IETF Logo Mail Archive

Re: How does a server identify a new connection?

Mikkel Fahnøe Jørgensen <mikkelfj@gmail.com> Mon, 03 December 2018 14:33 UTC

Return-Path: <mikkelfj@gmail.com>
X-Original-To: quic@ietfa.amsl.com
Delivered-To: quic@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8DC8512008A for <quic@ietfa.amsl.com>; Mon, 3 Dec 2018 06:33:02 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lWrUqamPcWex for <quic@ietfa.amsl.com>; Mon, 3 Dec 2018 06:33:00 -0800 (PST)
Received: from mail-it1-x135.google.com (mail-it1-x135.google.com [IPv6:2607:f8b0:4864:20::135]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EED89130DEE for <quic@ietf.org>; Mon, 3 Dec 2018 06:32:59 -0800 (PST)
Received: by mail-it1-x135.google.com with SMTP id b5so8795299iti.2 for <quic@ietf.org>; Mon, 03 Dec 2018 06:32:59 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:in-reply-to:references:mime-version:date:message-id:subject:to :cc; bh=RoOmqJFKX5pg9JjX2Kc7x5ONS6+Y0JH5iUN3qXulBZ8=; b=XYzn6e1wv0olwFuRCYkksPnhYjNQ73dhGn2UwxMzsCWJiyzyV4EaE0IQJ35j7O8EBF ifNmz0a7xOI1W4/lPXLQtBcNgjLPdoAsHre5LAdtQxIy2jxtxmwTOTdAK48f2chin26g UZZZ9QfCoFRlTZgMFtnO/3yPSEn/ykrB1AR980xp0HnU/5oRx+xhv1ewIjEN7pRJjriV g3kd9NWY2vm5oJPIXnMRiVxzVVW7/008CZDT0rbBJMi9qlziLEA0TszRut4/Giu5AQBs H17O6i07J0LKePU6COICgbFtrP1AVXC+oqahFJXg/Q0UVR3oTi3UFeHbkQIXGc8n4Hrl g5Ag==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:in-reply-to:references:mime-version:date :message-id:subject:to:cc; bh=RoOmqJFKX5pg9JjX2Kc7x5ONS6+Y0JH5iUN3qXulBZ8=; b=VQ4J09AryiF8pOppFPJzSBM3PAo/Rd1/ekSRgwiZ/CrTIU7Vv1bI0mD865VQUJE+RA BbQHByxptMsp/44FmmmVIXwRwuFoNOFUkhogMeCiNgID4RPlbk7oYLpO5jCnCc6NHNaX zizfaQK1UaKk8loRSKaSAbcMOjVDlJW5krk0SoSUtISn2taySxugMi/KBqdvJfueUsUl RVmOCJcPdANq2sF6xLFlVgLtZ6jNf8Imh2gr1Ir4dvGUjy7dX+qaUA9eZYOtqAiTtOVo 5KTqQhuXQ5zAXZ+VWV8Y6JKXPfRi6SycxyXU/lssOMkHW8BfXzg8B2JsNfWkVIbv2W25 rNfw==
X-Gm-Message-State: AA+aEWYtkSLWKdDr2cYTFr7qlDsxiOBzkYuvvFrlAIYKgdFmmN6/vXz2 O4nVRhAvP5K4AF5XRTUPJpX4QnnLelzU1sJb6e0=
X-Google-Smtp-Source: AFSGD/W2eyY8ScX4JKVLv+1Y+KxxTftDJiodAAXaqNVdn3GFYrbxkRPmTjcjcnc1Ecs8GT8eRymIjSvCVVcUpj2gdSk=
X-Received: by 2002:a05:660c:81a:: with SMTP id j26mr8005178itk.70.1543847579309; Mon, 03 Dec 2018 06:32:59 -0800 (PST)
Received: from 1058052472880 named unknown by gmailapi.google.com with HTTPREST; Mon, 3 Dec 2018 09:32:58 -0500
From: Mikkel Fahnøe Jørgensen <mikkelfj@gmail.com>
In-Reply-To: <20181203135630.GA8140@ubuntu-dmitri>
References: <CANatvzzaW-y6y6qN-K4W91WL+3A0fV3SLbOqcq5+SB=qXDpRXw@mail.gmail.com> <CABkgnnV9ONF5LEuCnpy8BsOHnFGidFbVKoMOeM9EohabMBMV6A@mail.gmail.com> <CANatvzxyUm86dNYAwiXeY_xHtcQBKuVWxa_3=9rgmFJtC4u+yw@mail.gmail.com> <20181130153734.GB19030@ubuntu-dmitri> <4A523623-09FD-4101-90A2-FCE202585B01@huitema.net> <20181130164440.GC19030@ubuntu-dmitri> <CANatvzw6+HKbXqqP_MK1rvF3dSiLryhMRABnxV6VUmdJnNQoKw@mail.gmail.com> <20181203031430.GA29864@ubuntu-dmitri> <CANatvzxicJ2D48cpNJe3Cz8+ju0VJmf25+8NTdjSvJXH8j9bog@mail.gmail.com> <20181203135630.GA8140@ubuntu-dmitri>
X-Mailer: Airmail (420)
MIME-Version: 1.0
Date: Mon, 03 Dec 2018 09:32:58 -0500
Message-ID: <CAN1APdd8h0wVSr6kpLXnc7T7O5tbPBbsij9jyV6ooUxMAHg8Xw@mail.gmail.com>
Subject: Re: How does a server identify a new connection?
To: Dmitri Tikhonov <dtikhonov@litespeedtech.com>, Kazuho Oku <kazuhooku@gmail.com>
Cc: Martin Thomson <martin.thomson@gmail.com>, Christian Huitema <huitema@huitema.net>, IETF QUIC WG <quic@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000008d6179057c1f06c5"
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic/XQoeYjkN3Er0hqiQdfeJwfIFY8A>
X-BeenThere: quic@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Main mailing list of the IETF QUIC working group <quic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic>, <mailto:quic-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic/>
List-Post: <mailto:quic@ietf.org>
List-Help: <mailto:quic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic>, <mailto:quic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 03 Dec 2018 14:33:03 -0000

