From 7a09db3eaa92fdc09765104fca1bf7a6be971701 Mon Sep 17 00:00:00 2001 From: Ben Schwartz Date: Wed, 11 Oct 2023 11:05:31 -0400 Subject: [PATCH 01/46] Proposal: Packet Transforms --- draft-ietf-masque-quic-proxy.md | 102 +++++++++++++++++++++++++++++--- 1 file changed, 94 insertions(+), 8 deletions(-) diff --git a/draft-ietf-masque-quic-proxy.md b/draft-ietf-masque-quic-proxy.md index c08ee56..7387c4c 100644 --- a/draft-ietf-masque-quic-proxy.md +++ b/draft-ietf-masque-quic-proxy.md @@ -77,12 +77,11 @@ client <-> proxy QUIC packets. These packets use multiple layers of encryption and congestion control. QUIC long header packets MUST use this mode. QUIC short header packets MAY use this mode. This is the default mode for UDP proxying. -2. Forwarded, in which client <-> target QUIC packets are sent directly over the -client <-> proxy UDP socket. These packets are only encrypted using the -client-target keys, and use the client-target congestion control. This mode MUST -only be used for QUIC short header packets. +2. Forwarded, in which client <-> target QUIC packets are sent separately over the +client <-> proxy UDP socket, using a special-purpose transform instead of full +QUIC encapsulation. This mode MUST only be used for QUIC short header packets. -Forwarded mode is defined as an optimization to reduce CPU processing on clients and +Forwarded mode is defined as an optimization to reduce CPU and memory cost to clients and proxies, as well as avoiding MTU overhead for packets on the wire. This makes it suitable for deployment situations that otherwise relied on cleartext TCP proxies, which cannot support QUIC and have inferior security and privacy @@ -98,8 +97,8 @@ proxied packets the target receives. target are not able to learn more about the client <-> target communication than if no proxy was used. -It is not a goal of forwarded mode to prevent correlation between client <-> -proxy and the proxy <-> target packets from an entity that can observe both +Forwarded mode does not prevent correlation of client <-> +proxy and proxy <-> target packets by an entity that can observe both links. See {{security}} for further discussion. Both clients and proxies can unilaterally choose to disable forwarded mode for @@ -146,6 +145,8 @@ the target. client that the proxy MUST use when sending QUIC packets in forwarded mode. - Virtual Target Connection ID: a fake QUIC Connection ID that is chosen by the proxy that the client MUST use when sending QUIC packets in forwarded mode. +- Packet Transform: the procedure used to modify packets before they enter the +client-proxy link. ## Virtual Connection IDs @@ -203,6 +204,7 @@ Each client <-> proxy HTTP stream MUST be mapped to a single target-facing socke Multiple streams can map to the same target-facing socket, but a single stream cannot be mapped to multiple target-facing sockets. +Each stream MUST also be associated with a single Packet Transform. This mapping guarantees that any HTTP Datagram using a stream sent from the client to the proxy in tunnelled mode can be sent to the correct @@ -454,7 +456,7 @@ The "Proxy-QUIC-Forwarding" is an Item Structured Header {{!RFC8941}}. Its value MUST be a Boolean. Its ABNF is: ~~~ - Proxy-QUIC-Forwarding = sf-boolean + Proxy-QUIC-Forwarding = sf-boolean parameters ~~~ If the client wants to enable QUIC packet forwarding for this request, it sets @@ -462,6 +464,10 @@ the value to "?1". If it doesn't want to enable forwarding, but instead only provide information about QUIC Connection IDs for the purpose of allowing the proxy to share a target-facing socket, it sets the value to "?0". +The client MUST add an "accept-transform" parameter whose value is an +`sf-string` containing the supported packet transforms ({{packet-transforms}}) +in order of descending preference, separated by commas. + If the proxy supports QUIC-aware proxying, it will include the "Proxy-QUIC-Forwarding" header in successful HTTP responses. The value indicates whether or not the proxy supports forwarding. If the client does @@ -599,6 +605,9 @@ by including a "Proxy-QUIC-Forwarding" header in a successful response. If it supports QUIC packet forwarding, it sets the value to "?1"; otherwise, it sets it to "?0". +The proxy MUST include a "transform" parameter whose value is an `sf-string` +indicating the selected transform. + Upon receipt of a REGISTER_CLIENT_CID or REGISTER_TARGET_CID capsule, the proxy validates the registration, tries to establish the appropriate mappings as described in {{mappings}}. @@ -734,6 +743,78 @@ headers does not apply. A proxy MAY additionally add ECN markings to signal congestion being experienced on the proxy itself. +# Packet Transforms + +A packet transform is the procedure applied to packets as they are sent on the +client-proxy link, and its inverse applied on receipt. Simple transforms can +be modelled as a function as follows: + +Inputs: + +1. A QUIC short header packet (after Connection ID remapping). +1. The mode (forward or inverse). +1. The direction (upstream or downstream). +1. Any configuration info negotiated at startup. + +Output: + +* A UDP payload that conforms to the QUIC invariants {{?RFC8999}} and does not + modify the Connection ID. + +More complex transform behaviors could have internal state, but no such transforms +are presented here. + +Packet transforms are identified by an IANA-registered name, and negotiated in +the HTTP headers (see {{client-behavior}}). This document defines two initial +transforms: "null" and "scramble". + +> QUESTION: Should one or both of these be Mandatory To Implement? + +## "null" + +The "null" transform does not modify the packet in any way. When this transform +is in use, a global passive adversary can trivially correlate pairs of packets +that crossed the forwarder, providing a compact proof that a specific client +was communicating to a specific target. + +Use of this transform is NOT RECOMMENDED if "scramble" can be deployed. + +## "scramble" + +The "scramble" transform implements length-preserving unauthenticated encryption +of QUIC packets while preserving the QUIC invariants. When "scramble" is in use, +a global passive adversary cannot select any small set of packets that +conclusively links the client and target. However, "scramble" does not defend +against statistical analysis of large numbers of packets, nor does it protect +privacy against an active attacker. + +The "scramble" transform is initialized using a 32-byte random symmetric key. +When offering or selecting this transform, each party MUST select the key that +they will use to encrypt scrambled packets and add it to the +Proxy-QUIC-Transform header in a parameter named "scramble-key" whose value is +`sf-binary`. + +The forward transform operates as follows: + +1. Let `k1, k2 = scramble_key[:16], scramble_key[16:32]`. +1. Instantiate an AES-CTR stream cipher `S` with key `k1`, using a 128-bit counter. + * We represent `S` here as a stateful encryption function. +1. Instantiate an AES-ECB block cipher `B` with key `k2`. +1. Let `L` be the Connection ID length. +1. Let `sample = packet[L+1:L+17]`, i.e., the 16 bytes following the + Connection ID. +1. Set the stream cipher counter to the sample in network byte order: + `S.counter = sample`. +1. Encrypt the first byte: `packet[:1] = S(packet[:1])`. +1. Restore the Header Form bit: `packet[0] &= 0x7F`. +1. Encrypt the packet contents after `sample`: `packet[L+17:] = S(packet[L+17:])`. +1. Encrypt `sample` using a block cipher: `packet[L+1:L+17] = B(sample)`. + +NOTE: The security of this arrangement relies on the QUIC payload containing a +16-byte `sample` that is pseudorandom. This is guaranteed in QUICv1, but future +versions of QUIC could in principle produce packets that cannot safely be +processed by the "scramble" transform. + # Example Consider a client that is establishing a new QUIC connection through the proxy. @@ -873,6 +954,8 @@ integrity check, it is possible that these packets are either malformed, replays, or otherwise malicious. This may result in proxy targets rate limiting or decreasing the reputation of a given proxy. +> TODO: Update security considerations to mention the impact of packet transforms. + [comment1]: # OPEN ISSUE: Figure out how clients and proxies could interact to [comment2]: # learn whether an adversary is injecting malicious forwarded [comment3]: # packets to induce rate limiting. @@ -893,6 +976,9 @@ Header Field Names" <[](https://www.iana.org/assignments/message-headers)>. ~~~ {: #iana-header-type-table title="Registered HTTP Header"} +> TODO: Create a registry for the parameter names ("accept-transform", "transform", +> "scramble-key"). + ## Capsule Types {#iana-capsule-types} This document registers six new values in the "HTTP Capsule Types" From 217489c8060e78dec26d5e1395fe8175602f884d Mon Sep 17 00:00:00 2001 From: Ben Schwartz Date: Wed, 18 Oct 2023 11:09:56 -0400 Subject: [PATCH 02/46] Expand pseudocode and other minor updates --- draft-ietf-masque-quic-proxy.md | 85 ++++++++++++++++++++++----------- 1 file changed, 57 insertions(+), 28 deletions(-) diff --git a/draft-ietf-masque-quic-proxy.md b/draft-ietf-masque-quic-proxy.md index 7387c4c..82f9652 100644 --- a/draft-ietf-masque-quic-proxy.md +++ b/draft-ietf-masque-quic-proxy.md @@ -97,9 +97,10 @@ proxied packets the target receives. target are not able to learn more about the client <-> target communication than if no proxy was used. -Forwarded mode does not prevent correlation of client <-> -proxy and proxy <-> target packets by an entity that can observe both -links. See {{security}} for further discussion. +Forwarded mode does not prevent correlation of client <-> proxy and proxy <-> +target packets by an entity that can observe both links. The precise risks +depend on the negotiated transform ({{packet-transforms}}). See {{security}} for +further discussion. Both clients and proxies can unilaterally choose to disable forwarded mode for any client <-> target connection. @@ -781,34 +782,55 @@ Use of this transform is NOT RECOMMENDED if "scramble" can be deployed. ## "scramble" -The "scramble" transform implements length-preserving unauthenticated encryption -of QUIC packets while preserving the QUIC invariants. When "scramble" is in use, -a global passive adversary cannot select any small set of packets that -conclusively links the client and target. However, "scramble" does not defend -against statistical analysis of large numbers of packets, nor does it protect -privacy against an active attacker. +The "scramble" transform implements length-preserving unauthenticated +re-encryption of QUIC packets while preserving the QUIC invariants. When +"scramble" is in use, a global passive adversary cannot use the packet contents +to link the client and target. However, "scramble" does not defend against +analysis of packet sizes and timing, nor does it protect privacy against an +active attacker. The "scramble" transform is initialized using a 32-byte random symmetric key. -When offering or selecting this transform, each party MUST select the key that -they will use to encrypt scrambled packets and add it to the -Proxy-QUIC-Transform header in a parameter named "scramble-key" whose value is -`sf-binary`. +When offering or selecting this transform, the client and server MUST each +generate the key that they will use to encrypt scrambled packets and add it to the +Proxy-QUIC-Transform header in an `sf-binary` parameter named "scramble-key". -The forward transform operates as follows: +This transform relies on the AES-128 block cipher, which is represented by the +syntax `AES-ECB(key, plaintext_block)` as in {{?RFC9001}}. The corresponding +decryption operation is written here as `AES-ECB-inv(key, ciphertext_block)`. +In brief, the transform applies AES in counter mode (AES-CTR) using an +initialization vector drawn from the packet, then encrypts the initialization +vector with AES-ECB. The detailed procedure is as follows: 1. Let `k1, k2 = scramble_key[:16], scramble_key[16:32]`. -1. Instantiate an AES-CTR stream cipher `S` with key `k1`, using a 128-bit counter. - * We represent `S` here as a stateful encryption function. -1. Instantiate an AES-ECB block cipher `B` with key `k2`. 1. Let `L` be the Connection ID length. -1. Let `sample = packet[L+1:L+17]`, i.e., the 16 bytes following the - Connection ID. -1. Set the stream cipher counter to the sample in network byte order: - `S.counter = sample`. -1. Encrypt the first byte: `packet[:1] = S(packet[:1])`. -1. Restore the Header Form bit: `packet[0] &= 0x7F`. -1. Encrypt the packet contents after `sample`: `packet[L+17:] = S(packet[L+17:])`. -1. Encrypt `sample` using a block cipher: `packet[L+1:L+17] = B(sample)`. +1. Let `counter = copy(packet[L+1:L+17])`, i.e., the 16 bytes following the + Connection ID. This is the AES-CTR initialization vector and counter. +1. Let `aesctr0 = AES-ECB(k1, counter)`. (`len(aesctr0) == 16`.) +1. Encrypt the lower 7 bits of the first byte:\\ + `packet[0] ^= aesctr0[0] & 0x7F`. + * Here "`^`" represents bitwise XOR and "`&`" represents bitwise AND. +1. Encrypt up to 15 bytes following the sample:\\ + `packet[L+17:L+32] ^= aesctr0[1:]`. +1. Encrypt the remainder of the packet (if any) using AES-CTR: + 1. Let `i = L + 32`. + 1. `while i < len(packet)` + 1. Set `counter = increment(counter)`, where `increment()` represents + incrementing a 128-bit integer (e.g., uint128) in network byte order. + 1. Encrypt the next chunk of the packet:\\ + `packet[i:i+16] ^= AES-ECB(k1, counter)`. + 1. Set `i = i + 16`. +1. Encrypt the sample used to initialize `counter` using the block cipher:\\ + `packet[L+1:L+17] = AES-ECB(k2, packet[L+1:L+17])`. + +The inverse transform operates as follows: + +1. Decrypt the 16 bytes after the Connection ID:\\ + `packet[L+1:L+17] = AES-ECB-inv(k2, packet[L+1:L+17])`. +1. Process the remainder of the packet exactly as in the forward transform. + (AES-CTR encryption and decryption are identical.) + +The encryption keys used in this procedure do not depend on the packet contents, +so each party only needs to perform AES initialization once for each connection. NOTE: The security of this arrangement relies on the QUIC payload containing a 16-byte `sample` that is pseudorandom. This is guaranteed in QUICv1, but future @@ -818,6 +840,7 @@ processed by the "scramble" transform. # Example Consider a client that is establishing a new QUIC connection through the proxy. +In this example, the client prefers the "scramble" transform, but also offers "null". It has selected a Client Connection ID of 0x31323334. In order to inform a proxy of the new QUIC Client Connection ID, the client also sends a REGISTER_CLIENT_CID capsule. @@ -834,7 +857,8 @@ STREAM(44): HEADERS --------> :scheme = https :path = /target.example.com/443/ :authority = proxy.example.org - proxy-quic-forwarding = ?1 + proxy-quic-forwarding = ?1; accept-transform=scramble,null \ + scramble-key=":abc...789=:" capsule-protocol = ?1 STREAM(44): DATA --------> @@ -850,7 +874,8 @@ DATAGRAM --------> <-------- STREAM(44): HEADERS :status = 200 - proxy-quic-forwarding = ?1 + proxy-quic-forwarding = ?1; transform=scramble \ + scramble-key=":ABC...321=:" capsule-protocol = ?1 <-------- STREAM(44): DATA @@ -883,7 +908,11 @@ receive forwarded mode packets from the proxy with a Virtual Client Connection ID of 0x62646668 which it will replace with the real Client Connection ID of 0x31323334. All forwarded mode packets sent by the proxy will have been modified to contain the Virtual Client Connection ID instead -of the Client Connection ID. +of the Client Connection ID, and processed by the negotiated "scramble" +packet transform. However, in the unlikely event that a forwarded packet +arrives before the proxy's HTTP response, the client will not know which +transform the proxy selected. In this case, the client will have to ignore +the packet or buffer it until the HTTP response is received. Once the client learns which Connection ID has been selected by the target server, it can send a new request to the proxy to establish a mapping for From 23ee057542abdaa6cc47415565e14f2fef2a7694 Mon Sep 17 00:00:00 2001 From: Tommy Pauly Date: Wed, 18 Oct 2023 09:34:43 -0700 Subject: [PATCH 03/46] Update draft-ietf-masque-quic-proxy.md Co-authored-by: Benjamin M. Schwartz --- draft-ietf-masque-quic-proxy.md | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/draft-ietf-masque-quic-proxy.md b/draft-ietf-masque-quic-proxy.md index 82f9652..4cfc79c 100644 --- a/draft-ietf-masque-quic-proxy.md +++ b/draft-ietf-masque-quic-proxy.md @@ -832,10 +832,11 @@ The inverse transform operates as follows: The encryption keys used in this procedure do not depend on the packet contents, so each party only needs to perform AES initialization once for each connection. -NOTE: The security of this arrangement relies on the QUIC payload containing a -16-byte `sample` that is pseudorandom. This is guaranteed in QUICv1, but future -versions of QUIC could in principle produce packets that cannot safely be -processed by the "scramble" transform. +NOTE: The security of this arrangement relies on the 16 bytes following the +Connection ID (i.e., the `sample`) being pseudorandom. This is guaranteed +in QUICv1, but future versions of QUIC might not maintain this arrangement. +The "scramble" transform MUST NOT be used with any QUIC version that +does not guarantee this property. # Example From 491a931648b5398632f99788e00d5ec0ea43167c Mon Sep 17 00:00:00 2001 From: Ben Schwartz Date: Wed, 18 Oct 2023 14:42:53 -0400 Subject: [PATCH 04/46] Replace MTI with negotiation rules and address the CCM_8 problem --- draft-ietf-masque-quic-proxy.md | 19 ++++++++++++------- 1 file changed, 12 insertions(+), 7 deletions(-) diff --git a/draft-ietf-masque-quic-proxy.md b/draft-ietf-masque-quic-proxy.md index 82f9652..9afb443 100644 --- a/draft-ietf-masque-quic-proxy.md +++ b/draft-ietf-masque-quic-proxy.md @@ -607,7 +607,11 @@ If it supports QUIC packet forwarding, it sets the value to "?1"; otherwise, it sets it to "?0". The proxy MUST include a "transform" parameter whose value is an `sf-string` -indicating the selected transform. +indicating the selected transform. If the proxy does not recognize or accept +any of the transforms offered by the client, it MUST omit this parameter. When +the "transform" parameter is omitted, forwarding mode is not enabled but +Connection IDs can still be registered to support sharing of proxy-origin +5-tuples. Upon receipt of a REGISTER_CLIENT_CID or REGISTER_TARGET_CID capsule, the proxy validates the registration, tries to establish the appropriate @@ -769,8 +773,6 @@ Packet transforms are identified by an IANA-registered name, and negotiated in the HTTP headers (see {{client-behavior}}). This document defines two initial transforms: "null" and "scramble". -> QUESTION: Should one or both of these be Mandatory To Implement? - ## "null" The "null" transform does not modify the packet in any way. When this transform @@ -832,10 +834,13 @@ The inverse transform operates as follows: The encryption keys used in this procedure do not depend on the packet contents, so each party only needs to perform AES initialization once for each connection. -NOTE: The security of this arrangement relies on the QUIC payload containing a -16-byte `sample` that is pseudorandom. This is guaranteed in QUICv1, but future -versions of QUIC could in principle produce packets that cannot safely be -processed by the "scramble" transform. +NOTE: The security of this arrangement relies on every short-header QUIC packet +containing a distinct 16 bytes following the Connection ID. This is true +for the original ciphersuites of QUICv1, but it is not guaranteed by the QUIC +Invariants. Future ciphersuites and QUIC versions could in principle produce +packets that are too short or repeat the values at this location. When using the +"scramble" transform, clients MUST NOT offer any configuration that could +cause the client or origin to violate this requirement. # Example From f009a66cad6c1f912644aca05614b9b42e8e9fc7 Mon Sep 17 00:00:00 2001 From: Ben Schwartz Date: Wed, 18 Oct 2023 22:09:37 -0400 Subject: [PATCH 05/46] Add semicolons --- draft-ietf-masque-quic-proxy.md | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/draft-ietf-masque-quic-proxy.md b/draft-ietf-masque-quic-proxy.md index 9afb443..5ceec06 100644 --- a/draft-ietf-masque-quic-proxy.md +++ b/draft-ietf-masque-quic-proxy.md @@ -862,7 +862,7 @@ STREAM(44): HEADERS --------> :scheme = https :path = /target.example.com/443/ :authority = proxy.example.org - proxy-quic-forwarding = ?1; accept-transform=scramble,null \ + proxy-quic-forwarding = ?1; accept-transform=scramble,null; \ scramble-key=":abc...789=:" capsule-protocol = ?1 @@ -879,7 +879,8 @@ DATAGRAM --------> <-------- STREAM(44): HEADERS :status = 200 - proxy-quic-forwarding = ?1; transform=scramble \ + proxy-quic-forwarding = ?1; \ + transform=scramble; \ scramble-key=":ABC...321=:" capsule-protocol = ?1 From 2fde7062ae3c05863549e52e006a080473d8666e Mon Sep 17 00:00:00 2001 From: Ben Schwartz Date: Thu, 19 Oct 2023 09:16:34 -0400 Subject: [PATCH 06/46] Adjust negotiation failure text --- draft-ietf-masque-quic-proxy.md | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/draft-ietf-masque-quic-proxy.md b/draft-ietf-masque-quic-proxy.md index 5ceec06..5db6f4e 100644 --- a/draft-ietf-masque-quic-proxy.md +++ b/draft-ietf-masque-quic-proxy.md @@ -608,10 +608,8 @@ it sets it to "?0". The proxy MUST include a "transform" parameter whose value is an `sf-string` indicating the selected transform. If the proxy does not recognize or accept -any of the transforms offered by the client, it MUST omit this parameter. When -the "transform" parameter is omitted, forwarding mode is not enabled but -Connection IDs can still be registered to support sharing of proxy-origin -5-tuples. +any of the transforms offered by the client, it MUST omit this parameter and +set the header field value to "?0", or omit the header entirely. Upon receipt of a REGISTER_CLIENT_CID or REGISTER_TARGET_CID capsule, the proxy validates the registration, tries to establish the appropriate From d56f8b89082ecab06dc3ed565273f1a75c2ca388 Mon Sep 17 00:00:00 2001 From: Ben Schwartz Date: Thu, 19 Oct 2023 11:27:20 -0400 Subject: [PATCH 07/46] Improve formatting, expand IANA text, correct terminology --- draft-ietf-masque-quic-proxy.md | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/draft-ietf-masque-quic-proxy.md b/draft-ietf-masque-quic-proxy.md index 5db6f4e..d9c10e7 100644 --- a/draft-ietf-masque-quic-proxy.md +++ b/draft-ietf-masque-quic-proxy.md @@ -762,7 +762,7 @@ Inputs: Output: * A UDP payload that conforms to the QUIC invariants {{?RFC8999}} and does not - modify the Connection ID. + modify the Connection ID. More complex transform behaviors could have internal state, but no such transforms are presented here. @@ -813,12 +813,12 @@ vector with AES-ECB. The detailed procedure is as follows: `packet[L+17:L+32] ^= aesctr0[1:]`. 1. Encrypt the remainder of the packet (if any) using AES-CTR: 1. Let `i = L + 32`. - 1. `while i < len(packet)` - 1. Set `counter = increment(counter)`, where `increment()` represents - incrementing a 128-bit integer (e.g., uint128) in network byte order. - 1. Encrypt the next chunk of the packet:\\ - `packet[i:i+16] ^= AES-ECB(k1, counter)`. - 1. Set `i = i + 16`. + 1. `while i < len(packet)`: + 1. Set `counter = increment(counter)`, where `increment()` represents + incrementing a 128-bit integer (e.g., uint128) in network byte order. + 1. Encrypt the next chunk of the packet:\\ + `packet[i:i+16] ^= AES-ECB(k1, counter)`. + 1. Set `i = i + 16`. 1. Encrypt the sample used to initialize `counter` using the block cipher:\\ `packet[L+1:L+17] = AES-ECB(k2, packet[L+1:L+17])`. @@ -838,7 +838,7 @@ for the original ciphersuites of QUICv1, but it is not guaranteed by the QUIC Invariants. Future ciphersuites and QUIC versions could in principle produce packets that are too short or repeat the values at this location. When using the "scramble" transform, clients MUST NOT offer any configuration that could -cause the client or origin to violate this requirement. +cause the client or target to violate this requirement. # Example @@ -1010,7 +1010,7 @@ Header Field Names" <[](https://www.iana.org/assignments/message-headers)>. {: #iana-header-type-table title="Registered HTTP Header"} > TODO: Create a registry for the parameter names ("accept-transform", "transform", -> "scramble-key"). +> "scramble-key"), and possibly also the transform names ("scramble", "null"). ## Capsule Types {#iana-capsule-types} From 16ecc888a46fc296c2860024ecf208df62a4d630 Mon Sep 17 00:00:00 2001 From: "Benjamin M. Schwartz" Date: Wed, 25 Oct 2023 13:12:40 -0400 Subject: [PATCH 08/46] Remove extraneous quotes for sf-binary Co-authored-by: David Schinazi --- draft-ietf-masque-quic-proxy.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/draft-ietf-masque-quic-proxy.md b/draft-ietf-masque-quic-proxy.md index d9c10e7..51dfbbf 100644 --- a/draft-ietf-masque-quic-proxy.md +++ b/draft-ietf-masque-quic-proxy.md @@ -861,7 +861,7 @@ STREAM(44): HEADERS --------> :path = /target.example.com/443/ :authority = proxy.example.org proxy-quic-forwarding = ?1; accept-transform=scramble,null; \ - scramble-key=":abc...789=:" + scramble-key=:abc...789=: capsule-protocol = ?1 STREAM(44): DATA --------> @@ -879,7 +879,7 @@ DATAGRAM --------> :status = 200 proxy-quic-forwarding = ?1; \ transform=scramble; \ - scramble-key=":ABC...321=:" + scramble-key=:ABC...321=: capsule-protocol = ?1 <-------- STREAM(44): DATA From be7a9025e22ce7b7ee5678f1f64f709849ca2850 Mon Sep 17 00:00:00 2001 From: Ben Schwartz Date: Wed, 25 Oct 2023 16:32:44 -0400 Subject: [PATCH 09/46] Define a syntax for AES-CTR --- draft-ietf-masque-quic-proxy.md | 51 +++++++++++++++++++-------------- 1 file changed, 30 insertions(+), 21 deletions(-) diff --git a/draft-ietf-masque-quic-proxy.md b/draft-ietf-masque-quic-proxy.md index 51dfbbf..b1381e0 100644 --- a/draft-ietf-masque-quic-proxy.md +++ b/draft-ietf-masque-quic-proxy.md @@ -39,6 +39,16 @@ author: country: "United States of America" email: dschinazi.ietf@gmail.com +normative: + SP800-38A: + author: + name: Morris Dworkin + org: National Institute of Standards and Technology + title: > + Recommendation for Block Cipher Modes of Operation: Methods and Techniques + date: 2001-12-01 + target: https://nvlpubs.nist.gov/nistpubs/legacy/sp/nistspecialpublication800-38a.pdf + --- abstract This document defines an extension to UDP Proxying over HTTP @@ -797,37 +807,36 @@ Proxy-QUIC-Transform header in an `sf-binary` parameter named "scramble-key". This transform relies on the AES-128 block cipher, which is represented by the syntax `AES-ECB(key, plaintext_block)` as in {{?RFC9001}}. The corresponding decryption operation is written here as `AES-ECB-inv(key, ciphertext_block)`. +It also uses AES in Counter Mode ({{SP800-38A}}, Section 6.5), which is +represented by the syntax `AES-CTR(key, iv, input)` for encryption and +decryption (which are identical). In this syntax, `iv` is an array of 16 bytes +containing the initial counter block. The counter is incremented by the +standard incrementing function ({{SP800-38A}}, Appendix B.1) on the full block +width. + In brief, the transform applies AES in counter mode (AES-CTR) using an initialization vector drawn from the packet, then encrypts the initialization vector with AES-ECB. The detailed procedure is as follows: 1. Let `k1, k2 = scramble_key[:16], scramble_key[16:32]`. 1. Let `L` be the Connection ID length. -1. Let `counter = copy(packet[L+1:L+17])`, i.e., the 16 bytes following the - Connection ID. This is the AES-CTR initialization vector and counter. -1. Let `aesctr0 = AES-ECB(k1, counter)`. (`len(aesctr0) == 16`.) -1. Encrypt the lower 7 bits of the first byte:\\ - `packet[0] ^= aesctr0[0] & 0x7F`. - * Here "`^`" represents bitwise XOR and "`&`" represents bitwise AND. -1. Encrypt up to 15 bytes following the sample:\\ - `packet[L+17:L+32] ^= aesctr0[1:]`. -1. Encrypt the remainder of the packet (if any) using AES-CTR: - 1. Let `i = L + 32`. - 1. `while i < len(packet)`: - 1. Set `counter = increment(counter)`, where `increment()` represents - incrementing a 128-bit integer (e.g., uint128) in network byte order. - 1. Encrypt the next chunk of the packet:\\ - `packet[i:i+16] ^= AES-ECB(k1, counter)`. - 1. Set `i = i + 16`. -1. Encrypt the sample used to initialize `counter` using the block cipher:\\ - `packet[L+1:L+17] = AES-ECB(k2, packet[L+1:L+17])`. +1. Let `cid = packet[1:L+1]`, i.e., the Connection ID. +1. Let `iv = packet[L+1:L+17]`, i.e., the 16 bytes following the Connection ID. +1. Let `ctr_input = packet[0] | packet[L+17:]`. +1. Let `ctr_output = AES-CTR(k1, iv, ctr_input)`. +1. Let `header = ctr_output[0] & 0x7F`. This ensures that the "QUIC bit" is + always zero. +1. Encrypt `iv` with the block cipher: `encrypted_iv = AES-ECB(k2, iv)`. +1. Produce the output packet as:\\ + `header | cid | encrypted_iv | ctr_output[1:]`. The inverse transform operates as follows: -1. Decrypt the 16 bytes after the Connection ID:\\ - `packet[L+1:L+17] = AES-ECB-inv(k2, packet[L+1:L+17])`. -1. Process the remainder of the packet exactly as in the forward transform. +1. Decrypt the AES-CTR initialization vector:\\ + `iv = AES-ECB-inv(k2, packet[L+1:L+17])`. +1. Compute the other variables exactly as in the forward transform. (AES-CTR encryption and decryption are identical.) +1. Produce the output: `header | cid | iv | ctr_output[1:]`. The encryption keys used in this procedure do not depend on the packet contents, so each party only needs to perform AES initialization once for each connection. From c9a45dc8aed5a2bdd81c1cdae8a9277c12512860 Mon Sep 17 00:00:00 2001 From: Ben Schwartz Date: Thu, 26 Oct 2023 12:34:44 -0400 Subject: [PATCH 10/46] s/QUIC bit/Header Form bit/ --- draft-ietf-masque-quic-proxy.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/draft-ietf-masque-quic-proxy.md b/draft-ietf-masque-quic-proxy.md index b1381e0..b8eef21 100644 --- a/draft-ietf-masque-quic-proxy.md +++ b/draft-ietf-masque-quic-proxy.md @@ -824,8 +824,8 @@ vector with AES-ECB. The detailed procedure is as follows: 1. Let `iv = packet[L+1:L+17]`, i.e., the 16 bytes following the Connection ID. 1. Let `ctr_input = packet[0] | packet[L+17:]`. 1. Let `ctr_output = AES-CTR(k1, iv, ctr_input)`. -1. Let `header = ctr_output[0] & 0x7F`. This ensures that the "QUIC bit" is - always zero. +1. Let `header = ctr_output[0] & 0x7F`. This ensures that the Header Form bit + is zero, as required by the QUIC invariants ({{?RFC8999}}, Section 5.2). 1. Encrypt `iv` with the block cipher: `encrypted_iv = AES-ECB(k2, iv)`. 1. Produce the output packet as:\\ `header | cid | encrypted_iv | ctr_output[1:]`. From aa04a1d13f5d388c68f00a0a86d4197c5be9abdd Mon Sep 17 00:00:00 2001 From: Tommy Pauly Date: Wed, 6 Dec 2023 08:31:11 -0800 Subject: [PATCH 11/46] Update draft-ietf-masque-quic-proxy.md --- draft-ietf-masque-quic-proxy.md | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/draft-ietf-masque-quic-proxy.md b/draft-ietf-masque-quic-proxy.md index b8eef21..6f64445 100644 --- a/draft-ietf-masque-quic-proxy.md +++ b/draft-ietf-masque-quic-proxy.md @@ -464,11 +464,7 @@ If this header is not included, the client MUST NOT send any connection ID capsules. The "Proxy-QUIC-Forwarding" is an Item Structured Header {{!RFC8941}}. Its -value MUST be a Boolean. Its ABNF is: - -~~~ - Proxy-QUIC-Forwarding = sf-boolean parameters -~~~ +value MUST be a Boolean. If the client wants to enable QUIC packet forwarding for this request, it sets the value to "?1". If it doesn't want to enable forwarding, but instead only From de7097d10786409a1292b0758c67bf6ca5eebdda Mon Sep 17 00:00:00 2001 From: mirjak Date: Tue, 12 Dec 2023 15:36:24 +0100 Subject: [PATCH 12/46] IANA registries for parameter names and transform names fixes #94 This PR creates two registries, however, not sure we really need the parameter names one? Both registrations are proposed with Specification Requires Policy but I could also see reasons to actually go for IETF Review. Any views? Following the model in https://www.iana.org/assignments/http-parameters/http-parameters.xhtml both registries have a "Description" and "Notes" section, however, not sure we really need those. --- draft-ietf-masque-quic-proxy.md | 38 +++++++++++++++++++++++++++++++-- 1 file changed, 36 insertions(+), 2 deletions(-) diff --git a/draft-ietf-masque-quic-proxy.md b/draft-ietf-masque-quic-proxy.md index 6f64445..1c30423 100644 --- a/draft-ietf-masque-quic-proxy.md +++ b/draft-ietf-masque-quic-proxy.md @@ -777,7 +777,7 @@ Packet transforms are identified by an IANA-registered name, and negotiated in the HTTP headers (see {{client-behavior}}). This document defines two initial transforms: "null" and "scramble". -## "null" +## "null" {#null-transform} The "null" transform does not modify the packet in any way. When this transform is in use, a global passive adversary can trivially correlate pairs of packets @@ -786,7 +786,7 @@ was communicating to a specific target. Use of this transform is NOT RECOMMENDED if "scramble" can be deployed. -## "scramble" +## "scramble" {#scramble-transform} The "scramble" transform implements length-preserving unauthenticated re-encryption of QUIC packets while preserving the QUIC invariants. When @@ -1017,6 +1017,26 @@ Header Field Names" <[](https://www.iana.org/assignments/message-headers)>. > TODO: Create a registry for the parameter names ("accept-transform", "transform", > "scramble-key"), and possibly also the transform names ("scramble", "null"). +## QUIC Proxy Parameter Names + +This document establishes a new registry for QUIC proxy parameter names +in <[](https://www.iana.org/assignments/masque/masque.xhtml)>. +Registrations in this registry are assigned using the +Specification Required policy (Section 4.6 of [IANA-POLICY]). + +~~~ + +-----------------------+-------------------------------------+---------------+--------------------------------+ + | Parameter Name | Description | Reference | Notes | + +-----------------------+-------------------------------------+---------------+--------------------------------+ + | accept-transform | contains supported transforms | This document | Section {{client-behavior}} | + +-----------------------+-------------------------------------+---------------+--------------------------------+ + | transform | indicates selected transforms | This document | Section {{proxy-behavior}} | + +-----------------------+-------------------------------------+---------------+--------------------------------+ + | scramble-key | contains key for scramble transform | This document | Section {{scramble-transform}} | + +-----------------------+-------------------------------------+---------------+--------------------------------+ +~~~ +{: #iana-parameter-names-table title="Initial QUIC Proxy Parameter Names"} + ## Capsule Types {#iana-capsule-types} This document registers six new values in the "HTTP Capsule Types" @@ -1032,6 +1052,20 @@ registry established by {{HTTP-DGRAM}}. | CLOSE_TARGET_CID | 0xffe405 | This Document | {: #iana-capsule-type-table title="Registered Capsule Types"} +## Packet Transform Names + +This document establishes a new registry for packet transform names +in <[](https://www.iana.org/assignments/masque/masque.xhtml)> +and defines two initial transforms: "null" and "scramble". +Registrations in this registry are assigned using the +Specification Required policy (Section 4.6 of [IANA-POLICY]). + +| Transform Name | Description | Specification | Notes | +|:---------------|:------------------|:--------------|--------------------------------| +| null | no transformation | This Document | Section {{null-transform}} | +| scramble | simples scramble | This Document | Section {{scramble-transform}} | +{: #iana-packet-transforms-table title="Initial Packet Transform Names"} + --- back # Acknowledgments {#acknowledgments} From 9f4582331524030db12501d47ba94d0c9660625a Mon Sep 17 00:00:00 2001 From: mirjak Date: Tue, 12 Dec 2023 15:37:32 +0100 Subject: [PATCH 13/46] remove Todo and switch order --- draft-ietf-masque-quic-proxy.md | 31 ++++++++++++++----------------- 1 file changed, 14 insertions(+), 17 deletions(-) diff --git a/draft-ietf-masque-quic-proxy.md b/draft-ietf-masque-quic-proxy.md index 1c30423..112b335 100644 --- a/draft-ietf-masque-quic-proxy.md +++ b/draft-ietf-masque-quic-proxy.md @@ -1014,9 +1014,6 @@ Header Field Names" <[](https://www.iana.org/assignments/message-headers)>. ~~~ {: #iana-header-type-table title="Registered HTTP Header"} -> TODO: Create a registry for the parameter names ("accept-transform", "transform", -> "scramble-key"), and possibly also the transform names ("scramble", "null"). - ## QUIC Proxy Parameter Names This document establishes a new registry for QUIC proxy parameter names @@ -1037,6 +1034,20 @@ Specification Required policy (Section 4.6 of [IANA-POLICY]). ~~~ {: #iana-parameter-names-table title="Initial QUIC Proxy Parameter Names"} +## Packet Transform Names + +This document establishes a new registry for packet transform names +in <[](https://www.iana.org/assignments/masque/masque.xhtml)> +and defines two initial transforms: "null" and "scramble". +Registrations in this registry are assigned using the +Specification Required policy (Section 4.6 of [IANA-POLICY]). + +| Transform Name | Description | Specification | Notes | +|:---------------|:------------------|:--------------|--------------------------------| +| null | no transformation | This Document | Section {{null-transform}} | +| scramble | simples scramble | This Document | Section {{scramble-transform}} | +{: #iana-packet-transforms-table title="Initial Packet Transform Names"} + ## Capsule Types {#iana-capsule-types} This document registers six new values in the "HTTP Capsule Types" @@ -1052,20 +1063,6 @@ registry established by {{HTTP-DGRAM}}. | CLOSE_TARGET_CID | 0xffe405 | This Document | {: #iana-capsule-type-table title="Registered Capsule Types"} -## Packet Transform Names - -This document establishes a new registry for packet transform names -in <[](https://www.iana.org/assignments/masque/masque.xhtml)> -and defines two initial transforms: "null" and "scramble". -Registrations in this registry are assigned using the -Specification Required policy (Section 4.6 of [IANA-POLICY]). - -| Transform Name | Description | Specification | Notes | -|:---------------|:------------------|:--------------|--------------------------------| -| null | no transformation | This Document | Section {{null-transform}} | -| scramble | simples scramble | This Document | Section {{scramble-transform}} | -{: #iana-packet-transforms-table title="Initial Packet Transform Names"} - --- back # Acknowledgments {#acknowledgments} From 86ab8eb937793f5b9c0f93e51e3c4a1adc056380 Mon Sep 17 00:00:00 2001 From: mirjak Date: Tue, 12 Dec 2023 16:19:04 +0100 Subject: [PATCH 14/46] whitespace...! --- draft-ietf-masque-quic-proxy.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/draft-ietf-masque-quic-proxy.md b/draft-ietf-masque-quic-proxy.md index 112b335..f57293b 100644 --- a/draft-ietf-masque-quic-proxy.md +++ b/draft-ietf-masque-quic-proxy.md @@ -1037,7 +1037,7 @@ Specification Required policy (Section 4.6 of [IANA-POLICY]). ## Packet Transform Names This document establishes a new registry for packet transform names -in <[](https://www.iana.org/assignments/masque/masque.xhtml)> +in <[](https://www.iana.org/assignments/masque/masque.xhtml)> and defines two initial transforms: "null" and "scramble". Registrations in this registry are assigned using the Specification Required policy (Section 4.6 of [IANA-POLICY]). From 6c15326362a7499c80f6eb3a8ee7647de62ab665 Mon Sep 17 00:00:00 2001 From: Tommy Pauly Date: Wed, 3 Jan 2024 08:05:44 -0800 Subject: [PATCH 15/46] Update draft-ietf-masque-quic-proxy.md --- draft-ietf-masque-quic-proxy.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/draft-ietf-masque-quic-proxy.md b/draft-ietf-masque-quic-proxy.md index f57293b..71396a4 100644 --- a/draft-ietf-masque-quic-proxy.md +++ b/draft-ietf-masque-quic-proxy.md @@ -1045,7 +1045,7 @@ Specification Required policy (Section 4.6 of [IANA-POLICY]). | Transform Name | Description | Specification | Notes | |:---------------|:------------------|:--------------|--------------------------------| | null | no transformation | This Document | Section {{null-transform}} | -| scramble | simples scramble | This Document | Section {{scramble-transform}} | +| scramble | AES-128 size-maintaining scramble of bytes | This Document | Section {{scramble-transform}} | {: #iana-packet-transforms-table title="Initial Packet Transform Names"} ## Capsule Types {#iana-capsule-types} From 84b3c98186ca3ccb79fd1e7abc837afd75f36007 Mon Sep 17 00:00:00 2001 From: Tommy Pauly Date: Wed, 3 Jan 2024 08:09:54 -0800 Subject: [PATCH 16/46] Apply suggestions from code review --- draft-ietf-masque-quic-proxy.md | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/draft-ietf-masque-quic-proxy.md b/draft-ietf-masque-quic-proxy.md index 71396a4..c5ed711 100644 --- a/draft-ietf-masque-quic-proxy.md +++ b/draft-ietf-masque-quic-proxy.md @@ -1014,9 +1014,10 @@ Header Field Names" <[](https://www.iana.org/assignments/message-headers)>. ~~~ {: #iana-header-type-table title="Registered HTTP Header"} -## QUIC Proxy Parameter Names +## Proxy QUIC Forwarding Parameter Names -This document establishes a new registry for QUIC proxy parameter names +This document establishes a new registry, "Proxy QUIC Forwarding Parameter Names", +for parameter names to use with the `Proxy-QUIC-Forwarding` header field, in <[](https://www.iana.org/assignments/masque/masque.xhtml)>. Registrations in this registry are assigned using the Specification Required policy (Section 4.6 of [IANA-POLICY]). @@ -1032,7 +1033,7 @@ Specification Required policy (Section 4.6 of [IANA-POLICY]). | scramble-key | contains key for scramble transform | This document | Section {{scramble-transform}} | +-----------------------+-------------------------------------+---------------+--------------------------------+ ~~~ -{: #iana-parameter-names-table title="Initial QUIC Proxy Parameter Names"} +{: #iana-parameter-names-table title="Initial Proxy QUIC Forwarding Parameter Names"} ## Packet Transform Names From 28159932716d75bd2e5ff684227110026386423d Mon Sep 17 00:00:00 2001 From: Tommy Pauly Date: Wed, 3 Jan 2024 09:00:34 -0800 Subject: [PATCH 17/46] Handle versioning of scramble Closes #96 --- draft-ietf-masque-quic-proxy.md | 41 ++++++++++++++++++++------------- 1 file changed, 25 insertions(+), 16 deletions(-) diff --git a/draft-ietf-masque-quic-proxy.md b/draft-ietf-masque-quic-proxy.md index c5ed711..d9d1891 100644 --- a/draft-ietf-masque-quic-proxy.md +++ b/draft-ietf-masque-quic-proxy.md @@ -775,27 +775,34 @@ are presented here. Packet transforms are identified by an IANA-registered name, and negotiated in the HTTP headers (see {{client-behavior}}). This document defines two initial -transforms: "null" and "scramble". +transforms: the null transform and the scramble transform. -## "null" {#null-transform} +## The null transform {#null-transform} -The "null" transform does not modify the packet in any way. When this transform +The null transform does not modify the packet in any way. When this transform is in use, a global passive adversary can trivially correlate pairs of packets that crossed the forwarder, providing a compact proof that a specific client was communicating to a specific target. -Use of this transform is NOT RECOMMENDED if "scramble" can be deployed. +The null transform is identified by the value "null" {{iana-transforms}}. -## "scramble" {#scramble-transform} +Use of this transform is NOT RECOMMENDED if the scramble transform can be +deployed. -The "scramble" transform implements length-preserving unauthenticated +## The scramble transform {#scramble-transform} + +The scramble transform implements length-preserving unauthenticated re-encryption of QUIC packets while preserving the QUIC invariants. When -"scramble" is in use, a global passive adversary cannot use the packet contents -to link the client and target. However, "scramble" does not defend against +the scramble transform is in use, a global passive adversary cannot use the packet contents +to link the client and target. However, the scramble transform does not defend against analysis of packet sizes and timing, nor does it protect privacy against an active attacker. -The "scramble" transform is initialized using a 32-byte random symmetric key. +Deployments that implement the version of the scramble transform defined in this +document MUST use the value "scramble-dt". The finalized version is expected +to use the reserved value "scramble" {{iana-transforms}}. + +The scramble transform is initialized using a 32-byte random symmetric key. When offering or selecting this transform, the client and server MUST each generate the key that they will use to encrypt scrambled packets and add it to the Proxy-QUIC-Transform header in an `sf-binary` parameter named "scramble-key". @@ -842,14 +849,14 @@ containing a distinct 16 bytes following the Connection ID. This is true for the original ciphersuites of QUICv1, but it is not guaranteed by the QUIC Invariants. Future ciphersuites and QUIC versions could in principle produce packets that are too short or repeat the values at this location. When using the -"scramble" transform, clients MUST NOT offer any configuration that could +scramble transform, clients MUST NOT offer any configuration that could cause the client or target to violate this requirement. # Example Consider a client that is establishing a new QUIC connection through the proxy. -In this example, the client prefers the "scramble" transform, but also offers "null". -It has selected a Client Connection ID of 0x31323334. In order to inform a proxy +In this example, the client prefers the scramble transform, but also offers the null +transform. It has selected a Client Connection ID of 0x31323334. In order to inform a proxy of the new QUIC Client Connection ID, the client also sends a REGISTER_CLIENT_CID capsule. @@ -917,7 +924,7 @@ receive forwarded mode packets from the proxy with a Virtual Client Connection ID of 0x62646668 which it will replace with the real Client Connection ID of 0x31323334. All forwarded mode packets sent by the proxy will have been modified to contain the Virtual Client Connection ID instead -of the Client Connection ID, and processed by the negotiated "scramble" +of the Client Connection ID, and processed by the negotiated the scramble packet transform. However, in the unlikely event that a forwarded packet arrives before the proxy's HTTP response, the client will not know which transform the proxy selected. In this case, the client will have to ignore @@ -1035,18 +1042,20 @@ Specification Required policy (Section 4.6 of [IANA-POLICY]). ~~~ {: #iana-parameter-names-table title="Initial Proxy QUIC Forwarding Parameter Names"} -## Packet Transform Names +## Packet Transform Names {#iana-transforms} This