IETF Logo Mail Archive

Re: Questions about Version Negotiation Concerning Possible Handshake Interruption

Lingmo Zhu <zlm2006@gmail.com> Fri, 09 February 2018 11:19 UTC

Return-Path: <zlm2006@gmail.com>
X-Original-To: quic@ietfa.amsl.com
Delivered-To: quic@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 211EA126D0C for <quic@ietfa.amsl.com>; Fri, 9 Feb 2018 03:19:52 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.449
X-Spam-Level:
X-Spam-Status: No, score=-1.449 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, FREEMAIL_REPLY=1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ah8rjOh64TwW for <quic@ietfa.amsl.com>; Fri, 9 Feb 2018 03:19:50 -0800 (PST)
Received: from mail-it0-x232.google.com (mail-it0-x232.google.com [IPv6:2607:f8b0:4001:c0b::232]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3008E1200C1 for <quic@ietf.org>; Fri, 9 Feb 2018 03:19:50 -0800 (PST)
Received: by mail-it0-x232.google.com with SMTP id o13so10497437ito.2 for <quic@ietf.org>; Fri, 09 Feb 2018 03:19:50 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=subject:to:cc:references:from:message-id:date:user-agent :mime-version:in-reply-to:content-language; bh=ytDpyNHo7W6GtWhCdNN2chcO0uSRZCUyRpcebvopMns=; b=YbnGJfLLG2np4hDnyZrD7t1Kx8f/7ivlZdP4kc/iRpCzyJKK+dtO0J2dsuiXW3Idtk XMWFwqwcbCAxDzIbo9Mctf62ex9rvBlwda1+vKt4XNp/vz8XJ27LqQd2v+hre8uPpQAG BlucI87/Ymfdc3rRK/Z779Exc8GIyFHfMmISV+5CUgYgbcNlJuC2aGEqQF5hRin1FV2I wKOP4L7ANxA9gGwNk5LHI+M7pO0DxOH2lNzkmJF53czvC3wGnEh8ueLJHxsyR+tLWYx8 jvbTxTQCbrXaW8Neo187mTpTcoV5Zo1/49rgRUCrBusvKiN8uyaOobU7Xb9Y9I1KEhKZ S/FA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:to:cc:references:from:message-id:date :user-agent:mime-version:in-reply-to:content-language; bh=ytDpyNHo7W6GtWhCdNN2chcO0uSRZCUyRpcebvopMns=; b=G4HuIGHj1wRwty/Y+XqXvGHoFONnOAsljb4VnTQnBQjz0UcQrxQQwjSZCffbSBAm8r rptSVf04agVH9l61w1K3X4Ykpi0dsszR7sJnAb+rUDwo/KT5KhSfQ1uX33jt7tLNI4P8 wZ4Dg2HUf7Mvtg3TWwtCOOCoPBkWOrJAtpngVwhEamdEqWREM1m2MWWbMsn2Ha9r2w2p LO4tdP6A57i9EJ6l+CtOU6JHG53oK0SQ4phOLRhD99s9ABZcndY7+aRwfLxxk+BQzMft 4qVoOfM++IR1fVetlF97f4fpzX56VwBCiL92735gbxGlv/sO+EfUD0C5eok4Tz74ylIY aSww==
X-Gm-Message-State: APf1xPDsOIZVJny8NO/44qQQ1GLGZhxx6Rm48+0+3AApcpKHBZtoqQRz 43LWIO+Adg/JKnfjv+jbCyquvasmb3Y=
X-Google-Smtp-Source: AH8x224AFXLu8guKJteSygSm+dzd0lS1cbuozbOo5T8hnGJExNGJjjhn1fkmcpk0ovF3EqIzd+PMnA==
X-Received: by 10.36.125.8 with SMTP id b8mr2997973itc.149.1518175189391; Fri, 09 Feb 2018 03:19:49 -0800 (PST)
Received: from Justins-MacBook-Pro.local ([103.65.40.65]) by smtp.gmail.com with ESMTPSA id b41sm2956293iod.30.2018.02.09.03.19.47 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Fri, 09 Feb 2018 03:19:48 -0800 (PST)
Subject: Re: Questions about Version Negotiation Concerning Possible Handshake Interruption
To: Mikkel Fahnøe Jørgensen <mikkelfj@gmail.com>, Martin Thomson <martin.thomson@gmail.com>
Cc: "quic@ietf.org" <quic@ietf.org>
References: <1d386744-c46a-842a-b172-24e290e03668@gmail.com> <CABkgnnVRn+1sNZQFB8BZc4VyzN5usLmYJ3xLo+p2uTeW_0Ji_Q@mail.gmail.com> <CAN1APdfpJ0rYPPiOgfcdDRx3noh+YYvJatP0MYTqRRXMBwF6pA@mail.gmail.com>
From: Lingmo Zhu <zlm2006@gmail.com>
Message-ID: <3d558827-f2a7-877c-e00a-d6a22ef241c5@gmail.com>
Date: Fri, 09 Feb 2018 19:19:45 +0800
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:52.0) Gecko/20100101 Thunderbird/52.6.0
MIME-Version: 1.0
In-Reply-To: <CAN1APdfpJ0rYPPiOgfcdDRx3noh+YYvJatP0MYTqRRXMBwF6pA@mail.gmail.com>
Content-Type: multipart/alternative; boundary="------------CE7773FF3340A993A48E7FF0"
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic/tmc-jJBS66PIgtQXVI8xuBFXQHo>
X-BeenThere: quic@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Main mailing list of the IETF QUIC working group <quic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic>, <mailto:quic-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic/>
List-Post: <mailto:quic@ietf.org>
List-Help: <mailto:quic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic>, <mailto:quic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 09 Feb 2018 11:19:52 -0000

