IETF Logo Mail Archive

Re: Back to work

Eric Kinnear <ekinnear@apple.com> Wed, 28 October 2020 02:41 UTC

Return-Path: <ekinnear@apple.com>
X-Original-To: quic@ietfa.amsl.com
Delivered-To: quic@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 193DA3A0BC0 for <quic@ietfa.amsl.com>; Tue, 27 Oct 2020 19:41:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=apple.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FgyLYdBOk76r for <quic@ietfa.amsl.com>; Tue, 27 Oct 2020 19:41:15 -0700 (PDT)
Received: from ma1-aaemail-dr-lapp03.apple.com (ma1-aaemail-dr-lapp03.apple.com [17.171.2.72]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A3A283A0BC2 for <quic@ietf.org>; Tue, 27 Oct 2020 19:41:15 -0700 (PDT)
Received: from pps.filterd (ma1-aaemail-dr-lapp03.apple.com [127.0.0.1]) by ma1-aaemail-dr-lapp03.apple.com (8.16.0.42/8.16.0.42) with SMTP id 09S2c6od041929; Tue, 27 Oct 2020 19:41:13 -0700
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=apple.com; h=from : message-id : content-type : mime-version : subject : date : in-reply-to : cc : to : references; s=20180706; bh=YAnD39RQeym5FbeDdhVntbQF6gimqr+wl7kH8ieSRHE=; b=WY/xb/vk4mcBFhODNpq7gSSkYz0W9myseCeSF+NWVqHvDf69yY4STC47ITRbi3w5FiVs 5rMh3d3shKSdgaNYWk7+hu3eyq19pDViSnWgPTl3hW9ZfYVDUtUVMbdDVqHEjhcBaX4e wZe1Vw+FmMZYCt6rpjiuYXomny1brk2rcBtmQTsa5nnYP+utfmVV2orFqvat7irV3pS2 5lhk6ngVN0PTWPLe9F6lkqjZ/3cKqi6b1oFgmZviWe0qhioV9+2EQ0sCGJvS476LDLHx mA9c9m7H3D8wR7pUSWK8S1gmMI3LGtANmKR8aw61LB7Mo4FJhic1SOhH/w1MSlpudBNX ng==
Received: from rn-mailsvcp-mta-lapp03.rno.apple.com (rn-mailsvcp-mta-lapp03.rno.apple.com [10.225.203.151]) by ma1-aaemail-dr-lapp03.apple.com with ESMTP id 34ck8vbfvs-18 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NO); Tue, 27 Oct 2020 19:41:12 -0700
Received: from rn-mailsvcp-mmp-lapp04.rno.apple.com (rn-mailsvcp-mmp-lapp04.rno.apple.com [17.179.253.17]) by rn-mailsvcp-mta-lapp03.rno.apple.com (Oracle Communications Messaging Server 8.1.0.6.20200729 64bit (built Jul 29 2020)) with ESMTPS id <0QIW006214SLBH00@rn-mailsvcp-mta-lapp03.rno.apple.com>; Tue, 27 Oct 2020 19:41:09 -0700 (PDT)
Received: from process_milters-daemon.rn-mailsvcp-mmp-lapp04.rno.apple.com by rn-mailsvcp-mmp-lapp04.rno.apple.com (Oracle Communications Messaging Server 8.1.0.6.20200729 64bit (built Jul 29 2020)) id <0QIW00Z004IYFU00@rn-mailsvcp-mmp-lapp04.rno.apple.com>; Tue, 27 Oct 2020 19:41:09 -0700 (PDT)
X-Va-A:
X-Va-T-CD: f47a32de39f1cfa35444508222caef20
X-Va-E-CD: f9547cdfcf1db34a2e58b4894fc4b8f8
X-Va-R-CD: 2ba71f0fef3449a5a37d3b7967c49b1e
X-Va-CD: 0
X-Va-ID: 292a5a91-3796-48e4-9737-92c1c00e1e64
X-V-A:
X-V-T-CD: f47a32de39f1cfa35444508222caef20
X-V-E-CD: f9547cdfcf1db34a2e58b4894fc4b8f8
X-V-R-CD: 2ba71f0fef3449a5a37d3b7967c49b1e
X-V-CD: 0
X-V-ID: 290c326b-d930-4ab6-983d-689f8ec5c9fd
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.312, 18.0.737 definitions=2020-10-27_17:2020-10-26, 2020-10-27 signatures=0
Received: from [17.232.194.161] (unknown [17.232.194.161]) by rn-mailsvcp-mmp-lapp04.rno.apple.com (Oracle Communications Messaging Server 8.1.0.6.20200729 64bit (built Jul 29 2020)) with ESMTPSA id <0QIW00FOZ4SJQJ00@rn-mailsvcp-mmp-lapp04.rno.apple.com>; Tue, 27 Oct 2020 19:41:08 -0700 (PDT)
From: Eric Kinnear <ekinnear@apple.com>
Message-id: <F70CDC51-5513-4FF0-8D65-E14ECF0F3003@apple.com>
Content-type: multipart/alternative; boundary="Apple-Mail=_882DC0CC-A920-4B60-B6C2-6DBD972768FC"
MIME-version: 1.0 (Mac OS X Mail 13.4 \(3608.120.23.2.4\))
Subject: Re: Back to work
Date: Tue, 27 Oct 2020 19:41:07 -0700
In-reply-to: <CANatvzz61vdfyUJs_+jQDjS0eiPCHwThMHuXy_76ST5USAD36Q@mail.gmail.com>
Cc: Martin Duke <martin.h.duke@gmail.com>, Magnus Westerlund <magnus.westerlund=40ericsson.com@dmarc.ietf.org>, "quic@ietf.org" <quic@ietf.org>, "ximaera@gmail.com" <ximaera@gmail.com>, "mt@lowentropy.net" <mt@lowentropy.net>, "ianswett=40google.com@dmarc.ietf.org" <ianswett=40google.com@dmarc.ietf.org>
To: Kazuho Oku <kazuhooku@gmail.com>
References: <0f150dec-e408-48bf-8e54-05e3e96e7a85@www.fastmail.com> <CALZ3u+a1fBq1MB52H-h-JYY=OOkOo9=jEu7smNVeyy_9U3abEw@mail.gmail.com> <CAKcm_gNoB=nP050VRfw5MXAAw-HhpnKHp6pAx9onaA4a5CH5-Q@mail.gmail.com> <b80cf41524865c171712bfcfca7ef92e2a472044.camel@ericsson.com> <CAM4esxR8dswqRfaJFS0O5Lg4rL_W3A8geoMWFvEQgrZOJZhJOA@mail.gmail.com> <CANatvzw28JXqxGs7us68i7Y2Fst1KTgF7kVyOKa0xRfxx9dw4g@mail.gmail.com> <CAM4esxRuZbnGL94BYzZYR9GynJ2Jvucsfm69_XJt8E6yd1LJcw@mail.gmail.com> <CANatvzz61vdfyUJs_+jQDjS0eiPCHwThMHuXy_76ST5USAD36Q@mail.gmail.com>
X-Mailer: Apple Mail (2.3608.120.23.2.4)
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.312, 18.0.737 definitions=2020-10-27_17:2020-10-26, 2020-10-27 signatures=0
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic/deu58r2MXmUgubTs_CgD88eMxWk>
X-BeenThere: quic@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Main mailing list of the IETF QUIC working group <quic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic>, <mailto:quic-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic/>
List-Post: <mailto:quic@ietf.org>
List-Help: <mailto:quic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic>, <mailto:quic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 28 Oct 2020 02:41:18 -0000



