Re: Malicious Version Negotiation Handling (Was: Questions about Version Negotiation Concerning Possible Handshake Interruption)
Mikkel Fahnøe Jørgensen <mikkelfj@gmail.com> Sun, 18 February 2018 16:11 UTC
Return-Path: <mikkelfj@gmail.com>
X-Original-To: quic@ietfa.amsl.com
Delivered-To: quic@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9CEC812420B for <quic@ietfa.amsl.com>; Sun, 18 Feb 2018 08:11:01 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.698
X-Spam-Level:
X-Spam-Status: No, score=-1.698 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, FREEMAIL_REPLY=1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id waYScCCRgf4y for <quic@ietfa.amsl.com>; Sun, 18 Feb 2018 08:11:00 -0800 (PST)
Received: from mail-io0-x235.google.com (mail-io0-x235.google.com [IPv6:2607:f8b0:4001:c06::235]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1199C120047 for <quic@ietf.org>; Sun, 18 Feb 2018 08:11:00 -0800 (PST)
Received: by mail-io0-x235.google.com with SMTP id t22so8933970iob.3 for <quic@ietf.org>; Sun, 18 Feb 2018 08:11:00 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:in-reply-to:references:mime-version:date:message-id:subject:to :cc; bh=RQUP86xrX0q2ejrv/grJHPYBGWl77RMaYQBcaZMrT3w=; b=DYPPQmse/Fe4sBiiF1Vvt//PVCkf0lHGSLPd/HU0O4JOcbtHUQzmwmXrYE3cbxu+7R nA/x6h4VtssVQzwJVX1GLZ/q4VfmyNY+w5Uvo+qwZ0/tW25flsxswgWuqYyet9JfmopX LAeknAcU4NXlCEiNpfdptLqZUD2gCc4zUGUdklhyfSo3juXtQD9qAiKuWROf7ciNhmJt DJ+6EVH0dn9vJHdO82DAstT2XJIVIP4U70C2gbHR6eeSYok7IFh4o0dQiPQXuxdrSNw7 yypaejWlqJMPA9rpE0J9LqJsN4QxYxNMdZ/JneyB1jZw8WIFRIcuP/gevosssGl/onYt unEw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:in-reply-to:references:mime-version:date :message-id:subject:to:cc; bh=RQUP86xrX0q2ejrv/grJHPYBGWl77RMaYQBcaZMrT3w=; b=QZlsOx1ldbX+0SO3kpNPzrod5k+kcfeq+LFYYePS4+JjKgiycWJWmGllnOiTORJMY1 wbx0vmj/eAnZJIn8nwCXz8iZT+DTQxM58I1h/WxSB4FGRauGCnGxpj0uT8T82QxGeyqd /mxTI31S9OTe3XF0eWt/ek4xekhk/NVm3rScv4UG1Byx+51vw+7G1qKlUYVO08l9HxEZ 8HiSMI8KfGflkgefzKLaU1HMZd3olo3cfczKsircqnsFKS9nt7Vk00ErG0+60EIlTn6P 2Pry6U0eipRr5kCXRCHUnzqUqLZSdCvjN1ZyHjncnFyoQ96rm27AKkpdlCc0V8L2y3qx C/4g==
X-Gm-Message-State: APf1xPAO5eP6ecQ2uBdX/+nPSXURYnUTxuwCpYcQO1g1ZCxRUSxeCoPP nuCnJeAjt/w62949G019MAcEqKuVf1yL9bJ0jn2JeQ==
X-Google-Smtp-Source: AH8x227F/SO/1VLkI448EKDx6kRMKVRBlE7hza0HLriUAlPFWUdDv2vYU4XMhnAHTJxluuSPF4e5vUQPDayFnvfe5RQ=
X-Received: by 10.107.17.20 with SMTP id z20mr16589782ioi.274.1518970259366; Sun, 18 Feb 2018 08:10:59 -0800 (PST)
Received: from 1058052472880 named unknown by gmailapi.google.com with HTTPREST; Sun, 18 Feb 2018 08:10:58 -0800
From: Mikkel Fahnøe Jørgensen <mikkelfj@gmail.com>
In-Reply-To: <835e5014-3306-e7ac-fed0-3c90320551a9@gmail.com>
References: <1d386744-c46a-842a-b172-24e290e03668@gmail.com> <CABkgnnVRn+1sNZQFB8BZc4VyzN5usLmYJ3xLo+p2uTeW_0Ji_Q@mail.gmail.com> <CAN1APdfpJ0rYPPiOgfcdDRx3noh+YYvJatP0MYTqRRXMBwF6pA@mail.gmail.com> <3d558827-f2a7-877c-e00a-d6a22ef241c5@gmail.com> <CANatvzzZEuJ3TY=+0BMLqbBE5mScG_Jnrypg3xkciykOX78G8A@mail.gmail.com> <CAN1APdfov8Q3E+5NkT5pmMeU=eB=fsnDFe_=BK7TDE0TpXD3yA@mail.gmail.com> <142211e0-c7c9-642f-69ef-5f0d722b77cc@gmail.com> <529ac475-5291-2b2e-acf9-05efe720d584@huitema.net> <6937_1518251684_5A7EAEA4_6937_191_1_5A7EAEA5.2000605@orange.com> <CANatvzz_2BeRns5E-OO=CKKwK66LgMd=3vVCM84_+OAxj8CutQ@mail.gmail.com> <d3c8688a-3f01-30b1-a3de-1300a43c1d99@gmail.com> <835e5014-3306-e7ac-fed0-3c90320551a9@gmail.com>
X-Mailer: Airmail (420)
MIME-Version: 1.0
Date: Sun, 18 Feb 2018 08:10:58 -0800
Message-ID: <CAN1APddWNmm0P9Y2eTdkTWzft-3Vm8hy1cZQe1RLutATKkhiKw@mail.gmail.com>
Subject: Re: Malicious Version Negotiation Handling (Was: Questions about Version Negotiation Concerning Possible Handshake Interruption)
To: Kazuho Oku <kazuhooku@gmail.com>, Christian Huitema <huitema@huitema.net>, alexandre.ferrieux@orange.com, Lingmo Zhu <zlm2006@gmail.com>
Cc: Martin Thomson <martin.thomson@gmail.com>, "quic@ietf.org" <quic@ietf.org>
Content-Type: multipart/alternative; boundary="001a113eda8abbed4105657ed2de"
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic/33eWbJZiTpscr71CylLL1qWSe9c>
X-BeenThere: quic@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Main mailing list of the IETF QUIC working group <quic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic>, <mailto:quic-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic/>
List-Post: <mailto:quic@ietf.org>
List-Help: <mailto:quic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic>, <mailto:quic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 18 Feb 2018 16:11:01 -0000