It ought not be that difficult to race packets. I know someone who measured
a cross Atlantic datacenter to datacenter vs public network to same
location.
It was 30ms faster on the internal network. It might have been RTT in which
case a packet race it is still 15ms faster.

So if you have good connectivity it is viable to race packets over longer
distances.



On 3 December 2018 at 14.56.54, Dmitri Tikhonov (dtikhonov@litespeedtech.com)
wrote:

On Mon, Dec 03, 2018 at 01:17:06PM +0900, Kazuho Oku wrote:
> 2018年12月3日(月) 12:14 Dmitri Tikhonov <dtikhonov@litespeedtech.com>:
> > Why is the client struggling? In other words, what attack are we
> > defending against? Is this a real attack -- an adversary racing
> > against the very first client packet -- or a theoretical attack?
>
> I am not sure if the question is good way to consider how QUIC will be
> attacked, because the security properties (and therefore the attack
> vectors) of QUIC is different from that of TCP (that optionally have
> used TLS older than 1.3).

The question is asked in order to understand whether the proposed
defense mechanism is reasonable to implement. The implementation
cost on the server is high given that the attack does not exist.

> Having that said, what we know is that 1) man-on-the-side reset
> injection is a common technique, and 2) it is often coupled with
> packet payload inspection [1].

The reset injection attack described in the referred paper (Section
4.2.3) injects RST packets into an-already established connection.
Both in this and in the Quantum Insert scenarios the injected
packets do not have to race the legitimate packet(s) that were used
to construct them. This seems like an impossible problem for the
man-on-the-side to solve.

> With TLS 1.3, the only remaining way for a middlebox to inspect the
> payload of a packet in practice is to look at the SNI of the
> ClientHello. With QUIC, injection during the exchange of Initial
> packets would be the only way for a man-on-the-side attacker to
> disrupt the connection (assuming that we address the issue with
> spoofing path challenges / responses).
>
> Considering that, I would assume that racing a spoofed Initial to the
> server will be one of the vectors to be considered by the attackers,
> and therefore it's worth considering, documenting and encouraging
> implementations to have the countermeasures.

I agree that it's worth considering. I have been wanting to see how
this vector could be used for an attack by the man-on-the-side, but
no explanation has been put forth so far.

- Dmitri.

> [1] https://tools.ietf.org/html/draft-hall-censorship-tech-06

v2.23.0 | Report a Bug | By Email