Re: How does a server identify a new connection?
Kazuho Oku <kazuhooku@gmail.com> Fri, 30 November 2018 01:49 UTC
Return-Path: <kazuhooku@gmail.com>
X-Original-To: quic@ietfa.amsl.com
Delivered-To: quic@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A53E11277C8 for <quic@ietfa.amsl.com>; Thu, 29 Nov 2018 17:49:51 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id eq31rK01vXpJ for <quic@ietfa.amsl.com>; Thu, 29 Nov 2018 17:49:49 -0800 (PST)
Received: from mail-lj1-x22b.google.com (mail-lj1-x22b.google.com [IPv6:2a00:1450:4864:20::22b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D6F7212008A for <quic@ietf.org>; Thu, 29 Nov 2018 17:49:48 -0800 (PST)
Received: by mail-lj1-x22b.google.com with SMTP id e5-v6so3568155lja.4 for <quic@ietf.org>; Thu, 29 Nov 2018 17:49:48 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :content-transfer-encoding; bh=GyIFFALLhb3kozR+RL0NzsFqWUhco+jcYzJJB8s1cvc=; b=IiAYseTMRBHkDSy//Wiv5gfKquL6evAAnm7LOgqVTj/nWtv9D5HMEupBXw0eGt3KVI C+89x1EULDQLBtqwdVUhLp8qTGMTGxJCg825xp/86pHhveaQ7X8Oklav+xzheNP7czOv txGxg/lqZ8mRtr8CMsXjP4b+5GtsuvMwnoQt/6uv8P2tMxdQ9rhyxu9mqrgxIVqRlnuF QFB7wkQ4pbaP8hZd7OkbhWt6iIuWFLxlO8bw6X5JMXtEhY4fZNm58UrviM2giswN6X9s ViVEH258jFCmpKS7Oryg/nujSWZIk3Sq03X+ObQU0/pHJKM/9XOxb8opkAvHsC3+B7+j DiKw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:content-transfer-encoding; bh=GyIFFALLhb3kozR+RL0NzsFqWUhco+jcYzJJB8s1cvc=; b=TRcDu+UUeSrgfDRQPur8pICPQhuIRFM+GAEN8h7FsZMAa6ao9fSGx1w1Bvi9gurOOn wqMdRKHhpiNcxlcQyH7m540uAbwbJAPdkAoVVinofRcBCyK5XWtFe9a9gHaAugjxRBWd 5ywnOEjf1YzKvc32L0a3iOB6uHsdMUn8ACA1YVYz6WXOd9c2yyH6wO70vQKpNBjzOSQp SJ3YD/SSzpvY/OA5Fc8riEITGwOAtp8RbVwWvzXC/aVg7C5TWZc/bKnGPi2dVuQdSIAT 2rjbnj3LbYYmF0mBsie94SD4QTr/jSPDQ4S7pJlQNVupBMRxcDaoYUJBPT0HHdp4JjRn zYEQ==
X-Gm-Message-State: AA+aEWagC7YDThE+8CStM9bopw7+Nc2eVmlRXZqBBsfwoZOT4xwlpjst kwQguxWmGnegK4aXlJlbBnhbMG47DKSU9cmzvIsP872QGJ8=
X-Google-Smtp-Source: AFSGD/UJj94biwggg8JaIJS9mCg7Yg8bUfZvtr2ZtsosXvecfTW8whN/6kd6ZbP47h/983dadD6zdhPEMhqrRgYOeAU=
X-Received: by 2002:a2e:86ca:: with SMTP id n10-v6mr2465895ljj.49.1543542586884; Thu, 29 Nov 2018 17:49:46 -0800 (PST)
MIME-Version: 1.0
References: <CANatvzzaW-y6y6qN-K4W91WL+3A0fV3SLbOqcq5+SB=qXDpRXw@mail.gmail.com>
In-Reply-To: <CANatvzzaW-y6y6qN-K4W91WL+3A0fV3SLbOqcq5+SB=qXDpRXw@mail.gmail.com>
From: Kazuho Oku <kazuhooku@gmail.com>
Date: Fri, 30 Nov 2018 10:49:28 +0900
Message-ID: <CANatvzwconP3Zcr4VS9T-ciF3yC1VFGsT_1c-q3XLUHHSF08Tw@mail.gmail.com>
Subject: Re: How does a server identify a new connection?
