IETF Logo Mail Archive

Re: Payload length 0

Christian Huitema <huitema@huitema.net> Sun, 20 May 2018 18:00 UTC

Return-Path: <huitema@huitema.net>
X-Original-To: quic@ietfa.amsl.com
Delivered-To: quic@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id ADEBE12D80E for <quic@ietfa.amsl.com>; Sun, 20 May 2018 11:00:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.601
X-Spam-Level:
X-Spam-Status: No, score=-2.601 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id R3jop4j83wTv for <quic@ietfa.amsl.com>; Sun, 20 May 2018 11:00:22 -0700 (PDT)
Received: from mx43-out1.antispamcloud.com (mx43-out1.antispamcloud.com [138.201.61.189]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B3B5B12D7FC for <quic@ietf.org>; Sun, 20 May 2018 11:00:22 -0700 (PDT)
Received: from xsmtp06.mail2web.com ([168.144.250.232]) by mx63.antispamcloud.com with esmtps (TLSv1:AES256-SHA:256) (Exim 4.89) (envelope-from <huitema@huitema.net>) id 1fKSd2-000BvK-C1 for quic@ietf.org; Sun, 20 May 2018 20:00:21 +0200
Received: from [10.5.2.18] (helo=xmail08.myhosting.com) by xsmtp06.mail2web.com with esmtps (TLS-1.0:DHE_RSA_AES_256_CBC_SHA1:32) (Exim 4.63) (envelope-from <huitema@huitema.net>) id 1fKScz-00055r-6P for quic@ietf.org; Sun, 20 May 2018 14:00:17 -0400
Received: (qmail 25644 invoked from network); 20 May 2018 18:00:14 -0000
Received: from unknown (HELO [192.168.1.106]) (Authenticated-user:_huitema@huitema.net@[172.56.42.66]) (envelope-sender <huitema@huitema.net>) by xmail08.myhosting.com (qmail-ldap-1.03) with ESMTPA for <manasi.deval@intel.com>; 20 May 2018 18:00:14 -0000
To: Martin Thomson <martin.thomson@gmail.com>
Cc: Dmitri Tikhonov <dtikhonov@litespeedtech.com>, Jana Iyengar <jri.ietf@gmail.com>, Ian Swett <ianswett@google.com>, Marten Seemann <martenseemann@gmail.com>, QUIC WG <quic@ietf.org>, "Deval, Manasi" <manasi.deval@intel.com>
References: <CAOYVs2q63DpkPZTbw9T24ZcFOxbvrWAGvOtUaHvCuSg_13pSkQ@mail.gmail.com> <CABkgnnWpgyN_OPac-uSKALEaVc8mO_LpT9gAOs-n1eKqso5QAQ@mail.gmail.com> <CAKcm_gMFumNgPq4FxwcgzgDUCvn_jUxb0qk7tAgYZ=LvKfxjfg@mail.gmail.com> <20180518134400.GA12617@ubuntu-dmitri> <1F436ED13A22A246A59CA374CBC543998B7C712F@ORSMSX111.amr.corp.intel.com> <CACpbDcdb6JK_-fmUcKMgbdm0iD2qFvQSVbM74uzo28aShb7H2w@mail.gmail.com> <6c99fb18-f511-7246-e248-466400675e62@huitema.net> <CACpbDcfjDfQP69ZvUNjcUnQBGYKJAEJuh2BMK5dQZ8eRwfzOGQ@mail.gmail.com> <90c7800b-2c91-762d-e822-883b45e2f814@huitema.net> <CABkgnnXETJUkghZu=xxLNU7pBiEWmZ5O32bxDR7f_5Fo9SoK1Q@mail.gmail.com>
From: Christian Huitema <huitema@huitema.net>
Openpgp: preference=signencrypt
Autocrypt: addr=huitema@huitema.net; prefer-encrypt=mutual; keydata= xsBNBFIRX8gBCAC26usy/Ya38IqaLBSu33vKD6hP5Yw390XsWLaAZTeQR64OJEkoOdXpvcOS HWfMIlD5s5+oHfLe8jjmErFAXYJ8yytPj1fD2OdSKAe1TccUBiOXT8wdVxSr5d0alExVv/LO I/vA2aU1TwOkVHKSapD7j8/HZBrqIWRrXUSj2f5n9tY2nJzG9KRzSG0giaJWBfUFiGb4lvsy IaCaIU0YpfkDDk6PtK5YYzuCeF0B+O7N9LhDu/foUUc4MNq4K3EKDPb2FL1Hrv0XHpkXeMRZ olpH8SUFUJbmi+zYRuUgcXgMZRmZFL1tu6z9h6gY4/KPyF9aYot6zG28Qk/BFQRtj7V1ABEB AAHNJ0NocmlzdGlhbiBIdWl0ZW1hIDxodWl0ZW1hQGh1aXRlbWEubmV0PsLAeQQTAQIAIwUC UhFfyAIbLwcLCQgHAwIBBhUIAgkKCwQWAgMBAh4BAheAAAoJEJNDCbJVyA1yhbYH/1ud6x6m VqGIp0JcZUfSQO8w+TjugqxCyGNn+w/6Qb5O/xENxNQ4HaMQ5uSRK9n8WKKDDRSzwZ4syKKf wbkfj05vgFxrjCynVbm1zs2X2aGXh+PxPL/WHUaxzEP7KjYbLtCUZDRzOOrm+0LMktngT/k3 6+EZoLEM52hwwpIAzJoscyEz7QfqMOZtFm6xQnlvDQeIrHx0KUvwo/vgDLK3SuruG1CSHcR0 D24kEEUa044AIUKBS3b0b8AR7f6mP2NcnLpdsibtpabi9BzqAidcY/EjTaoea46HXALk/eJd 6OLkLE6UQe1PPzQC4jB7rErX2BxnSkHDw50xMgLRcl5/b1bOwE0EUhFfyAEIAKp7Cp8lqKTV