IETF Logo Mail Archive

Re: How does a server identify a new connection?

Kazuho Oku <kazuhooku@gmail.com> Fri, 30 November 2018 00:27 UTC

Return-Path: <kazuhooku@gmail.com>
X-Original-To: quic@ietfa.amsl.com
Delivered-To: quic@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EF81D12D4F0 for <quic@ietfa.amsl.com>; Thu, 29 Nov 2018 16:27:48 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rWEKhEI4hvCk for <quic@ietfa.amsl.com>; Thu, 29 Nov 2018 16:27:47 -0800 (PST)
Received: from mail-lj1-x22c.google.com (mail-lj1-x22c.google.com [IPv6:2a00:1450:4864:20::22c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D6B7212D4E9 for <quic@ietf.org>; Thu, 29 Nov 2018 16:27:46 -0800 (PST)
Received: by mail-lj1-x22c.google.com with SMTP id v15-v6so3400568ljh.13 for <quic@ietf.org>; Thu, 29 Nov 2018 16:27:46 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=UuwEzJxXtSAL+V4uyJmFjmHWzbnFM/A53DM3Rgn13SE=; b=qBR6yfc1ySLZZcSQQXC3VT9Sfzp0W8jejumsHOkI9DtTnROFwa/1hIHIK47rSpSX2a +O9sko8Da0qqiaN2Z6ByXWKoPRzv7WL2AwhWZEpwoBoaeOqCudXpMW3AOwB8vArx+Aev wTJyLFCWZQSjXpJl/b3AWRpsQCKtDNFYOfi61e7heCl75HmyFD4w29wjCWMgV7cb87UC xlK6PqOP+rdLjvTlW9IvKMzZD23WNp9AoD6uUq/s3ORpT9lFHqCc3S02hHiI/mSMX6Lw BMhYLCbgGo9HifB6cA/hREz0JBrR1F405UNIPSmeJyNZCSGiPDsTIA8wZ7UoeplIb4iL 6kBA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=UuwEzJxXtSAL+V4uyJmFjmHWzbnFM/A53DM3Rgn13SE=; b=uZJ0bp8j6BrLFRNke3PA1YFKivRJQsPGfkoxVBr/ANETRUZ6/KLh6uCA0ZO/ZBSj88 mit4+PjSKPGZWhVYLWNoe304ty8uc6UufX2oEJPUo/pXU/jZOQjPDdJH4bTmGp/FgrcF mDl71qbGL1vlGNmCW7jYwzrJpg6OeIow2E4n9/+eXVAyXMZa0r9bmzY3Mllwb3/B5Yjv +IuN+B4TsdrxPEdP9dysvB/8Ct/IrPX+JYbM27K53VLWHhOhQLXcd76fe7GfL2dEGKDN usfz3dPqhFmZDasl/amVCpmqBBFzDaosLOp2ndBUiYSreH0MnhogcZSqdRFUeZhUAHcZ y1uQ==
X-Gm-Message-State: AA+aEWb5+B6Xxu9vhw7+BYBpfXxChfNC77/XTGbhrNmjSWudeEIc/ffh HCnKn2MrCZoel9OAfQ0uZ0QeMF/fGspGF1nHeVt2hA==
X-Google-Smtp-Source: AFSGD/W9JzRyH3RO3ouhUzDtzMXphwrhPBgsADQUbfYPOz9fdolkmlXBn5Yo74Upp9km9NdPgt1sYUx8NN3eoXTtHLg=
X-Received: by 2002:a2e:9715:: with SMTP id r21-v6mr2441490lji.30.1543537665039; Thu, 29 Nov 2018 16:27:45 -0800 (PST)
MIME-Version: 1.0
References: <CANatvzzaW-y6y6qN-K4W91WL+3A0fV3SLbOqcq5+SB=qXDpRXw@mail.gmail.com> <CABkgnnV9ONF5LEuCnpy8BsOHnFGidFbVKoMOeM9EohabMBMV6A@mail.gmail.com> <CANatvzxyUm86dNYAwiXeY_xHtcQBKuVWxa_3=9rgmFJtC4u+yw@mail.gmail.com> <CABkgnnUwK37q7jMSiKseJJtWUN1dxv-uV3M9btdjNurHw_NG9w@mail.gmail.com> <CANatvzxDcBz77F07wnJyPnHwJCj08DhbVi_2wtWYquroZtODxg@mail.gmail.com> <67268dd11a054e6eb7101abaafb0faa8@ustx2ex-dag1mb5.msg.corp.akamai.com> <CY4PR22MB09837FF9D76CA77FCAA0E808DAD20@CY4PR22MB0983.namprd22.prod.outlook.com> <4eaba056-b1b1-ed08-d65c-db0374e26648@huitema.net> <5e0e15b3942244f9b14e540f7baba53c@ustx2ex-dag1mb5.msg.corp.akamai.com>
In-Reply-To: <5e0e15b3942244f9b14e540f7baba53c@ustx2ex-dag1mb5.msg.corp.akamai.com>
From: Kazuho Oku <kazuhooku@gmail.com>
Date: Fri, 30 Nov 2018 09:27:34 +0900
Message-ID: <CANatvzxxphaMw2E-JtaecYHB7OqYU4W7BL-uus30dBxA2LkfQA@mail.gmail.com>
Subject: Re: How does a server identify a new connection?
To: "Lubashev, Igor" <ilubashe@akamai.com>
Cc: Christian Huitema <huitema@huitema.net>, Mike Bishop <mbishop@evequefou.be>, Martin Thomson <martin.thomson@gmail.com>, IETF QUIC WG <quic@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic/GuaSNO8Ve_aV4-iEzuSOl-H9xqc>
X-BeenThere: quic@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Main mailing list of the IETF QUIC working group <quic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic>, <mailto:quic-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic/>
List-Post: <mailto:quic@ietf.org>
List-Help: <mailto:quic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic>, <mailto:quic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 30 Nov 2018 00:27:49 -0000

