Re: Security of coalesced packets
Mikkel Fahnøe Jørgensen <mikkelfj@gmail.com> Thu, 12 July 2018 07:50 UTC
Return-Path: <mikkelfj@gmail.com>
X-Original-To: quic@ietfa.amsl.com
Delivered-To: quic@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F1351130E01 for <quic@ietfa.amsl.com>; Thu, 12 Jul 2018 00:50:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.997
X-Spam-Level:
X-Spam-Status: No, score=-0.997 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, FREEMAIL_REPLY=1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id eZ3cQG5wCYV5 for <quic@ietfa.amsl.com>; Thu, 12 Jul 2018 00:50:54 -0700 (PDT)
Received: from mail-it0-x236.google.com (mail-it0-x236.google.com [IPv6:2607:f8b0:4001:c0b::236]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C706012F1A2 for <quic@ietf.org>; Thu, 12 Jul 2018 00:50:53 -0700 (PDT)
Received: by mail-it0-x236.google.com with SMTP id w16-v6so5653221ita.0 for <quic@ietf.org>; Thu, 12 Jul 2018 00:50:53 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:in-reply-to:references:mime-version:date:message-id:subject:to :cc; bh=AAAlWmsi9UKqOsRBpa71X3RZmuy7YaFqfUzwgdyW1L8=; b=lcUy62LQRTleiN1JCGLmMIJk0+Qd5K0Hnl6D2m1uUshLD3OwAhyq1sxPU8mKlIAxpd SeWj8bcgX6mJ7N0CFMPSaYBq20JpS46tcY4VlO4+wThzAK/JdX8XpbkV1aaDNHK1hk93 fZdovWrKq0Xl1AkFx8o2jRAbGgg+MqZ5h0yFiZ6uLh1AvcgZCKK/bTQCMjrnjQvcEcAH l385STS7xpmWg7uRS0tv/0Urk0W3ii7UktEUvD+lzXjiZrV1A+Dehfcugvc7jPxXUVDG 4a7F9UxescDrGxEA53MkjihjgX1gks2pos4wlaD6jX+Fwg/D+xMM+h36uYBTcVWwrXlB 21JQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:in-reply-to:references:mime-version:date :message-id:subject:to:cc; bh=AAAlWmsi9UKqOsRBpa71X3RZmuy7YaFqfUzwgdyW1L8=; b=pZcA+2MQCuKYEZO0yJvv8wfM0N7HuKodKO7LaU10s6AdIb2h4P5t7sZQXMatu7TafU Sr2Oml4lxzYbINYjzxkex7x0/+cTrl8kv6fjMwFNFQnc1Yya+NQK2QLRNf7CaIx/0TRe OKU3rMfmwXeo2HaxYLuZv+/OJa6TDG7BxzopUWPk6LdEVNJJySSkj2pVKtQ6KkhygR4t SNR4Mi6ckvpq1MNXMVGQqVEWLInMONpYqo8dhmHYVOmBy6rdghE9mlA5wIY63AODRx6o pyiAJ2Xum/ePA6eZhlEHtK7FvnPYeXGEk8ZXa2MK6mzElaeFELzhOglqHSlN7l0bPzAh u/sA==
X-Gm-Message-State: AOUpUlEvTFfYPh0Ua7JLxdc/7oMCj9jBrJV/t7uL0mM0lYvnrcosZv4d 8WJFg/E0Xuvon0OWwO5fwcuI5ylM6BD2XdeYkQs=
X-Google-Smtp-Source: AAOMgpccV8G45+W2NH7rarCZ1L9OjS1d7bwen+VZtSHDQLLbctD2nzKmm+6CA3MYdSZb9T33rHQIOIMHNNiJLDiWWBY=
X-Received: by 2002:a02:9833:: with SMTP id t48-v6mr617451jaj.111.1531381853046; Thu, 12 Jul 2018 00:50:53 -0700 (PDT)
Received: from 1058052472880 named unknown by gmailapi.google.com with HTTPREST; Thu, 12 Jul 2018 00:50:51 -0700
From: Mikkel Fahnøe Jørgensen <mikkelfj@gmail.com>
In-Reply-To: <CANatvzyrfvjnZ3Y4FKiW0fRVahmArXyaJk9gt2NrZPgaOX-WaQ@mail.gmail.com>
References: <CAN1APdfrjbZvvJj33taJpYCc2utTuHwZx8O6_um-nB7OLpFx5Q@mail.gmail.com> <CANatvzyrfvjnZ3Y4FKiW0fRVahmArXyaJk9gt2NrZPgaOX-WaQ@mail.gmail.com>
X-Mailer: Airmail (420)
MIME-Version: 1.0
Date: Thu, 12 Jul 2018 00:50:51 -0700
Message-ID: <CAN1APddC_-pjZ4Gs-fh56e7KbwyvWxGoAASxAsV+toYZz33rZg@mail.gmail.com>
Subject: Re: Security of coalesced packets
To: Kazuho Oku <kazuhooku@gmail.com>
Cc: IETF QUIC WG <quic@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000005dd3310570c89f00"
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic/TUVasgJzFlXuQvl_0jTde2QrwPw>
X-BeenThere: quic@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: Main mailing list of the IETF QUIC working group <quic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic>, <mailto:quic-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic/>
List-Post: <mailto:quic@ietf.org>