I was very close to proposing dropping the version negotation packet in favor of having the client offering multiple versions in the initial ClientHello. It would also save a roundtrip if negotiating. However, I realized that it would probably tie the version negotiation to the TLS handshake which is not a very good idea. Kind Regards, Mikkel Fahnøe Jørgensen On 18 February 2018 at 16.48.27, Lingmo Zhu (zlm2006@gmail.com) wrote: Hi all After some discussion with Kazuho and thanks to his help, I want to propose that for Version Negotiation handling, "a client MAY wait for a handshake packet after receiving a Version Negotiation packet". The attack utilizing fake Version Negotiation is too cheap and easy to be performed (due to no encryption exists) and would be harmful (even stopping the establishment of connections) so should be mitigated. The attack that means to make the client abort QUIC connection could be easily performed with small footprint but also could be mitigated by simply ignoring those unacceptable Version Negotiation packets in my rough experiment (if could be called so). Some possible approaches might be considered: * A timer could be set after Initial packet sent (might be combined with one used for re-transmit) for waiting ServerHello. If a Version Negotiation is received but totally unacceptable, just ignore it. If the received Version Negotiation is acceptable, it could be considered after the timeout instead of handled immediately. If a fake packet with ServerHello received, it should be rejected by TLS so not considered here. * When a Version Negotiation is received, instead of handling it within the same connection, handle it as another connection and remain the original connection context. If then the ServerHello packet is received, the new connection context could be dropped and the original connection would be used following up. This approach might be more difficult to be implemented than the previous one. The approaches above are both covered by the statement to be proposed but not exhaustive. This should be a handling for client side so server side would have no modification. Due to different implementations of different clients, it could not be ensure that those approaches are simple enough to be applied but those malicious Version Negotiation packets should be properly handled. Also, the scenario where fake Version Negotiation packets are triggered by each outgoing QUIC (Initial) packet should also be considered. For why those Version Negotiation attack would be utilized by malware, I think they could pretend as server side problem then attract less attention. If simply dropping packet or faking ICMP host unreachable are utilized, it would be considered as an issue on route configuration so more likely a client-side problem thus more attention. Lingmo Zhu
- Questions about Version Negotiation Concerning Po… Lingmo Zhu
- Re: Questions about Version Negotiation Concernin… Mikkel Fahnøe Jørgensen
- Re: Questions about Version Negotiation Concernin… Martin Thomson
- Re: Questions about Version Negotiation Concernin… Mikkel Fahnøe Jørgensen
- Re: Questions about Version Negotiation Concernin… Lingmo Zhu
- Re: Questions about Version Negotiation Concernin… Mikkel Fahnøe Jørgensen
- Re: Questions about Version Negotiation Concernin… Kazuho Oku
- Re: Questions about Version Negotiation Concernin… Mikkel Fahnøe Jørgensen
- Re: Questions about Version Negotiation Concernin… Lingmo Zhu
- Re: Questions about Version Negotiation Concernin… Christian Huitema
- Re: Questions about Version Negotiation Concernin… alexandre.ferrieux
- Re: Questions about Version Negotiation Concernin… Martin Thomson
- Re: Questions about Version Negotiation Concernin… Kazuho Oku
- Re: Questions about Version Negotiation Concernin… alexandre.ferrieux
- Re: Questions about Version Negotiation Concernin… Lingmo Zhu
- Malicious Version Negotiation Handling (Was: Ques… Lingmo Zhu
- Re: Malicious Version Negotiation Handling (Was: … Mikkel Fahnøe Jørgensen
- Re: Malicious Version Negotiation Handling (Was: … Eric Rescorla
- Re: Malicious Version Negotiation Handling (Was: … Lingmo Zhu
- Re: Malicious Version Negotiation Handling (Was: … Eric Rescorla
- Re: Malicious Version Negotiation Handling (Was: … Subodh Iyengar
- Re: Malicious Version Negotiation Handling (Was: … Lingmo Zhu
- Re: Malicious Version Negotiation Handling (Was: … Eric Rescorla
- Re: Malicious Version Negotiation Handling (Was: … Christian Huitema
- Re: Malicious Version Negotiation Handling (Was: … Eric Rescorla
- RE: Malicious Version Negotiation Handling (Was: … Lubashev, Igor
- Re: Malicious Version Negotiation Handling (Was: … Christian Huitema
- Re: Malicious Version Negotiation Handling (Was: … Mikkel Fahnøe Jørgensen
- Re: Malicious Version Negotiation Handling (Was: … Spencer Dawkins at IETF