Re: Malicious Version Negotiation Handling (Was: Questions about Version Negotiation Concerning Possible Handshake Interruption)

Eric Rescorla <ekr@rtfm.com> Mon, 19 February 2018 02:56 UTC

From: Eric Rescorla <ekr@rtfm.com>
Date: Sun, 18 Feb 2018 18:55:45 -0800
Message-ID: <CABcZeBO4OHJDtFkjcCwRFNL_mU5QzOGBcC-zMJPHStJq090gzw@mail.gmail.com>
Subject: Re: Malicious Version Negotiation Handling (Was: Questions about Version Negotiation Concerning Possible Handshake Interruption)
To: Lingmo Zhu <zlm2006@gmail.com>
Cc: Kazuho Oku <kazuhooku@gmail.com>, alexandre.ferrieux@orange.com, Christian Huitema <huitema@huitema.net>, Mikkel Fahnøe Jørgensen <mikkelfj@gmail.com>, "quic@ietf.org" <quic@ietf.org>, Martin Thomson <martin.thomson@gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic/FW4MPxRuiPwZaoqjCqTCia-S9Ao>

On Sun, Feb 18, 2018 at 6:10 PM, Lingmo Zhu <zlm2006@gmail.com> wrote:

>
>
> On 2018/02/19 1:25, Eric Rescorla wrote:
>
>>
>>
>> On Sun, Feb 18, 2018 at 7:48 AM, Lingmo Zhu <zlm2006@gmail.com> wrote:
>>
>>     Hi all
>>
>>     After some discussion with Kazuho and thanks to his help, I want to
>>     propose that for Version Negotiation handling, "a client MAY wait for
>>     a handshake packet after receiving a Version Negotiation packet".
>>
>>
>> Can you describe the precise attack you are concerned about? The VN packet
>> contains the client's randomly chosen CID, so only an on-path attacker can
>> forge a VN, but such an attacker can also generate a bogus ServerHello or
>> other messages that would cause the QUIC negotiation to fail.
>>
>> -Ekr
>>
>>
>>
> It's an attack that generates VN packets with no acceptable version, on
> path. Of course such an attacker can generate other messages to interfere
> with QUIC, but utilizing VN packets needs no knowledge other than the CID and
> no encryption, or only the CID needs to be changed from a template. If other
> cleartext packets with wrong or no AEAD encryption described for the TLS
> handshake would be just ignored, those other messages should at least be
> encrypted, which costs much more and is more complex to implement.


Thanks for the explanation. I don't consider this a significant difference
in attacker capabilities.

-Ekr


>
> Lingmo Zhu
>