List-Help: <mailto:quic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic>, <mailto:quic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 12 Jul 2018 07:50:56 -0000
Would you mind elaborating what the additional attack vector by allowing on-path devices to embed octets introduces? It is widely known that there are is broad logging of traffic at major distribution points, typically controlled by various state actors or related agencies. Hence, if you can inject a signal early on the path, you can collect it later for correlation. Additionally script kiddies might be able to inject traffic monitoring at corporate traffic gateways so work at home employees could ferry payload via their NAT router to somewhere inside the firewall, and vice versa. Thus you could download massive amounts of sensitive data undetected such as stealing operating system source code or the latest release of Shawn the Sheep extended DVD edition. On 12 July 2018 at 09.30.01, Kazuho Oku (kazuhooku@gmail.com) wrote: 2018-07-12 15:44 GMT+09:00 Mikkel Fahnøe Jørgensen <mikkelfj@gmail.com>: > An issues was recently closed regarding what to do when UDP datagrams > contain coalesced QUIC packets where some are not understood. The > requirement is that the connection ID must match in all QUIC packets but > otherwise packets that do not verify should be buffered or ignored > independently of other packets. > > https://github.com/quicwg/base-drafts/issues/1319#issuecomment-404403569 > > There are good reasons to coalesce because it makes the early handshake much > more efficient and there are good reasons to allow packets that do not > verify because they may relate to key material not yet available. > > However, considering the effort spend in trying to avoid linkability, it > appears to me that third-parties can easily inject tracking information in > ordinary QUIC packets using the coalescing mechanism. Would you mind elaborating what the additional attack vector by allowing on-path devices to embed octets introduces? Current design just throws away the junk. It does not affect the state of the connection. So while it is possible for an on-path device to alter the packet, the device cannot see if it reached the peer. To me the situation seems indifferent to on-path devices sending additional packet using the 5-tuple when it sees a packet belonging to the QUIC connection. > > Even if the connection ID must match, it is easy to just copy the connection > ID from the primary packet and insert a global tracking cookie near the > source of the packet, such as in a compromised home NAT router. > > Tracking can also be done with ordinary tunnelling but that is sometimes > desirable inside infrastructure, and far more difficult to manipulate > outside such boundaries - e.g. a compromised NAT router would not be able to > do it. > > These issues could be avoided by only permitting certain early packets to > coalesce. > > I do not have the overview of other possible valid uses of coalescing such > as during migration or rekeying. > > > Kind Regards, > Mikkel Fahnøe Jørgensen > -- Kazuho Oku
- Security of coalesced packets Mikkel Fahnøe Jørgensen
- Re: Security of coalesced packets Martin Thomson
- Re: Security of coalesced packets Mikkel Fahnøe Jørgensen
- Re: Security of coalesced packets Mikkel Fahnøe Jørgensen
- Re: Security of coalesced packets Kazuho Oku
- Re: Security of coalesced packets Mikkel Fahnøe Jørgensen
- Re: Security of coalesced packets Kazuho Oku