Re: Back to work
Martin Duke <martin.h.duke@gmail.com> Tue, 27 October 2020 20:13 UTC
Return-Path: <martin.h.duke@gmail.com>
X-Original-To: quic@ietfa.amsl.com
Delivered-To: quic@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E43AE3A1582 for <quic@ietfa.amsl.com>; Tue, 27 Oct 2020 13:13:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id sW7pI47G58E8 for <quic@ietfa.amsl.com>; Tue, 27 Oct 2020 13:13:25 -0700 (PDT)
Received: from mail-io1-xd29.google.com (mail-io1-xd29.google.com [IPv6:2607:f8b0:4864:20::d29]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 175113A1580 for <quic@ietf.org>; Tue, 27 Oct 2020 13:13:25 -0700 (PDT)
Received: by mail-io1-xd29.google.com with SMTP id k6so2963468ior.2 for <quic@ietf.org>; Tue, 27 Oct 2020 13:13:25 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=uiWsFfGyZ8zJVA9UE3mtDoc+pejzBoSRRsHY+vwJKp4=; b=rQZzqlqXGtT4yfL5b8EcdtoUDPbSOne03RBPcuDku18lSIobAFjQ3oaMYUcTyvK/vU t0z4mMjqF8ou/tRXc8hKt7gA8WcM5Ksex5qFOk+rv/0+pyMFMtHbtQGHHgFnCyVhEl4+ 6cx5FH82ATb7OOV0H8NgZ2MHb8ZaffCct95moes6adtdmYqkA2kfrmdBotGaa4gkV4Vr MT32r1r5jhlbewO4xvepSG3XpnjcSXA+1w3jKJRbO008oWHPbm5W+l7pNE2ZZAD5eygC T+hJzZLuKS9sdMYuf4gHHUA2nHeX/1IGEmyyibPNN1uHwS4ObZeBZVC2w58lHlte1Z+e iigQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=uiWsFfGyZ8zJVA9UE3mtDoc+pejzBoSRRsHY+vwJKp4=; b=Fkny0qryFpGyFZf9gzVDVKzMWEGJBpE/69L969DJaJdPC89+kBweEtrfzuIuTwhhQJ OwBziVwXK6+KchS0dPd2A7VgQHevAM9JpDzTJkP/iCI5dPFcDh+bJrQiAQZ7+wCbKVFV V193zTTCIA9UyXFnkBkhqrKXz1CiTdwWcJ54E6aM0NyobIKYAJ8SZd2mS+jCJyJyUuoB QOfO5q3M4DiyAAUMNWG76P6Zpq73Z+hbGNSZeFU4uZIbVV+Lw43/4mHr+CP149pNgFA1 GnpMAe5HoQHWAe9ToiWd8Wsu0N/zaKu+m6nH637dIqlqN3rZlOkITogVENT33ZdwBjND kbsA==
X-Gm-Message-State: AOAM531yU5wiacEWb7G1N0nup1sYQS5Fv6ypVEvo7FXnQYNg9wEDlt0/ n/ADyhdhxaq9VwRcSwwR+C+nw/HDpvK0Frob3J4=
X-Google-Smtp-Source: ABdhPJxkgGJXKRLxqdjwiXeh4SFsoLrkoAE/VHfdgz6LtzE84hAwUjyrK+WqYbTVbud6WVmLCSD1dCJpYa9lPBiNH1M=
X-Received: by 2002:a05:6602:160a:: with SMTP id x10mr3434245iow.19.1603829604217; Tue, 27 Oct 2020 13:13:24 -0700 (PDT)
MIME-Version: 1.0
References: <0f150dec-e408-48bf-8e54-05e3e96e7a85@www.fastmail.com> <CALZ3u+a1fBq1MB52H-h-JYY=OOkOo9=jEu7smNVeyy_9U3abEw@mail.gmail.com> <CAKcm_gNoB=nP050VRfw5MXAAw-HhpnKHp6pAx9onaA4a5CH5-Q@mail.gmail.com> <b80cf41524865c171712bfcfca7ef92e2a472044.camel@ericsson.com>
In-Reply-To: <b80cf41524865c171712bfcfca7ef92e2a472044.camel@ericsson.com>
From: Martin Duke <martin.h.duke@gmail.com>
Date: Tue, 27 Oct 2020 13:13:13 -0700
Message-ID: <CAM4esxR8dswqRfaJFS0O5Lg4rL_W3A8geoMWFvEQgrZOJZhJOA@mail.gmail.com>
Subject: Re: Back to work
To: Magnus Westerlund <magnus.westerlund=40ericsson.com@dmarc.ietf.org>
Cc: "ianswett=40google.com@dmarc.ietf.org" <ianswett=40google.com@dmarc.ietf.org>, "ximaera@gmail.com" <ximaera@gmail.com>, "quic@ietf.org" <quic@ietf.org>, "mt@lowentropy.net" <mt@lowentropy.net>
Content-Type: multipart/alternative; boundary="000000000000d6f91205b2acad8a"
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic/K3y2xEf7UCWekzlO4jwHpwcPqwQ>
X-BeenThere: quic@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Main mailing list of the IETF QUIC working group <quic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic>, <mailto:quic-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic/>
List-Post: <mailto:quic@ietf.org>
List-Help: <mailto:quic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic>, <mailto:quic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 27 Oct 2020 20:13:27 -0000
PATH_CHALLENGE MUST be padded as well, so I don't see that as an amplification vector. It might be useful to add language to allow PATH_CHALLENGE to be ignored if not padded (SHOULD ignore?) In migration, the path usually should have already been pre-validated so there is no attack vector once that happens. But Ian's proposal to use the 3x limit is not so great in the NAT rebinding case. If a small packet causes this, data transfer is going to plummet, and we can't simultaneously verify the path and the MTU. On Tue, Oct 27, 2020 at 10:04 AM Magnus Westerlund <magnus.westerlund= 40ericsson.com@dmarc.ietf.org> wrote: > On Tue, 2020-10-27 at 09:12 -0400, Ian Swett wrote: > > Thanks for summarizing this issue. I think the above discussion is about > > immediate migration and repeated immediate migrations, but I