IETF Logo Mail Archive

Re: How does a server identify a new connection?

Kazuho Oku <kazuhooku@gmail.com> Mon, 03 December 2018 01:15 UTC

Return-Path: <kazuhooku@gmail.com>
X-Original-To: quic@ietfa.amsl.com
Delivered-To: quic@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 126901274D0 for <quic@ietfa.amsl.com>; Sun, 2 Dec 2018 17:15:29 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id W29sOvBcVPh3 for <quic@ietfa.amsl.com>; Sun, 2 Dec 2018 17:15:27 -0800 (PST)
Received: from mail-lf1-x12a.google.com (mail-lf1-x12a.google.com [IPv6:2a00:1450:4864:20::12a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C7E1C130DE1 for <quic@ietf.org>; Sun, 2 Dec 2018 17:15:26 -0800 (PST)
Received: by mail-lf1-x12a.google.com with SMTP id n18so7855268lfh.6 for <quic@ietf.org>; Sun, 02 Dec 2018 17:15:26 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :content-transfer-encoding; bh=XOsfIkEpFaFsGR23+wagrNHK0wPTbhfq9Rm+D3Jkvzw=; b=E3jl91PMukwF0Jb6nHaSI5LmT9rsIqR42PsnUPT93tpA29sDfiyva0YcjZCEPKxWZ9 KcN9q6D6n9nO53OaMnMf9Ghy5tEhm4RC3wjrDMJXTEGliLTljr8FSaLQqxFDsRGQFUxu 2tOh96GHXvpNcIorVvphlqQCnLYSx1LJhEHiEkV0vNuGl6sB56EZuyyU9XLO90CU3C5e dEz/W8fIjuXtU0mA+qDMzPaz36EVTh+frl2YMDWkhOAA14GC62YsNQ55hJkVwCsTCg/3 dTVt1vuR9FzUlIZHzlR3J6HjooS8qirwrugKJXb4nvl41Rsiyiy7XK+7gmQsJKzSni23 Zx0w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:content-transfer-encoding; bh=XOsfIkEpFaFsGR23+wagrNHK0wPTbhfq9Rm+D3Jkvzw=; b=IHwmBoD4BsAnifIVOXfcgiutdN90x6y9j/sChU9ajS1SpJN6/fvFLgpvgOjgHXfLh9 f34my4xqPQleSoWP0pEw4kHyu280QMvlXcxJ/rfqaUN+R4Bz+y1S0TiAlcAoszKaXJfG /dozT0QGZpEfCCuTTr/syOyypAa+E89uzyOBHSl4zs2oqXNwUyZX7lx+gkUC4mI1FE3N UKSDEvPOmq9/wsKayFujQu4VESjKd56b8GZBIsJHuu0gpFlj0EJ0cHyt+hi4Eyvf8OHU g7dDxhUxpv1UsB6sswIUBq6Y6xwoxqGtOvKlvYHXEXKspASm9Us+X/G1TzbvuS2CnTU0 O5lg==
X-Gm-Message-State: AA+aEWb3DSfOCIoP90Ikmm0/1TjAcmtyQbn6W0EdNZjOJtESShVN/1IC q6vymT97reQe7KVAyMMxr+wm1rvRvjlBXo9LoZY=
X-Google-Smtp-Source: AFSGD/VMoQ/VHwKQESLJMJG/QnnEsQzi/29CsysHBpp6t1rljwfjcOll82kPP548H8wi2ZjHcovlmjvwBcOMOmsT5EM=
X-Received: by 2002:a19:a502:: with SMTP id o2mr7821907lfe.92.1543799724860; Sun, 02 Dec 2018 17:15:24 -0800 (PST)
MIME-Version: 1.0
References: <CANatvzzaW-y6y6qN-K4W91WL+3A0fV3SLbOqcq5+SB=qXDpRXw@mail.gmail.com> <CABkgnnV9ONF5LEuCnpy8BsOHnFGidFbVKoMOeM9EohabMBMV6A@mail.gmail.com> <CANatvzxyUm86dNYAwiXeY_xHtcQBKuVWxa_3=9rgmFJtC4u+yw@mail.gmail.com> <20181130153734.GB19030@ubuntu-dmitri> <4A523623-09FD-4101-90A2-FCE202585B01@huitema.net> <20181130164440.GC19030@ubuntu-dmitri>
In-Reply-To: <20181130164440.GC19030@ubuntu-dmitri>
From: Kazuho Oku <kazuhooku@gmail.com>
Date: Mon, 03 Dec 2018 10:15:13 +0900
Message-ID: <CANatvzw6+HKbXqqP_MK1rvF3dSiLryhMRABnxV6VUmdJnNQoKw@mail.gmail.com>
Subject: Re: How does a server identify a new connection?
To: Christian Huitema <huitema@huitema.net>, IETF QUIC WG <quic@ietf.org>, Martin Thomson <martin.thomson@gmail.com>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic/3dje7soOs2ba3vu6T6ii9VD08FY>
X-BeenThere: quic@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Main mailing list of the IETF QUIC working group <quic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic>, <mailto:quic-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic/>
List-Post: <mailto:quic@ietf.org>
List-Help: <mailto:quic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic>, <mailto:quic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 03 Dec 2018 01:15:29 -0000

