IETF Logo Mail Archive

Re: Request forgery in QUIC

Martin Thomson <mt@lowentropy.net> Fri, 14 August 2020 00:41 UTC

Return-Path: <mt@lowentropy.net>
X-Original-To: quic@ietfa.amsl.com
Delivered-To: quic@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1D28A3A0B78 for <quic@ietfa.amsl.com>; Thu, 13 Aug 2020 17:41:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=lowentropy.net header.b=jLYZTfmo; dkim=pass (2048-bit key) header.d=messagingengine.com header.b=eJJBFqrU
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id V_Nay1gI2NdA for <quic@ietfa.amsl.com>; Thu, 13 Aug 2020 17:41:33 -0700 (PDT)
Received: from out4-smtp.messagingengine.com (out4-smtp.messagingengine.com [66.111.4.28]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A26903A0B76 for <quic@ietf.org>; Thu, 13 Aug 2020 17:41:33 -0700 (PDT)
Received: from compute2.internal (compute2.nyi.internal [10.202.2.42]) by mailout.nyi.internal (Postfix) with ESMTP id E79F05C0178 for <quic@ietf.org>; Thu, 13 Aug 2020 20:41:32 -0400 (EDT)
Received: from imap2 ([10.202.2.52]) by compute2.internal (MEProxy); Thu, 13 Aug 2020 20:41:32 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=lowentropy.net; h=mime-version:message-id:in-reply-to:references:date:from:to :subject:content-type:content-transfer-encoding; s=fm3; bh=eAopj RJLDuRnKOzukWEFn6OwT7EcpZrmNMB714qMW8s=; b=jLYZTfmoRQP58NCtUDb38 9uIvi2Y1tHLZExTac9by/Lkrcq4RlanyYGUYlpngGzcO86apYiCnO9xkV9NCMEtm h/fKvoz7VpS5+X37cUm2aVnS/CVskRazFbnvqsfM4FrhEfgIfqbLABY4I2luB9pi LWTvfEEKy5slmTJocdjV3dGhI9iXlv3Pc0q83kMxfZCBYdSoJ8Gm752OqYCf5BFV cYqwUJeZiwvN9O7vAwVhqsaGXQccWesJ1s3TjofdJMhkJRti2koZv6GPmQmPfpWW SBXCjx/6EeDwzL/G3gdxDIC8Jdntx+ajNmU72lKzPY75cmomktR011nPz72gAGfq w==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=content-transfer-encoding:content-type :date:from:in-reply-to:message-id:mime-version:references :subject:to:x-me-proxy:x-me-proxy:x-me-sender:x-me-sender :x-sasl-enc; s=fm3; bh=eAopjRJLDuRnKOzukWEFn6OwT7EcpZrmNMB714qMW 8s=; b=eJJBFqrUzRh095kPtlJ9aMONWI0/wCn0fwplOlKQvQNve1dXYTE/JOXMV XfJwXy8QXZR7qoFi/dlV+j0sSZE9jX3t1RGxb4zln5q9TZKGTM23hSfbB7DW3drB Ipp6ymH0vehMgAdQd7JBxOvwUWSRnd0zSdXaQwrIMt/KxkH/eXPU+echLCOFzr4h Ya2uVHlGYL67PRvtdITvAe2qulY8O0eVJLL0GjJMCmvXuk7Rf3mGpUN1WWEzt7uu KUts7qcBku52jnvfp6oPKwHdj5A4HqoNv0n0qgynwuVNJhb6zvExCo1LONM1wr2l JVsJxrwwARFwKDJ1YLTz60jczs9vw==
X-ME-Sender: <xms:vN01X7afyKT3a_fQDFfLo8ni3mtDF1rvM2IabtRyO4g_L8cvu_XVmQ>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgeduiedrleeigdefjecutefuodetggdotefrodftvf curfhrohhfihhlvgemucfhrghsthforghilhdpqfgfvfdpuffrtefokffrpgfnqfghnecu uegrihhlohhuthemuceftddtnecunecujfgurhepofgfggfkjghffffhvffutgfgsehtqh ertderreejnecuhfhrohhmpedfofgrrhhtihhnucfvhhhomhhsohhnfdcuoehmtheslhho figvnhhtrhhophihrdhnvghtqeenucggtffrrghtthgvrhhnpefgjeeuudeiffeltdegle ehjedvtedtjeduudehgfegfefgkefgueeiteegffdttdenucevlhhushhtvghrufhiiigv pedtnecurfgrrhgrmhepmhgrihhlfhhrohhmpehmtheslhhofigvnhhtrhhophihrdhnvg ht
X-ME-Proxy: <xmx:vN01X6agp8Du_USV9rig8VqKJsqw4sQH0Agz6qxlOYIzvzMlefnNxg> <xmx:vN01X9_iHKbETwmdFEsFkhvwcg77UgWLi13z9mr8vB_SaPShAQ_bqQ> <xmx:vN01XxpfmHpRw6a3rFfSnx8hV1U-kjDbasRBgPFlAMQH018id6Nfug> <xmx:vN01X36hDSnvjwCgGI-4tz4oDS-F0nkvG4X9mnPH6oFGchhmTR6iFQ>
Received: by mailuser.nyi.internal (Postfix, from userid 501) id 9ABE5E00DF; Thu, 13 Aug 2020 20:41:32 -0400 (EDT)
X-Mailer: MessagingEngine.com Webmail Interface
User-Agent: Cyrus-JMAP/3.3.0-185-g038a4a3-fm-20200813.001-g038a4a3b
Mime-Version: 1.0
Message-Id: <5e080370-0bb4-4951-9483-c0395eeeccf0@www.fastmail.com>
In-Reply-To: <6ab780e6ff5c4e9283df2f8db43519d4@ustx2ex-dag1mb5.msg.corp.akamai.com>
References: <71e81136-92f3-4c51-b78c-1ae572b29d69@www.fastmail.com> <2d8f7393-f72d-41f0-9e75-a13015c6499a@www.fastmail.com> <CANatvzw0nbDG2_mkMQHr4AtLFCsenGV34NF+0Y+rPdWgdghvhg@mail.gmail.com> <6ab780e6ff5c4e9283df2f8db43519d4@ustx2ex-dag1mb5.msg.corp.akamai.com>
Date: Fri, 14 Aug 2020 10:41:13 +1000
From: Martin Thomson <mt@lowentropy.net>
To: quic@ietf.org
Subject: Re: Request forgery in QUIC
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic/ifM6Y-dtEcx00Su7QqA4gc3sJsc>
X-BeenThere: quic@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Main mailing list of the IETF QUIC working group <quic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic>, <mailto:quic-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic/>
List-Post: <mailto:quic@ietf.org>
List-Help: <mailto:quic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic>, <mailto:quic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 14 Aug 2020 00:41:35 -0000

