IETF Logo Mail Archive

Re: [quicwg/base-drafts] Client's initial destination CID is unauthenticated (#1486)

MikkelFJ <notifications@github.com> Mon, 09 July 2018 19:56 UTC

Return-Path: <bounces+848413-a050-quic-issues=ietf.org@sgmail.github.com>
X-Original-To: quic-issues@ietfa.amsl.com
Delivered-To: quic-issues@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3F96B130F2C for <quic-issues@ietfa.amsl.com>; Mon, 9 Jul 2018 12:56:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.01
X-Spam-Level:
X-Spam-Status: No, score=-3.01 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, MAILING_LIST_MULTI=-1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, T_DKIMWL_WL_HIGH=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=github.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jAt_1FODnLQ1 for <quic-issues@ietfa.amsl.com>; Mon, 9 Jul 2018 12:56:18 -0700 (PDT)
Received: from o6.sgmail.github.com (o6.sgmail.github.com [192.254.113.101]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 67A3713106A for <quic-issues@ietf.org>; Mon, 9 Jul 2018 12:56:18 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d=github.com; h=from:reply-to:to:cc:in-reply-to:references:subject:mime-version:content-type:content-transfer-encoding:list-id:list-archive:list-post:list-unsubscribe; s=s20150108; bh=+WfQXPmUGXV0SoSN471/KfQ+RXs=; b=k+RfTMCIZjfQTgoz nkM5eaBzPhollcHtnuOCBouedn8k4uz1e2RQYRQeOlXUjXs+Z/XarewduKB3pzDh DSsin4Ig2ML9fAaYMHPesyHB3oMNilpfxYEIZllQFVxzK3XOdozFwyyGnuWBIUmY n76+mTVqs7sAR8Ho20e3h/1SkWM=
Received: by filter0764p1las1.sendgrid.net with SMTP id filter0764p1las1-30917-5B43BDE1-C 2018-07-09 19:56:17.502326191 +0000 UTC
Received: from github-lowworker-643483b.cp1-iad.github.net (unknown [192.30.252.45]) by ismtpd0008p1iad1.sendgrid.net (SG) with ESMTP id B3A4YxiaSye0qoX9do_Fhg for <quic-issues@ietf.org>; Mon, 09 Jul 2018 19:56:17.336 +0000 (UTC)
Received: from github.com (localhost [127.0.0.1]) by github-lowworker-643483b.cp1-iad.github.net (Postfix) with ESMTP id 4FD5F6C06D7 for <quic-issues@ietf.org>; Mon, 9 Jul 2018 12:56:17 -0700 (PDT)
Date: Mon, 09 Jul 2018 19:56:17 +0000
From: MikkelFJ <notifications@github.com>
Reply-To: quicwg/base-drafts <reply+0166e4aba22d09cf1dda48c22afc431c1293088378aefe0792cf00000001175b7fe192a169ce140801b8@reply.github.com>
To: quicwg/base-drafts <base-drafts@noreply.github.com>
Cc: Subscribed <subscribed@noreply.github.com>
Message-ID: <quicwg/base-drafts/issues/1486/403600647@github.com>
In-Reply-To: <quicwg/base-drafts/issues/1486@github.com>
References: <quicwg/base-drafts/issues/1486@github.com>
Subject: Re: [quicwg/base-drafts] Client's initial destination CID is unauthenticated (#1486)
Mime-Version: 1.0
Content-Type: multipart/alternative; boundary="--==_mimepart_5b43bde14db10_287c3fbd435caf7c131261"; charset="UTF-8"
Content-Transfer-Encoding: 7bit
Precedence: list
X-GitHub-Sender: mikkelfj
X-GitHub-Recipient: quic-issues
X-GitHub-Reason: subscribed
X-Auto-Response-Suppress: All
X-GitHub-Recipient-Address: quic-issues@ietf.org
X-SG-EID: l64QuQ2uJCcEyUykJbxN122A6QRmEpucztpreh3Pak0PVcQTOu9QcGk3nPqoKdHSAYiRJuZNXbR5BW 80jqtXCfirS8BXY2JU0NClK8VBIVnVXzdl3J+wFmo3AGKm28r+lym6kqD0Tbc/Q955wWjIQLre/q5e 5RoRS0TjA9zaV12GWHV9KP2SidkpVmzX39BMeoiAj+iN1Cic7pPpg+OihQ==
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic-issues/wTq2PW8jSPEz9UIEO3XCLqxk75w>
X-BeenThere: quic-issues@ietf.org
X-Mailman-Version: 2.1.27
List-Id: Notification list for GitHub issues related to the QUIC WG <quic-issues.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic-issues>, <mailto:quic-issues-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic-issues/>
List-Post: <mailto:quic-issues@ietf.org>
List-Help: <mailto:quic-issues-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic-issues>, <mailto:quic-issues-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 09 Jul 2018 19:56:21 -0000

Well, yes - it won't work. That ODCID state will get into the handshake, but only in a hashed form that the client cannot verify, so it doesn't matter. In fact, an on path attacker could weaken the integrity by make the ODCID non-random.

If the server stored the ODCID in TP explicitly, or better, the initial AEAD tag, and if the client is required to verify it. then it all is good. (As I already suggested earlier).

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/quicwg/base-drafts/issues/1486#issuecomment-403600647

v2.29.0 | Report a Bug | By Email | System Status