Re: [quicwg/base-drafts] Add retry integrity tag (#3120)
Martin Thomson <notifications@github.com> Wed, 23 October 2019 23:03 UTC
Return-Path: <noreply@github.com>
X-Original-To: quic-issues@ietfa.amsl.com
Delivered-To: quic-issues@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C1E9512008D for <quic-issues@ietfa.amsl.com>; Wed, 23 Oct 2019 16:03:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -8
X-Spam-Level:
X-Spam-Status: No, score=-8 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, MAILING_LIST_MULTI=-1, RCVD_IN_DNSWL_HI=-5, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=github.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zoEM-3LZWA77 for <quic-issues@ietfa.amsl.com>; Wed, 23 Oct 2019 16:02:58 -0700 (PDT)
Received: from out-23.smtp.github.com (out-23.smtp.github.com [192.30.252.206]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C685612008B for <quic-issues@ietf.org>; Wed, 23 Oct 2019 16:02:58 -0700 (PDT)
Date: Wed, 23 Oct 2019 16:02:57 -0700
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=github.com; s=pf2014; t=1571871777; bh=J8teqP3xT9MyzHRfKp6dHTX5h8KykjJPT6DU8F+Ggl8=; h=Date:From:Reply-To:To:Cc:In-Reply-To:References:Subject:List-ID: List-Archive:List-Post:List-Unsubscribe:From; b=KVNo8+CblbGiR+6+atnVCeEnDY1zY5ZeT3c5c4eBRqNciAIwgUUGau6nZtgcF7Ps6 ysPdI7AsnTiTclU0Y2sezb5d4EquB8CcOtWtDl3UOjPl/5vLlfUxZpsE+rjfKH4G+0 WYKKXrlyC0ajCVMQyj9NAzZbpgQ8THn/oZC7mbvQ=
From: Martin Thomson <notifications@github.com>
Reply-To: quicwg/base-drafts <reply+AFTOJK7CYXDARBPX5CYHFPV3XYHKDEVBNHHB4UZE54@reply.github.com>
To: quicwg/base-drafts <base-drafts@noreply.github.com>
Cc: Subscribed <subscribed@noreply.github.com>
Message-ID: <quicwg/base-drafts/pull/3120/review/306237557@github.com>
In-Reply-To: <quicwg/base-drafts/pull/3120@github.com>
References: <quicwg/base-drafts/pull/3120@github.com>
Subject: Re: [quicwg/base-drafts] Add retry integrity tag (#3120)
Mime-Version: 1.0
Content-Type: multipart/alternative; boundary="--==_mimepart_5db0dc21cd243_61f03fac6c2cd960916a1"; charset="UTF-8"
Content-Transfer-Encoding: 7bit
Precedence: list
X-GitHub-Sender: martinthomson
X-GitHub-Recipient: quic-issues
X-GitHub-Reason: subscribed
X-Auto-Response-Suppress: All
X-GitHub-Recipient-Address: quic-issues@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic-issues/zcJVw638ZxLOB5OwYmeGDu4qJ5A>
X-BeenThere: quic-issues@ietf.org
X-Mailman-Version: 2.1.29
List-Id: Notification list for GitHub issues related to the QUIC WG <quic-issues.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic-issues>, <mailto:quic-issues-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic-issues/>
List-Post: <mailto:quic-issues@ietf.org>
List-Help: <mailto:quic-issues-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic-issues>, <mailto:quic-issues-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 23 Oct 2019 23:03:01 -0000
martinthomson commented on this pull request. > @@ -1197,6 +1197,64 @@ TLS ClientHello. The server MAY retain these packets for later decryption in anticipation of receiving a ClientHello. +## Retry Packet Integrity {#retry-integrity} + +Retry packets (see the Retry Packet section of {{QUIC-TRANSPORT}}) carry a +Retry Integrity Tag that provides two properties: it allows discarding +packets that have accidentally been corrupted by the network, and it mitigates +off-path attackers' ability to send valid Retry packets. + +The Retry Integrity Tag is a 128-bit field that is computed as the output of +AEAD_AES_128_GCM {{!AEAD=RFC5116}} used with the following inputs: + +- The secret key, K, is 128 bits all set to zero. +- The nonce, N, is 96 bits all set to zero. +- The plaintext is empty. +- The associated data is the contents of the Retry Pseudo-Packet, as described ```suggestion - The associated data, A, is the contents of the Retry Pseudo-Packet, as illustrated ``` > @@ -1197,6 +1197,64 @@ TLS ClientHello. The server MAY retain these packets for later decryption in anticipation of receiving a ClientHello. +## Retry Packet Integrity {#retry-integrity} + +Retry packets (see the Retry Packet section of {{QUIC-TRANSPORT}}) carry a +Retry Integrity Tag that provides two properties: it allows discarding +packets that have accidentally been corrupted by the network, and it mitigates +off-path attackers' ability to send valid Retry packets. + +The Retry Integrity Tag is a 128-bit field that is computed as the output of +AEAD_AES_128_GCM {{!AEAD=RFC5116}} used with the following inputs: + +- The secret key, K, is 128 bits all set to zero. +- The nonce, N, is 96 bits all set to zero. +- The plaintext is empty. ```suggestion - The plaintext, P, is empty. ``` > +| Version (32) | ++-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +| DCID Len (8) | ++-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +| Destination Connection ID (0..160) ... ++-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +| SCID Len (8) | ++-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +| Source Connection ID (0..160) ... ++-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +| Retry Token (*) ... ++-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +~~~ +{: #retry-pseudo title="Retry Pseudo-Packet"} + +The Retry Pseudo-Packet is not sent over the wire. It is computed by taking This is fine. I mean, the split between the documents boils down to "all the crypto bits" and "everything else". We have discussed moving packet protection to transport in the past, but that hasn't happened, and now probably won't. As this is packet protection (ish), this is the right place for now. > @@ -2736,7 +2736,7 @@ available. ## Protected Packets {#packet-protected} -All QUIC packets except Version Negotiation and Retry packets use authenticated +All QUIC packets except Version Negotiation packets use authenticated encryption with additional data (AEAD) {{!RFC5116}} to provide confidentiality and integrity protection. Details of packet protection are found in ```suggestion and integrity protection. Retry packets use an AEAD to provide integrity protection. Details of packet protection are found in ``` Note that the left indent here is weirdly broken. Likely the result of a bug in GitHub suggestions. > @@ -4111,37 +4111,31 @@ wishes to perform a retry (see {{validate-handshake}}). +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Source Connection ID (0..160) ... +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ -| ODCID Len (8) | -+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ -| Original Destination Connection ID (0..160) ... -+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Retry Token (*) ... We already have impossible packets. The DCID Len field can indicate a length longer than the packet. > @@ -4163,10 +4157,10 @@ A client MUST accept and process at most one Retry packet for each connection attempt. After the client has received and processed an Initial or Retry packet from the server, it MUST discard any subsequent Retry packets that it receives. -Clients MUST discard Retry packets that contain an Original Destination -Connection ID field that does not match the Destination Connection ID from its -Initial packet. This prevents an off-path attacker from injecting a Retry -packet. +Clients MUST discard Retry packets whose Retry Integrity Tag cannot be Unnecessary anthropomorphism (or at least implied possessive). ```suggestion Clients MUST discard Retry packets that have a Retry Integrity Tag that cannot be ``` -- You are receiving this because you are subscribed to this thread. Reply to this email directly or view it on GitHub: https://github.com/quicwg/base-drafts/pull/3120#pullrequestreview-306237557
- [quicwg/base-drafts] Add retry integrity tag (#31… David Schinazi
- Re: [quicwg/base-drafts] Add retry integrity tag … Marten Seemann
- Re: [quicwg/base-drafts] Add retry integrity tag … Kazuho Oku
- Re: [quicwg/base-drafts] Add retry integrity tag … MikkelFJ
- Re: [quicwg/base-drafts] Add retry integrity tag … David Schinazi
- Re: [quicwg/base-drafts] Add retry integrity tag … Nick Banks
- Re: [quicwg/base-drafts] Add retry integrity tag … David Schinazi
- Re: [quicwg/base-drafts] Add retry integrity tag … Kazuho Oku
- Re: [quicwg/base-drafts] Add retry integrity tag … David Schinazi
- Re: [quicwg/base-drafts] Add retry integrity tag … David Schinazi
- Re: [quicwg/base-drafts] Add retry integrity tag … MikkelFJ
- Re: [quicwg/base-drafts] Add retry integrity tag … MikkelFJ