Hi Igor.

On Fri, Aug 14, 2020, at 01:06, Lubashev, Igor wrote:
>   * We can recommend clients to use NEW_TOKEN tokens only when it 
> reconnects to an address that is previously known.
>  
> 
> This would mostly defeat the purpose of NEW_TOKEN tokens in the context 
> of DNS-mapped CDNs.  Clients would quickly learn to either not to 
> follow this recommendation, or to keep an extensive history of 
> addresses and guess at subnets they come from, or to risk lower 
> handshake performance.

The PR tries to address this in stages.  It first says that clients MUST NOT send a token if the server address changes, but then it goes on to list some exceptions.  The first is allowing clients to treat "nearby" addresses as equivalent, for some definition of nearby.  The second is allowing the original address and any validated preferred address to be equivalent.

This might not work for you here.  In particular, if you believe that you can share tokens between servers in dramatically different networks, then you those tokens won't be carried between those server instances.  I can think of a couple of cases that are at least plausible:

* if you have an in-ISP CDN node and one in the cloud they will likely have very different IP addresses (assuming that you don't use anycast) so the client will believe them to be different and not transfer tokens from one to the other.

* if the same name is served by multiple CDNs and somehow they are able to consume tokens from each other, then clients wont transfer tokens.

No matter the circumstances, the loss is not serious.  Tokens from NEW_TOKEN are always opportunistic and provide pretty weak address validation anyway.  They might lift the 3x limit, but that mostly only helps you get a large certificate out.

Servers can't rely on getting these tokens anyway, which is why I think this is a reasonable countermeasure.

> The best recommendation is watching for a notional security escalation 
> between “globally routable IP space” -> “RFC1918/unique-local IP space” 
> -> “link-local” -> “loopback”.  

The PR addresses this point specifically under a heading for generic countermeasures.  I can see clients being cautious about these "escalations", but I don't think that anything but the last can be uniformly blocked.  And even that might need exceptions.  If you have an argument to support stronger protection, that would be good.  But I think that dropping NEW_TOKEN tokens is a far safer choice.  

BTW, under the pull request, clients are free to treat all globally routeable space as equivalent for the purposes of token reuse.  However, I don't think that is at all advisable.  On the contrary, I know for certain that it is unsafe.  Maybe this doesn't happen much any more - it certainly shouldn't - but at a previous employer we had unprotected services that used public IP addresses (the company used a class A IPv4 subnet for its services, which might give you a clue...)

v2.23.0 | Report a Bug | By Email