2018年11月30日(金) 6:38 Lubashev, Igor <ilubashe@akamai.com>:
>
> > -----Original Message-----
> > From: Christian Huitema <huitema@huitema.net>
> >
> > On 11/29/2018 11:06 AM, Mike Bishop wrote:
> >
> > > For the first property, Igor’s idea seems sensible.  If the initial
> > > DCID were a hash of the unencrypted packet payload, that doesn’t
> > > require interpreting the ClientHello, just the bytes at the transport.
> > > Then the server would accept Initials with either this property or a
> > > valid token from a Retry.
> >
> > This is making the assumption that if the client repeats an Initial packet, the
> > content will be exactly the same. I know that this is false in at least one case:
> > the first UDP packet contains a short Initial packet coalesced with a 0-RTT
> > packet; the repeated Initial packet contains a long Initial packet, padded up
> > to the required length.
> >
> > If you want to make that work, you want the DCID to be a hash of the crypto
> > frame inside the Initial packet.
>
> I am not sure I see why the coalesced packet matters, since the protection is for the integrity of the Initial QUIC packet only (not the entire UDP datagram).  It seems to be better to protect the entire packet and not just the crypto frame(s).

In addition to PADDING and PN being different, the content of the
CRYPTO frame will be different for the 2nd ClientHello when HRR is
involved.

Therefore, distinguishing different handshake contexts need to be done
using the CRYPTO frame of the first Initial (which is the first
ClientHello message).

>
>
> > But I don't understand very well how that's
> > supposed to be verified by the server. Do we want to specify a default hash
> > algorithm?
>
> The server would need to know the algorithm used.  Any cryptographic hash function would do, but it would need to be specified.
>
> The downside, of course, is another case of multi-path encryption: plaintext -> DCID -> initial packet encryption.

The approach does not help the client, because a middlebox can spoof
the server's Initial packet. A client needs to collect all the Initial
packets it receives, and determine which one was correct. This is why
the complexity is O(N * M) on the client side, as I pointed out in the
mail that started this thread.

>
> - Igor



-- 
Kazuho Oku

v2.23.0 | Report a Bug | By Email