To: IETF QUIC WG <quic@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic/YEt56t4X8A8e528Ah1QGmC8ploA>
X-BeenThere: quic@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Main mailing list of the IETF QUIC working group <quic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic>, <mailto:quic-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic/>
List-Post: <mailto:quic@ietf.org>
List-Help: <mailto:quic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic>, <mailto:quic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 30 Nov 2018 01:49:52 -0000
I've submitted a PR that implements the proposed approach. https://github.com/quicwg/base-drafts/pull/2076 2018年11月29日(木) 11:30 Kazuho Oku <kazuhooku@gmail.com>: > > So far, we have been trying to spend reasonable effort to prevent > man-on-the-side attacks. > > Specifically, PR #2045 (Discard Initial keys as soon as possible) is > an attempt to prevent that during the handshake. > > Assuming that we adopt the PR, client's complexity of avoiding a > man-on-the-side attack becomes O(M*N) where M is the number of > server's Initial packets (assuming that ServerHello fits in one packet > and HRR is not involved) and N is the number of packets being received > [1]. > > However, there still exists an attack vector. The attacker can target > the server instead, racing an Initial packet. If the attacker's > Initial (that contain a different ClientHello) reaches the server > before the one sent by the client, the TLS handshake would fail, > assuming that the server considers those two Initial packets to be > belonging to the same connection. > > The question is if (and how) we can prevent that from happening. > > One way that might work is to use H(SCIDL || DCIDL || SCID || DCID || > ClientHello) of the Initial packet where H is a cryptographic hash > function to identify each connection establishment attempt. In > practice, a server would remember this value for each connection, and > if the value differs from a known value, creates a new connection > context and responds with an Initial that contains a new Server CID > (even if the 5-tuple and Client's CID is identical to an existing > connection). > > Does this sound sufficient to avoid the man-on-the-side attack > targeting the server racing Initial packets? Is there a better way? > Should we describe this type of construction in the drafts? > > > [1] https://docs.google.com/document/d/1fRsJqPinJl8N3b-bflDRV6auojfJLkxddT93j6SwHY8/edit > section 3.4 > > -- > Kazuho Oku -- Kazuho Oku
- Re: How does a server identify a new connection? Kazuho Oku
- How does a server identify a new connection? Kazuho Oku
- Re: How does a server identify a new connection? Martin Thomson
- Re: How does a server identify a new connection? Martin Thomson
- Re: How does a server identify a new connection? Kazuho Oku
- Re: How does a server identify a new connection? Martin Thomson
- Re: How does a server identify a new connection? Mikkel Fahnøe Jørgensen
- Re: How does a server identify a new connection? Kazuho Oku
- Re: How does a server identify a new connection? Mikkel Fahnøe Jørgensen
- Re: How does a server identify a new connection? Kazuho Oku
- Re: How does a server identify a new connection? Mikkel Fahnøe Jørgensen
- RE: How does a server identify a new connection? Lubashev, Igor
- RE: How does a server identify a new connection? Mike Bishop
- Re: How does a server identify a new connection? Christian Huitema
- RE: How does a server identify a new connection? Lubashev, Igor
- Re: How does a server identify a new connection? Christian Huitema
- RE: How does a server identify a new connection? Lubashev, Igor
- Re: How does a server identify a new connection? Kazuho Oku
- Re: How does a server identify a new connection? Kazuho Oku
- Re: How does a server identify a new connection? Dmitri Tikhonov
- Re: How does a server identify a new connection? Christian Huitema
- Re: How does a server identify a new connection? Dmitri Tikhonov
- Re: How does a server identify a new connection? Kazuho Oku
- Re: How does a server identify a new connection? Dmitri Tikhonov
- Re: How does a server identify a new connection? Kazuho Oku
- Re: How does a server identify a new connection? Dmitri Tikhonov
- Re: How does a server identify a new connection? Mikkel Fahnøe Jørgensen
- Re: How does a server identify a new connection? Mikkel Fahnøe Jørgensen
- Re: How does a server identify a new connection? Chuck Crisler
- Re: How does a server identify a new connection? Mikkel Fahnøe Jørgensen
- Re: How does a server identify a new connection? Christian Huitema
- Re: How does a server identify a new connection? Mikkel Fahnøe Jørgensen
- Re: How does a server identify a new connection? Kazuho Oku
- Re: How does a server identify a new connection? Dmitri Tikhonov
- Re: How does a server identify a new connection? Mikkel Fahnøe Jørgensen
- Re: How does a server identify a new connection? Mikkel Fahnøe Jørgensen
- Re: How does a server identify a new connection? Mikkel Fahnøe Jørgensen
- Re: How does a server identify a new connection? Christian Huitema
- Re: How does a server identify a new connection? Dmitri Tikhonov
- Re: How does a server identify a new connection? Christian Huitema
- Re: How does a server identify a new connection? Kazuho Oku
- Re: How does a server identify a new connection? Dmitri Tikhonov