CC9QiAf6QTIjW+lie5J44Ad++0k8gRgANZVWubQuCQ71gxDWLtxYfFkEXjG4TXV/MUtnOliG 5rc2E+ih6Dg61Y5PQakm9OwPIsOx+2R+iSW325ngln2UQrVPgloO83QiUoi7mBJPbcHlxkhZ bd3+EjFxSLIQogt29sTcg2oSh4oljUpz5niTt69IOfZx21kf29NfDE+Iw56gfrxI2ywZbu5o G+d0ZSp0lsovygpk4jK04fDTq0vxjEU5HjPcsXC4CSZdq5E2DrF4nOh1UHkHzeaXdYR2Bn1Y wTePfaHBFlvQzI+Li/Q6AD/uxbTM0vIcsUxrv3MNHCUAEQEAAcLBfgQYAQIACQUCUhFfyAIb LgEpCRCTQwmyVcgNcsBdIAQZAQIABgUCUhFfyAAKCRC22tOSFDh1UOlBB/94RsCJepNvmi/c YiNmMnm0mKb6vjv43OsHkqrrCqJSfo95KHyl5Up4JEp8tiJMyYT2mp4IsirZHxz/5lqkw9Az tcGAF3GlFsj++xTyD07DXlNeddwTKlqPRi/b8sppjtWur6Pm+wnAHp0mQ7GidhxHccFCl65w uT7S/ocb1MjrTgnAMiz+x87d48n1UJ7yIdI41Wpg2XFZiA9xPBiDuuoPwFj14/nK0elV5Dvq 4/HVgfurb4+fd74PV/CC/dmd7hg0ZRlgnB5rFUcFO7ywb7/TvICIIaLWcI42OJDSZjZ/MAzz BeXm263lHh+kFxkh2LxEHnQGHCHGpTYyi4Z3dv03HtkH/1SI8joQMQq00Bv+RdEbJXfEExrT u4gtdZAihwvy97OPA2nCdTAHm/phkzryMeOaOztI4PS8u2Ce5lUB6P/HcGtK/038KdX5MYST Fn8KUDt4o29bkv0CUXwDzS3oTzPNtGdryBkRMc9b+yn9+AdwFEH4auhiTQXPMnl0+G3nhKr7 jvzVFJCRif3OAhEm4vmBNDE3uuaXFQnbK56GJrnqVN+KX5Z3M7X3fA8UcVCGOEHXRP/aubiw Ngawj0V9x+43kUapFp+nF69R53UI65YtJ95ec4PTO/Edvap8h1UbdEOc4+TiYwY1TBuIKltY 1cnrjgAWUh/Ucvr++/KbD9tD6C8=
Message-ID: <b7cff98c-1e8b-6be5-3a93-804f6da28cc7@huitema.net>
Date: Sun, 20 May 2018 11:00:11 -0700
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Thunderbird/52.7.0
MIME-Version: 1.0
In-Reply-To: <CABkgnnXETJUkghZu=xxLNU7pBiEWmZ5O32bxDR7f_5Fo9SoK1Q@mail.gmail.com>
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Content-Language: en-US
Subject: Re: Payload length 0
X-Originating-IP: 168.144.250.232
X-AntiSpamCloud-Domain: xsmtpout.mail2web.com
X-AntiSpamCloud-Username: 168.144.250.0/24
Authentication-Results: antispamcloud.com; auth=pass smtp.auth=168.144.250.0/24@xsmtpout.mail2web.com
X-AntiSpamCloud-Outgoing-Class: unsure
X-AntiSpamCloud-Outgoing-Evidence: Combined (0.16)
X-Recommended-Action: accept
X-Filter-ID: EX5BVjFpneJeBchSMxfU5kcOQvVtAxNT1uHFUilEr6l602E9L7XzfQH6nu9C/Fh9KJzpNe6xgvOx q3u0UDjvO37pNwwF1lRXh5rzvPzo9Jts1ujulqUFmMITHM77eiVidSLt+zomffPyByYhEwPioc7i TvJ2/ZGzVWB9scFAaCdIFaUvXN+CI+RGy3Me16pB4lampmfDNuiABFovtjnMdR/TBCf6oYXAWGet lavcAjD9ytQxIHf9lN5jjLJaPK8lRJSPf/SXbEnDSsal/zZzc4n9VZdr7RAFD5mRwooUYhwMPaBP aKeQW+/QlaOdv8isl/qMm08Zpim2AHUKEWvQ6G/bWfgucjnNmABpGhD9TTttrFCuZ0NkwnSz2Luu o1u9uevuNfM1HjkNEFwape+IgNezYqxGMqsKjARq8PBC4qjpVMhqNcdjhoIlgrKzBvjTmdySlZou 9qHIGOZDEEo7Oyc1nq0gsY582CWqKjiRB3ukywmZtiDkyd4mEBjJGGEJgawbllbHk+xyUKopM6rc KCaQX/lIXcRWtobViGg9fpX6N+2DyDXes8vYD17nJ00F1plJbJWyV2fhV11O+/8dD1nu99v86e+x KzdeJi5RoGhz1HQkoj+jjvmw3UQ3Zextr+7/jg66NXUoieIpLIJirIV7hPvBDpgDmC+XXO9ws5qS dbWrmlMqpoC2dVXCySAVi5bZXEudL3ieMOBM2bJNcVYE7tCqypI5WX0qWh4YQLAxL4Rl2gqNEBWr ilTpbNR2br8Ks0SqCpRWIiXMtOo8/pI8jnU4taLGlA8rnD8bXLXYENHEHdfH4WKtOnkQjvURQKHY 6H+wSCoVvwvquzDDiAFgqbLsMBS3CSu0TYW/KPOYdub/YU/cH64QiTAnRDmAKMFEHS3+vt/Njsed NDmPw/Ld14/y82ebPziYNS9mrGcHWFhVQvKDd9aHm1tzPaYBnxycJOQKmrvtOUL1jquCMfd5HnMi k4ibTRVHi8subW0=
X-Report-Abuse-To: spam@quarantine6.antispamcloud.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic/vzeFFz8z1jHCb7DCaIdlp-9_gaQ>
X-BeenThere: quic@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Main mailing list of the IETF QUIC working group <quic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic>, <mailto:quic-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic/>
List-Post: <mailto:quic@ietf.org>
List-Help: <mailto:quic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic>, <mailto:quic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 20 May 2018 18:00:25 -0000

On 5/20/2018 12:14 AM, Martin Thomson wrote:

> It only works to ensure that the last packet remains the last packet.  That
> doesn't seem like an actual defense against splitting.

I have been thinking of the middle-box hacks that could interfere with
packet coalescing, trying to build a threat model. I am not sure I can't
come with convincing attacks, or rather with convincing attacks that we
can defend against. For me the main coalescing scenarios are:

1) Client Initial (Client Hello) + 0Rtt.

2) Server Handshake (first flight) + 1Rtt.

3) Client Handshake (second flight) + 1Rtt

What would be the motivation for splitting? In the CI+0-RTT case, the
middlebox designer might have heard that 0Rtt is insecure, and might
sell blocking 0RTT as a feature. It might want to pass the CI and block
the 0Rtt. This can be done in many ways. Flipping a couple bits in the
0Rtt payload would achieve that -- decryption would fail, and the 0Rtt
will be ignored. Or, unwrap the coalesced packet, decrypt the CI using
the well known key, add padding to reach the min size, and reencrypt
using the well known key. Tweaking the long header is not going to fix
either of these hacks.

In the Server Handshake + 1Rtt case, the motivation might be similar:
prevent 0.5Rtt transmission because it is arguably insecure. Again, this
can be achieved by flipping bits in the 1Rtt payload to cause a
decryption error, or unwrapping and reformatting the handshake packet.
Since the handshake is only "protected" by a well known key, this is
still possible, even if we added some kind of coalescing indication in
the short header of the 1Rtt data.

In the Client Handshake + 1Rtt case, I fail to find a motivation. But
evil middlebox designers could invent something. Again, if the goal is
to remove the 1Rtt packet, tweaking the headers of that packet won't help.

If we did want to remove the attack, we would have to protect the
coalescing indication with a key that is unknown to the middlebox. That
probably requires an encrypted extension to the client hello, server
hello or finished messages. we could do that, but I wonder whether
that's worth the effort.

-- Christian Huitema

v2.23.0 | Report a Bug | By Email