2018年12月1日(土) 1:44 Dmitri Tikhonov <dtikhonov@litespeedtech.com>:
>
> On Fri, Nov 30, 2018 at 08:08:14AM -0800, Christian Huitema wrote:
> > > On Nov 30, 2018, at 7:37 AM, Dmitri Tikhonov <dtikhonov@litespeedtech.com> wrote:
> > > Is such attack feasible?  By definition, the man-on-the-side cannot
> > > delay the original packet.  For the spoofed packet to reach the
> > > server first, the man-on-the-side would have to have access to a
> > > different, faster path to that server.
> >
> > Non only feasible, but in actual use now. Do for example a search
> > for "Quantum Insert".
>
> The fundamental difference between the attack described in this thread
> and Quantum Insert [1] is that in our (the former) case, the attacker
> must spoof the very first Initial packet.  This makes it less likely
> (I am guessing a lot less likely) for the spoofed packet to win the race
> with the original.  I remain unconvinced (pleading ignorance again) that
> such attack is feasible.
>
> > > I am asking these questions a) out of ignorance and b) as the
> > > implications of the proposed change (PR 2076) begin to dawn on me.
> >
> > Defending against inserts after the handshake is relatively easy
> > and everybody should do it. Defending the initial handshake involves
> > speculative initiation of many connection copies, and then rolling
> > back the bad ones once a good one was verified. So, yes, it is costly.
>
> This realization is what prompted my email.

How high the "cost" is depends on who you are.

If you are running a client that is struggling to create a connection,
I do not think testing 10 ServerHellos you receive to identify which
one was correct is something you can pay for. It's essentially an
automatic and safer way of hitting the reload button.

OTOH, the cost is a big issue for the server, because it needs to pay
the cost for every connection attempt it accepts.

Therefore, a strategy that puts the most cost of detecting an
mitigating man-on-the-side attacks on the client-side is a good
approach.

The minimum requirement we need to have for the server is: 1) call
different ClientHellos as different connections 2) ignore (or delay
the application of) other information carried in Initial packet that
has fatal effect on connection establishment.

I can understand that some might not want to implement such behavior.
However, I think it is beneficial to document how you could build a
man-on-the-side attack resistance server, because that would help
people actually implement such servers.

Then, we can give clients that actually see the problem the chance to
implement the costly countermeasure.

>
>   - Dmitri.
>
> 1. https://blog.fox-it.com/2015/04/20/deep-dive-into-quantum-insert/



-- 
Kazuho Oku

v2.23.0 | Report a Bug | By Email