Re: [quicwg/base-drafts] Add retry integrity tag (#3120)

ianswett <> Sun, 20 October 2019 12:49 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 1F6E2120020 for <>; Sun, 20 Oct 2019 05:49:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -8
X-Spam-Status: No, score=-8 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, MAILING_LIST_MULTI=-1, RCVD_IN_DNSWL_HI=-5, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id LcRsswxr3iRq for <>; Sun, 20 Oct 2019 05:49:03 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id E5CA2120033 for <>; Sun, 20 Oct 2019 05:49:02 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id 2692A660499 for <>; Sun, 20 Oct 2019 05:49:02 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=pf2014; t=1571575742; bh=9516FTaQYkCIKoQc54s6Gwmb9no/QgDkJp6tRU9CHbc=; h=Date:From:Reply-To:To:Cc:In-Reply-To:References:Subject:List-ID: List-Archive:List-Post:List-Unsubscribe:From; b=lJ5ycp9lMEGjQa4WK3IH81PTYkn6PTgArAmGZtBesL2xsKVfDazqKSZzQxOFgvgao Ac3ddv4vlSENTr6hKnWRs8q2rs0RVQHD8b7NlbCQwvBE9GlcZaMJtvTtVNedUDnpXd XrmQuDxQLmrhwUMVJxPmiQnItrDV9XcmZFaGaXes=
Date: Sun, 20 Oct 2019 05:49:02 -0700
From: ianswett <>
Reply-To: quicwg/base-drafts <>
To: quicwg/base-drafts <>
Cc: Subscribed <>
Message-ID: <quicwg/base-drafts/pull/3120/review/>
In-Reply-To: <quicwg/base-drafts/pull/>
References: <quicwg/base-drafts/pull/>
Subject: Re: [quicwg/base-drafts] Add retry integrity tag (#3120)
Mime-Version: 1.0
Content-Type: multipart/alternative; boundary="--==_mimepart_5dac57be17369_59073f9653ecd9601949c"; charset="UTF-8"
Content-Transfer-Encoding: 7bit
Precedence: list
X-GitHub-Sender: ianswett
X-GitHub-Recipient: quic-issues
X-GitHub-Reason: subscribed
X-Auto-Response-Suppress: All
Archived-At: <>
X-Mailman-Version: 2.1.29
List-Id: Notification list for GitHub issues related to the QUIC WG <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Sun, 20 Oct 2019 12:49:06 -0000

ianswett approved this pull request.

If possible, I think it'd be nice to add this to the transport draft, since if we ever changed crypto handshakes, I expect we'd still want this.  If that conversation is a wider discussion, I'm happy to have it on a separate PR.

> +|                         Version (32)                          |
+| DCID Len (8)  |
+|               Destination Connection ID (0..160)            ...
+| SCID Len (8)  |
+|                 Source Connection ID (0..160)               ...
+|                        Retry Token (*)                      ...
+{: #retry-pseudo title="Retry Pseudo-Packet"}
+The Retry Pseudo-Packet is not sent over the wire. It is computed by taking

I somehow missed the removal of ODCID and ODCID len upon first review, so this makes sense now.

Q: Is there a reason this needs to be in TLS?  It seems like this doesn't interact with TLS at all.

> @@ -1197,6 +1197,64 @@ TLS ClientHello.  The server MAY retain these packets for later decryption in
 anticipation of receiving a ClientHello.
+## Retry Packet Integrity {#retry-integrity}
+Retry packets (see the Retry Packet section of {{QUIC-TRANSPORT}}) carry a
+Retry Integrity Tag that provides two properties: it allows discarding
+packets that have accidentally been corrupted by the network, and it mitigates
+off-path attackers' ability to send valid Retry packets.

Thanks, how about being being specific and saying "to send valid retry packets without having seen the original destination connection ID."?

That was also true before this change, so I was thinking there was some new protection I was unaware of.

You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub: