How do treat CID changes before HANDSHAKE_DONE
Christian Huitema <huitema@huitema.net> Fri, 21 February 2020 01:11 UTC
Return-Path: <huitema@huitema.net>
X-Original-To: quic@ietfa.amsl.com
Delivered-To: quic@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 804541200F5 for <quic@ietfa.amsl.com>; Thu, 20 Feb 2020 17:11:05 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.598
X-Spam-Level:
X-Spam-Status: No, score=-2.598 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zX29noJOcTO7 for <quic@ietfa.amsl.com>; Thu, 20 Feb 2020 17:11:03 -0800 (PST)
Received: from mx36-out10.antispamcloud.com (mx36-out10.antispamcloud.com [209.126.121.30]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6A8D8120048 for <quic@ietf.org>; Thu, 20 Feb 2020 17:11:03 -0800 (PST)
Received: from xse144.mail2web.com ([66.113.196.144] helo=xse.mail2web.com) by mx181.antispamcloud.com with esmtp (Exim 4.92) (envelope-from <huitema@huitema.net>) id 1j4wqJ-000KhP-Nl for quic@ietf.org; Fri, 21 Feb 2020 02:11:02 +0100
Received: from xsmtp21.mail2web.com (unknown [10.100.68.60]) by xse.mail2web.com (Postfix) with ESMTPS id 48Ntgh4DHGzP00 for <quic@ietf.org>; Thu, 20 Feb 2020 17:10:56 -0800 (PST)
Received: from [10.5.2.13] (helo=xmail03.myhosting.com) by xsmtp21.mail2web.com with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:256) (Exim 4.92) (envelope-from <huitema@huitema.net>) id 1j4wqG-000718-Ep for quic@ietf.org; Thu, 20 Feb 2020 17:10:56 -0800
Received: (qmail 21927 invoked from network); 21 Feb 2020 01:10:56 -0000
Received: from unknown (HELO [192.168.1.103]) (Authenticated-user:_huitema@huitema.net@[172.58.43.204]) (envelope-sender <huitema@huitema.net>) by xmail03.myhosting.com (qmail-ldap-1.03) with ESMTPA for <quic@ietf.org>; 21 Feb 2020 01:10:55 -0000
To: IETF QUIC WG <quic@ietf.org>
From: Christian Huitema <huitema@huitema.net>
Autocrypt: addr=huitema@huitema.net; prefer-encrypt=mutual; keydata= mQENBFIRX8gBCAC26usy/Ya38IqaLBSu33vKD6hP5Yw390XsWLaAZTeQR64OJEkoOdXpvcOS HWfMIlD5s5+oHfLe8jjmErFAXYJ8yytPj1fD2OdSKAe1TccUBiOXT8wdVxSr5d0alExVv/LO I/vA2aU1TwOkVHKSapD7j8/HZBrqIWRrXUSj2f5n9tY2nJzG9KRzSG0giaJWBfUFiGb4lvsy IaCaIU0YpfkDDk6PtK5YYzuCeF0B+O7N9LhDu/foUUc4MNq4K3EKDPb2FL1Hrv0XHpkXeMRZ olpH8SUFUJbmi+zYRuUgcXgMZRmZFL1tu6z9h6gY4/KPyF9aYot6zG28Qk/BFQRtj7V1ABEB AAG0J0NocmlzdGlhbiBIdWl0ZW1hIDxodWl0ZW1hQGh1aXRlbWEubmV0PokBOQQTAQIAIwUC UhFfyAIbLwcLCQgHAwIBBhUIAgkKCwQWAgMBAh4BAheAAAoJEJNDCbJVyA1yhbYH/1ud6x6m VqGIp0JcZUfSQO8w+TjugqxCyGNn+w/6Qb5O/xENxNQ4HaMQ5uSRK9n8WKKDDRSzwZ4syKKf wbkfj05vgFxrjCynVbm1zs2X2aGXh+PxPL/WHUaxzEP7KjYbLtCUZDRzOOrm+0LMktngT/k3 6+EZoLEM52hwwpIAzJoscyEz7QfqMOZtFm6xQnlvDQeIrHx0KUvwo/vgDLK3SuruG1CSHcR0 D24kEEUa044AIUKBS3b0b8AR7f6mP2NcnLpdsibtpabi9BzqAidcY/EjTaoea46HXALk/eJd 6OLkLE6UQe1PPzQC4jB7rErX2BxnSkHDw50xMgLRcl5/b1a5AQ0EUhFfyAEIAKp7Cp8lqKTV CC9QiAf6QTIjW+lie5J44Ad++0k8gRgANZVWubQuCQ71gxDWLtxYfFkEXjG4TXV/MUtnOliG 5rc2E+ih6Dg61Y5PQakm9OwPIsOx+2R+iSW325ngln2UQrVPgloO83QiUoi7mBJPbcHlxkhZ bd3+EjFxSLIQogt29sTcg2oSh4oljUpz5niTt69IOfZx21kf29NfDE+Iw56gfrxI2ywZbu5o G+d0ZSp0lsovygpk4jK04fDTq0vxjEU5HjPcsXC4CSZdq5E2DrF4nOh1UHkHzeaXdYR2Bn1Y wTePfaHBFlvQzI+Li/Q6AD/uxbTM0vIcsUxrv3MNHCUAEQEAAYkCPgQYAQIACQUCUhFfyAIb LgEpCRCTQwmyVcgNcsBdIAQZAQIABgUCUhFfyAAKCRC22tOSFDh1UOlBB/94RsCJepNvmi/c YiNmMnm0mKb6vjv43OsHkqrrCqJSfo95KHyl5Up4JEp8tiJMyYT2mp4IsirZHxz/5lqkw9Az tcGAF3GlFsj++xTyD07DXlNeddwTKlqPRi/b8sppjtWur6Pm+wnAHp0mQ7GidhxHccFCl65w uT7S/ocb1MjrTgnAMiz+x87d48n1UJ7yIdI41Wpg2XFZiA9xPBiDuuoPwFj14/nK0elV5Dvq 4/HVgfurb4+fd74PV/CC/dmd7hg0ZRlgnB5rFUcFO7ywb7/TvICIIaLWcI42OJDSZjZ/MAzz BeXm263lHh+kFxkh2LxEHnQGHCHGpTYyi4Z3dv03HtkH/1SI8joQMQq00Bv+RdEbJXfEExrT u4gtdZAihwvy97OPA2nCdTAHm/phkzryMeOaOztI4PS8u2Ce5lUB6P/HcGtK/038KdX5MYST Fn8KUDt4o29bkv0CUXwDzS3oTzPNtGdryBkRMc9b+yn9+AdwFEH4auhiTQXPMnl0+G3nhKr7 jvzVFJCRif3OAhEm4vmBNDE3uuaXFQnbK56GJrnqVN+KX5Z3M7X3fA8UcVCGOEHXRP/aubiw Ngawj0V9x+43kUapFp+nF69R53UI65YtJ95ec4PTO/Edvap8h1UbdEOc4+TiYwY1TBuIKltY 1cnrjgAWUh/Ucvr++/KbD9tD6C8=
Subject: How do treat CID changes before HANDSHAKE_DONE
Message-ID: <b253b2b4-c35a-23b6-85c7-668e1cd503fb@huitema.net>
Date: Thu, 20 Feb 2020 17:10:57 -0800
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:68.0) Gecko/20100101 Thunderbird/68.4.2
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="------------FBBD0D19CF941EC0EF9DFA6E"
Content-Language: en-US
X-Originating-IP: 66.113.196.144
X-Spampanel-Domain: xsmtpout.mail2web.com
X-Spampanel-Username: 66.113.196.144/32
Authentication-Results: antispamcloud.com; auth=pass smtp.auth=66.113.196.144/32@xsmtpout.mail2web.com
X-Spampanel-Outgoing-Class: unsure
X-Spampanel-Outgoing-Evidence: Combined (0.15)
X-Recommended-Action: accept
X-Filter-ID: Mvzo4OR0dZXEDF/gcnlw0UaqOYGQPGxXNcBH7FeyDZOpSDasLI4SayDByyq9LIhVUZbR67CQ7/vm /hHDJU4RXkTNWdUk1Ol2OGx3IfrIJKywOmJyM1qr8uRnWBrbSAGDcnqpk5VeF3xR4kF6iVwRtbgN zB/4Jkrw1eDLcif59ftC7cIsfrHWs8zegc19r7m5U7Tmz6iKnkQL9gqsxD347235Nhqq+/HvroPq 8GSPg+60/QPNqXybIny9WGhadIo/ICKD+bz1QuA8GxLVsb4edbyme9ldZJ7uNXfg/GfS8fUvP/L5 rCqHDsKZM+xa1iwJX+gRCHfMVnsAk591zk0uilUI+ZL4xWiN8NS6C+dmX6OEdA4u1aThyWrQ/ou2 +v/lmX4Em37yFgrCB6NHRn1g+f3uncIqYSL3lhh5c81YyJqFoLZMmkWsaurVZfvqROaDnDtHb8z5 dpPkEuJ8Snwqla7jUnW3hy14Yji8fo+4xCnSRo4Rcu5Z37rMuDjCny5fE9ykbJ7I9co1MAEE3ruN Xsm8UJsAPvDcVSKtDCYkioPY5Qx4fJOk03R5fJtf/Dv/dkIzS7m4GUpXCY1Y3j3ilWEbX+OBfQvZ a2Z4uSB28NKCS+noqnLkLJ1dbiS8jHdfkQgX8db83GIgj8tVCbQqAYoQyfCZMHnX1xyiSXpQFfgM 7OYFXYdC3tRq275m/U3VTS31mvt+TpfpG7oe1oU5RLdCp3Zd9clP8wSiJZWbJCj+xRrjVmRxpGtS cvUmgj1LWPMRLM1ifcN/zogSpcxW3F2jZAOanSBpz6Rja2u/0jJnL+1r1xeA3qpV36sq6s9ITZYh Llri23ia6HDqcuNUS/ysta6u1iHEyuS7GD1uvcpETbjT//oj21hbHDB2NaOPJOYIJd4MvQ0Nf4Ec bvHO1diDanHV9KirFAIIecsyj+YNTo81GR+jDXFsz/ZQnbbTizvwlZsrbltGiZoUh+c+5pFVgpT1 b21uZVckGp0ccOa2XhkGbmsUNPNkere1WheNsVXmhO8BzADiszcWR9bz/SDtF09JpSbuuCeiIDK0 C/0=
X-Report-Abuse-To: spam@quarantine11.antispamcloud.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic/9eyN3c5Q9wxTTdRqmEwoVepx7kc>
X-BeenThere: quic@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Main mailing list of the IETF QUIC working group <quic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic>, <mailto:quic-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic/>
List-Post: <mailto:quic@ietf.org>
List-Help: <mailto:quic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic>, <mailto:quic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 21 Feb 2020 01:11:06 -0000
In the past, we have discussed the potential benefits for the client of quickly switching to a new connection ID once the handshake is complete. Suppose for example that there are several connections multiplexed on the same 5 tuple between a client and a server. Without migration, attackers can observe the pairing between CID used in each direction of traffic, associate a client sub-stream to a server sub-stream, and use that for example as input in a fingerprinting mechanism. If clients and server migrate to new CIDs, that pairing becomes more difficult. The question is, when to start doing that? And my proposal is, "after handshake complete", which in the client case means "after receiving handshake done". I have two worries. On one hand, I am concerned that staring a migration while the handshake is not finished makes the handshake process less robust to packet loss. On the other hand, I am also concerned that all potential privacy benefits of migrating to new CIDs are lost if the peer sends handshake packets with long headers associating the new DCID with the old SCID. For example, the client may have to repeat the final handshake packet on a timer. It will have to use a pair of CID in the long header. If it uses the new ones, it will reveal the linkage between the new client and server CID. If it uses the old one, it might end up using a CID that the server already discarded after the transition. The client can avoid these issues by simply waiting "handshake done" before migrating to new CID. There is some ambiguity in the spec on this subject. On one hand, section 9 says that "An endpoint MUST NOT initiate connection migration before the handshake is confirmed, as defined in section 4.1.2 of [QUIC-TLS <https://quicwg.org/base-drafts/draft-ietf-quic-transport.html#QUIC-TLS>]." On the other hand, section 9.5 says that "At any time, endpoints MAY change the Destination Connection ID they send to a value that has not been used on another path." What shall the peer do if it receive data on a new DCID before the handshake is complete, before the handshake encryption keys have been discarded? My simplifying assumption is that before the handshake is done, peer can simply treat all incoming DCID as equivalent to DCID[0], and not trigger any specific processing. Is that correct? -- Christian Huitema
- How do treat CID changes before HANDSHAKE_DONE Christian Huitema
- Re: How do treat CID changes before HANDSHAKE_DONE Martin Thomson