Specify AEAD-based protection of cleartext packets #693
Comments
|
I think this obsoletes #554 |
|
I have no major issue with AES-GCM and the benefit is that it is already there - but please also consider AES-CMAC - it is much lighter and does the job for clear text - and would thus be more version neutral - e.g. implementations are not forced to carry GCM machinery if they want other crypto in a specific version. Notably, middle-boxes would have an easier time. https://tools.ietf.org/html/rfc4493 |
|
The rationale for GCM was that Ian wanted to encrypt the plaintext. |
|
Yes, I'm worried about the day when QUIC version N+1 wants to support TLS > 1.3 and I don't want to deal with all the old middleboxes that have ossified QUIC==TLS 1.3. |
|
ah I see |
|
How does this apply to the Version Negotiation packet? |
|
I had in mind the same way. You would use the client's version there too |
|
This is assigned to me, but I'm waiting on doing it until @martinthomson does some refactoring. Trying to avoid merge conflicts |
|
So for version negotiation, we would have:
Correct? |
|
Ian was suggesting that the version-specific key be predictable from the version, so no, you would just decrypt it. |
|
If it's predictable, won't the middleboxes just derive the key, decrypt it, and then do their usual ossifying thing? |
|
On Sun, Jul 30, 2017 at 4:37 PM, ekr ***@***.***> wrote:
Ian was suggesting that the version-specific key be predictable from the
version, so no, you would just decrypt it.
Decrypt which? The version negotiation packet? The version negotiation
packet has N versions in it, right?
|
|
I don't see the point of going to AEAD encryption if the key is entirely predictable from the packet. Doing so would not allow us to replace AES-GCM by something else in the future. It would also be a mere speed bump for ossifying NATs. I would rather stick to FNV1A-64. I see the point of a key that is specified as part of the document specifying a specific version. That mean that a NAT developer could not decrypt the data for version X without having read the spec for version X. It is not an iron-proof guarantee, because the NAT developers may decide to just read the part of the spec that specifies the key and ignore the other parts. But people who do that can be pointed out as misbehaving. The document that specifies the version would also specify the algorithm, which will allow for evolution. But then, that means that servers receiving an packet with the wrong version will only be able to understand the packet header. |
|
The idea here is to make the key (and algorithm) version-specific. Then you absolutely can't pretend to support a version you don't understand. The risk, as always, is that NATs latch on to one version and block all other versions. But that's preferable to the range of subtle and noxious stuff that they might otherwise do. @ekr, if the server sends a Version Negotiation packet, it can't know which version to choose - the only version it knows that the client supports is one that it doesn't. If I'm right, then Version Negotiation has to be unencrypted. I think that for consistency we should define version 0 for this purpose with a fixed algorithm, which might be f(x)=x. |
|
@martinthomson, I think we agree. But I don't think we need the version 0 hack. The base spec says that the clear text packets are integrity protected, but it does not mention anything of the kind for the version negotiation packet. The way I read the spec, the version negotiation packets are not protected at all. This means that the version can be spoofed. But then, the transport parameters repeat the content and results of the renegotiation, and the spoofing will be detected. So we are probably fine without any protection. |
|
:) The only hazard here is what you get when the Version Negotiation is indistinguishable from Internet-noise. I think that we can and should just decide that we're comfortable with that. |
|
Yes, we should be OK with the "Internet Noise" issue. Version Negotiation is sent to clients. It will only be accepted if the connection ID and Sequence Number match what the client expects. That, and the IP source address and UDP source port... |
|
There are two objectives here:
WRT to the various suggestions made above: I think the right approach here is a variant of @martinthomson's suggestion above.
The impact of this would be that:
|
|
Works for me. |
|
I like ekr's proposed approach. The VN packet currently echoes pieces of the client packet, which seems unnecessary with the "encrypted" VN. We could clean that up too if we want, but that should be a separate issue to deal with once this one is done.. |
|
I agree with Jana, adding Server Stateless Retry to that bucket of things that we might re-examine after this. |
|
The risk of an encrypted VN packet is that it moves the specifics of encrypting at least that packet into the "can't change between versions" realm. Do we want to codify something that requires keeping old moldy crypto around just to express what QUIC versions you support that no longer use that crypto? Whatever we do, Version Negotiation winds up being a one-off -- if we're consistent now, then it's a one-off when we eventually change. If we don't encrypt, it's a one-off from the start, which might be more honest. Though I agree the protection against off-path attackers is also interesting. |
|
On Wed, Aug 2, 2017 at 3:15 PM, Mike Bishop ***@***.***> wrote:
The risk of an encrypted VN packet is that it moves the specifics of
encrypting at least that packet into the "can't change between versions"
realm. Do we want to codify something that requires keeping old moldy
crypto around just to express what QUIC versions you support that no longer
use that crypto?
