Update with modified terminology and new text around active and passi…

…ve attacks
quicwg · Sep 23, 2019 · 510536d · 510536d
1 parent 5e14c63
commit 510536d
Showing 1 changed file with 80 additions and 18 deletions.
diff --git a/draft-ietf-quic-transport.md b/draft-ietf-quic-transport.md
@@ -5834,10 +5834,12 @@ ID can be selected to route later packets to the same server.
 ## Overview of Security Properties {#security-properties}
 
 A complete security analysis of QUIC is outside the scope of this document.
-This appendix provides an informal description of the desired security
-properties as an aid to implementors and to help guide protocol analysis.
+This section provides an informal description of the desired security properties
+as an aid to implementors and to help guide protocol analysis.
+
+Properties of the handshake, general transport, and connection migration are
+considered separately.
 
-Properties of the handshake, general transport, and migration separately.
 
 ### Handshake {#handshake-properties}
 
@@ -5851,22 +5853,82 @@ TBD.
 
 Connection Migration ({{migration}}) provides endpoints with the ability to
 transition between IP addresses and ports on multiple paths, using one path at a
-time for sending non-probing frames.  Path validation helps to establish that a
-peer is both willing and able to receive packets sent on a particular path.
-This helps reduce the effects of address spoofing, by limiting the number of
-packets sent to a spoofed address, unless an attacker is able to also receive
-packets sent to that address.
+time for transmission and receipt of non-probing frames.  Path validation helps
+to establish that a peer is both willing and able to receive packets sent on a
+particular path.  This helps reduce the effects of address spoofing, by limiting
+the number of packets sent to a spoofed address, unless an attacker is able to
+also receive packets sent to that address.
 
 This section describes the intended security properties of connection migration
-when under attack by the following attackers.  These attackers all mount active
-attacks, requiring injection of packets into the network, as described in
-{{?RFC3552}}.
+when under various types of attack, as described in more detail by {{?RFC3552}}.
+
+For this purpose, attacks are divided into passive and active attacks, passive
+attackers having the capability to read packets from the network and active
+attackers having the capability to write packets into the network.
+
+Attackers are additionally categorized as either on-path attackers or off-path
+attackers (see Section 3.5 of {{?RFC3552}}); an on-path attacker is on the
+critical path for a given connection and can read, modify, or remove any packet
+it observes such that it no longer reaches its destination, while an off-path
+attacker observes the packets, but cannot prevent the original packet from
+reaching its intended destination. An off-path attacker can transmit arbitrary
+packets, and it may be able to attack the network so as to place itself on-path.
+
+
+#### Passive Attacks
+
+A passive attack ({{?RFC3552}}) involves observing and potentially saving
+packets being sent over the network, but does not involve sending any packets.
+However, a passive attack may involve an attacker with the ability to cause a
+routing change or other modification in the path taken by packets that comprise
+a QUIC connection.
+
+Both on-path and off-path attackers can mount a passive attack in which they
+save observed QUIC packets for an offline attack against QUIC packet protection
+at a future time; this is true for any observer of any packet on any network.
+
+
+#### Active Attacks
+
+An active attack ({{?RFC3552}}) involves writing data to the network.  An
+attacker with such a capability might be in a position to additionally prevent
+the original packets it observes from reaching their intended destination.  If
+so, they are considered to be an on-path attacker.
+
+An active attacker may also choose to rewrite the source or destination IP
+addresses of packets that it forwards or injects. Such spoofing attacks are only
+effective against a QUIC connection if the attacker can still forward the
+contents of the packets to the original endpoint, since QUIC connections are
+both authenticated and encrypted.
+
+A blind attacker, one who injects packets without being able to observe valid
+packets for a QUIC connection, is unlikely to be successful, since QUIC packet
+protection ensures that valid packets are only generated by endpoints which
+possess the key material established during the handshake.  Similarly, any
+active attacker that observes QUIC packets and attempts to insert new data or
+modify existing data in those packets should not be able to generate packets
+deemed valid by the receiving endpoint.
+
+However, an attacker can modify the boundaries between QUIC packets and UDP
+datagrams, causing multiple packets to be coalesced into a single datagram, or
+splitting coalesced packets into multiple datagrams.  Such modification has no
+functional effect on a QUIC connection, however it might change the performance
+characteristics exhibited by the receiving endpoint.
+
+A spoofing attack, in which an attacker rewrites unprotected parts of a QUIC
+packet such as the source or destination address, is only effective if the
+attacker can forward packets to the original endpoint, as path validation
+({{migrate-validate}}) ensures that an endpoint's ability and willingness to
+decrypt QUIC packets is demonstrated before sending significant amounts of data
+to a new endpoint as part of an established QUIC connection.
+
 
-#### On-Path Attacker
+##### On-Path Active Attacks
 
-An on-path attacker is present between the QUIC client and server, and an
-endpoint is required to send packets through this attacker to establish
-connectivity on a given path.
+An attacker that can cause a packet it observes to no longer reach its intended
+destination is considered an on-path attacker.  Such an attacker generally is
+present between the QUIC client and server, and a QUIC endpoint is required to
+send packets through this attacker to establish connectivity on a given path.
 
 An on-path attacker can:
 
@@ -5883,7 +5945,7 @@ An on-path attacker cannot:
 
 An on-path attacker has the opportunity to modify the packets that it observes,
 however any modifications to an authenticated portion of a packet will cause it
-to be dropped by the receiving endpoint as invalid. QUIC payloads are both
+to be dropped by the receiving endpoint as invalid, as QUIC payloads are both
 authenticated and encrypted.
 
 In the presence of an on-path attacker, QUIC aims to provide the following
@@ -5907,7 +5969,7 @@ packets or dropping them.
 has modified an authenticated portion of that packet.
 
 
-#### Off-Path Attacker
+##### Off-Path Active Attacks
 
 An off-path attacker is not directly on the path between the QUIC client and
 server, but may be able to obtain copies of some or all packets sent between the
@@ -5963,7 +6025,7 @@ shared NAT state such that it sends packets to the server from the same IP
 address and port that the client originally used.
 
 
-#### Limited On-Path Attacker
+##### Limited On-Path Active Attacks
 
 A limited on-path attacker is an off-path attacker that has offered improved
 routing of packets by duplicating and forwarding original packets between the