IETF Logo Mail Archive

Re: Back to work

Eric Kinnear <ekinnear@apple.com> Fri, 30 October 2020 01:27 UTC

Return-Path: <ekinnear@apple.com>
X-Original-To: quic@ietfa.amsl.com
Delivered-To: quic@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 46E943A0B83 for <quic@ietfa.amsl.com>; Thu, 29 Oct 2020 18:27:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=apple.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lkjXjJ1ToQWW for <quic@ietfa.amsl.com>; Thu, 29 Oct 2020 18:27:54 -0700 (PDT)
Received: from nwk-aaemail-lapp02.apple.com (nwk-aaemail-lapp02.apple.com [17.151.62.67]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3FADD3A0B7E for <quic@ietf.org>; Thu, 29 Oct 2020 18:27:54 -0700 (PDT)
Received: from pps.filterd (nwk-aaemail-lapp02.apple.com [127.0.0.1]) by nwk-aaemail-lapp02.apple.com (8.16.0.43/8.16.0.42) with SMTP id 09U1KReR026648; Thu, 29 Oct 2020 18:27:53 -0700
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=apple.com; h=content-type : mime-version : subject : from : in-reply-to : date : cc : content-transfer-encoding : message-id : references : to; s=20180706; bh=NI6E+xmUdirahjdRIZwTZ4aYxmrm5qXI3v1iTaEaXdo=; b=ZcBTfm8oBcCHoAJmSzCSbbAxVc/n1aZj90DD/spfCvxWeMcCAlCPOGKXoVCVUpj4NL8F EkWiuI4oiVfB7pUsEI9ts580Sd5uRuSxaUZBJIDu0cj1tzsNvE/37ZSY7B06H0z+WQaV axQJbCx/mwQWIhceKXutSscrgK3N34egwxy2HvFzkcPQHWFK/7tv8qNiHF4fOru6X7p+ oNTaN/jFtJq3Y7exfUuPKZqp3Orlov/aIct/MmqV4JylJWTKCokzcSqu42+eHWPRxhdD HajqcgiIYsJwviW2+nCwhWtnbreYCiuDbb+Gi6Yb7bO7p6sM/hJR0TxCc7PLP3Ucf52u Ng==
Received: from rn-mailsvcp-mta-lapp03.rno.apple.com (rn-mailsvcp-mta-lapp03.rno.apple.com [10.225.203.151]) by nwk-aaemail-lapp02.apple.com with ESMTP id 34cgujffs9-2 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NO); Thu, 29 Oct 2020 18:27:53 -0700
Received: from rn-mailsvcp-mmp-lapp03.rno.apple.com (rn-mailsvcp-mmp-lapp03.rno.apple.com [17.179.253.16]) by rn-mailsvcp-mta-lapp03.rno.apple.com (Oracle Communications Messaging Server 8.1.0.6.20200729 64bit (built Jul 29 2020)) with ESMTPS id <0QIZ00GXZQQH63E0@rn-mailsvcp-mta-lapp03.rno.apple.com>; Thu, 29 Oct 2020 18:27:53 -0700 (PDT)
Received: from process_milters-daemon.rn-mailsvcp-mmp-lapp03.rno.apple.com by rn-mailsvcp-mmp-lapp03.rno.apple.com (Oracle Communications Messaging Server 8.1.0.6.20200729 64bit (built Jul 29 2020)) id <0QIZ00V00QJELD00@rn-mailsvcp-mmp-lapp03.rno.apple.com>; Thu, 29 Oct 2020 18:27:53 -0700 (PDT)
X-Va-A:
X-Va-T-CD: 01a37c4388be431533d60b3d58eeb299
X-Va-E-CD: f9547cdfcf1db34a2e58b4894fc4b8f8
X-Va-R-CD: 2ba71f0fef3449a5a37d3b7967c49b1e
X-Va-CD: 0
X-Va-ID: 6926e6b7-cad4-42d2-a7e2-3bd54ea19722
X-V-A:
X-V-T-CD: 01a37c4388be431533d60b3d58eeb299
X-V-E-CD: f9547cdfcf1db34a2e58b4894fc4b8f8
X-V-R-CD: 2ba71f0fef3449a5a37d3b7967c49b1e
X-V-CD: 0
X-V-ID: d9b16c3c-9bcd-4fd4-9884-d73fdab6566e
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.312, 18.0.737 definitions=2020-10-29_12:2020-10-29, 2020-10-29 signatures=0
Received: from ekinnear1.scv.apple.com (ekinnear1.scv.apple.com [17.192.171.50]) by rn-mailsvcp-mmp-lapp03.rno.apple.com (Oracle Communications Messaging Server 8.1.0.6.20200729 64bit (built Jul 29 2020)) with ESMTPSA id <0QIZ00U8QQQG4Y00@rn-mailsvcp-mmp-lapp03.rno.apple.com>; Thu, 29 Oct 2020 18:27:52 -0700 (PDT)
Content-type: text/plain; charset="utf-8"
MIME-version: 1.0 (Mac OS X Mail 13.4 \(3608.80.23.2.1\))
Subject: Re: Back to work
From: Eric Kinnear <ekinnear@apple.com>
In-reply-to: <9c116544-c120-422b-8968-79effb3020ca@www.fastmail.com>
Date: Thu, 29 Oct 2020 18:27:52 -0700
Cc: Christian Huitema <huitema@huitema.net>, quic@ietf.org
Content-transfer-encoding: quoted-printable
Message-id: <C2E762A1-2CCD-4728-A9DB-32D6AE02A1BD@apple.com>
References: <0f150dec-e408-48bf-8e54-05e3e96e7a85@www.fastmail.com> <CALZ3u+a1fBq1MB52H-h-JYY=OOkOo9=jEu7smNVeyy_9U3abEw@mail.gmail.com> <CAKcm_gNoB=nP050VRfw5MXAAw-HhpnKHp6pAx9onaA4a5CH5-Q@mail.gmail.com> <b80cf41524865c171712bfcfca7ef92e2a472044.camel@ericsson.com> <efe63bdf-7af2-49c0-932d-3a36de61bdd6@www.fastmail.com> <41A07550-1BFA-43E6-83A0-93FA96DF1E9B@apple.com> <CAN1APddS_qtMoUiUL9uwtAB3rXuAQ0NmiipXGDkS4hcA5od6Ag@mail.gmail.com> <CAKcm_gOcuuF_REWszJyYC6eO6swavMD3D9VnzgJTHEwEAXOsnw@mail.gmail.com> <CAM4esxT2kD6U-Hb5cOSfykBPvTmboEozqqiYiFF63ywxstm-LQ@mail.gmail.com> <CAKcm_gPzEgEssO3LMyW=t9tvbsRrLQBJ7M=2mxySs3H-YUXF5A@mail.gmail.com> <CACpbDceKFAVZ=Vrvj8ZoOj95TNfkCqNrpLh8FOBMBUBU=Qx_eQ@mail.gmail.com> <cc9aca43-7556-7fed-8ef8-1b5343316a0d@huitema.net> <59211AC5-0D72-4295-9E67-DA0BF5B92965@apple.com> <7fca948f-6c71-45c8-8c76-8cfabf11898b@www.fastmail.com> <5CD85C94-CFB2-47FF-9178-0DBE354EFCBF@apple.com> <f950a0cf-1be1-491b-8bc4-f5816cdb13e6@www.fastmail.com> <fed2a70b-954e-f224-fd0f-e80d36f12e87@huitema.net> <9c116544-c120-422b-8968-79effb3020ca@www.fastmail.com>
To: Martin Thomson <mt@lowentropy.net>
X-Mailer: Apple Mail (2.3608.80.23.2.1)
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.312, 18.0.737 definitions=2020-10-29_12:2020-10-29, 2020-10-29 signatures=0
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic/q0axiSIYn6-TmCfNOs5G1x2M7ZQ>
X-BeenThere: quic@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Main mailing list of the IETF QUIC working group <quic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic>, <mailto:quic-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic/>
List-Post: <mailto:quic@ietf.org>
List-Help: <mailto:quic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic>, <mailto:quic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 30 Oct 2020 01:27:55 -0000