I completely agree with this point and think that a minimal VN packet
format is probably best.
|
|
Mike, Ryan: Are you suggesting that we treat VN as a special snowflake (which it undoubtedly is) and leave it unencrypted with an FNV-128a hash? We have nominal protection against off-path attackers already with a connection ID echo, so that's covered without the encryption. I am sympathetic to the idea of not wanting to have old crypto sitting around just to handle VN packets. I'd be happy to treat VN packets as special, and leave them unencrypted. I don't think I care enough about bit flips with the VN packet to need an FNV hash for this alone... we'll still have the (weak) UDP checksum to cover that. |
|
I suggest that it have no encryption and no fnv-128 hash.
…On Wed, Aug 2, 2017 at 4:07 PM, janaiyengar ***@***.***> wrote:
Mike, Ryan: Are you suggesting that we treat VN as a special snowflake
(which it undoubtedly is) and leave it unencrypted with an FNV-128a hash?
We have nominal protection against off-path attackers already with a
connection ID echo, so that's covered without the encryption.
I am sympathetic to the idea of not wanting to have old crypto sitting
around just to handle VN packets. I'd be happy to treat VN packets as
special, and leave them unencrypted. I don't think I care enough about bit
flips with the VN packet to need an FNV hash for this alone... we'll still
have the (weak) UDP checksum to cover that.
—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub
<#693 (comment)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/ASp6ymfKvman1rx2Ffo8rnM9meurafUgks5sUQEpgaJpZM4OfFhh>
.
|
|
SGTM. |
|
But now this is the only thing with some special snowflake anti-injection.
I don't see how that makes things better.
On Wed, Aug 2, 2017 at 7:57 PM, Ryan Hamilton <notifications@github.com>
wrote:
… Agreed. Echoing the connection id seems to provide sufficient entropy to
defend against off-path attackers.
On Wed, Aug 2, 2017 at 7:34 PM, janaiyengar ***@***.***>
wrote:
> That was my thinking. The protection is as good as the packet encrypted
> with the connection ID, since the information required to generate the VN
> is the same in both cases.
>
> —
> You are receiving this because you commented.
> Reply to this email directly, view it on GitHub
> <#693 (comment)
>,
> or mute the thread
> <https://github.com/notifications/unsubscribe-auth/ASp6yl2Lr-
8KHUakdZ49tqGUtdBhlPk4ks5sUTG-gaJpZM4OfFhh>
> .
>
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#693 (comment)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/ABD1oRI2adgeAAd4bq4m3CijJmmlabgGks5sUTcHgaJpZM4OfFhh>
.
|
|
As Mike pointed out, VN and Stateless Reset are special snowflakes, no
matter what. The point is that since whatever we do now with them is going
to become stale sooner or later, leaving it as plaintext seems like the
cleanest approach. That makes sense to me, especially since there's no
additional protection that you get for encrypting them with a forever-fixed
key.
…On Thu, Aug 3, 2017 at 3:52 PM, ekr ***@***.***> wrote:
But now this is the only thing with some special snowflake anti-injection.
I don't see how that makes things better.
On Wed, Aug 2, 2017 at 7:57 PM, Ryan Hamilton ***@***.***>
wrote:
> Agreed. Echoing the connection id seems to provide sufficient entropy to
> defend against off-path attackers.
>
> On Wed, Aug 2, 2017 at 7:34 PM, janaiyengar ***@***.***>
> wrote:
>
> > That was my thinking. The protection is as good as the packet encrypted
> > with the connection ID, since the information required to generate the
VN
> > is the same in both cases.
> >
> > —
> > You are receiving this because you commented.
> > Reply to this email directly, view it on GitHub
> > <#693#
issuecomment-319851408
> >,
> > or mute the thread
> > <https://github.com/notifications/unsubscribe-auth/ASp6yl2Lr-
> 8KHUakdZ49tqGUtdBhlPk4ks5sUTG-gaJpZM4OfFhh>
>
> > .
> >
>
> —
> You are receiving this because you were mentioned.
> Reply to this email directly, view it on GitHub
> <#693 (comment)
>,
> or mute the thread
> <https://github.com/notifications/unsubscribe-auth/
ABD1oRI2adgeAAd4bq4m3CijJmmlabgGks5sUTcHgaJpZM4OfFhh>
> .
