Re: Should QUIC have a path-verifiable proof of source address?

Martin Thomson <martin.thomson@gmail.com> Thu, 01 June 2017 01:29 UTC

From: Martin Thomson <martin.thomson@gmail.com>
Date: Thu, 01 Jun 2017 11:29:33 +1000
Message-ID: <CABkgnnWEg0N0WYsdMzsPT--MpRSQ7g2ysu2DvwenQ+mQpo6Anw@mail.gmail.com>
Subject: Re: Should QUIC have a path-verifiable proof of source address?
To: Christian Huitema <huitema@huitema.net>
Cc: QUIC WG <quic@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic/0V0zqECmMNLfXwHJVAPuyv0XDAE>

On 1 June 2017 at 06:09, Christian Huitema <huitema@huitema.net> wrote:
> Brian, I am not sure I understand your requirement. Do you mean
> something like the reachability verification implicit in the three-way
> handshake of TCP? Or do you mean some kind of cryptographic proof that
> the device is allowed to use the source address?

At risk of speaking for Brian, I think that this is intended to cover
the simple reachability verification implicit in TCP.  That is, proof
that the endpoint was able to see a packet that was sent to their
claimed address.

The verification provided by ICE also works.  There, it's not a
three-way handshake, but two independent request/response validations.

(I think that I see a companion to Brian's "what is an endpoint?" doc:
"what is a path?")