Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

add an AddressVerified field to the ClientHelloInfo #4358

Closed
marten-seemann opened this issue Mar 10, 2024 · 0 comments · Fixed by #4360
Closed

add an AddressVerified field to the ClientHelloInfo #4358

marten-seemann opened this issue Mar 10, 2024 · 0 comments · Fixed by #4360
Labels
enhancement security
Milestone
v0.42

Comments

@marten-seemann
Copy link
Member

When implementing an IP-based blacklisting, it would be foolish to rely on unvalidated remote addresses: An attacker could easily prevent a legitimate client from connecting by just spoofing the source address.

The ClientHelloInfo should contain a field AddressVerified, and a blacklisting implementation would then only act on verified addresses. The number of unvalidated handshakes is limited by MaxUnvalidatesHandshakes, so this doesn’t pose an attack vector.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement security
Projects
None yet
Milestone
v0.42
Development

Successfully merging a pull request may close this issue.

add an AddrVerified field to the ClientHelloInfo quic-go/quic-go
1 participant
@marten-seemann