IETF Logo Mail Archive

Re: Back to work

Martin Duke <martin.h.duke@gmail.com> Tue, 27 October 2020 23:23 UTC

Return-Path: <martin.h.duke@gmail.com>
X-Original-To: quic@ietfa.amsl.com
Delivered-To: quic@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4D0913A067A for <quic@ietfa.amsl.com>; Tue, 27 Oct 2020 16:23:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id IvLmRXbHuvGn for <quic@ietfa.amsl.com>; Tue, 27 Oct 2020 16:23:43 -0700 (PDT)
Received: from mail-io1-xd34.google.com (mail-io1-xd34.google.com [IPv6:2607:f8b0:4864:20::d34]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6F6163A05D0 for <quic@ietf.org>; Tue, 27 Oct 2020 16:23:43 -0700 (PDT)
Received: by mail-io1-xd34.google.com with SMTP id k21so3412261ioa.9 for <quic@ietf.org>; Tue, 27 Oct 2020 16:23:43 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=GhoYou9Bk9u2nHpXS+KWZhhRUh0usNX/DcXIi0TEvkM=; b=cdJRsxNvDJtel+Cmj9deoty6PR6rIaqq2UpSe5byde86bALAPbBxTKXOOA95ReYEP0 0PcoEYRI13m8c+x7DC0L45rpMn0geN7vKnyJQPP6q/rpWg57wZTkBke4fvnJUaKdA14u m8sFiqSySZALiWVozY+UZrqaSF20p9dp9Qaszsgh2fGSAQuzeArsdPQezgmRMEfDbZlZ HcKMAsvBSB9W4S2PK3rGerNcAQ2HbdHpBv7OrdSeI4DeW7wKjRhuXogUrNoHDBKu5E9q mVje/2xV15GQB53Y00EK0g2xD9sIjRZxtKxZExLDpSxpfP8eFrIuQty0T0hljIJqy+Je bJhw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=GhoYou9Bk9u2nHpXS+KWZhhRUh0usNX/DcXIi0TEvkM=; b=PiKvIBwwCGSYqOC7ZLjzMaJGopJKZX1l5lNiAU/Dq5OwMePkuigBl4Hdrk32qv3aF3 J1fE3DuwEr1QmKCwP35jQ33yZDdSQoAzByhrEu5/7M1JYBn598s25G3LMWrpe+ijRO2Q dyD6zIpZYQcMr6vZYvWoInHvmyvH+dFrHfqVoza7O3jjOB4442xfob9T+WwcFjq/D091 piwwWzpE3FIYe+0X7Di/JIeGTYVIxk3fgnX3h2FUTy2NnwdUXJNTiCMSpNMdsXb4VyMN fY54I0r+uXEebP/VVR8yUGNtqSFSwiAiBgERv/s0ragu7FqDD0Je13HuK6ldt+61O+ws A5CA==
X-Gm-Message-State: AOAM532EXXkg3ePXD/Ow32j8oJbSr7rYSj2Gs2PLTFAWccKGyw95Hw3b INFLAPSY9IrDh/eYbN48xolODdE6auJTtBXWAwI=
X-Google-Smtp-Source: ABdhPJxwe+//Gwxgn5SJNmITDsHVyjCQtWSyJwrthyW94EKiRZsc792v8h4AJsbXs8yki8RfWyWJTiHOESdrB6IjqNg=
X-Received: by 2002:a02:1783:: with SMTP id 125mr4561381jah.121.1603841022688; Tue, 27 Oct 2020 16:23:42 -0700 (PDT)
MIME-Version: 1.0
References: <0f150dec-e408-48bf-8e54-05e3e96e7a85@www.fastmail.com> <CALZ3u+a1fBq1MB52H-h-JYY=OOkOo9=jEu7smNVeyy_9U3abEw@mail.gmail.com> <CAKcm_gNoB=nP050VRfw5MXAAw-HhpnKHp6pAx9onaA4a5CH5-Q@mail.gmail.com> <b80cf41524865c171712bfcfca7ef92e2a472044.camel@ericsson.com> <CAM4esxR8dswqRfaJFS0O5Lg4rL_W3A8geoMWFvEQgrZOJZhJOA@mail.gmail.com> <CANatvzw28JXqxGs7us68i7Y2Fst1KTgF7kVyOKa0xRfxx9dw4g@mail.gmail.com>
In-Reply-To: <CANatvzw28JXqxGs7us68i7Y2Fst1KTgF7kVyOKa0xRfxx9dw4g@mail.gmail.com>
From: Martin Duke <martin.h.duke@gmail.com>
Date: Tue, 27 Oct 2020 16:23:31 -0700
Message-ID: <CAM4esxRuZbnGL94BYzZYR9GynJ2Jvucsfm69_XJt8E6yd1LJcw@mail.gmail.com>
Subject: Re: Back to work
To: Kazuho Oku <kazuhooku@gmail.com>
Cc: Magnus Westerlund <magnus.westerlund=40ericsson.com@dmarc.ietf.org>, "quic@ietf.org" <quic@ietf.org>, "ximaera@gmail.com" <ximaera@gmail.com>, "mt@lowentropy.net" <mt@lowentropy.net>, "ianswett=40google.com@dmarc.ietf.org" <ianswett=40google.com@dmarc.ietf.org>
Content-Type: multipart/alternative; boundary="0000000000006f00b705b2af56b8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic/Vree6Fo3tDpixttD_uptNooBn2s>
X-BeenThere: quic@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Main mailing list of the IETF QUIC working group <quic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic>, <mailto:quic-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic/>
List-Post: <mailto:quic@ietf.org>
List-Help: <mailto:quic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic>, <mailto:quic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 27 Oct 2020 23:23:45 -0000

