicwg/base-drafts] Add retry integrity tag … MikkelFJ
- Re: [quicwg/base-drafts] Add retry integrity tag … Kazuho Oku
- Re: [quicwg/base-drafts] Add retry integrity tag … ianswett
- Re: [quicwg/base-drafts] Add retry integrity tag … Martin Thomson
- Re: [quicwg/base-drafts] Add retry integrity tag … Kazuho Oku
- Re: [quicwg/base-drafts] Add retry integrity tag … MikkelFJ
- Re: [quicwg/base-drafts] Add retry integrity tag … Jana Iyengar
- Re: [quicwg/base-drafts] Add retry integrity tag … Christian Huitema
- Re: [quicwg/base-drafts] Add retry integrity tag … David Schinazi
- Re: [quicwg/base-drafts] Add retry integrity tag … David Schinazi
- Re: [quicwg/base-drafts] Add retry integrity tag … David Schinazi
- Re: [quicwg/base-drafts] Add retry integrity tag … Christian Huitema
- Re: [quicwg/base-drafts] Add retry integrity tag … Christian Huitema
- Re: [quicwg/base-drafts] Add retry integrity tag … David Schinazi
- Re: [quicwg/base-drafts] Add retry integrity tag … David Schinazi
- Re: [quicwg/base-drafts] Add retry integrity tag … Christian Huitema
- Re: [quicwg/base-drafts] Add retry integrity tag … ekr
- Re: [quicwg/base-drafts] Add retry integrity tag … David Schinazi
- Re: [quicwg/base-drafts] Add retry integrity tag … Kazuho Oku
- Re: [quicwg/base-drafts] Add retry integrity tag … ekr
- Re: [quicwg/base-drafts] Add retry integrity tag … Christian Huitema
- Re: [quicwg/base-drafts] Add retry integrity tag … ekr
- Re: [quicwg/base-drafts] Add retry integrity tag … David Schinazi
- Re: [quicwg/base-drafts] Add retry integrity tag … Jana Iyengar
- Re: [quicwg/base-drafts] Add retry integrity tag … ekr
- Re: [quicwg/base-drafts] Add retry integrity tag … David Schinazi
- Re: [quicwg/base-drafts] Add retry integrity tag … David Schinazi
- Re: [quicwg/base-drafts] Add retry integrity tag … ekr
- Re: [quicwg/base-drafts] Add retry integrity tag … Marten Seemann
- Re: [quicwg/base-drafts] Add retry integrity tag … Martin Thomson
- Re: [quicwg/base-drafts] Add retry integrity tag … Christian Huitema
- Re: [quicwg/base-drafts] Add retry integrity tag … Jana Iyengar
- Re: [quicwg/base-drafts] Add retry integrity tag … David Schinazi
- Re: [quicwg/base-drafts] Add retry integrity tag … Jana Iyengar
- Re: [quicwg/base-drafts] Add retry integrity tag … Christian Huitema
- Re: [quicwg/base-drafts] Add retry integrity tag … Kazuho Oku
- Re: [quicwg/base-drafts] Add retry integrity tag … Kazuho Oku