Re: Going STEK-less with QUIC?

Kazuho Oku <kazuhooku@gmail.com> Tue, 27 July 2021 23:03 UTC

Return-Path: <kazuhooku@gmail.com>
X-Original-To: quic@ietfa.amsl.com
Delivered-To: quic@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3C2013A0E02 for <quic@ietfa.amsl.com>; Tue, 27 Jul 2021 16:03:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.096
X-Spam-Level:
X-Spam-Status: No, score=-2.096 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GkHb8kGUJtOy for <quic@ietfa.amsl.com>; Tue, 27 Jul 2021 16:03:09 -0700 (PDT)
Received: from mail-ej1-x62e.google.com (mail-ej1-x62e.google.com [IPv6:2a00:1450:4864:20::62e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F235B3A0DF2 for <quic@ietf.org>; Tue, 27 Jul 2021 16:03:08 -0700 (PDT)
Received: by mail-ej1-x62e.google.com with SMTP id jg2so1475163ejc.0 for <quic@ietf.org>; Tue, 27 Jul 2021 16:03:08 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=hSxCSseEKLjKpN2yqPP0sWLjWC0M1nEUxqElSiQSPCw=; b=joOUsvdAlwA72Bwh+tumuzQMpMOQKDTE1cONyoIqyIGyZ5FIoFVspJsWaUOdSt7nCg 5HXh9yimNyNbUQt1KS+qdjf4/sFU/M49YxploXigqADBAA9DndgI0uNubWKuMNmbhAoe T1J065MzMq7mTgLDKVwYSVf9aXbENyI8nNcZFWuxScy7Kdwke/4Ku7F2AhmXpj08gslk tCg08ztsclCxffROwrH6Dw4EXRnT3XuaaJZjtosTp9ECevVRKftRTaIliCsl2xCb8gi6 pjDBXYDic+tzLb+2GeD7THgJqI3PsOF6e4d5Jo/IgZx4cqjAphkrEOj25sG1T/wR+ag3 Er6A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=hSxCSseEKLjKpN2yqPP0sWLjWC0M1nEUxqElSiQSPCw=; b=Ya7pObCv80ISSakX7wEOhFwa73Hrddqa75ofibjDxnanqBodzw7UPrrCk2e2frhSZ4 vlP8o7sRLnWw1p2BCn/zcy4zCzkz2NQzFBOkgbUBgnsjrbq1g87I/VC6bvEigX31CDif 3iZ1gKBAyRfinyfW0CqdSCab+BW3pfEgyMVBNjIFKKt7epyCgvye/jF7IbWYX0JLdCyv FwnyQJ3oRlkMgtE2oSlEy53oeCrwixNjf8yReYB0kWolvl/cGKZ3AIOgT7GGTYlBwe/U 58+urKR7u+46U7qzzuhI7rb2MnUObSdgaMhNM2xOItjohpXX+E5HV8/VJoovib6HIGQo oxZA==
X-Gm-Message-State: AOAM5300WkMfHFgOaIznDf743QgfF8hg400oScSHrmJRfW2O5mwIURQ9 V6rFncvmLIqfDy1UyYKcqGNbZD37WHVmEE5paX9JCNzRJ+w=
X-Google-Smtp-Source: ABdhPJwNTshTJO2D/+NzrJxft64bWx0sEXtTofJ990D3p47RdVOqPnXUY8lfqA3WckvaHWpStEYq9EmvuWKr4bjTizA=
X-Received: by 2002:a17:906:b811:: with SMTP id dv17mr6324946ejb.444.1627426986115; Tue, 27 Jul 2021 16:03:06 -0700 (PDT)
MIME-Version: 1.0
References: <7265bac0-f54b-0e5b-d5b6-572550809f0f@huitema.net>
In-Reply-To: <7265bac0-f54b-0e5b-d5b6-572550809f0f@huitema.net>
From: Kazuho Oku <kazuhooku@gmail.com>
Date: Wed, 28 Jul 2021 08:02:54 +0900
Message-ID: <CANatvzxBKNf+YdNLPwG=QpZv33o0Mp7uRU+N4JQUpYfbDypQkQ@mail.gmail.com>
Subject: Re: Going STEK-less with QUIC?
To: Christian Huitema <huitema@huitema.net>
Cc: IETF QUIC WG <quic@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000067c4ee05c822df6b"
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic/_CaogVQyMgApyBXbbQNTEhejyQs>
X-BeenThere: quic@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Main mailing list of the IETF QUIC working group <quic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic>, <mailto:quic-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic/>
List-Post: <mailto:quic@ietf.org>
List-Help: <mailto:quic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic>, <mailto:quic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 27 Jul 2021 23:03:15 -0000

2021年7月28日(水) 6:05 Christian Huitema <huitema@huitema.net>:

> In theory, TLS 1.3 provides strong future secrecy guarantees, but the
> handling of session tickets can compromise that. In theory, the session
> Ticket could be a simple identifier, used by the server to retrieve the
> context of a past session. In practice, many servers encode the relevant
> session context data in the session ticket itself, using a Session
> Ticket Encryption Key (STEK). For server farms, there is no guarantee
> that the resumed session will hit the same server as the initial
> session, so in practice all servers in the farm share the STEK. And
> then, we have a serious future secrecy issue: if the STEK leaks, the
> attackers can decrypt all the sessions that were encrypted with that
> STEK, and might also be able to decrypt the initial sessions. In short,
> STEKs are convenient but risky.
>
> The load balancing draft defines Connection ID formats that assure that
> packets get routed to the right server in a pool. I think that we could
> use these connection IDs to ensure that a resumed connection goes back
> to the same server as the initial server. The simplest implementation
> would be for the client to remember one of the "New connection IDs"
> received in the initial session, and use that as Initial Connection ID
> in the resumed session. Once we do that, we get options. The server
> could for example have a server specific STEK, which reduces the impact
> of leaking STEk to just the sessions handled by that server, instead of
> all the sessions by servers sharing the STEK. Or, the server could just
> remember contexts of past sessions locally, and just place an identifier
> of that context in the session ticket, effectively going STEK-less.
>
> Would there be any interest in pursuing that idea?
>

I'm not sure if we'd be interested in deploying this sort of stuff, due to
the following two reasons:

* Most if not all of large-scale HTTP deployments use STEK for
TLS-over-TCP. Therefore, even if we address the issue on the QUIC side, the
low bar remains as-is on the TCP side.
* By allowing clients to "stick" to reusing the same server across multiple
connections, we are creating a new DoS attack vector that allows attackers
to target a particular host behind a load balancer. While we can implement
mitigations, that is an additional complexity.

That said, if we are to pursue this, I wonder if it would be better to
solve the issue entirely on the load-balancer & server side rather than
making a protocol change to QUIC.

To give an example, I think the same result can be achieved in practice by
designing a format of NEW_TOKEN tokens that is to be shared by the load
balancer and the server. That token would contain the server-id. When the
load balancer receives an Initial packet conveying such a token, it can
parse the server-id contained in that token, and forward the packet to the
specified backend.


> -- Christian Huitema
>
>
>

-- 
Kazuho Oku