New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Apply the 3x amplification-limit to migration too #4264
Merged
Merged
Changes from 1 commit
Commits
Show all changes
21 commits
Select commit
Hold shift + click to select a range
51423d0
Add a blanket 3x anti-amplification limit
martinthomson 3bf6b2f
Some stuff I missed
martinthomson 97ba8a6
MUST be consistent
martinthomson 59f5a3a
Small corrections
martinthomson 2df832a
Reword the second validation requirement slightly
martinthomson 549564f
Make it clearer
martinthomson 8c0c1f9
Wrap stuff
martinthomson fb033df
Jana's comments
martinthomson fb253e9
Merge branch 'master' into migration-amplification
martinthomson 66b7c2a
Merge branch 'master' into migration-amplification
martinthomson 593d552
Reword and use addresses, not paths
martinthomson 4769dbe
Add an error code for when the path fails
martinthomson 3527972
moar
martinthomson 2ffb2ab
Fewer words = good
martinthomson bbc0711
Merge pull request #4331 from quicwg/no-viable-path
martinthomson 54f48ce
use parentheses for adjunct citations
martinthomson fae20ab
A section reference is all we really need here.
martinthomson 3e5b0fd
Merge branch 'master' into migration-amplification
martinthomson 8324d82
No-enforcement clause for path validation datagram size
martinthomson c549aee
gramma
martinthomson 07989a2
Suggestion
martinthomson File filter
Filter by extension
Conversations
Failed to load comments.
Jump to
Jump to file
Failed to load files.
Diff view
Diff view
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I know it is late in the process, but I would much prefer the paragraph to say that "An endpoint SHOULD expand datagrams that contain a PATH_CHALLENGE frame..." The reason is that if we say MUST, picky implementations will account the number of bytes sent and discard un-padded path challenges if they sent 400 bytes of data or more. Such measurements are very hard to get right, so we will end up with interoperability issues.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is specifically an issue for server responses to NAT traversal. A man on the side could trigger a number "fake" NAT traversal, and it makes sense for servers to avoid sending large packets in response to that.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
In practice, these fake NAT traversals don't seem so concerning because most ports on a NAT are going to be unused and dropped by the NAT itself. And I believe most Large(ie: Carrier Grade) NATs are symmetric, so even if the port was open, the traffic would be dropped.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The problem happens when the attacker is not behind a NAT, say is using IPv6. Suppose the attacker is an evil client, intent on targeting IPv6 address X, or maybe IPv6 prefix X/64. It can set up a connection, then manufacture a series of short packets with faked source addresses and ports -- packets less than 100 bytes including the IP header, each triggering a 1200 byte response. The evil client can set up an arbitrary number of good connections to do that, effectively getting a factor 12 amplification for a large stream of data.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I agree that if the IP changes, assuming it is a NAT migration is a bit dangerous, so I only had port in mind.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@martinthomson the padding enforcement rule says "an endpoint MUST NOT close a connection when it receives a datagram that does not meet size constraints; the endpoint MAY however discard such datagrams." The latter behavior, discarding the datagram, is exactly what leads to interop failure when the server does not pad because of amplification concerns, and the client drops because it interprets the clause as "MUST pad".
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Happy to add text specific to this instance that prohibits enforcement.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I've added some text that prohibits dropping. I will note that at the point that you detect this violation, you have likely already started to process the packet, so enforcement of the requirement is a little dangerous.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
IMO the added text prohibiting dropping resolves this problem
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The added text solves my issue.