> On Oct 27, 2020, at 4:49 PM, Kazuho Oku <kazuhooku@gmail.com> wrote:
> 
> 
> 
> 2020年10月28日(水) 8:23 Martin Duke <martin.h.duke@gmail.com <mailto:martin.h.duke@gmail.com>>:
> Again the spec says PATH_CHALLENGE MUST be padded to 1200
> 
> The specification says that. At the same time the receiver is *not* required to enforce that.
> 
> To be specific, the receiver is not allowed to error-close the connection, because the size of datagrams are never authenticated. See #4253. At the moment, section 14[1] permits *either* of the following two behaviors when receiving a small-sized datagram containing PATH_CHALLENGE: a) respond with a full-sized PATH_RESPONSE, b) discard that packet.
> 
> But as stated, we need a MUST that somehow prohibits the endpoint from sending PATH_RESPONSE, if we want the rule to be stringent.
> 
> That might sound like we will be enforcing b. But that's going to be problematic, due to the approach requiring implementations to do frame processing then discard the packet. That's going to be complicated for some QUIC stacks, because they make changes to the connection state (e.g., adding the packet number to ack queue) before processing the frames.
> 
> Fortunately, we have another option, and that is to state that endpoints MUST not respond with PATH_RESPONSEs under these conditions. By stating as such, the receiver can either discard the packet, or process the packet as usual but refrain from sending PATH_RESPONSE. 
> 
That seems like a not-unreasonable option, Kazuho. It certainly seems like it might close some loopholes that haven’t yet been fully explored around sizing of PATH_CHALLENGE and PATH_RESPONSE.
I’d also note that at one point we lost the 3x limit for path validation. We used to match the handshake, and when the pacing discussion came in we wound up with the X bytes / initial RTT duration.

It is important to be able to migrate immediately without validating, not just because an endpoint might be discovering/bringing up a new path at the same time as the old one is bad, but due to NAT or other routing changes — we can’t attempt to guarantee that the 4-tuple will stay the same and also expect to survive NAT rebinding. 

One of the situations that we’ve been using as an example attack is someone who is able to cause you to toggle between arbitrary ports on a NAT for each packet (if you go back and forth between two, ideally you’d just end up validating both and then be cheerfully willing to alternate the data between the two of them on a sub-RTT basis, probably with somewhat restricted flight sizes, but let’s not get back into multipath here).

Had a few more thoughts after reading through this thread and re-reading the relevant sections of the document, but will split those out into a separate message as they got rather long.

Thanks,
Eric


> [1] https://quicwg.org/base-drafts/draft-ietf-quic-transport.html#section-14-8 <https://quicwg.org/base-drafts/draft-ietf-quic-transport.html#section-14-8>
> 
> 
> On Tue, Oct 27, 2020 at 4:17 PM Kazuho Oku <kazuhooku@gmail.com <mailto:kazuhooku@gmail.com>> wrote:
> 
> 
> 2020年10月28日(水) 5:13 Martin Duke <martin.h.duke@gmail.com <mailto:martin.h.duke@gmail.com>>:
> PATH_CHALLENGE MUST be padded as well, so I don't see that as an amplification vector. It might be useful to add language to allow PATH_CHALLENGE to be ignored if not padded (SHOULD ignore?)
> 
> The problem here is that an attacker might establish a connection, then send small-sized datagrams containing PATH_CHALLENGE frames. Therefore, if we are to have a stringent amplification limit for path migration (BTW, I like Ian's proposal), we should better block this attack vector too.
> 
> So maybe something like "MUST NOT send PATH_RESPONSE frames in response to PATH_CHALLENGE frame carried by a datagram that is less than 1200 bytes."
> 
> 
> In migration, the path usually should have already been pre-validated so there is no attack vector once that happens.
> 
> But Ian's proposal to use the 3x limit is not so great in the NAT rebinding case. If a small packet causes this, data transfer is going to plummet, and we can't simultaneously verify the path and the MTU.
> 
> On Tue, Oct 27, 2020 at 10:04 AM Magnus Westerlund <magnus.westerlund=40ericsson.com@dmarc.ietf.org <mailto:40ericsson.com@dmarc.ietf.org>> wrote:
> On Tue, 2020-10-27 at 09:12 -0400, Ian Swett wrote:
> > Thanks for summarizing this issue. I think the above discussion is about
> > immediate migration and repeated immediate migrations, but I also wonder if
> > we've introduced a single packet amplification attack by requiring
> > PATH_RESPONSEs be padded on new paths without a requirement on the size of
> > PATH_CHALLENGE(see first item)?
> > 
> > Validating a new path
> > If one receives only a PATH_CHALLENGE on a new path, then the server
> > responds with a full-sized PATH_RESPONSE.  This seems safe.  If a non-padded
> > PATH_CHALLENGE is received on a new path, then the peer is supposed to send a
> > fully padded PATH_RESPONSE on the path, which could be >20x larger.  I'm not
> > sure if we care about this, but I wanted to point it out. 
> > 
> > Immediately migrating to a new path
> > I think we should remove the text about allowing kMinimumWindow each
> > kInitialRtt after migration and change it to the 3x limit.  I'm actually
> > surprised the text about 2*kInitialWindow still exists, since recovery says
> > "Until the server has validated the client's address on the path, the amount
> > of data it can send is limited to three times the amount of data received, as
> > specified in Section 8.1 of {{QUIC-TRANSPORT}}.".
> > 
> > In order to not get deadlocked by the 3x factor, I think we should change the
> > newly added MUSTs to only apply to path validation prior to migration, not the
> > peer responding to migration.
> > 
> > My reasoning is that if a peer migrates prior to validating the path, it means
> > it's either unintentional or they have no other choice, so the migrating peer
> > has implicitly decided that validating PathMTU is not a prerequisite to
> > migrating.
> 
> So some quesitons and ideas as I think it is relevant to resolve this as best as
> possible.
> 
> So isn't this recreating the issue that if the client initiates a migration to a
> new path that is not QUIC compatible, by responding with a minimal size packet
> and completing the migration and then if the server performs the path
> verification with 1200 bytes UDP payload it fails. Thus maintaining a broken
> path. 
> 
> So is there need for the non pre-validated path migration case that one need
> need to do a two step process where one will ACK with minimal packet while
> initiating path validation. If path validatation fails then maybe one need to
> close down the connection as the migration ended up on a path that was unable to
> support QUIC. The question here is how to avoid the DoS attack this may open up
> if an attack rewrites source address of packets. 
> 
> So Maybe the path validation needs to be a two step process. First a return
> routability over the new path to verify that it is bi-directional. When that has
> been verified one does a test with minimal MTU to prove it to be QUIC
> compatible. This might even be done with application data if there is some that
> are available to send. 
> 
> But, I think that one needs to work through the criterias for when the QUIC
> connection is shut down under the conditions that the path available is not
> supporting 1200 bytes. Also do we end up in a situation where the client needs
> to do the second step itself towards the server to verify the path so that it
> can determine if it needs to try another path if this one doesn't work? 
> 
> Cheers
> 
> Magnus
> 
> 
> 
> -- 
> Kazuho Oku
> 
> 
> -- 
> Kazuho Oku

v2.23.0 | Report a Bug | By Email