Thank you for the clarification. I admit that downgrade attack could be 
hard to imagine. In fact what I really concerned is some scenario like:

The client accepts version set X and the server cluster accepts some 
versions in X, so handshake should go well. But middle box tries to send 
VNEG with a version list excluding X. If VNEG wins, handshake could be 
aborted.

In that scenario, HTTP could fall back to TCP and be interrupted simply 
by RST. TBH I just hope QUIC could not be easily interrupted. I'm not 
sure if such corner case should be considered.


On 2018/02/09 18:22, Mikkel Fahnøe Jørgensen wrote:
> A possible attack scenario:
>
> A server cluster accepts version X and version Y, and sends {X, Y} in 
> VNEG message if it sees any other requested version.
> Except: the cluster also accepts version X_old to deal with hard to 
> upgrade baby alarms. It never announces X_old in VNEG but it will 
> accept it if proposed by the client.
>
> Middleware now tries to inject X_old in version negotiation to 
> convince the client to use that version in instead of version X the 
> client would normally use. If VNEG wins the handshake race, X_old is 
> now triggered.
>
> But the cluster knows that it would never have proposed X_old so if 
> the client does verify properly, the handshake should fail.
>
> What I’m not sure about is if the current logic actually supports a 
> case were X_old is accepted if volunteered, but never when negotiated.
>
>
> Kind Regards,
> Mikkel Fahnøe Jørgensen
>
>
> On 9 February 2018 at 11.11.13, Martin Thomson 
> (martin.thomson@gmail.com <mailto:martin.thomson@gmail.com>) wrote:
>
>> Any spoofed version negotiation packet will be detected once the
>> handshake completes: the server is required to include its list of
>> supported versions in the TLS handshake. See the link Mikkel provided
>> for details.
>>
>> On Fri, Feb 9, 2018 at 8:34 PM, Lingmo Zhu <zlm2006@gmail.com 
>> <mailto:zlm2006@gmail.com>> wrote:
>> > Hi
>> >
>> > I'm new to QUIC and not sure if that could be considered but for 
>> Version
>> > Negotiation with the same connection ID as Initial packet, client 
>> should
>> > choose an acceptable version from the list. What if spoofing from 
>> something
>> > like router happens? Should mitigations be considered, such as 
>> adding a
>> > delay for validated Version Negotiation handling so that following 
>> handshake
>> > packets could be received later and that fake Version Negotiation 
>> could be
>> > ignored?
>> >
>> > Such concerning is just come out from DNS hijacking which is partially
>> > similar, though for QUIC it would only interrupt the handshake. I'm 
>> not sure
>> > but it might be used by downgrade attack in the future. Of course 
>> I'm new to
>> > this field so my opinion would be wrong.
>> >
>> > Thanks.
>> >
>> > Lingmo Zhu
>> >
>>

v2.23.0 | Report a Bug | By Email