From 8b1d53f27a638bbc9f5a5b4bc0dac53616aea171 Mon Sep 17 00:00:00 2001 From: Martin Thomson Date: Wed, 8 Jul 2020 16:44:32 +1000 Subject: [PATCH 1/5] More about authenticating Version Negotiation This clarifies that it is a mechanism in the target QUIC version that authenticates the information. This also lifts the strong requirement on authenticating the contents of Version Negotiation. QUIC version 1 does not do this and so does not comply with this requirement. The intent was always that only information that is used needs to be authenticated in this way. (This is a tiny bit of evasion as Version Negotiation is used in QUIC version 1 as a signal that a version is not supported, which results in clients abandoning connections.) Closes #3828. --- draft-ietf-quic-invariants.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/draft-ietf-quic-invariants.md b/draft-ietf-quic-invariants.md index 39f99d7ff2..294288a60d 100644 --- a/draft-ietf-quic-invariants.md +++ b/draft-ietf-quic-invariants.md @@ -298,8 +298,8 @@ contains no other fields. An endpoint MUST ignore a packet that contains no Supported Version fields, or a truncated Supported Version. Version Negotiation packets do not use integrity or confidentiality protection. -Specific QUIC versions define mechanisms to authenticate the packet as part of -the connection establishment process. +Specific QUIC versions might include protocol elements that allow endpoints to +detect when the set of supported versions is modified or corrupted. An endpoint MUST include the value from the Source Connection ID field of the packet it receives in the Destination Connection ID field. The value for Source 
@@ -334,8 +334,8 @@ requires that middleboxes retain state for every connection ID they see. The Version Negotiation packet described in this document is not integrity-protected; it only has modest protection against insertion by off-path -attackers. QUIC versions MUST define a mechanism that authenticates the values -it contains. +attackers. QUIC versions that use Version Negotiation packets MUST define a +mechanism that authenticates the values it contains. # IANA Considerations From 0f0c2ccc3d606e62bac1fa77e71709d9416330b8 Mon Sep 17 00:00:00 2001 From: Martin Thomson Date: Wed, 8 Jul 2020 16:50:05 +1000 Subject: [PATCH 2/5] Reword --- draft-ietf-quic-invariants.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/draft-ietf-quic-invariants.md b/draft-ietf-quic-invariants.md index 294288a60d..4a583409b5 100644 --- a/draft-ietf-quic-invariants.md +++ b/draft-ietf-quic-invariants.md @@ -334,8 +334,8 @@ requires that middleboxes retain state for every connection ID they see. The Version Negotiation packet described in this document is not integrity-protected; it only has modest protection against insertion by off-path -attackers. QUIC versions that use Version Negotiation packets MUST define a -mechanism that authenticates the values it contains. +attackers. A QUIC version that uses a Version Negotiation packet MUST define a +mechanism to verify authenticate the values the packet contains. # IANA Considerations From 4ac2b341f40beb5a0a939fcf19b85a3184b89de4 Mon Sep 17 00:00:00 2001 From: Martin Thomson Date: Wed, 15 Jul 2020 08:08:16 +1000 Subject: [PATCH 3/5] authenticate but verify --- draft-ietf-quic-invariants.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/draft-ietf-quic-invariants.md b/draft-ietf-quic-invariants.md index 4a583409b5..b9f493bcb8 100644 --- a/draft-ietf-quic-invariants.md +++ b/draft-ietf-quic-invariants.md 
@@ -335,7 +335,7 @@ requires that middleboxes retain state for every connection ID they see. The Version Negotiation packet described in this document is not integrity-protected; it only has modest protection against insertion by off-path attackers. A QUIC version that uses a Version Negotiation packet MUST define a -mechanism to verify authenticate the values the packet contains. +mechanism to authenticate the values the packet contains. # IANA Considerations From 38a50a59c03b62bf602ce03153dbe8e56bb1fe67 Mon Sep 17 00:00:00 2001 From: Martin Thomson Date: Wed, 15 Jul 2020 08:15:20 +1000 Subject: [PATCH 4/5] Only authenticate if you change --- draft-ietf-quic-invariants.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/draft-ietf-quic-invariants.md b/draft-ietf-quic-invariants.md index b9f493bcb8..66d32b14c5 100644 --- a/draft-ietf-quic-invariants.md +++ b/draft-ietf-quic-invariants.md @@ -334,8 +334,8 @@ requires that middleboxes retain state for every connection ID they see. The Version Negotiation packet described in this document is not integrity-protected; it only has modest protection against insertion by off-path -attackers. A QUIC version that uses a Version Negotiation packet MUST define a -mechanism to authenticate the values the packet contains. +attackers. An endpoint MUST authenticate the contents of a Version Negotiation +packet if it attempts a different QUIC version as a result. # IANA Considerations From 51c526569736209bef98caf749e02e7e302b38c5 Mon Sep 17 00:00:00 2001 From: Martin Thomson Date: Wed, 15 Jul 2020 08:16:49 +1000 Subject: [PATCH 5/5] modification/corruption reword Co-authored-by: Jana Iyengar --- draft-ietf-quic-invariants.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/draft-ietf-quic-invariants.md b/draft-ietf-quic-invariants.md index 66d32b14c5..ed6b7582de 100644 --- a/draft-ietf-quic-invariants.md +++ b/draft-ietf-quic-invariants.md 
@@ -299,7 +299,7 @@ Supported Version fields, or a truncated Supported Version. Version Negotiation packets do not use integrity or confidentiality protection. Specific QUIC versions might include protocol elements that allow endpoints to -detect when the set of supported versions is modified or corrupted. +detect modification or corruption in the set of supported versions. An endpoint MUST include the value from the Source Connection ID field of the packet it receives in the Destination Connection ID field. The value for Source
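Review bot: In PATCH 1/5, hunk @@ -298,8, the added sentence downgrades the requirement to "might include protocol elements", while the same patch's hunk @@ -334,8 keeps a "MUST define a mechanism that authenticates" requirement in Security Considerations; the two sections now disagree on whether authentication is required. The commit message says the intent is that the mechanism lives in the target QUIC version (the version the client switches to), so stating that here, e.g. "the QUIC version that is subsequently used might include protocol elements that allow endpoints to detect ...", would make the weakened wording consistent with the later section and with the stated intent.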
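Review bot: In PATCH 1/5, hunk @@ -334,8, "the values it contains" has no clear antecedent: the subjects in the sentence are "QUIC versions" and "Version Negotiation packets", both plural. Using the singular throughout ("A QUIC version that uses a Version Negotiation packet MUST define a mechanism that authenticates the values the packet contains") removes the ambiguity.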
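Review bot: In PATCH 2/5, hunk @@ -334,8, the added line reads "mechanism to verify authenticate the values the packet contains"; one of "verify" or "authenticate" is a leftover from the rewording and should be dropped.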
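Review bot: In PATCH 4/5, hunk @@ -334,8, the condition "if it attempts a different QUIC version as a result" means an endpoint that merely abandons the connection on receiving the packet authenticates nothing; the PATCH 1/5 commit message acknowledges that QUIC version 1 reacts this way, so a forged or corrupted Version Negotiation packet can still cause a connection to be abandoned without detection. Since the preceding sentence in this section only claims "modest protection against insertion by off-path attackers", consider adding one sentence noting that residual risk, and spelling out "as a result of receiving the packet". The hunk also changes the subject of the requirement from the QUIC version ("A QUIC version ... MUST define") to the endpoint ("An endpoint MUST authenticate"); if the invariants are meant to constrain version designs rather than implementations, the earlier form may be the better one to keep.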