IETF Logo Mail Archive

Re: [quicwg/base-drafts] Compatible version upgrade (#1901)

Martin Thomson <notifications@github.com> Fri, 26 October 2018 02:33 UTC

Return-Path: <noreply@github.com>
X-Original-To: quic-issues@ietfa.amsl.com
Delivered-To: quic-issues@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 30E03129BBF for <quic-issues@ietfa.amsl.com>; Thu, 25 Oct 2018 19:33:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -8.47
X-Spam-Level:
X-Spam-Status: No, score=-8.47 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.47, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, MAILING_LIST_MULTI=-1, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=github.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OkEhA4MChwwF for <quic-issues@ietfa.amsl.com>; Thu, 25 Oct 2018 19:33:17 -0700 (PDT)
Received: from out-3.smtp.github.com (out-3.smtp.github.com [192.30.252.194]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3D3B5126BED for <quic-issues@ietf.org>; Thu, 25 Oct 2018 19:33:17 -0700 (PDT)
Date: Thu, 25 Oct 2018 19:33:16 -0700
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=github.com; s=pf2014; t=1540521196; bh=/hZgNY6DnHpjHNyndLhqnibI0JiJgvqbprs6s04NajU=; h=Date:From:Reply-To:To:Cc:In-Reply-To:References:Subject:List-ID: List-Archive:List-Post:List-Unsubscribe:From; b=dLhQe7SNM/ab9dkfQt/WdR6sGpNrLHkumLk2t7OWvyizB5UabAwfvjNBgqegYp3DL xFCMXG41L8Hkaei+Kx6H5RfRxkXF6Ju6YT6UNScI4+uJrWSHTOI730r5hu0S2pkyrj s/boE2YPYyamW4em9MrV46ohCm/kLDOFNp2cEExY=
From: Martin Thomson <notifications@github.com>
Reply-To: quicwg/base-drafts <reply+0166e4ab36524b222ab7cf41236a854efc311a664933b12c92cf0000000117ea3eec92a169ce1640b1a8@reply.github.com>
To: quicwg/base-drafts <base-drafts@noreply.github.com>
Cc: Subscribed <subscribed@noreply.github.com>
Message-ID: <quicwg/base-drafts/pull/1901/c433266476@github.com>
In-Reply-To: <quicwg/base-drafts/pull/1901@github.com>
References: <quicwg/base-drafts/pull/1901@github.com>
Subject: Re: [quicwg/base-drafts] Compatible version upgrade (#1901)
Mime-Version: 1.0
Content-Type: multipart/alternative; boundary="--==_mimepart_5bd27cec374ee_294f3f915c6d45c0231642"; charset="UTF-8"
Content-Transfer-Encoding: 7bit
Precedence: list
X-GitHub-Sender: martinthomson
X-GitHub-Recipient: quic-issues
X-GitHub-Reason: subscribed
X-Auto-Response-Suppress: All
X-GitHub-Recipient-Address: quic-issues@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic-issues/vVmCv6goBZaEfsc9eNZQGGKrEXU>
X-BeenThere: quic-issues@ietf.org
X-Mailman-Version: 2.1.29
List-Id: Notification list for GitHub issues related to the QUIC WG <quic-issues.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic-issues>, <mailto:quic-issues-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic-issues/>
List-Post: <mailto:quic-issues@ietf.org>
List-Help: <mailto:quic-issues-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic-issues>, <mailto:quic-issues-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 26 Oct 2018 02:33:19 -0000

OK, change implemented.

I realized that we're now relying on different pieces for different capabilities.  We use unsupported versions to protect against a spoofed Version Negotiation packet.  That might lead a client to believe that the server doesn't support a version that it does.

We use the supported versions list and the compatible version upgrade to protect against an attacker rewriting the version of the Initial packet.  That suggests that the server needs to choose, it can't just stay with a version that it doesn't prefer (of course, not choosing is a form of choosing, a server could easily not care).

Then I realized that there is a weakening of our guarantees if we don't record the final version in the transcript, so I put that back.  This is mainly from a surplus of caution.  An attacker could maybe rewrite the version in the server Initial packet and convince the client that the version the server chose was different.  Of course, the version is under integrity protection for later packet types, so this would fail at that point, but it's not great that we don't have the final selection covered by the handshake, so I added it back.  It's not that hard and it makes the integrity protection far more direct.

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/quicwg/base-drafts/pull/1901#issuecomment-433266476

v2.23.0 | Report a Bug | By Email