New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Write down spoofed packet guarantees #1347
Conversation
We agreed to this a while back, but never got around to putting the conclusions in the document. We've done some of the work by writing down the rules for use of CONNECTION_CLOSE and TLS alerts, and the related changes, but the basic principles never got articulated. This attempts to outline what we do to authenticate packets that we receive. * Once the handshake is done, it's mostly simple: if the AEAD fails, drop it. * We have a small carve-out for some types of ICMP, with some strong limitations on what that information can be used for. @igorlord might expand the PMTU usage to cover DestUnreach, but these uses permit a very narrow range of actions. * We also have stateless reset, which is another snowflake. * The bulk of the text here concerns the handshake. I've covered the two mechanisms we tie into the use of connection IDs: ** Echoing the value (the only protection we have for Version Negotiation, for instance). ** The AEAD that uses the connection ID as input. And then it explains that our only defense against an on-path attacker is to fail to establish a connection. I think that covers all the necessary points. Closes #645.
draft-ietf-quic-transport.md
Outdated
|
||
As an encrypted and authenticated transport QUIC provides a range of protections | ||
against denial of service. Once the cryptographic handshake is complete, QUIC | ||
endpoints discard packets that are not authenticated, greatly limiting the |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
how about "most packets", since there clearly are unauthenticated packets that are accepted.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Sure. I was hoping that we could ultimately authenticate even those packets that don't have packet protection in some way. For instance, by ensuring that the ICMP unreachable includes bytes from a packet we sent. But maybe that's stretching the definition too far.
draft-ietf-quic-transport.md
Outdated
|
||
The first mechanism used is the source and destination connection IDs, which are | ||
required to match those set by a peer. Except for an Initial packet and | ||
stateless reset, an endpoint only accepts packets that include a destination |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
"Except for Initial and Stateless Reset packets"
draft-ietf-quic-transport.md
Outdated
The destination connection ID in an Initial packet is selected by a client to be | ||
unpredictable, which serves an additional purpose. The packets that carry the | ||
cryptographic handshake are protected with a key that is derived from the | ||
connection ID and salt specific to the QUIC version. This allows endpoints to |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
s/the connection ID/this connection ID/
draft-ietf-quic-transport.md
Outdated
use the same process for authenticating packets that they receive as they use | ||
after the cryptographic handshake completes. Packets that cannot be | ||
authenticated are discarded. Protecting packets in this fashion provides a | ||
strong assurance that the sender of the packet saw previous packets and |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
s/saw previous packets and understood them/saw the Initial packet and understood it/
draft-ietf-quic-transport.md
Outdated
These protections are not intended to be effective against an attacker that is | ||
able to receive QUIC packets. Such an attacker can potentially send packets | ||
that will be accepted by QUIC clients or servers. This version of QUIC only | ||
attempts to detect this sort of attack. Interference with the handshake is |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
s/only attempts to detect/attempts to only detect/
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I've reworded this to be a little clearer (I hope). I think that it is important to say that we don't expect endpoints to do anything other than fail when an attacker tampers with the handshake. I realize that the lead-in to this paragraph didn't scope that properly though. Have another look.
draft-ietf-quic-transport.md
Outdated
|
||
Endpoints are permitted to use other methods to detect and attempt to recover | ||
from interference with the handshake. For instance, if invalid packets can be | ||
identified then they can be discarded. This can be complex or difficult and so |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Suggested replacement for the last two sentences: "Invalid packets may be identified and discarded using other methods, but no specific method is mandated in this document."
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for the review. I would like another for the new text about the handshake. I took your suggestions verbatim otherwise.
draft-ietf-quic-transport.md
Outdated
|
||
As an encrypted and authenticated transport QUIC provides a range of protections | ||
against denial of service. Once the cryptographic handshake is complete, QUIC | ||
endpoints discard packets that are not authenticated, greatly limiting the |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Sure. I was hoping that we could ultimately authenticate even those packets that don't have packet protection in some way. For instance, by ensuring that the ICMP unreachable includes bytes from a packet we sent. But maybe that's stretching the definition too far.
draft-ietf-quic-transport.md
Outdated
These protections are not intended to be effective against an attacker that is | ||
able to receive QUIC packets. Such an attacker can potentially send packets | ||
that will be accepted by QUIC clients or servers. This version of QUIC only | ||
attempts to detect this sort of attack. Interference with the handshake is |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I've reworded this to be a little clearer (I hope). I think that it is important to say that we don't expect endpoints to do anything other than fail when an attacker tampers with the handshake. I realize that the lead-in to this paragraph didn't scope that properly though. Have another look.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM.
draft-ietf-quic-transport.md
Outdated
use the same process for authenticating packets that they receive as they use | ||
after the cryptographic handshake completes. Packets that cannot be | ||
authenticated are discarded. Protecting packets in this fashion provides a | ||
strong assurance that the sender of the packet saw the Initial packets and |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
packets plural?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
yeah, this should be "packet"
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nits, but LGTM
draft-ietf-quic-transport.md
Outdated
required to match those set by a peer. Except for an Initial packet and | ||
stateless reset, an endpoint only accepts packets that include a destination | ||
required to match those set by a peer. Except for an Initial and stateless | ||
reset packets, an endpoint only accepts packets that include a destination |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
capitalize stateless reset
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
That would be a first. It's lowercase everywhere else.
draft-ietf-quic-transport.md
Outdated
use the same process for authenticating packets that they receive as they use | ||
after the cryptographic handshake completes. Packets that cannot be | ||
authenticated are discarded. Protecting packets in this fashion provides a | ||
strong assurance that the sender of the packet saw the Initial packets and |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
yeah, this should be "packet"
draft-ietf-quic-transport.md
Outdated
property that the cryptographic handshake protocol {{QUIC-TLS}} is required to | ||
provide, though additional validation is required for version negotiation (see | ||
able to receive QUIC packets prior to the connection being established. Such an | ||
attacker can potentially send packets that will be accepted by QUIC clients or |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
s/QUIC clients or servers/the QUIC endpoints/ ?
draft-ietf-quic-transport.md
Outdated
attacker can potentially send packets that will be accepted by QUIC clients or | ||
servers. This version of QUIC attempts to detect this sort of attack, but it | ||
expects that endpoints will fail to establish a connection rather than | ||
recovering. For the most part, the cryptographic handshake protocol |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think this is fine.
We agreed to this a while back, but never got around to putting the conclusions in the document. We've done some of the work by writing down the rules for use of CONNECTION_CLOSE and TLS alerts, and the related changes, but the basic principles never got articulated.
This attempts to outline what we do to authenticate packets that we receive.
** Echoing the value (the only protection we have for Version Negotiation, for instance).
** The AEAD that uses the connection ID as input.
And then it explains that our only defense against an on-path attacker is to fail to establish a connection. I think that covers all the necessary points.
Closes #645.