- Re: [quicwg/base-drafts] Add retry integrity tag … Christopher Wood
- Re: [quicwg/base-drafts] Add retry integrity tag … David Schinazi
- Re: [quicwg/base-drafts] Add retry integrity tag … David Schinazi
- Re: [quicwg/base-drafts] Add retry integrity tag … ianswett
- Re: [quicwg/base-drafts] Add retry integrity tag … David Schinazi
- Re: [quicwg/base-drafts] Add retry integrity tag … David Schinazi
- Re: [quicwg/base-drafts] Add retry integrity tag … ianswett
- Re: [quicwg/base-drafts] Add retry integrity tag … David Schinazi
- Re: [quicwg/base-drafts] Add retry integrity tag … David Schinazi
- Re: [quicwg/base-drafts] Add retry integrity tag … Martin Thomson
- Re: [quicwg/base-drafts] Add retry integrity tag … David Schinazi
- Re: [quicwg/base-drafts] Add retry integrity tag … David Schinazi
- Re: [quicwg/base-drafts] Add retry integrity tag … David Schinazi
- Re: [quicwg/base-drafts] Add retry integrity tag … David Schinazi
- Re: [quicwg/base-drafts] Add retry integrity tag … David Schinazi
- Re: [quicwg/base-drafts] Add retry integrity tag … David Schinazi
- Re: [quicwg/base-drafts] Add retry integrity tag … David Schinazi
- Re: [quicwg/base-drafts] Add retry integrity tag … Mike Bishop
- Re: [quicwg/base-drafts] Add retry integrity tag … David Schinazi
- Re: [quicwg/base-drafts] Add retry integrity tag … Martin Thomson
- Re: [quicwg/base-drafts] Add retry integrity tag … David Schinazi
- Re: [quicwg/base-drafts] Add retry integrity tag … David Schinazi
- Re: [quicwg/base-drafts] Add retry integrity tag … Kazuho Oku
- Re: [quicwg/base-drafts] Add retry integrity tag … MikkelFJ
- Re: [quicwg/base-drafts] Add retry integrity tag … David Schinazi
- Re: [quicwg/base-drafts] Add retry integrity tag … MikkelFJ
- Re: [quicwg/base-drafts] Add retry integrity tag … David Schinazi
- Re: [quicwg/base-drafts] Add retry integrity tag … MikkelFJ
- Re: [quicwg/base-drafts] Add retry integrity tag … Kazuho Oku
- Re: [quicwg/base-drafts] Add retry integrity tag … ianswett
- Re: [quicwg/base-drafts] Add retry integrity tag … Martin Thomson
- Re: [quicwg/base-drafts] Add retry integrity tag … Kazuho Oku
- Re: [quicwg/base-drafts] Add retry integrity tag … MikkelFJ
- Re: [quicwg/base-drafts] Add retry integrity tag … Jana Iyengar
- Re: [quicwg/base-drafts] Add retry integrity tag … Christian Huitema
- Re: [quicwg/base-drafts] Add retry integrity tag … David Schinazi
- Re: [quicwg/base-drafts] Add retry integrity tag … David Schinazi
- Re: [quicwg/base-drafts] Add retry integrity tag … David Schinazi
- Re: [quicwg/base-drafts] Add retry integrity tag … Christian Huitema
- Re: [quicwg/base-drafts] Add retry integrity tag … Christian Huitema
- Re: [quicwg/base-drafts] Add retry integrity tag … David Schinazi
- Re: [quicwg/base-drafts] Add retry integrity tag … David Schinazi
- Re: [quicwg/base-drafts] Add retry integrity tag … Christian Huitema
- Re: [quicwg/base-drafts] Add retry integrity tag … ekr
- Re: [quicwg/base-drafts] Add retry integrity tag … David Schinazi
- Re: [quicwg/base-drafts] Add retry integrity tag … Kazuho Oku
- Re: [quicwg/base-drafts] Add retry integrity tag … ekr
- Re: [quicwg/base-drafts] Add retry integrity tag … Christian Huitema
- Re: [quicwg/base-drafts] Add retry integrity tag … ekr
- Re: [quicwg/base-drafts] Add retry integrity tag … David Schinazi
- Re: [quicwg/base-drafts] Add retry integrity tag … Jana Iyengar
- Re: [quicwg/base-drafts] Add retry integrity tag … ekr
- Re: [quicwg/base-drafts] Add retry integrity tag … David Schinazi
- Re: [quicwg/base-drafts] Add retry integrity tag … David Schinazi
- Re: [quicwg/base-drafts] Add retry integrity tag … ekr
- Re: [quicwg/base-drafts] Add retry integrity tag … Marten Seemann
- Re: [quicwg/base-drafts] Add retry integrity tag … Martin Thomson
- Re: [quicwg/base-drafts] Add retry integrity tag … Christian Huitema
- Re: [quicwg/base-drafts] Add retry integrity tag … Jana Iyengar
- Re: [quicwg/base-drafts] Add retry integrity tag … David Schinazi
- Re: [quicwg/base-drafts] Add retry integrity tag … Jana Iyengar
- Re: [quicwg/base-drafts] Add retry integrity tag … Christian Huitema
- Re: [quicwg/base-drafts] Add retry integrity tag … Kazuho Oku
- Re: [quicwg/base-drafts] Add retry integrity tag … Kazuho Oku