From 441465c2a30febcfe8bced144315eec37ce868dd Mon Sep 17 00:00:00 2001 From: Martin Thomson Date: Mon, 1 Apr 2019 08:30:04 +0200 Subject: [PATCH 1/8] Allow use of long header for stateless reset --- draft-ietf-quic-transport.md | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/draft-ietf-quic-transport.md b/draft-ietf-quic-transport.md index 6838f96091..66234b9ab9 100644 --- a/draft-ietf-quic-transport.md +++ b/draft-ietf-quic-transport.md @@ -2350,11 +2350,13 @@ valid QUIC packets. With the set of AEAD functions defined in {{QUIC-TLS}}, packets that are smaller than 21 bytes are never valid. An endpoint MAY send a stateless reset in response to a packet with a long -header. This would not be effective if the stateless reset token was not yet -available to a peer. In this QUIC version, packets with a long header are only -used during connection establishment. Because the stateless reset token is not -available until connection establishment is complete or near completion, -ignoring an unknown packet with a long header might be more effective. +header and MAY send a stateless reset that is formatted to appear as a packet +with a long header. Sending a stateless reset is not effective prior to the +stateless reset token being available to a peer. In this QUIC version, packets +with a long header are only used during connection establishment. Because the +stateless reset token is not available until connection establishment is +complete or near completion, ignoring an unknown packet with a long header might +be more effective. An endpoint cannot determine the Source Connection ID from a packet with a short header, therefore it cannot set the Destination Connection ID in the stateless From 0bfe4c5c503295e7b008741032cc95e5c3e6acb4 Mon Sep 17 00:00:00 2001 
From: Martin Thomson Date: Mon, 1 Apr 2019 08:34:15 +0200 Subject: [PATCH 2/8] Move the mandatory check to the detecting section --- draft-ietf-quic-transport.md | 23 ++++++++++------------- 1 file changed, 10 insertions(+), 13 deletions(-) diff --git a/draft-ietf-quic-transport.md b/draft-ietf-quic-transport.md index 66234b9ab9..df4304c8b3 100644 --- a/draft-ietf-quic-transport.md +++ b/draft-ietf-quic-transport.md @@ -2328,12 +2328,6 @@ of the packet header. The remainder of the first byte and an arbitrary number of bytes following it that are set to unpredictable values. The last 16 bytes of the datagram contain a Stateless Reset Token. -An endpoint that receives a packet where removal of packet protection fails MUST -check the last 16 bytes of that packet. If the last 16 bytes of the packet are -identical to a stateless reset token corresponding to a packet that was recently -sent, the endpoint MUST NOT send any further packets; all state for the -connection can then be discarded. - To entities other than its intended recipient, a stateless reset will be appear to be a packet with a short header. For the packet to appear as valid, the Unpredictable Bits field needs to include at least 182 bits of data (or 23 
@@ -2393,13 +2387,16 @@ the packet other than the last 16 bytes for carrying data. ### Detecting a Stateless Reset -An endpoint detects a potential stateless reset when a incoming packet -with a short header either cannot be associated with a connection, -cannot be decrypted, or is marked as a duplicate packet. The endpoint -then compares the last 16 bytes of the packet with the Stateless Reset -Token provided by its peer, either in a NEW_CONNECTION_ID frame or -the server's transport parameters. If these values are identical, -the endpoint MUST enter the draining period and not send any further +An endpoint detects a potential stateless reset when a incoming packet with a +short header either cannot be associated with a connection, cannot be decrypted, +or is marked as a duplicate packet. The endpoint MUST then compare the last 16 +bytes of the packet with all Stateless Reset Tokens provided by its peer, either +in a NEW_CONNECTION_ID frame or the server's transport parameters. An endpoint +MUST NOT check for any Stateless Reset Tokens associated with connection IDs it +has not used. + +If the last 16 bytes of the packet values are identical to a Stateless Reset +Token, the endpoint MUST enter the draining period and not send any further packets on this connection. If the comparison fails, the packet can be discarded. From 6c0f157c2bc99d20be5ae7b31db96d673a7bbc68 Mon Sep 17 00:00:00 2001 From: Martin Thomson Date: Mon, 1 Apr 2019 08:37:02 +0200 Subject: [PATCH 3/8] Use normative language about CID reuse --- draft-ietf-quic-transport.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/draft-ietf-quic-transport.md b/draft-ietf-quic-transport.md index df4304c8b3..970bbf8a98 100644 --- a/draft-ietf-quic-transport.md +++ b/draft-ietf-quic-transport.md 
@@ -2427,17 +2427,17 @@ This design relies on the peer always sending a connection ID in its packets so that the endpoint can use the connection ID from a packet to reset the connection. An endpoint that uses this design MUST either use the same connection ID length for all connections or encode the length of the connection -ID such that it can be recovered without state. In addition, it cannot -provide a zero-length connection ID. +ID such that it can be recovered without state. In addition, it cannot provide +a zero-length connection ID. Revealing the Stateless Reset Token allows any entity to terminate the connection, so a value can only be used once. This method for choosing the Stateless Reset Token means that the combination of connection ID and static key -cannot occur for another connection. A denial of service attack is possible if -the same connection ID is used by instances that share a static key, or if an +MUST NOT be used for another connection. A denial of service attack is possible +if the same connection ID is used by instances that share a static key, or if an attacker can cause a packet to be routed to an instance that has no state but the same static key (see {{reset-oracle}}). A connection ID from a connection -that is reset by revealing the Stateless Reset Token cannot be reused for new +that is reset by revealing the Stateless Reset Token MUST NOT be reused for new connections at nodes that share a static key. Note that Stateless Reset packets do not have any cryptographic protection. From 43a7b94d19cbe28bb02c67cbb5cfb35f73cfa1f2 Mon Sep 17 00:00:00 2001 From: MikkelFJ Date: Mon, 1 Apr 2019 08:55:08 +0200 Subject: [PATCH 4/8] a an Co-Authored-By: martinthomson --- draft-ietf-quic-transport.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/draft-ietf-quic-transport.md b/draft-ietf-quic-transport.md index 970bbf8a98..db0eb059a9 100644 --- a/draft-ietf-quic-transport.md +++ b/draft-ietf-quic-transport.md 
@@ -2387,7 +2387,7 @@ the packet other than the last 16 bytes for carrying data. ### Detecting a Stateless Reset -An endpoint detects a potential stateless reset when a incoming packet with a +An endpoint detects a potential stateless reset when an incoming packet with a short header either cannot be associated with a connection, cannot be decrypted, or is marked as a duplicate packet. The endpoint MUST then compare the last 16 bytes of the packet with all Stateless Reset Tokens provided by its peer, either From 4367e0f6213cd877d9b165d7cfb057b9367438a8 Mon Sep 17 00:00:00 2001 From: Martin Thomson Date: Mon, 1 Apr 2019 08:58:10 +0200 Subject: [PATCH 5/8] Mention retired connection IDs too --- draft-ietf-quic-transport.md | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/draft-ietf-quic-transport.md b/draft-ietf-quic-transport.md index db0eb059a9..211d915f04 100644 --- a/draft-ietf-quic-transport.md +++ b/draft-ietf-quic-transport.md 
@@ -2390,10 +2390,11 @@ the packet other than the last 16 bytes for carrying data. An endpoint detects a potential stateless reset when an incoming packet with a short header either cannot be associated with a connection, cannot be decrypted, or is marked as a duplicate packet. The endpoint MUST then compare the last 16 -bytes of the packet with all Stateless Reset Tokens provided by its peer, either -in a NEW_CONNECTION_ID frame or the server's transport parameters. An endpoint -MUST NOT check for any Stateless Reset Tokens associated with connection IDs it -has not used. +bytes of the packet with all Stateless Reset Tokens that are associated with +connection IDs that are currently in use. This includes Stateless Reset Tokens +from NEW_CONNECTION_ID frames and the server's transport parameters. An +endpoint MUST NOT check for any Stateless Reset Tokens associated with +connection IDs it has not used or for connection IDs that have been retired. If the last 16 bytes of the packet values are identical to a Stateless Reset Token, the endpoint MUST enter the draining period and not send any further From 9b60422d7f1bcfe6e55b9bedf3610cd97a9d70c4 Mon Sep 17 00:00:00 2001 From: Martin Thomson Date: Wed, 10 Apr 2019 08:21:19 +1000 Subject: [PATCH 6/8] Review comments --- draft-ietf-quic-transport.md | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/draft-ietf-quic-transport.md b/draft-ietf-quic-transport.md index 211d915f04..76d61adbf6 100644 --- a/draft-ietf-quic-transport.md +++ b/draft-ietf-quic-transport.md 
@@ -2350,7 +2350,7 @@ stateless reset token being available to a peer. In this QUIC version, packets with a long header are only used during connection establishment. Because the stateless reset token is not available until connection establishment is complete or near completion, ignoring an unknown packet with a long header might -be more effective. +be more effective than sending a stateless reset. An endpoint cannot determine the Source Connection ID from a packet with a short header, therefore it cannot set the Destination Connection ID in the stateless 
@@ -2387,14 +2387,14 @@ the packet other than the last 16 bytes for carrying data. ### Detecting a Stateless Reset -An endpoint detects a potential stateless reset when an incoming packet with a -short header either cannot be associated with a connection, cannot be decrypted, -or is marked as a duplicate packet. The endpoint MUST then compare the last 16 -bytes of the packet with all Stateless Reset Tokens that are associated with -connection IDs that are currently in use. This includes Stateless Reset Tokens -from NEW_CONNECTION_ID frames and the server's transport parameters. An -endpoint MUST NOT check for any Stateless Reset Tokens associated with -connection IDs it has not used or for connection IDs that have been retired. +An endpoint detects a potential stateless reset when an incoming packet either +cannot be associated with a connection, cannot be decrypted, or is marked as a +duplicate packet. The endpoint MUST then compare the last 16 bytes of the +packet with all Stateless Reset Tokens that are associated with connection IDs +that are currently in use. This includes Stateless Reset Tokens from +NEW_CONNECTION_ID frames and the server's transport parameters. An endpoint +MUST NOT check for any Stateless Reset Tokens associated with connection IDs it +has not used or for connection IDs that have been retired. If the last 16 bytes of the packet values are identical to a Stateless Reset Token, the endpoint MUST enter the draining period and not send any further From 9d83262ed55aa5b2f62d8a6af05529b1f5b63541 Mon Sep 17 00:00:00 2001 From: Martin Thomson Date: Wed, 10 Apr 2019 08:32:35 +1000 Subject: [PATCH 7/8] Mandate the use of short header for stateless reset Closes #2599. --- draft-ietf-quic-transport.md | 18 +++++++++++------- 1 file changed, 11 insertions(+), 7 deletions(-) diff --git a/draft-ietf-quic-transport.md b/draft-ietf-quic-transport.md index 76d61adbf6..e8f46722cd 100644 --- a/draft-ietf-quic-transport.md +++ b/draft-ietf-quic-transport.md 
@@ -2343,14 +2343,18 @@ the packet it receives. Endpoints MUST discard packets that are too small to be valid QUIC packets. With the set of AEAD functions defined in {{QUIC-TLS}}, packets that are smaller than 21 bytes are never valid. +Endpoints MUST send stateless reset packets formatted as a packet with a short +header. However, endpoints MUST treat any packet ending in a valid stateless +reset token as a stateless reset, as other QUIC versions might allow the use of +a long header. + An endpoint MAY send a stateless reset in response to a packet with a long -header and MAY send a stateless reset that is formatted to appear as a packet -with a long header. Sending a stateless reset is not effective prior to the -stateless reset token being available to a peer. In this QUIC version, packets -with a long header are only used during connection establishment. Because the -stateless reset token is not available until connection establishment is -complete or near completion, ignoring an unknown packet with a long header might -be more effective than sending a stateless reset. +header. Sending a stateless reset is not effective prior to the stateless reset +token being available to a peer. In this QUIC version, packets with a long +header are only used during connection establishment. Because the stateless +reset token is not available until connection establishment is complete or near +completion, ignoring an unknown packet with a long header might be more +effective than sending a stateless reset. An endpoint cannot determine the Source Connection ID from a packet with a short header, therefore it cannot set the Destination Connection ID in the stateless From 8160b284fe668d00d0a2227a937a3e458752b8b2 Mon Sep 17 00:00:00 2001 From: ianswett Date: Thu, 11 Apr 2019 11:11:22 +1000 Subject: [PATCH 8/8] as effective, not necessarily more Co-Authored-By: martinthomson --- draft-ietf-quic-transport.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/draft-ietf-quic-transport.md b/draft-ietf-quic-transport.md index e8f46722cd..608f8f5689 100644 --- a/draft-ietf-quic-transport.md +++ b/draft-ietf-quic-transport.md @@ -2353,7 +2353,7 @@ header. Sending a stateless reset is not effective prior to the stateless reset token being available to a peer. In this QUIC version, packets with a long header are only used during connection establishment. Because the stateless reset token is not available until connection establishment is complete or near -completion, ignoring an unknown packet with a long header might be more +completion, ignoring an unknown packet with a long header might be as effective than sending a stateless reset. An endpoint cannot determine the Source Connection ID from a packet with a short
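Review bot: the new permission in the hunk of PATCH 1/8, "MAY send a stateless reset that is formatted to appear as a packet with a long header", conflicts with the detection rule the series leaves in place through PATCH 5/8 ("when a incoming packet with a short header either cannot be associated with a connection ..."): a receiver following that rule never runs the token comparison on a long-header packet, so a reset sent under this option cannot be detected. Either restrict senders to the short header or drop "with a short header" from the detection rule; PATCH 6/8 and PATCH 7/8 end up doing both, so squashing those three into one change would keep the inconsistent intermediate state out of the history.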
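Review bot: the unchanged context line "a stateless reset will be appear to be a packet with a short header" in the first hunk of PATCH 2/8 has a stray "be"; since this hunk already edits the surrounding paragraph, fix it here as "will appear to be a packet with a short header".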
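Review bot: the second hunk of PATCH 2/8 adds "An endpoint MUST NOT check for any Stateless Reset Tokens associated with connection IDs it has not used" without saying what "used" means; implementers need to know whether a connection ID the peer supplied but that the endpoint has not yet placed in a Destination Connection ID field counts, so one sentence of rationale and a definition of "used" would make the MUST NOT testable. Two smaller points in the same hunk: "If the last 16 bytes of the packet values are identical" reads oddly ("If the last 16 bytes of the packet are identical to a Stateless Reset Token" is enough), and "a incoming packet" should be "an incoming packet" (PATCH 4/8 fixes the latter).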
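Review bot: in PATCH 3/8, "the combination of connection ID and static key MUST NOT be used for another connection" states the requirement as a property of a value pair rather than of the party that has to enforce it; "An endpoint MUST NOT use a connection ID with a given static key for more than one connection" names who the MUST NOT binds. The second change in the hunk ("MUST NOT be reused for new connections at nodes that share a static key") already has that shape and can stay as written.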
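Review bot: the hunk in PATCH 5/8 defines the token set twice in one paragraph, once positively ("connection IDs that are currently in use") and once negatively ("connection IDs it has not used or for connection IDs that have been retired"). The two agree only if "in use" means "used and not yet retired"; say that once, for example "Stateless Reset Tokens associated with connection IDs the endpoint has used and not retired", and drop the other formulation so the set an implementation has to search is defined in a single place.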
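Review bot: the second hunk of PATCH 6/8 removes "with a short header", so the comparison now runs on every incoming packet that "cannot be associated with a connection", including undecryptable long-header packets. When no connection has been identified there is no single "peer", yet the paragraph still says "Stateless Reset Tokens from NEW_CONNECTION_ID frames and the server's transport parameters" as if one peer were known; the hunk should make explicit that the set is all tokens associated with connection IDs in use across all of the endpoint's connections, and note that this comparison happens on unauthenticated input before any connection state is consulted, so it should stay a bounded, cheap check.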
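Review bot: in the hunk of PATCH 7/8, "endpoints MUST treat any packet ending in a valid stateless reset token as a stateless reset" is broader than the detection rule, which compares tokens only for packets that cannot be associated with a connection, cannot be decrypted, or are duplicates; read literally, a packet that decrypts correctly but whose last 16 bytes happen to match a token would also have to be treated as a reset. Suggest "MUST treat any packet that is detected as a stateless reset as described in the Detecting a Stateless Reset section, regardless of header form" so the two places do not state the condition differently.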
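Review bot: the hunk in PATCH 8/8 leaves "might be as effective than sending a stateless reset", which is ungrammatical; the comparison needs "as effective as sending a stateless reset", which is also what the commit title ("as effective, not necessarily more") describes.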