-
Notifications
You must be signed in to change notification settings - Fork 203
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
CONNECTION_CLOSE for unpadded Initial #3269
Comments
Note that our principles here mean that we aren't obligated to defend against this style of attack, but rewording here is probably a good idea. |
I agree that we've decided not to try to protect against attacks in the first flight, but this seems open up an extremely trivial attack vector that we can easily shutdown. I believe we should prevent it. |
Why would a server want to send a CONNECTION_CLOSE in the first place? I think dropping the packet is a perfectly valid thing to do, and in fact is preferable at such an early state in the connection. |
This is trickier than I had imagined. Sending CONNECTION_CLOSE is probably fine, but it's harder to do this correctly now. You can't just send an unauthenticated CONNECTION_CLOSE because that might disrupt a real connection. So there are two goals in tension: 1. Don't kill an active connection (attempt) unnecessarily. 2. Provide feedback about errors. The observation is that an attacker can disrupt connections by eliciting a CONNECTION_CLOSE, so feedback naturally leads to an exposure to a DoS attack. That's unfortunate, but we have established that we don't care about DoS by an on-path attacker prior to handshake completion. Anything we do here has got to be best effort. DoS prevention would say that you just discard junk, and that is probably the right answer. But we have a number of cases where the robustness of the system depends on getting feedback. Either way, we agreed to allow CONNECTION_CLOSE in Initial, so the exposure exists anyway. So this contains advice. Maybe too much advice, but I thought that I'd see what people thought. Closes #3269.
I'm going to request that this go for a consensus call. It's borderline, but I think that it is worth running the process here. And it isn't critical that this get fixed right now. |
The draft requires that if an Initial packet is not padded, the server sends a CONNECTION_CLOSE. I think that the goal was to have the server drop those packets and optionally send a signal. But that only applies if the server hasn't established state. We should reword that.
@nibanks says:
Originally posted by @nibanks in #3262
The text was updated successfully, but these errors were encountered: