Add initial threat model to security considerations

draft-ietf-quic-transport.md

@@ -5568,6 +5568,184 @@ SHOULD NOT be used by themselves to make routing decisions.  Ideally, routing
 decisions are made independently of client-selected values; a Source Connection
 ID can be selected to route later packets to the same server.
 
+## Overview of Security Properties {#security-properties}
+
+A complete security analysis of QUIC is outside the scope of this document.
+This appendix provides an informal description of the desired security
+properties as an aid to implementors and to help guide protocol analysis.
+
+Properties of the handshake, general transport, and migration separately.
+
+### Handshake {#handshake-properties}
+
+TBD.
+
+### Short Headers {#short-headers-properties}
+
+TBD.
+
+### Connection Migration {#migration-properties}
+
+Connection Migration ({{migration}}) provides endpoints with the ability to
+transition between IP addresses and ports on multiple paths, using one path at a
+time for sending non-probing frames.  Path validation helps to establish that a
+peer is both willing and able to receive packets sent on a particular path.
+This helps reduce the effects of address spoofing, by limiting the number of
+packets sent to a spoofed address, unless an attacker is able to also receive
+packets sent to that address.
+
+This section describes the intended security properties of connection migration
+when under attack by the following attackers.  These attackers all mount active
+attacks, requiring injection of packets into the network, as described in
+{{?RFC3552}}.
+
+#### On-Path Attacker
+
+An on-path attacker is present between the QUIC client and server, and an
+endpoint is required to send packets through this attacker to establish
+connectivity on a given path.
+
+An on-path attacker can:
+
+- Inspect packets
+- Modify IP and UDP packet headers
+- Inject new packets
+- Delay packets
+- Drop packets
+- Split and merge datagrams along packet boundaries
+
+An on-path attacker cannot:
+
+- Modify authenticated portions of a packet
+
+An on-path attacker has the opportunity to modify the packets that it observes,
+however any modifications to an authenticated portion of a packet will cause it
+to be dropped by the receiving endpoint as invalid. QUIC payloads are both
+authenticated and encrypted.
+
+In the presence of an on-path attacker, QUIC aims to provide the following
+properties.
+
+1. An on-path attacker can prevent use of a path for a QUIC connection, causing
+it to fail if it cannot migrate to a new path that does not contain the
+attacker.  This can be achieved by dropping all packets, modifying them so that
+they fail to decrypt, or other methods.
+
+2. An on-path attacker can prevent migration to a new path for which the
+attacker is also on-path by causing path validation to fail on the new path.
+
+3. An on-path attacker cannot prevent a client from migrating to a path for
+which the attacker is not on-path.
+
+4. An on-path attacker can reduce the throughput of a connection by delaying
+packets or dropping them.
+
+5. An on-path attacker cannot cause an endpoint to accept a packet for which it
+has modified an authenticated portion of that packet.
+
+
+#### Off-Path Attacker
+
+An off-path attacker is not directly on the path between the QUIC client and
+server, but may be able to obtain copies of some or all packets sent between the
+client and the server.  It is also able to send copies of those packets to
+either endpoint.
+
+An off-path attacker can:
+
+- Inspect packets
+- Inject new packets
+
+An off-path attacker cannot:
+
+- Modify any part of a packet
+- Delay packets
+- Drop packets
+
+An off-path attacker can, however, modify packets that it has observed and
+inject them back into the network, potentially with spoofed source and
+destination addresses.
+
+For the purposes of this discussion, it is assumed that an off-path attacker has
+the ability to observe, modify, and re-inject a packet into the network that
+will reach the destination endpoint prior to the arrival of the original packet
+observed by the attacker.  In other words, an attacker has the ability to
+consistently "win" a race with the legitimate packets between the endpoints,
+potentially causing the original packet to be ignored by the recipient.
+
+It is also assumed that an attacker has the resources necessary to affect NAT
+state, potentially both causing an endpoint to lose its NAT binding, and an
+attacker to obtain the same port for use with its traffic.
+
+In the presence of an off-path attacker, QUIC aims to provide the following
+properties.