also wonder > if > > we've introduced a single packet amplification attack by requiring > > PATH_RESPONSEs be padded on new paths without a requirement on the size > of > > PATH_CHALLENGE(see first item)? > > > > Validating a new path > > If one receives only a PATH_CHALLENGE on a new path, then the server > > responds with a full-sized PATH_RESPONSE. This seems safe. If a > non-padded > > PATH_CHALLENGE is received on a new path, then the peer is supposed to > send a > > fully padded PATH_RESPONSE on the path, which could be >20x larger. I'm > not > > sure if we care about this, but I wanted to point it out. > > > > Immediately migrating to a new path > > I think we should remove the text about allowing kMinimumWindow each > > kInitialRtt after migration and change it to the 3x limit. I'm actually > > surprised the text about 2*kInitialWindow still exists, since recovery > says > > "Until the server has validated the client's address on the path, the > amount > > of data it can send is limited to three times the amount of data > received, as > > specified in Section 8.1 of {{QUIC-TRANSPORT}}.". > > > > In order to not get deadlocked by the 3x factor, I think we should > change the > > newly added MUSTs to only apply to path validation prior to migration, > not the > > peer responding to migration. > > > > My reasoning is that if a peer migrates prior to validating the path, it > means > > it's either unintentional or they have no other choice, so the migrating > peer > > has implicitly decided that validating PathMTU is not a prerequisite to > > migrating. > > So some quesitons and ideas as I think it is relevant to resolve this as > best as > possible. > > So isn't this recreating the issue that if the client initiates a > migration to a > new path that is not QUIC compatible, by responding with a minimal size > packet > and completing the migration and then if the server performs the path > verification with 1200 bytes UDP payload it fails. Thus maintaining a > broken > path. > > So is there need for the non pre-validated path migration case that one > need > need to do a two step process where one will ACK with minimal packet while > initiating path validation. If path validatation fails then maybe one need > to > close down the connection as the migration ended up on a path that was > unable to > support QUIC. The question here is how to avoid the DoS attack this may > open up > if an attack rewrites source address of packets. > > So Maybe the path validation needs to be a two step process. First a return > routability over the new path to verify that it is bi-directional. When > that has > been verified one does a test with minimal MTU to prove it to be QUIC > compatible. This might even be done with application data if there is some > that > are available to send. > > But, I think that one needs to work through the criterias for when the QUIC > connection is shut down under the conditions that the path available is not > supporting 1200 bytes. Also do we end up in a situation where the client > needs > to do the second step itself towards the server to verify the path so that > it > can determine if it needs to try another path if this one doesn't work? > > Cheers > > Magnus > >
- Re: Back to work Christian Huitema
- Re: Back to work Jana Iyengar
- Back to work Martin Thomson
- Re: Back to work Töma Gavrichenkov
- Re: Back to work Ian Swett
- RE: Back to work Nick Banks
- Re: Back to work Magnus Westerlund
- Re: Back to work Martin Duke
- Re: Back to work Kazuho Oku
- Re: Back to work Martin Duke
- Re: Back to work Kazuho Oku
- Re: Back to work Martin Thomson
- Re: Back to work Eric Kinnear
- Re: Back to work Eric Kinnear
- Re: Back to work Mikkel Fahnøe Jørgensen
- Re: Back to work Ian Swett
- Re: Back to work Martin Duke
- Re: Back to work Eric Kinnear
- Re: Back to work Ian Swett
- Re: Back to work Martin Thomson
- Re: Back to work Eric Kinnear
- Re: Back to work Martin Thomson
- Re: Back to work Christian Huitema
- Re: Back to work Martin Thomson
- Re: Back to work Eric Kinnear
- Re: Back to work Ian Swett
- Re: Back to work Martin Duke
- Re: Back to work Ian Swett
- Re: Back to work Martin Duke
- Re: Back to work Ian Swett
- Re: Back to work Magnus Westerlund
- Re: Back to work Gorry Fairhurst