document establishes a new registry for packet transform names in <[](https://www.iana.org/assignments/masque/masque.xhtml)> and defines two initial transforms: "null" and "scramble". -Registrations in this registry are assigned using the +Prior to finalization, deployments that implement the version of +the scramble transform defined in this document should use the value +"scramble-dt". Registrations in this registry are assigned using the Specification Required policy (Section 4.6 of [IANA-POLICY]). | Transform Name | Description | Specification | Notes | |:---------------|:------------------|:--------------|--------------------------------| | null | no transformation | This Document | Section {{null-transform}} | -| scramble | AES-128 size-maintaining scramble of bytes | This Document | Section {{scramble-transform}} | +| Reserved (will be "scramble") | AES-128 size-maintaining scramble of bytes | This Document | Section {{scramble-transform}} | {: #iana-packet-transforms-table title="Initial Packet Transform Names"} ## Capsule Types {#iana-capsule-types} From db959b06fdf59042250e146e9537c64b96c7263e Mon Sep 17 00:00:00 2001 From: Eric Rosenberg Date: Mon, 8 Jan 2024 20:20:10 +0000 Subject: [PATCH 18/46] draft text for security considerations --- draft-ietf-masque-quic-proxy.md | 54 ++++++++++++++++++++++++--------- 1 file changed, 40 insertions(+), 14 deletions(-) diff --git a/draft-ietf-masque-quic-proxy.md b/draft-ietf-masque-quic-proxy.md index c5ed711..7f28202 100644 --- a/draft-ietf-masque-quic-proxy.md +++ b/draft-ietf-masque-quic-proxy.md @@ -979,20 +979,46 @@ or restrict clients from opening an excessive number of proxied connections, so as to limit abuse or use of proxies to launch Denial-of-Service attacks. Sending QUIC packets by forwarding through a proxy without tunnelling exposes -some QUIC header metadata to onlookers, and can be used to correlate packet -flows if an attacker is able to see traffic on both sides of the proxy. -Tunnelled packets have similar inference problems. An attacker on both sides -of the proxy can use the size of ingress and egress packets to correlate packets -belonging to the same connection. (Absent client-side padding, tunnelled packets -will typically have a fixed amount of overhead that is removed before their -HTTP Datagram contents are written to the target.) - -Since proxies that forward QUIC packets do not perform any cryptographic -integrity check, it is possible that these packets are either malformed, -replays, or otherwise malicious. This may result in proxy targets rate limiting -or decreasing the reputation of a given proxy. - -> TODO: Update security considerations to mention the impact of packet transforms. +clients to additional deanonymization attacks which need to be carefully +considered. Analysis should consider both passive and active attackers which +may be global or localized to the network paths used on each side of a proxy. +The following highlights deanonymization risks with using forwarded mode. + +## Passive Attacks + +A passive attacker aims to deanonymize a client by correlating traffic across +both sides of the proxy. When using forwarded mode with the null packet +transform (see {{null-transform}}), such correlation is trivial by matching +a subset of QUIC packet bytes as packets enter the proxy on one side and exit +on the other. Packet transforms such as scramble mitigate this by +cryptographically preventing such byte comparisons +(see {{!scramble-transform=scramble-transform}}). + +Regardless of which packet transform is used, both tunneled and forwarded mode +are still vulnerable to size and timing attacks. + +TODO(ER): do we want to describe CID many->one, on->many? In practice, it'll be +one per network path which seems no different than tunneled mode. + +## Active Attacks + +An active attacker is an adversary that can inject, modify, drop, and view +packets in the network. + +Both tunneled mode and forwarded mode (regardless of packet transform) are +vulnerable to packet injection in the target to client direction. An attacker +can inject a burst of packets with a known QUIC Connection ID and see which +Connection ID bytes are used on the proxy to client network path. + +Packet injection with a known QUIC Connection ID can also happen in the client +to proxy direction, however, this only affects forwarded mode since tunneled +mode leverages QUIC packet authentication (see {{?RFC9001}}). None +of the packet transforms defined in this document provide packet authentication. +Even if a packet transform did provide packet authentication, attackers may +inject replayed packets which would satisfy authentication checks. Protection +against replayed packets is similarly provided by QUIC in tunneled mode, but +not provided by any of the forwarded mode packet transforms defined in this +document. [comment1]: # OPEN ISSUE: Figure out how clients and proxies could interact to [comment2]: # learn whether an adversary is injecting malicious forwarded From 332e6972e2b6d208556c82068e4be21405f296c0 Mon Sep 17 00:00:00 2001 From: Eric Rosenberg Date: Mon, 8 Jan 2024 20:44:34 +0000 Subject: [PATCH 19/46] many to many --- draft-ietf-masque-quic-proxy.md | 15 +++++++++------ 1 file changed, 9 insertions(+), 6 deletions(-) diff --git a/draft-ietf-masque-quic-proxy.md b/draft-ietf-masque-quic-proxy.md index 7f28202..ee437c7 100644 --- a/draft-ietf-masque-quic-proxy.md +++ b/draft-ietf-masque-quic-proxy.md @@ -979,10 +979,11 @@ or restrict clients from opening an excessive number of proxied connections, so as to limit abuse or use of proxies to launch Denial-of-Service attacks. Sending QUIC packets by forwarding through a proxy without tunnelling exposes -clients to additional deanonymization attacks which need to be carefully -considered. Analysis should consider both passive and active attackers which -may be global or localized to the network paths used on each side of a proxy. -The following highlights deanonymization risks with using forwarded mode. +clients to additional information exposure and deanonymization attacks which +need to be carefully considered. Analysis should consider both passive and +active attackers which may be global or localized to the network paths used +on each side of a proxy. The following highlights deanonymization risks with +using forwarded mode. ## Passive Attacks @@ -997,8 +998,10 @@ cryptographically preventing such byte comparisons Regardless of which packet transform is used, both tunneled and forwarded mode are still vulnerable to size and timing attacks. -TODO(ER): do we want to describe CID many->one, on->many? In practice, it'll be -one per network path which seems no different than tunneled mode. +Unlike tunnelled mode where packets are fully encapsulated in the client to +proxy connection, clients using forwarded mode to access multiple target servers +over the same client to proxy connection expose the number of target servers +they are communicating with on each connection. ## Active Attacks From 77d3ec2d32a33f93c100b36b1c99b0efe970cefe Mon Sep 17 00:00:00 2001 From: Tommy Pauly Date: Mon, 8 Jan 2024 16:00:53 -0800 Subject: [PATCH 20/46] Apply suggestions from code review Co-authored-by: David Schinazi --- draft-ietf-masque-quic-proxy.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/draft-ietf-masque-quic-proxy.md b/draft-ietf-masque-quic-proxy.md index ee437c7..d6150c0 100644 --- a/draft-ietf-masque-quic-proxy.md +++ b/draft-ietf-masque-quic-proxy.md @@ -1009,12 +1009,12 @@ An active attacker is an adversary that can inject, modify, drop, and view packets in the network. Both tunneled mode and forwarded mode (regardless of packet transform) are -vulnerable to packet injection in the target to client direction. An attacker +vulnerable to packet injection in the target-to-client direction. An attacker can inject a burst of packets with a known QUIC Connection ID and see which Connection ID bytes are used on the proxy to client network path. -Packet injection with a known QUIC Connection ID can also happen in the client -to proxy direction, however, this only affects forwarded mode since tunneled +Packet injection with a known QUIC Connection ID can also happen in the +client-to-proxy direction, however, this only affects forwarded mode since tunneled mode leverages QUIC packet authentication (see {{?RFC9001}}). None of the packet transforms defined in this document provide packet authentication. Even if a packet transform did provide packet authentication, attackers may From c28b4473a8e36aaf69e394b48bfa973acd27765a Mon Sep 17 00:00:00 2001 From: Eric Rosenberg Date: Tue, 9 Jan 2024 17:23:11 +0000 Subject: [PATCH 21/46] tunnelled --- draft-ietf-masque-quic-proxy.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/draft-ietf-masque-quic-proxy.md b/draft-ietf-masque-quic-proxy.md index d6150c0..efffba4 100644 --- a/draft-ietf-masque-quic-proxy.md +++ b/draft-ietf-masque-quic-proxy.md @@ -403,7 +403,7 @@ Stateless Reset Token Length Stateless Reset Token : The target-provided Stateless Reset token allowing the proxy to correctly -recognize Stateless Reset packets to be tunneled to the client. +recognize Stateless Reset packets to be tunnelled to the client. The REGISTER_CLIENT_CID and ACK_TARGET_CID capsule types include a Virtual Connection ID and Stateless Reset Token. @@ -995,7 +995,7 @@ on the other. Packet transforms such as scramble mitigate this by cryptographically preventing such byte comparisons (see {{!scramble-transform=scramble-transform}}). -Regardless of which packet transform is used, both tunneled and forwarded mode +Regardless of which packet transform is used, both tunnelled and forwarded mode are still vulnerable to size and timing attacks. Unlike tunnelled mode where packets are fully encapsulated in the client to @@ -1008,18 +1008,18 @@ they are communicating with on each connection. An active attacker is an adversary that can inject, modify, drop, and view packets in the network. -Both tunneled mode and forwarded mode (regardless of packet transform) are +Both tunnelled mode and forwarded mode (regardless of packet transform) are vulnerable to packet injection in the target-to-client direction. An attacker can inject a burst of packets with a known QUIC Connection ID and see which Connection ID bytes are used on the proxy to client network path. Packet injection with a known QUIC Connection ID can also happen in the -client-to-proxy direction, however, this only affects forwarded mode since tunneled +client-to-proxy direction, however, this only affects forwarded mode since tunnelled mode leverages QUIC packet authentication (see {{?RFC9001}}). None of the packet transforms defined in this document provide packet authentication. Even if a packet transform did provide packet authentication, attackers may inject replayed packets which would satisfy authentication checks. Protection -against replayed packets is similarly provided by QUIC in tunneled mode, but +against replayed packets is similarly provided by QUIC in tunnelled mode, but not provided by any of the forwarded mode packet transforms defined in this document. From 33d963fd4bd2f0ccd752f82abaf6ebe349c146a8 Mon Sep 17 00:00:00 2001 From: Eric Rosenberg Date: Tue, 9 Jan 2024 09:24:07 -0800 Subject: [PATCH 22/46] Update draft-ietf-masque-quic-proxy.md Co-authored-by: Tommy Pauly --- draft-ietf-masque-quic-proxy.