+
+1. An off-path attacker can race packets and attempt to become a "limited"
+on-path attacker.
+
+2. An off-path attacker can cause path validation to succeed for forwarded
+packets with the source address listed as the off-path attacker as long as it
+can provide improved connectivity between the client and the server.
+
+3. An off-path attacker cannot cause a connection to close.
+
+4. An off-path attacker cannot cause migration to a new path to fail if it
+cannot observe the new path.
+
+5. An off-path attacker can become a limited on-path attacker during migration
+to a new path for which it is also an off-path attacker.
+
+6. An off-path attacker can become a limited on-path attacker by affecting
+shared NAT state such that it sends packets to the server from the same IP
+address and port that the client originally used.
+
+
+#### Limited On-Path Attacker
+
+A limited on-path attacker is an off-path attacker that has offered improved
+routing of packets by duplicating and forwarding original packets between the
+server and the client, causing those packets to arrive before the original
+copies such that the original packets are dropped by the destination endpoint.
+
+A limited on-path attacker differs from an on-path attacker in that it is not on
+the original path between endpoints, and therefore the original packets sent by
+an endpoint are still reaching their destination.  This means that a future
+failure to route copied packets to the destination faster than their original
+path will not prevent the original packets from reaching the destination.
+
+A limited on-path attacker can:
+
+- Inspect packets
+- Inject new packets
+- Modify unencrypted packet headers
+
+A limited on-path attacker cannot:
+
+- Delay packets beyond the original packet duration
+- Drop packets
+- Modify encrypted packet payloads
+
+A limited on-path attacker can only delay packets up to the point that the
+original packets arrive before the duplicate packets, meaning that it cannot
+offer worse routing than the original path, only improved routing.  If a limited
+on-path attacker drops packets, the original copy will still arrive at the
+destination endpoint.
+
+In the presence of a limited on-path attacker, QUIC aims to provide the
+following properties.
+
+1. A limited on-path attacker cannot cause an active connection to close.
+
+2. A limited on-path attacker cannot cause an idle connection to close if the
+client is first to resume activity.
+
+3. A limited on-path attacker can cause an idle connection to be deemed lost if
+the server is the first to resume activity.
+
+Note that these guarantees are the same guarantees provided for any NAT, for the
+same reasons.
+
+
 # IANA Considerations
 
 ## QUIC Transport Parameter Registry {#iana-transport-parameters}
@@ -5753,172 +5931,6 @@ DecodePacketNumber(largest_pn, truncated_pn, pn_nbits):
    return candidate_pn
 ~~~
 
-# Overview of Security Properties {#security-properties}
-
-A complete security analysis of QUIC is outside the scope of this document.  In
-this appendix, we provide an informal description of the desired security
-properties as an aid to implementors and to help guide protocol analysis.
-
-We cover properties of the handshake, general transport, and migration
-separately.
-
-## Handshake {#handshake-properties}
-
-TBD.
-
-## Short Headers {#short-headers-properties}
-
-TBD.
-
-## Connection Migration {#migration-properties}
-
-Connection Migration ({{migration}}) provides endpoints with the ability to
-transition between IP addresses and ports on multiple paths, using one path at a
-time for sending non-probing frames.  Path validation helps to establish
-bidirectional connectivity with the peer over a new path and prevents source
-address spoofing from being used in a denial-of-service attack.  Migration is
-further restricted to be initiated only by QUIC clients.
-
-This section describes the intended security properties of connection migration
-when under attack by the following attackers.  These attackers all mount active
-attacks, requiring injection of packets into the network, as described in
-{{?RFC3552}}.
-
-### On-Path Attacker
-
-An on-path attacker is present between the QUIC client and server, and an
-endpoint is required to send packets through this attacker to establish
-connectivity on a given path.
-
-An on-path attacker can:
-
-- Inspect packets
-- Modify unencrypted packet headers
-- Inject new packets
-- Delay packets
-- Drop packets
-
-An on-path attacker cannot:
-
-- Modify encrypted packet payloads
-
-In the presence of an on-path attacker, QUIC aims to provide the following
-properties.