Again the spec says PATH_CHALLENGE MUST be padded to 1200

On Tue, Oct 27, 2020 at 4:17 PM Kazuho Oku <kazuhooku@gmail.com> wrote:

>
>
> 2020年10月28日(水) 5:13 Martin Duke <martin.h.duke@gmail.com>:
>
>> PATH_CHALLENGE MUST be padded as well, so I don't see that as an
>> amplification vector. It might be useful to add language to allow
>> PATH_CHALLENGE to be ignored if not padded (SHOULD ignore?)
>>
>
> The problem here is that an attacker might establish a connection, then
> send small-sized datagrams containing PATH_CHALLENGE frames. Therefore, if
> we are to have a stringent amplification limit for path migration (BTW, I
> like Ian's proposal), we should better block this attack vector too.
>
> So maybe something like "MUST NOT send PATH_RESPONSE frames in response to
> PATH_CHALLENGE frame carried by a datagram that is less than 1200 bytes."
>
>
>> In migration, the path usually should have already been pre-validated so
>> there is no attack vector once that happens.
>>
>> But Ian's proposal to use the 3x limit is not so great in the NAT
>> rebinding case. If a small packet causes this, data transfer is going to
>> plummet, and we can't simultaneously verify the path and the MTU.
>>
>> On Tue, Oct 27, 2020 at 10:04 AM Magnus Westerlund <magnus.westerlund=
>> 40ericsson.com@dmarc.ietf.org> wrote:
>>
>>> On Tue, 2020-10-27 at 09:12 -0400, Ian Swett wrote:
>>> > Thanks for summarizing this issue. I think the above discussion is
>>> about
>>> > immediate migration and repeated immediate migrations, but I also
>>> wonder if
>>> > we've introduced a single packet amplification attack by requiring
>>> > PATH_RESPONSEs be padded on new paths without a requirement on the
>>> size of
>>> > PATH_CHALLENGE(see first item)?
>>> >
>>> > Validating a new path
>>> > If one receives only a PATH_CHALLENGE on a new path, then the server
>>> > responds with a full-sized PATH_RESPONSE.  This seems safe.  If a
>>> non-padded
>>> > PATH_CHALLENGE is received on a new path, then the peer is supposed to
>>> send a
>>> > fully padded PATH_RESPONSE on the path, which could be >20x larger.
>>> I'm not
>>> > sure if we care about this, but I wanted to point it out.
>>> >
>>> > Immediately migrating to a new path
>>> > I think we should remove the text about allowing kMinimumWindow each
>>> > kInitialRtt after migration and change it to the 3x limit.  I'm
>>> actually
>>> > surprised the text about 2*kInitialWindow still exists, since recovery
>>> says
>>> > "Until the server has validated the client's address on the path, the
>>> amount
>>> > of data it can send is limited to three times the amount of data
>>> received, as
>>> > specified in Section 8.1 of {{QUIC-TRANSPORT}}.".
>>> >
>>> > In order to not get deadlocked by the 3x factor, I think we should
>>> change the
>>> > newly added MUSTs to only apply to path validation prior to migration,
>>> not the
>>> > peer responding to migration.
>>> >
>>> > My reasoning is that if a peer migrates prior to validating the path,
>>> it means
>>> > it's either unintentional or they have no other choice, so the
>>> migrating peer
>>> > has implicitly decided that validating PathMTU is not a prerequisite to
>>> > migrating.
>>>
>>> So some quesitons and ideas as I think it is relevant to resolve this as
>>> best as
>>> possible.
>>>
>>> So isn't this recreating the issue that if the client initiates a
>>> migration to a
>>> new path that is not QUIC compatible, by responding with a minimal size
>>> packet
>>> and completing the migration and then if the server performs the path
>>> verification with 1200 bytes UDP payload it fails. Thus maintaining a
>>> broken
>>> path.
>>>
>>> So is there need for the non pre-validated path migration case that one
>>> need
>>> need to do a two step process where one will ACK with minimal packet
>>> while
>>> initiating path validation. If path validatation fails then maybe one
>>> need to
>>> close down the connection as the migration ended up on a path that was
>>> unable to
>>> support QUIC. The question here is how to avoid the DoS attack this may
>>> open up
>>> if an attack rewrites source address of packets.
>>>
>>> So Maybe the path validation needs to be a two step process. First a
>>> return
>>> routability over the new path to verify that it is bi-directional. When
>>> that has
>>> been verified one does a test with minimal MTU to prove it to be QUIC
>>> compatible. This might even be done with application data if there is
>>> some that
>>> are available to send.
>>>
>>> But, I think that one needs to work through the criterias for when the
>>> QUIC
>>> connection is shut down under the conditions that the path available is
>>> not
>>> supporting 1200 bytes. Also do we end up in a situation where the client
>>> needs
>>> to do the second step itself towards the server to verify the path so
>>> that it
>>> can determine if it needs to try another path if this one doesn't work?
>>>
>>> Cheers
>>>
>>> Magnus
>>>
>>>
>
> --
> Kazuho Oku
>

v2.23.0 | Report a Bug | By Email