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/draft-ietf-masque-quic-proxy.md b/draft-ietf-masque-quic-proxy.md index efffba4..38ca8ee 100644 --- a/draft-ietf-masque-quic-proxy.md +++ b/draft-ietf-masque-quic-proxy.md @@ -996,7 +996,8 @@ cryptographically preventing such byte comparisons (see {{!scramble-transform=scramble-transform}}). Regardless of which packet transform is used, both tunnelled and forwarded mode -are still vulnerable to size and timing attacks. +are still vulnerable to size and timing attacks, without the addition of techniques that go beyond the analysis +in this document, such as padding and adding chaff packets. Unlike tunnelled mode where packets are fully encapsulated in the client to proxy connection, clients using forwarded mode to access multiple target servers From 352cf843cdc310db16c1ad3222513fe96fbedec3 Mon Sep 17 00:00:00 2001 From: Eric Rosenberg Date: Wed, 10 Jan 2024 15:55:35 +0000 Subject: [PATCH 23/46] packet authentication -> integrity --- draft-ietf-masque-quic-proxy.md | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/draft-ietf-masque-quic-proxy.md b/draft-ietf-masque-quic-proxy.md index 38ca8ee..202fe8f 100644 --- a/draft-ietf-masque-quic-proxy.md +++ b/draft-ietf-masque-quic-proxy.md @@ -1015,14 +1015,14 @@ can inject a burst of packets with a known QUIC Connection ID and see which Connection ID bytes are used on the proxy to client network path. Packet injection with a known QUIC Connection ID can also happen in the -client-to-proxy direction, however, this only affects forwarded mode since tunnelled -mode leverages QUIC packet authentication (see {{?RFC9001}}). None -of the packet transforms defined in this document provide packet authentication. -Even if a packet transform did provide packet authentication, attackers may -inject replayed packets which would satisfy authentication checks. Protection -against replayed packets is similarly provided by QUIC in tunnelled mode, but -not provided by any of the forwarded mode packet transforms defined in this -document. +client-to-proxy direction, however, this only affects forwarded mode since +tunnelled mode sends packets within an authenticated and integrity protected +QUIC connection to the proxy (see {{?RFC9001}}). None of the packet transforms +defined in this document provide integrity protection. Even if a packet +transform did provide integrity protection, attackers may inject replayed +packets. Protection against replayed packets is similarly provided by QUIC in +tunnelled mode, but not provided by any of the forwarded mode packet transforms +defined in this document. [comment1]: # OPEN ISSUE: Figure out how clients and proxies could interact to [comment2]: # learn whether an adversary is injecting malicious forwarded From 95fe8f10326947d02fbb8591752a56ffb454f85a Mon Sep 17 00:00:00 2001 From: Tommy Pauly Date: Wed, 10 Jan 2024 08:17:15 -0800 Subject: [PATCH 24/46] Update draft-ietf-masque-quic-proxy.md Co-authored-by: Benjamin M. Schwartz --- draft-ietf-masque-quic-proxy.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/draft-ietf-masque-quic-proxy.md b/draft-ietf-masque-quic-proxy.md index d9d1891..e3e2459 100644 --- a/draft-ietf-masque-quic-proxy.md +++ b/draft-ietf-masque-quic-proxy.md @@ -1055,7 +1055,7 @@ Specification Required policy (Section 4.6 of [IANA-POLICY]). | Transform Name | Description | Specification | Notes | |:---------------|:------------------|:--------------|--------------------------------| | null | no transformation | This Document | Section {{null-transform}} | -| Reserved (will be "scramble") | AES-128 size-maintaining scramble of bytes | This Document | Section {{scramble-transform}} | +| scramble | Reserved (will be used for final version) | This Document | Section {{scramble-transform}} | {: #iana-packet-transforms-table title="Initial Packet Transform Names"} ## Capsule Types {#iana-capsule-types} From df7da924c5e82392eb7f022614fdd851394057f9 Mon Sep 17 00:00:00 2001 From: Eric Rosenberg Date: Wed, 10 Jan 2024 08:20:24 -0800 Subject: [PATCH 25/46] Update draft-ietf-masque-quic-proxy.md Co-authored-by: Tommy Pauly --- draft-ietf-masque-quic-proxy.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/draft-ietf-masque-quic-proxy.md b/draft-ietf-masque-quic-proxy.md index 202fe8f..f6c39a8 100644 --- a/draft-ietf-masque-quic-proxy.md +++ b/draft-ietf-masque-quic-proxy.md @@ -1019,7 +1019,7 @@ client-to-proxy direction, however, this only affects forwarded mode since tunnelled mode sends packets within an authenticated and integrity protected QUIC connection to the proxy (see {{?RFC9001}}). None of the packet transforms defined in this document provide integrity protection. Even if a packet -transform did provide integrity protection, attackers may inject replayed +transform did provide integrity protection, attackers can inject replayed packets. Protection against replayed packets is similarly provided by QUIC in tunnelled mode, but not provided by any of the forwarded mode packet transforms defined in this document. From c20f96806bceb569e2bdae178c066a7705e0f52f Mon Sep 17 00:00:00 2001 From: Tommy Pauly Date: Wed, 10 Jan 2024 08:23:07 -0800 Subject: [PATCH 26/46] Update draft-ietf-masque-quic-proxy.md Co-authored-by: David Schinazi --- draft-ietf-masque-quic-proxy.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/draft-ietf-masque-quic-proxy.md b/draft-ietf-masque-quic-proxy.md index e3e2459..97aa4d0 100644 --- a/draft-ietf-masque-quic-proxy.md +++ b/draft-ietf-masque-quic-proxy.md @@ -1049,7 +1049,9 @@ in <[](https://www.iana.org/assignments/masque/masque.xhtml)> and defines two initial transforms: "null" and "scramble". Prior to finalization, deployments that implement the version of the scramble transform defined in this document should use the value -"scramble-dt". Registrations in this registry are assigned using the +"scramble-dt". Once the design team PR is merged and a new draft is submitted, +the wire identifier will become "scramble-XX" where XX is the draft number. +Registrations in this registry are assigned using the Specification Required policy (Section 4.6 of [IANA-POLICY]). | Transform Name | Description | Specification | Notes | From b28e37da25a8a8ba8a829deb5cad37af73b5c90f Mon Sep 17 00:00:00 2001 From: Tommy Pauly Date: Wed, 10 Jan 2024 08:23:29 -0800 Subject: [PATCH 27/46] Update draft-ietf-masque-quic-proxy.md --- draft-ietf-masque-quic-proxy.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/draft-ietf-masque-quic-proxy.md b/draft-ietf-masque-quic-proxy.md index 97aa4d0..49ddb77 100644 --- a/draft-ietf-masque-quic-proxy.md +++ b/draft-ietf-masque-quic-proxy.md @@ -1049,7 +1049,7 @@ in <[](https://www.iana.org/assignments/masque/masque.xhtml)> and defines two initial transforms: "null" and "scramble". Prior to finalization, deployments that implement the version of the scramble transform defined in this document should use the value -"scramble-dt". Once the design team PR is merged and a new draft is submitted, +"scramble-dt". Once the design team proposal is adopted and a new draft is submitted, the wire identifier will become "scramble-XX" where XX is the draft number. Registrations in this registry are assigned using the Specification Required policy (Section 4.6 of [IANA-POLICY]). From c554de4874a31493223c6b90b7bd6c143c2cdeca Mon Sep 17 00:00:00 2001 From: Tommy Pauly Date: Wed, 10 Jan 2024 09:36:00 -0800 Subject: [PATCH 28/46] Update draft-ietf-masque-quic-proxy.md Co-authored-by: Benjamin M. Schwartz --- draft-ietf-masque-quic-proxy.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/draft-ietf-masque-quic-proxy.md b/draft-ietf-masque-quic-proxy.md index f6c39a8..fa30625 100644 --- a/draft-ietf-masque-quic-proxy.md +++ b/draft-ietf-masque-quic-proxy.md @@ -997,7 +997,8 @@ cryptographically preventing such byte comparisons Regardless of which packet transform is used, both tunnelled and forwarded mode are still vulnerable to size and timing attacks, without the addition of techniques that go beyond the analysis -in this document, such as padding and adding chaff packets. +in this document, such as padding and adding chaff packets. Such techniques could be supported +in a future packet transform, subject to additional security analysis. Unlike tunnelled mode where packets are fully encapsulated in the client to proxy connection, clients using forwarded mode to access multiple target servers From caeaf851e8e0ddcf3ce7c581a4e0d6a582196ac6 Mon Sep 17 00:00:00 2001 From: Tommy Pauly Date: Wed, 10 Jan 2024 09:36:21 -0800 Subject: [PATCH 29/46] Update draft-ietf-masque-quic-proxy.md --- draft-ietf-masque-quic-proxy.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/draft-ietf-masque-quic-proxy.md b/draft-ietf-masque-quic-proxy.md index fa30625..b94d7db 100644 --- a/draft-ietf-masque-quic-proxy.md +++ b/draft-ietf-masque-quic-proxy.md @@ -998,7 +998,7 @@ cryptographically preventing such byte comparisons Regardless of which packet transform is used, both tunnelled and forwarded mode are still vulnerable to size and timing attacks, without the addition of techniques that go beyond the analysis in this document, such as padding and adding chaff packets. Such techniques could be supported -in a future packet transform, subject to additional security analysis. +in future packet transforms, subject to additional security analysis. Unlike tunnelled mode where packets are fully encapsulated in the client to proxy connection, clients using forwarded mode to access multiple target servers From 0f65d08c0e7438e5ad479ac25b08cc108e49547c Mon Sep 17 00:00:00 2001 From: Tommy Pauly Date: Wed, 10 Jan 2024 09:37:50 -0800 Subject: [PATCH 30/46] Update draft-ietf-masque-quic-proxy.md --- draft-ietf-masque-quic-proxy.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/draft-ietf-masque-quic-proxy.md b/draft-ietf-masque-quic-proxy.md index b94d7db..6989f82 100644 --- a/draft-ietf-masque-quic-proxy.md +++ b/draft-ietf-masque-quic-proxy.md @@ -1002,7 +1002,7 @@ in future packet transforms, subject to additional security analysis. Unlike tunnelled mode where packets are fully encapsulated in the client to proxy connection, clients using forwarded mode to access multiple target servers -over the same client to proxy connection expose the number of target servers +over the same client-to-proxy connection expose the number of target servers they are communicating with on each connection. ## Active Attacks From 51b2c54f59739614872c7bbf9cb6183de4ce2384 Mon Sep 17 00:00:00 2001 From: Tommy Pauly Date: Wed, 10 Jan 2024 09:38:35 -0800 Subject: [PATCH 31/46] Update draft-ietf-masque-quic-proxy.md Co-authored-by: Benjamin M. Schwartz --- draft-ietf-masque-quic-proxy.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/draft-ietf-masque-quic-proxy.md b/draft-ietf-masque-quic-proxy.md index 6989f82..da8e933 100644 --- a/draft-ietf-masque-quic-proxy.md +++ b/draft-ietf-masque-quic-proxy.md @@ -1013,7 +1013,7 @@ packets in the network. Both tunnelled mode and forwarded mode (regardless of packet transform) are vulnerable to packet injection in the target-to-client direction. An attacker can inject a burst of packets with a known QUIC Connection ID and see which -Connection ID bytes are used on the proxy to client network path. +Connection ID is used for the corresponding burst on the proxy to client network path. Packet injection with a known QUIC Connection ID can also happen in the client-to-proxy direction, however, this only affects forwarded mode since From 288832904cd4dea74d2c798b394ac49338162d2f Mon Sep 17 00:00:00 2001 From: Tommy Pauly Date: Wed, 10 Jan 2024 09:39:27 -0800 Subject: [PATCH 32/46] Apply suggestions from code review --- draft-ietf-masque-quic-proxy.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/draft-ietf-masque-quic-proxy.md b/draft-ietf-masque-quic-proxy.md index da8e933..43775c9 100644 --- a/draft-ietf-masque-quic-proxy.md +++ b/draft-ietf-masque-quic-proxy.md @@ -1000,8 +1000,8 @@ are still vulnerable to size and timing attacks, without the addition of techniq in this document, such as padding and adding chaff packets. Such techniques could be supported in future packet transforms, subject to additional security analysis. -Unlike tunnelled mode where packets are fully encapsulated in the client to -proxy connection, clients using forwarded mode to access multiple target servers +Unlike tunnelled mode where packets are fully encapsulated in the client-to-proxy +connection, clients using forwarded mode to access multiple target servers over the same client-to-proxy connection expose the number of target servers they are communicating with on each connection. @@ -1013,7 +1013,7 @@ packets in the network. Both tunnelled mode and forwarded mode (regardless of packet transform) are vulnerable to packet injection in the target-to-client direction. An attacker can inject a burst of packets with a known QUIC Connection ID and see which -Connection ID is used for the corresponding burst on the proxy to client network path. +Connection ID is used for the corresponding burst on the proxy-to-client network path. Packet injection with a known QUIC Connection ID can also happen in the client-to-proxy direction, however, this only affects forwarded mode since From 9b9cf001415d5ab564c00240b1e06b5927192d93 Mon Sep 17 00:00:00 2001 From: Tommy Pauly Date: Wed, 24 Jan 2024 08:52:36 -0800 Subject: [PATCH 33/46] Apply suggestions from code review Co-authored-by: mirjak --- draft-ietf-masque-quic-proxy.md | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/draft-ietf-masque-quic-proxy.md b/draft-ietf-masque-quic-proxy.md index 7101890..9f58ec5 100644 --- a/draft-ietf-masque-quic-proxy.md +++ b/draft-ietf-masque-quic-proxy.md @@ -473,7 +473,10 @@ the proxy to share a target-facing socket, it sets the value to "?0". The client MUST add an "accept-transform" parameter whose value is an `sf-string` containing the supported packet transforms ({{packet-transforms}}) -in order of descending preference, separated by commas. +in order of descending preference, separated by commas. If the proxy receives a +"Proxy-QUIC-Forwarding" header without the "accept-transform" parameters, it +MUST ignore the header and respond as if the client had not sent the +"Proxy-QUIC-Forwarding" header. If the proxy supports QUIC-aware proxying, it will include the "Proxy-QUIC-Forwarding" header in successful HTTP responses. The value @@ -609,7 +612,7 @@ in {{Section 10.1.1 of QUIC}}. Upon receipt of a CONNECT request that includes the "Proxy-QUIC-Forwarding" header, the proxy indicates to the client that it supports QUIC-aware proxying by including a "Proxy-QUIC-Forwarding" header in a successful response. -If it supports QUIC packet forwarding, it sets the value to "?1"; otherwise, +If it supports QUIC packet proxying in forwarded mode, it sets the value to "?1"; otherwise, it sets it to "?0". The proxy MUST include a "transform" parameter whose value is an `sf-string` From da682e9bd751e43d1083c61618f23ac264dd1fda Mon Sep 17 00:00:00 2001 From: Tommy Pauly Date: Wed, 24 Jan 2024 08:52:48 -0800 Subject: [PATCH 34/46] Apply suggestions from code review Co-authored-by: Benjamin M. Schwartz --- draft-ietf-masque-quic-proxy.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/draft-ietf-masque-quic-proxy.md b/draft-ietf-masque-quic-proxy.md index 9f58ec5..4b23131 100644 --- a/draft-ietf-masque-quic-proxy.md +++ b/draft-ietf-masque-quic-proxy.md @@ -463,7 +463,7 @@ header to indicate whether or not the request should support forwarding. If this header is not included, the client MUST NOT send any connection ID capsules. -The "Proxy-QUIC-Forwarding" is an Item Structured Header {{!RFC8941}}. Its +"Proxy-QUIC-Forwarding" is an Item Structured Header {{!RFC8941}}. Its value MUST be a Boolean. If the client wants to enable QUIC packet forwarding for this request, it sets From aa099d2ee155f43e4bfcf7985dc971a5936cc9ab Mon Sep 17 00:00:00 2001 From: Tommy Pauly Date: Wed, 24 Jan 2024 08:54:23 -0800 Subject: [PATCH 35/46] Apply suggestions from code review Co-authored-by: David Schinazi --- draft-ietf-masque-quic-proxy.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/draft-ietf-masque-quic-proxy.md b/draft-ietf-masque-quic-proxy.md index 4b23131..a679701 100644 --- a/draft-ietf-masque-quic-proxy.md +++ b/draft-ietf-masque-quic-proxy.md @@ -765,8 +765,8 @@ Inputs: 1. A QUIC short header packet (after Connection ID remapping). 1. The mode (forward or inverse). -1. The direction (upstream or downstream). -1. Any configuration info negotiated at startup. +1. The direction (client-to-proxy or proxy-to-client). +1. Any configuration information negotiated at startup. Output: From c856f0bc7cc5aecbecc2f29c146d297affb496e7 Mon Sep 17 00:00:00 2001 From: Tommy Pauly Date: Wed, 24 Jan 2024 08:57:17 -0800 Subject: [PATCH 36/46] Apply suggestions from code review --- draft-ietf-masque-quic-proxy.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/draft-ietf-masque-quic-proxy.md b/draft-ietf-masque-quic-proxy.md index a679701..c0443a6 100644 --- a/draft-ietf-masque-quic-proxy.md +++ b/draft-ietf-masque-quic-proxy.md @@ -757,14 +757,14 @@ on the proxy itself. # Packet Transforms -A packet transform is the procedure applied to packets as they are sent on the -client-proxy link, and its inverse applied on receipt. Simple transforms can -be modelled as a function as follows: +A packet transform is the procedure applied to encode packets as they are sent +on the link between the client and proxy, along with the inverse decode step applied +on receipt. Simple transforms can be modeled as a function as follows: Inputs: 1. A QUIC short header packet (after Connection ID remapping). -1. The mode (forward or inverse). +1. The mode (encode or decode). 1. The direction (client-to-proxy or proxy-to-client). 1. Any configuration information negotiated at startup. From c0260dec596a52c4a5948b0c6a8f695e5657969b Mon Sep 17 00:00:00 2001 From: Tommy Pauly Date: Wed, 24 Jan 2024 08:57:45 -0800 Subject: [PATCH 37/46] Apply suggestions from code review Co-authored-by: Benjamin M. Schwartz --- draft-ietf-masque-quic-proxy.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/draft-ietf-masque-quic-proxy.md b/draft-ietf-masque-quic-proxy.md index c0443a6..7573218 100644 --- a/draft-ietf-masque-quic-proxy.md +++ b/draft-ietf-masque-quic-proxy.md @@ -927,7 +927,7 @@ receive forwarded mode packets from the proxy with a Virtual Client Connection ID of 0x62646668 which it will replace with the real Client Connection ID of 0x31323334. All forwarded mode packets sent by the proxy will have been modified to contain the Virtual Client Connection ID instead -of the Client Connection ID, and processed by the negotiated the scramble +of the Client Connection ID, and processed by the negotiated "scramble" packet transform. However, in the unlikely event that a forwarded packet arrives before the proxy's HTTP response, the client will not know which transform the proxy selected. In this case, the client will have to ignore From 8557e02257ef8a4930aafa11b3dee2245c16631b Mon Sep 17 00:00:00 2001 From: Tommy Pauly Date: Wed, 24 Jan 2024 08:58:31 -0800 Subject: [PATCH 38/46] Apply suggestions from code review Co-authored-by: mirjak --- draft-ietf-masque-quic-proxy.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/draft-ietf-masque-quic-proxy.md b/draft-ietf-masque-quic-proxy.md index 7573218..a34f4a8 100644 --- a/draft-ietf-masque-quic-proxy.md +++ b/draft-ietf-masque-quic-proxy.md @@ -1013,7 +1013,7 @@ in future packet transforms, subject to additional security analysis. Unlike tunnelled mode where packets are fully encapsulated in the client-to-proxy connection, clients using forwarded mode to access multiple target servers over the same client-to-proxy connection expose the number of target servers -they are communicating with on each connection. +they are communicating with on each connection to passive attackers that can observe the client-to-proxy traffic. ## Active Attacks From 308eb37400441319fee7ea0237ac105e01bb5a3e Mon Sep 17 00:00:00 2001 From: Tommy Pauly Date: Wed, 24 Jan 2024 08:58:59 -0800 Subject: [PATCH 39/46] Apply suggestions from code review --- draft-ietf-masque-quic-proxy.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/draft-ietf-masque-quic-proxy.md b/draft-ietf-masque-quic-proxy.md index a34f4a8..12373a3 100644 --- a/draft-ietf-masque-quic-proxy.md +++ b/draft-ietf-masque-quic-proxy.md @@ -1013,7 +1013,9 @@ in future packet transforms, subject to additional security analysis. Unlike tunnelled mode where packets are fully encapsulated in the client-to-proxy connection, clients using forwarded mode to access multiple target servers over the same client-to-proxy connection expose the number of target servers -they are communicating with on each connection to passive attackers that can observe the client-to-proxy traffic. +they are communicating with on each connection to passive attackers that can +observe the client-to-proxy traffic. This additional metadata revealed on each +packet simplifies size and timing attacks. ## Active Attacks From 5a254ee49aeb925e74d00b768459e15dde74c81b Mon Sep 17 00:00:00 2001 From: Tommy Pauly Date: Wed, 24 Jan 2024 08:59:25 -0800 Subject: [PATCH 40/46] Apply suggestions from code review Co-authored-by: Benjamin M. Schwartz --- draft-ietf-masque-quic-proxy.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/draft-ietf-masque-quic-proxy.md b/draft-ietf-masque-quic-proxy.md index 12373a3..08221c7 100644 --- a/draft-ietf-masque-quic-proxy.md +++ b/draft-ietf-masque-quic-proxy.md @@ -992,7 +992,7 @@ Sending QUIC packets by forwarding through a proxy without tunnelling exposes clients to additional information exposure and deanonymization attacks which need to be carefully considered. Analysis should consider both passive and active attackers which may be global or localized to the network paths used -on each side of a proxy. The following highlights deanonymization risks with +on one side of the proxy. The following sections highlight deanonymization risks with using forwarded mode. ## Passive Attacks From 20eb591c7ee28488fefce39eae4a04a2e8acd3b1 Mon Sep 17 00:00:00 2001 From: Tommy Pauly Date: Wed, 24 Jan 2024 09:02:06 -0800 Subject: [PATCH 41/46] Update draft-ietf-masque-quic-proxy.md Co-authored-by: mirjak --- draft-ietf-masque-quic-proxy.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/draft-ietf-masque-quic-proxy.md b/draft-ietf-masque-quic-proxy.md index 08221c7..e2fa757 100644 --- a/draft-ietf-masque-quic-proxy.md +++ b/draft-ietf-masque-quic-proxy.md @@ -806,8 +806,8 @@ document MUST use the value "scramble-dt". The finalized version is expected to use the reserved value "scramble" {{iana-transforms}}. The scramble transform is initialized using a 32-byte random symmetric key. -When offering or selecting this transform, the client and server MUST each -generate the key that they will use to encrypt scrambled packets and add it to the +When offering or selecting this transform, the client and server each +generate the key that they will use to encrypt scrambled packets and MUST add it to the Proxy-QUIC-Transform header in an `sf-binary` parameter named "scramble-key". This transform relies on the AES-128 block cipher, which is represented by the From e171951d6dcc926b56716122d76265f433ebc47b Mon Sep 17 00:00:00 2001 From: Tommy Pauly Date: Wed, 24 Jan 2024 09:03:08 -0800 Subject: [PATCH 42/46] Apply suggestions from code review --- draft-ietf-masque-quic-proxy.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/draft-ietf-masque-quic-proxy.md b/draft-ietf-masque-quic-proxy.md index e2fa757..0b36a40 100644 --- a/draft-ietf-masque-quic-proxy.md +++ b/draft-ietf-masque-quic-proxy.md @@ -809,6 +809,8 @@ The scramble transform is initialized using a 32-byte random symmetric key. When offering or selecting this transform, the client and server each generate the key that they will use to encrypt scrambled packets and MUST add it to the Proxy-QUIC-Transform header in an `sf-binary` parameter named "scramble-key". +If either side receives a scramble transform without the "scramble-key" parameter, +forwarding mode MUST be disabled. This transform relies on the AES-128 block cipher, which is represented by the syntax `AES-ECB(key, plaintext_block)` as in {{?RFC9001}}. The corresponding From 0447af580d58f550591150e4ff5b50b711d6baac Mon Sep 17 00:00:00 2001 From: Tommy Pauly Date: Wed, 24 Jan 2024 09:03:59 -0800 Subject: [PATCH 43/46] Update draft-ietf-masque-quic-proxy.md --- draft-ietf-masque-quic-proxy.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/draft-ietf-masque-quic-proxy.md b/draft-ietf-masque-quic-proxy.md index 0b36a40..63e9e4c 100644 --- a/draft-ietf-masque-quic-proxy.md +++ b/draft-ietf-masque-quic-proxy.md @@ -796,7 +796,8 @@ deployed. The scramble transform implements length-preserving unauthenticated re-encryption of QUIC packets while preserving the QUIC invariants. When -the scramble transform is in use, a global passive adversary cannot use the packet contents +the scramble transform is in use, a global passive adversary cannot simply compare the packet +contents on both sides of the proxy to link the client and target. However, the scramble transform does not defend against analysis of packet sizes and timing, nor does it protect privacy against an active attacker. From b4ef816df5b71100d04fedcb9bd9c0e81f702325 Mon Sep 17 00:00:00 2001 From: Tommy Pauly Date: Wed, 24 Jan 2024 09:06:21 -0800 Subject: [PATCH 44/46] Update draft-ietf-masque-quic-proxy.md --- draft-ietf-masque-quic-proxy.md | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/draft-ietf-masque-quic-proxy.md b/draft-ietf-masque-quic-proxy.md index 63e9e4c..5f342b9 100644 --- a/draft-ietf-masque-quic-proxy.md +++ b/draft-ietf-masque-quic-proxy.md @@ -789,8 +789,10 @@ was communicating to a specific target. The null transform is identified by the value "null" {{iana-transforms}}. -Use of this transform is NOT RECOMMENDED if the scramble transform can be -deployed. +Use of this transform is NOT RECOMMENDED if the scramble transform is supported +by both the client and the proxy. Implementations MAY choose to not implement or +support the "null" transform, depending on the use cases and privacy requirements of +the deployment. ## The scramble transform {#scramble-transform} From d5854806c6aaef176748ebb175ed59e559842629 Mon Sep 17 00:00:00 2001 From: Tommy Pauly Date: Wed, 13 Mar 2024 13:43:53 -0700 Subject: [PATCH 45/46] null -> identity Closes #101 --- draft-ietf-masque-quic-proxy.md | 44 ++++++++++++++++----------------- 1 file changed, 22 insertions(+), 22 deletions(-) diff --git a/draft-ietf-masque-quic-proxy.md b/draft-ietf-masque-quic-proxy.md index 5f342b9..b802f41 100644 --- a/draft-ietf-masque-quic-proxy.md +++ b/draft-ietf-masque-quic-proxy.md @@ -778,41 +778,41 @@ are presented here. Packet transforms are identified by an IANA-registered name, and negotiated in the HTTP headers (see {{client-behavior}}). This document defines two initial -transforms: the null transform and the scramble transform. +transforms: the `identity` transform and the `scramble` transform. -## The null transform {#null-transform} +## The identify transform {#identity-transform} -The null transform does not modify the packet in any way. When this transform +The `identity` transform does not modify the packet in any way. When this transform is in use, a global passive adversary can trivially correlate pairs of packets that crossed the forwarder, providing a compact proof that a specific client was communicating to a specific target. -The null transform is identified by the value "null" {{iana-transforms}}. +The `identity` transform is identified by the value "identity" {{iana-transforms}}. -Use of this transform is NOT RECOMMENDED if the scramble transform is supported +Use of this transform is NOT RECOMMENDED if the `scramble` transform is supported by both the client and the proxy. Implementations MAY choose to not implement or -support the "null" transform, depending on the use cases and privacy requirements of +support the `identity` transform, depending on the use cases and privacy requirements of the deployment. ## The scramble transform {#scramble-transform} -The scramble transform implements length-preserving unauthenticated +The `scramble` transform implements length-preserving unauthenticated re-encryption of QUIC packets while preserving the QUIC invariants. When -the scramble transform is in use, a global passive adversary cannot simply compare the packet +the `scramble` transform is in use, a global passive adversary cannot simply compare the packet contents on both sides of the proxy -to link the client and target. However, the scramble transform does not defend against +to link the client and target. However, the `scramble` transform does not defend against analysis of packet sizes and timing, nor does it protect privacy against an active attacker. -Deployments that implement the version of the scramble transform defined in this +Deployments that implement the version of the `scramble` transform defined in this document MUST use the value "scramble-dt". The finalized version is expected to use the reserved value "scramble" {{iana-transforms}}. -The scramble transform is initialized using a 32-byte random symmetric key. +The `scramble` transform is initialized using a 32-byte random symmetric key. When offering or selecting this transform, the client and server each generate the key that they will use to encrypt scrambled packets and MUST add it to the Proxy-QUIC-Transform header in an `sf-binary` parameter named "scramble-key". -If either side receives a scramble transform without the "scramble-key" parameter, +If either side receives a `scramble` transform without the "scramble-key" parameter, forwarding mode MUST be disabled. This transform relies on the AES-128 block cipher, which is represented by the @@ -857,13 +857,13 @@ containing a distinct 16 bytes following the Connection ID. This is true for the original ciphersuites of QUICv1, but it is not guaranteed by the QUIC Invariants. Future ciphersuites and QUIC versions could in principle produce packets that are too short or repeat the values at this location. When using the -scramble transform, clients MUST NOT offer any configuration that could +`scramble` transform, clients MUST NOT offer any configuration that could cause the client or target to violate this requirement. # Example Consider a client that is establishing a new QUIC connection through the proxy. -In this example, the client prefers the scramble transform, but also offers the null +In this example, the client prefers the `scramble` transform, but also offers the `identity` transform. It has selected a Client Connection ID of 0x31323334. In order to inform a proxy of the new QUIC Client Connection ID, the client also sends a REGISTER_CLIENT_CID capsule. @@ -880,7 +880,7 @@ STREAM(44): HEADERS --------> :scheme = https :path = /target.example.com/443/ :authority = proxy.example.org - proxy-quic-forwarding = ?1; accept-transform=scramble,null; \ + proxy-quic-forwarding = ?1; accept-transform=scramble,identity; \ scramble-key=:abc...789=: capsule-protocol = ?1 @@ -1003,10 +1003,10 @@ using forwarded mode. ## Passive Attacks A passive attacker aims to deanonymize a client by correlating traffic across -both sides of the proxy. When using forwarded mode with the null packet -transform (see {{null-transform}}), such correlation is trivial by matching +both sides of the proxy. When using forwarded mode with the `identity` packet +transform (see {{identity-transform}}), such correlation is trivial by matching a subset of QUIC packet bytes as packets enter the proxy on one side and exit -on the other. Packet transforms such as scramble mitigate this by +on the other. Packet transforms such as `scramble` mitigate this by cryptographically preventing such byte comparisons (see {{!scramble-transform=scramble-transform}}). @@ -1087,9 +1087,9 @@ Specification Required policy (Section 4.6 of [IANA-POLICY]). This document establishes a new registry for packet transform names in <[](https://www.iana.org/assignments/masque/masque.xhtml)> -and defines two initial transforms: "null" and "scramble". +and defines two initial transforms: "identity" and "scramble". Prior to finalization, deployments that implement the version of -the scramble transform defined in this document should use the value +the `scramble` transform defined in this document should use the value "scramble-dt". Once the design team proposal is adopted and a new draft is submitted, the wire identifier will become "scramble-XX" where XX is the draft number. Registrations in this registry are assigned using the @@ -1097,8 +1097,8 @@ Specification Required policy (Section 4.6 of [IANA-POLICY]). | Transform Name | Description | Specification | Notes | |:---------------|:------------------|:--------------|--------------------------------| -| null | no transformation | This Document | Section {{null-transform}} | -| scramble | Reserved (will be used for final version) | This Document | Section {{scramble-transform}} | +| identity | no transformation | This Document | Section {{identity-transform}} | +| scramble | Reserved (will be used for final version) | This Document | Section {{scramble-transform}} | {: #iana-packet-transforms-table title="Initial Packet Transform Names"} ## Capsule Types {#iana-capsule-types} From 9d2c8474431d942d08a94c90932d5cb149903f52 Mon Sep 17 00:00:00 2001 From: Tommy Pauly Date: Wed, 13 Mar 2024 14:04:20 -0700 Subject: [PATCH 46/46] Expand on active attack differences Closes #100 --- draft-ietf-masque-quic-proxy.md | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/draft-ietf-masque-quic-proxy.md b/draft-ietf-masque-quic-proxy.md index 5f342b9..c7f6151 100644 --- a/draft-ietf-masque-quic-proxy.md +++ b/draft-ietf-masque-quic-proxy.md @@ -1025,7 +1025,9 @@ packet simplifies size and timing attacks. ## Active Attacks An active attacker is an adversary that can inject, modify, drop, and view -packets in the network. +packets in the network. Some active attacks have different effects between +forwarded mode and tunnelled mode, but active attacks can be used to correlate +flows in either mode. Both tunnelled mode and forwarded mode (regardless of packet transform) are vulnerable to packet injection in the target-to-client direction. An attacker @@ -1033,7 +1035,7 @@ can inject a burst of packets with a known QUIC Connection ID and see which Connection ID is used for the corresponding burst on the proxy-to-client network path. Packet injection with a known QUIC Connection ID can also happen in the -client-to-proxy direction, however, this only affects forwarded mode since +client-to-proxy direction, which only affects forwarded mode since tunnelled mode sends packets within an authenticated and integrity protected QUIC connection to the proxy (see {{?RFC9001}}). None of the packet transforms defined in this document provide integrity protection. Even if a packet @@ -1042,6 +1044,11 @@ packets. Protection against replayed packets is similarly provided by QUIC in tunnelled mode, but not provided by any of the forwarded mode packet transforms defined in this document. +An active attacker can modify packets in the client-to-proxy direction, which +would cause a tunnelling proxy to silently drop packets, while a forwarding proxy +would forward the packets. In this way, forwarded mode is less vulnerable to +flow recognition based on corrupting a portion of packets in a burst. + [comment1]: # OPEN ISSUE: Figure out how clients and proxies could interact to [comment2]: # learn whether an adversary is injecting malicious forwarded [comment3]: # packets to induce rate limiting.