-
-1. An on-path attacker can interrupt a QUIC connection, causing it to fail if it
-cannot migrate to a new path that does not contain the attacker.  This can be
-achieved by dropping all packets, modifying them so that they fail to decrypt,
-or other methods.
-
-2. An on-path attacker can prevent migration to a new path for which the
-attacker is also on-path by causing path validation to fail on the new path.
-
-3. An on-path attacker cannot prevent a client from migrating to a path for
-which the attacker is not on-path.
-
-4. An on-path attacker can reduce the throughput of a connection by delaying
-packets or dropping them.
-
-
-### Off-Path Attacker
-
-An off-path attacker is not directly on the path between the QUIC client and
-server, but is able to obtain copies of all packets sent between the client and
-the server.  It is also able to send copies of those packets to either endpoint.
-
-An off-path attacker can:
-
-- Inspect packets
-- Inject new packets
-
-An off-path attacker cannot:
-
-- Modify any part of a packet
-- Delay packets
-- Drop packets
-
-An off-path attacker can, however, modify packets that it has observed and
-inject them back into the network, potentially with spoofed source and
-destination addresses.
-
-For the purposes of this discussion, we assume that an off-path attacker has the
-ability to observe, modify, and re-inject a packet into the network that will
-reach the destination endpoint prior to the arrival of the original packet
-observed by the attacker.  In other words, the attacker has the ability to
-consistently "win" a race with the legitimate packets between the endpoints,
-potentially causing the original packet to be ignored by the recipient.
-
-We also assume that the attacker has the resources necessary to affect NAT
-state, potentially both causing an endpoint to lose its NAT binding, and an
-attacker to obtain the same port for use with its traffic.
-
-In the presence of an off-path attacker, QUIC aims to provide the following
-properties.
-
-1. An off-path attacker can race packets and attempt to become a "limited"
-on-path attacker.
-
-2. An off-path attacker can cause path validation to succeed for forwarded
-packets with the source address listed as the off-path attacker as long as it
-can provide improved connectivity between the client and the server.
-
-3. An off-path attacker cannot cause a connection to close.
-
-4. An off-path attacker cannot cause migration to a new path to fail if it
-cannot observe the new path.
-
-5. An off-path attacker can become a limited on-path attacker during migration
-to a new path for which it is also an off-path attacker.
-
-6. An off-path attacker can become a limited on-path attacker by affecting
-shared NAT state such that it sends packets to the server from the same IP
-address and port that the client originally used.
-
-
-### Limited On-Path Attacker
-
-A limited on-path attacker is an off-path attacker that has offered improved
-routing of packets by duplicating and forwarding original packets between the
-server and the client, causing those packets to arrive before the original
-copies such that the original packets are dropped by the destination endpoint.
-
-A limited on-path attacker differs from an on-path attacker in that it is not on
-the original path between endpoints, and therefore the original packets sent by
-an endpoint are still reaching their destination.  This means that a future
-failure to route copied packets to the destination faster than their original
-path will not prevent the original packets from reaching the destination.
-
-A limited on-path attacker can:
-
-- Inspect packets
-- Inject new packets
-- Modify unencrypted packet headers
-
-A limited on-path attacker cannot:
-
-- Delay packets beyond the original packet duration
-- Drop packets
-- Modify encrypted packet payloads
-
-A limited on-path attacker can only delay packets up to the point that the
-original packets arrive before the duplicate packets, meaning that it cannot
-offer worse routing than the original path, only improved routing.  If a limited
-on-path attacker drops packets, the original copy will still arrive at the
-destination endpoint.
-
-In the presence of a limited on-path attacker, QUIC aims to provide the
-following properties.
-
-1. A limited on-path attacker cannot cause an active connection to close.
-
-2. A limited on-path attacker cannot cause an idle connection to close if the
-client is first to resume activity.
-
-3. A limited on-path attacker can cause an idle connection to be deemed lost if
-the server is the first to resume activity.
-
-Note that these guarantees are the same guarantees provided for any NAT, for the
-same reasons.
 
 # Change Log