>
—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub
<#693 (comment)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/AKjg1FDaaPr7OVpcDH9U1b0tGDo5LKYRks5sUezGgaJpZM4OfFhh>
.
|
|
I think it's valuable to have a consistent set of defenses that are easy to
reason about.
However, it seems that we have consensus to do this for all packets other
than VN and Stateless Reset, and VN doesn't have any integrity check at all
now. So why don't I send a PR that does this for the other packets and then
we can discuss VN in Seattle?
On Thu, Aug 3, 2017 at 5:34 PM, janaiyengar <notifications@github.com>
wrote:
… As Mike pointed out, VN and Stateless Reset are special snowflakes, no
matter what. The point is that since whatever we do now with them is going
to become stale sooner or later, leaving it as plaintext seems like the
cleanest approach. That makes sense to me, especially since there's no
additional protection that you get for encrypting them with a forever-fixed
key.
On Thu, Aug 3, 2017 at 3:52 PM, ekr ***@***.***> wrote:
> But now this is the only thing with some special snowflake
anti-injection.
> I don't see how that makes things better.
>
>
>
> On Wed, Aug 2, 2017 at 7:57 PM, Ryan Hamilton ***@***.***>
> wrote:
>
> > Agreed. Echoing the connection id seems to provide sufficient entropy
to
> > defend against off-path attackers.
> >
> > On Wed, Aug 2, 2017 at 7:34 PM, janaiyengar ***@***.***>
> > wrote:
> >
> > > That was my thinking. The protection is as good as the packet
encrypted
> > > with the connection ID, since the information required to generate
the
> VN
> > > is the same in both cases.
> > >
> > > —
> > > You are receiving this because you commented.
> > > Reply to this email directly, view it on GitHub
> > > <#693#
> issuecomment-319851408
> > >,
> > > or mute the thread
> > > <https://github.com/notifications/unsubscribe-auth/ASp6yl2Lr-
> > 8KHUakdZ49tqGUtdBhlPk4ks5sUTG-gaJpZM4OfFhh>
> >
> > > .
> > >
> >
> > —
> > You are receiving this because you were mentioned.
> > Reply to this email directly, view it on GitHub
> > <#693#
issuecomment-319854352
> >,
> > or mute the thread
> > <https://github.com/notifications/unsubscribe-auth/
> ABD1oRI2adgeAAd4bq4m3CijJmmlabgGks5sUTcHgaJpZM4OfFhh>
> > .
> >
>
> —
> You are receiving this because you commented.
> Reply to this email directly, view it on GitHub
> <#693 (comment)
>,
> or mute the thread
> <https://github.com/notifications/unsubscribe-auth/
AKjg1FDaaPr7OVpcDH9U1b0tGDo5LKYRks5sUezGgaJpZM4OfFhh>
> .
>
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#693 (comment)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/ABD1oQWsZvGLuMCKTAF6k9E48X5mBEcAks5sUmcVgaJpZM4OfFhh>
.
|
|
Sorry - I thought I had responded to this, but I dropped it. Yes, your plan SGTM. |
martinthomson
added
-transport
design
janaiyengar
added
the
needs-discussion
|
From discussion in Seattle: AEAD protect all cleartext packet types, leave Stateless Reset and Version Negotiation as they are. EKR to produce PR for AEAD protection. |
janaiyengar
added
editor-ready
and removed
design
|
does this mean we can get rid of the initial packet number randomization
now that this serves as proof-of-onpath?
…On Mon, Oct 9, 2017 at 8:02 PM, Martin Thomson ***@***.***> wrote:
Closed #693 <#693> via a0c571b
<a0c571b>
.
—
You are receiving this because you are subscribed to this thread.
Reply to this email directly, view it on GitHub
<#693 (comment)>, or mute
the thread
<https://github.com/notifications/unsubscribe-auth/AAP5s4o7Ge52eXAZOknJn8IRD65rB7xHks5sqrQngaJpZM4OfFhh>
.
|
|
On Tue, Oct 10, 2017 at 7:26 AM, Patrick McManus ***@***.***> wrote:
does this mean we can get rid of the initial packet number randomization
now that this serves as proof-of-onpath?
I love it!
|
|
But if we remove packet number randomization, do we start with SN=0 or SN=1? |
|
|
Ha, interesting. Removing randomization SGTM. And yes, please, please SN=1. 0 is special. |
Based on discussion in Prague:
The text was updated successfully, but these errors were encountered: