Re: [quicwg/base-drafts] Add warning about request forgery and client-side migration (#4086)

Mike Bishop <notifications@github.com> Fri, 11 September 2020 15:21 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/quic-issues/veUVZmtUwBwpDv4aRHEO1VF52Qk>

FWIW, when we've talked about a server migration extension before, it was usually in the form of a frame that mimics the preferred_address TP, prompting the client to probe the new address and actually make the change.  That approach seems like it limits the attacks to those already possible with SPA, though it broadens the window / number of attempts.
