Re: [quicwg/base-drafts] Spoofed retry token attack on IP authentication (#2394)

MikkelFJ <> Fri, 01 February 2019 12:12 UTC

> However that's not something we need to fix, considering that an MOTS attacker can simply inject an Initial packet containing a CONNECTION_CLOSE frame to disrupt the handshake.

This is not about a DoS attack. It is about privilege escalation. The man on the side can observe another connection and pretend to have the IP of the original client. If the server grants access to the observer based on the original client's IP, trust has been broken.

Racing the packet is sufficient to achieve that.

Racing will also close the original client's connection iff the token can only be used once, but that is a minor concern, I agree.
