Re: [TLS] TLSv1.3 Cookies
Matt Caswell <frodo@baggins.org> Wed, 13 September 2017 15:40 UTC
Return-Path: <frodo@baggins.org>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 902FF132D3F for <tls@ietfa.amsl.com>; Wed, 13 Sep 2017 08:40:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_SORBS_SPAM=0.5, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6CbXF7mQ6mbK for <tls@ietfa.amsl.com>; Wed, 13 Sep 2017 08:40:13 -0700 (PDT)
Received: from mx496502.smtp-engine.com (mx496502.smtp-engine.com [IPv6:2001:8d8:968:7d00::19:7e53]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C689D127517 for <tls@ietf.org>; Wed, 13 Sep 2017 08:40:12 -0700 (PDT)
Received: from mail-io0-f172.google.com (mail-io0-f172.google.com [209.85.223.172]) by mx496502.smtp-engine.com (Postfix) with ESMTPSA id 1C7C0BA2 for <tls@ietf.org>; Wed, 13 Sep 2017 16:40:10 +0100 (BST)
Received: by mail-io0-f172.google.com with SMTP id g32so2980035ioj.2 for <tls@ietf.org>; Wed, 13 Sep 2017 08:40:10 -0700 (PDT)
X-Gm-Message-State: AHPjjUj9bYNzYNf5FjZ7HltnP8K++irabbNfswlxEFZplLItCyE5Z75f kyGVUNeHBtYkPgCfJl1RffhVHkhlfJry6NACjho=
X-Google-Smtp-Source: AOwi7QCoB5YE2H+ltMr46xtteSvPglSbLz7RuTuJg9fOGDyznfDB2CqjIwhisPq3t+sygXFvvlseWH5+7KJW1R0/nPQ=
X-Received: by 10.107.197.198 with SMTP id v189mr7224928iof.94.1505317209461; Wed, 13 Sep 2017 08:40:09 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.79.165.25 with HTTP; Wed, 13 Sep 2017 08:40:08 -0700 (PDT)
In-Reply-To: <CABcZeBOS5C+oHchVqhOr-ob3t4c8dxqz5b_iUYiNcbXS5ZaCDQ@mail.gmail.com>
References: <CAMoSCWYXWJMkFAdrcy033_bjMZjRUiU-V5f8MkoTXyvDfw+z6A@mail.gmail.com> <CABcZeBOS5C+oHchVqhOr-ob3t4c8dxqz5b_iUYiNcbXS5ZaCDQ@mail.gmail.com>
From: Matt Caswell <frodo@baggins.org>
Date: Wed, 13 Sep 2017 16:40:08 +0100
X-Gmail-Original-Message-ID: <CAMoSCWYUN=M=HdqUG_xmsUxjYXEfp+VqeCvPfYYynwkxyi52_w@mail.gmail.com>
Message-ID: <CAMoSCWYUN=M=HdqUG_xmsUxjYXEfp+VqeCvPfYYynwkxyi52_w@mail.gmail.com>
To: Eric Rescorla <ekr@rtfm.com>
Cc: "tls@ietf.org" <tls@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/CvMpfXvG2jpZPv16oMhGTtv76kg>
Subject: Re: [TLS] TLSv1.3 Cookies
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 13 Sep 2017 15:40:14 -0000
On 13 September 2017 at 16:12, Eric Rescorla <ekr@rtfm.com> wrote: > On Wed, Sep 13, 2017 at 7:53 AM, Matt Caswell <frodo@baggins.org> wrote: >> >> I am looking at trying to implement the TLSv1.3 stateless cookie >> mechanism (in order to be able to support QUIC stateless retries). >> >> I am not clear how cookies are supposed to interact with early_data. >> Consider the scenario where a server is operating statelessly. Because >> there is no state each ClientHello looks like the first one it ever >> saw. The server only knows that a particular ClientHello is actually a >> ClientHello2 following an HRR because of the state held in the cookie. >> >> What happens when a client attempts to send early data to such a >> server? The server will process the ClientHello and determine that >> there is no cookie, sends back an HRR and then forgets all of its >> state and waits for the next ClientHello. However what it actually >> gets next is early_data. It does not know that that early data >> followed an earlier ClientHello (because it is stateless) so it does >> not know to skip the records. It just looks like illegal records so, >> presumably, it will respond with an alert. > > > It seems like there are three cases here: > > 1. TLS over TCP -- you won't do this statelessly, and so you can know to > dump > early data. > 2. DTLS -- you can be stateless, but you don't terminate connections on > decrypt > error, so you just discard the packets as you would any other bogus packet. > 3. QUIC -- the data looks like an unknown connection (you have dumped the > conn_id) > so you silently discard. Right - well that's the case right now - I guess we don't know how this feature might be used for in the future? So in case (3) should this be documented somewhere - either in the TLSv1.3 spec or the QUIC spec? Perhaps the TLSv1.3 spec should just state that protocols using the cookie feature should specify how early_data is to be handled - and then leave it up to QUIC/DTLS to define the behaviour in each of their cases. > > >> >> I am also unclear what protects against cookies being replayed. If an >> attacker wishes to perform an amplification attack on a particular IP >> it awaits a legitimate ClientHello with a cookie coming from that IP >> and records it. It then replays that ClientHello with cookie to the >> server many times. The cookie looks valid to the server and it >> responds with its ServerHello, full Certificate chain etc back to the >> original IP. What have I missed here? > > > Yes. Cookies aren't generally intended to stop that kind of amplification, > they're just designed to prevent blind attacks on IPs you're not on-path > for. Note that QUIC has an additional defense here of requiring that > that ClientInitial be a certain minimum size. Note that if you are on-path > you can still get a lot of amplification even with TCP at the cost of > sending SYN, ACK, ClientHello... Ok - that makes sense. Perhaps this is worth a note somewhere (not sure where it would fit). Matt
- [TLS] TLSv1.3 Cookies Matt Caswell
- Re: [TLS] TLSv1.3 Cookies Ilari Liusvaara
- Re: [TLS] TLSv1.3 Cookies Short, Todd
- Re: [TLS] TLSv1.3 Cookies Eric Rescorla
- Re: [TLS] TLSv1.3 Cookies Matt Caswell
- Re: [TLS] TLSv1.3 Cookies Matt Caswell
- Re: [TLS] TLSv1.3 Cookies Matt Caswell
- Re: [TLS] TLSv1.3 Cookies Eric Rescorla
- Re: [TLS] TLSv1.3 Cookies Ilari Liusvaara
- Re: [TLS] TLSv1.3 Cookies Matt Caswell