From 3feae87038a9c22e87e51ffc76ef3b1780569664 Mon Sep 17 00:00:00 2001 From: Martin Thomson Date: Thu, 4 May 2017 14:03:23 +1000 Subject: [PATCH 1/3] Version validation fields can't move or change Closes #121. --- draft-ietf-quic-transport.md | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/draft-ietf-quic-transport.md b/draft-ietf-quic-transport.md index 22476f46aa..ca7a7b01e3 100644 --- a/draft-ietf-quic-transport.md +++ b/draft-ietf-quic-transport.md @@ -1232,6 +1232,13 @@ client MUST terminate with a VERSION_NEGOTIATION_ERROR error code if version negotiation occurred but it would have selected a different version based on the value of the supported_versions list. +The position and size of the version validation fields in the transport +parameters MUST NOT change between different versions of QUIC. If a version of +QUIC needs to define a new format for transport parameters, it MUST define and +use a new TLS extension rather than redefine the layout of the existing +extension. Confusion about the format of transport pararameters, especially the +version negotiation fields, could lead to version downgrade attacks. + ## Stateless Retries {#stateless-retry} From c48030d34993cda46314e5daaaeaa2896b16432b Mon Sep 17 00:00:00 2001 From: Martin Thomson Date: Mon, 31 Jul 2017 16:56:54 +1000 Subject: [PATCH 2/3] