From 6ca8b5908f473b83aea51de16ed2f6633c69a117 Mon Sep 17 00:00:00 2001
From: ID Bot
authenticated. Packet protection keys MUST NOT be used for removing packet
protection after authentication fails on more than a per-AEAD limit. Endpoints
MUST initiate a key update before reaching this limit. Applying a limit reduces
-the probability than attacker is able to successfully forge a packet; see
+the probability that an attacker is able to successfully forge a packet; see
[AEBounds] and [ROBUST].ΒΆ
For AEAD_AES_128_GCM, AEAD_AES_256_GCM, and AEAD_CHACHA20_POLY1305 the number of packets that fail authentication MUST NOT exceed 2^36. Note that the diff --git a/forgery-limit/draft-ietf-quic-tls.txt b/forgery-limit/draft-ietf-quic-tls.txt index 40fda2e747..37c29dc174 100644 --- a/forgery-limit/draft-ietf-quic-tls.txt +++ b/forgery-limit/draft-ietf-quic-tls.txt @@ -2022,8 +2022,9 @@ Internet-Draft Using TLS to Secure QUIC May 2020 cannot be authenticated. Packet protection keys MUST NOT be used for removing packet protection after authentication fails on more than a per-AEAD limit. Endpoints MUST initiate a key update before reaching - this limit. Applying a limit reduces the probability than attacker - is able to successfully forge a packet; see [AEBounds] and [ROBUST]. + this limit. Applying a limit reduces the probability that an + attacker is able to successfully forge a packet; see [AEBounds] and + [ROBUST]. For AEAD_AES_128_GCM, AEAD_AES_256_GCM, and AEAD_CHACHA20_POLY1305 the number of packets that fail authentication MUST NOT exceed 2^36. @@ -2065,7 +2066,6 @@ Internet-Draft Using TLS to Secure QUIC May 2020 For example, an attacker could inject a packet containing an ACK frame that makes it appear that a packet had not been received or to create a false impression of the state of the connection (e.g., by - modifying the ACK Delay). Note that such a packet could cause a @@ -2074,6 +2074,7 @@ Thomson & Turner Expires 8 November 2020 [Page 37] Internet-Draft Using TLS to Secure QUIC May 2020 + modifying the ACK Delay). Note that such a packet could cause a legitimate packet to be dropped as a duplicate. Implementations SHOULD use caution in relying on any data which is contained in Initial packets that is not otherwise authenticated. @@ -2124,7 +2125,6 @@ Internet-Draft Using TLS to Secure QUIC May 2020 - Thomson & Turner Expires 8 November 2020 [Page 38] Internet-Draft Using TLS to Secure QUIC May 2020 diff --git a/forgery-limit/draft-ietf-quic-transport.html b/forgery-limit/draft-ietf-quic-transport.html index cf1b058534..178a6834c8 100644 --- a/forgery-limit/draft-ietf-quic-transport.html +++ b/forgery-limit/draft-ietf-quic-transport.html @@ -9196,7 +9196,7 @@