Agreed, I think that’s where the “client needs to pad PATH_CHALLENGE and any PATH_RESPONSE needs to be padded if the challenge was padded” came from. 

To the point about it being an error case — that totally makes sense, and as Christian points out, that is also significantly more likely under some of the attacks than someone being both idle and transferring lots of data at the same time. 

I’m pretty sure we did previously have text that allowed the server to treat the new address as validated if only the port changed, but we took it out to help with some of the MOTS attacks. Also fully agreed that it would be really nice to not split the logic across retaining some things (CC/RTT) some of the time, but not others (Path, MTU validation). 

All this said, I suspect these are all edge cases enough that the more conservative PR (as currently written) would be totally sufficient. 
My current feeling is that if we wanted to carve it out such that a small packet from an attacker on the side (or an unintentional migration) didn’t generate MAX(full_size_packet, 3x_what_came_in_from_the_attacker) sized packets, that would be neat, but not absolutely necessary.

Thanks,
Eric


> On Oct 29, 2020, at 5:09 PM, Martin Thomson <mt@lowentropy.net> wrote:
> 
> On Fri, Oct 30, 2020, at 10:42, Christian Huitema wrote:
>> That means doing thing differently for a regular migration and for a NAT
>> rebinding. A regular migration happens starts the client sends a full
>> size packet, with a not yet seen CID, and containing a path challenge.
>> Responding to that with a full size response makes sense. But if the
>> server receives a short packet, with an already used CID, and without a
>> path challenge, that's probably a NAT rebinding. Responding with full
>> size challenge packets is counter-productive.
> 
> Ahh, that seems sensible.  Conveniently, the current PR results in what you describe, so I have less work to do :)

v2.23.0 | Report a Bug | By Email