Write down spoofed packet guarantees #1347
Conversation
We agreed to this a while back, but never got around to putting the conclusions in the document. We've done some of the work by writing down the rules for use of CONNECTION_CLOSE and TLS alerts, and the related changes, but the basic principles never got articulated. This attempts to outline what we do to authenticate packets that we receive. * Once the handshake is done, it's mostly simple: if the AEAD fails, drop it. * We have a small carve-out for some types of ICMP, with some strong limitations on what that information can be used for. @igorlord might expand the PMTU usage to cover DestUnreach, but these uses permit a very narrow range of actions. * We also have stateless reset, which is another snowflake. * The bulk of the text here concerns the handshake. I've covered the two mechanisms we tie into the use of connection IDs: ** Echoing the value (the only protection we have for Version Negotiation, for instance). ** The AEAD that uses the connection ID as input. And then it explains that our only defense against an on-path attacker is to fail to establish a connection. I think that covers all the necessary points. Closes #645.
draft-ietf-quic-transport.md
Outdated
|
|
||
| As an encrypted and authenticated transport QUIC provides a range of protections | ||
| against denial of service. Once the cryptographic handshake is complete, QUIC | ||
| endpoints discard packets that are not authenticated, greatly limiting the |
There was a problem hiding this comment.
how about "most packets", since there clearly are unauthenticated packets that are accepted.
There was a problem hiding this comment.
Sure. I was hoping that we could ultimately authenticate even those packets that don't have packet protection in some way. For instance, by ensuring that the ICMP unreachable includes bytes from a packet we sent. But maybe that's stretching the definition too far.
draft-ietf-quic-transport.md
Outdated
|
|
||
| The first mechanism used is the source and destination connection IDs, which are | ||
| required to match those set by a peer. Except for an Initial packet and | ||
| stateless reset, an endpoint only accepts packets that include a destination |
There was a problem hiding this comment.
"Except for Initial and Stateless Reset packets"
draft-ietf-quic-transport.md
Outdated
| The destination connection ID in an Initial packet is selected by a client to be | ||
| unpredictable, which serves an additional purpose. The packets that carry the | ||
| cryptographic handshake are protected with a key that is derived from the | ||
| connection ID and salt specific to the QUIC version. This allows endpoints to |
There was a problem hiding this comment.
s/the connection ID/this connection ID/
draft-ietf-quic-transport.md
Outdated
| use the same process for authenticating packets that they receive as they use | ||
| after the cryptographic handshake completes. Packets that cannot be | ||
| authenticated are discarded. Protecting packets in this fashion provides a | ||
| strong assurance that the sender of the packet saw previous packets and |
There was a problem hiding this comment.
s/saw previous packets and understood them/saw the Initial packet and understood it/
draft-ietf-quic-transport.md
Outdated
| These protections are not intended to be effective against an attacker that is | ||
| able to receive QUIC packets. Such an attacker can potentially send packets | ||
| that will be accepted by QUIC clients or servers. This version of QUIC only | ||
| attempts to detect this sort of attack. Interference with the handshake is |
There was a problem hiding this comment.
s/only attempts to detect/attempts to only detect/
There was a problem hiding this comment.
I've reworded this to be a little clearer (I hope). I think that it is important to say that we don't expect endpoints to do anything other than fail when an attacker tampers with the handshake. I realize that the lead-in to this paragraph didn't scope that properly though. Have another look.
draft-ietf-quic-transport.md
Outdated
|
|
||
| Endpoints are permitted to use other methods to detect and attempt to recover | ||
| from interference with the handshake. For instance, if invalid packets can be | ||
| identified then they can be discarded. This can be complex or difficult and so |
There was a problem hiding this comment.
Suggested replacement for the last two sentences: "Invalid packets may be identified and discarded using other methods, but no specific method is mandated in this document."
draft-ietf-quic-transport.md
Outdated
|
|
||
| As an encrypted and authenticated transport QUIC provides a range of protections | ||
| against denial of service. Once the cryptographic handshake is complete, QUIC | ||
| endpoints discard packets that are not authenticated, greatly limiting the |
There was a problem hiding this comment.
Sure. I was hoping that we could ultimately authenticate even those packets that don't have packet protection in some way. For instance, by ensuring that the ICMP unreachable includes bytes from a packet we sent. But maybe that's stretching the definition too far.
draft-ietf-quic-transport.md
Outdated
| These protections are not intended to be effective against an attacker that is | ||
| able to receive QUIC packets. Such an attacker can potentially send packets | ||
| that will be accepted by QUIC clients or servers. This version of QUIC only | ||
| attempts to detect this sort of attack. Interference with the handshake is |
There was a problem hiding this comment.
I've reworded this to be a little clearer (I hope). I think that it is important to say that we don't expect endpoints to do anything other than fail when an attacker tampers with the handshake. I realize that the lead-in to this paragraph didn't scope that properly though. Have another look.
draft-ietf-quic-transport.md
Outdated
| use the same process for authenticating packets that they receive as they use | ||
| after the cryptographic handshake completes. Packets that cannot be | ||
| authenticated are discarded. Protecting packets in this fashion provides a | ||
| strong assurance that the sender of the packet saw the Initial packets and |
There was a problem hiding this comment.
yeah, this should be "packet"
draft-ietf-quic-transport.md
Outdated
| required to match those set by a peer. Except for an Initial packet and | ||
| stateless reset, an endpoint only accepts packets that include a destination | ||
| required to match those set by a peer. Except for an Initial and stateless | ||
| reset packets, an endpoint only accepts packets that include a destination |
There was a problem hiding this comment.
capitalize stateless reset
There was a problem hiding this comment.
That would be a first. It's lowercase everywhere else.
draft-ietf-quic-transport.md
Outdated
| use the same process for authenticating packets that they receive as they use | ||
| after the cryptographic handshake completes. Packets that cannot be | ||
| authenticated are discarded. Protecting packets in this fashion provides a | ||
| strong assurance that the sender of the packet saw the Initial packets and |
There was a problem hiding this comment.
yeah, this should be "packet"
draft-ietf-quic-transport.md
Outdated
| property that the cryptographic handshake protocol {{QUIC-TLS}} is required to | ||
| provide, though additional validation is required for version negotiation (see | ||
| able to receive QUIC packets prior to the connection being established. Such an | ||
| attacker can potentially send packets that will be accepted by QUIC clients or |
There was a problem hiding this comment.
s/QUIC clients or servers/the QUIC endpoints/ ?
draft-ietf-quic-transport.md
Outdated
| attacker can potentially send packets that will be accepted by QUIC clients or | ||
| servers. This version of QUIC attempts to detect this sort of attack, but it | ||
| expects that endpoints will fail to establish a connection rather than | ||
| recovering. For the most part, the cryptographic handshake protocol |
We agreed to this a while back, but never got around to putting the conclusions in the document. We've done some of the work by writing down the rules for use of CONNECTION_CLOSE and TLS alerts, and the related changes, but the basic principles never got articulated.
This attempts to outline what we do to authenticate packets that we receive.
** Echoing the value (the only protection we have for Version Negotiation, for instance).
** The AEAD that uses the connection ID as input.
And then it explains that our only defense against an on-path attacker is to fail to establish a connection. I think that covers all the necessary points.
Closes #645.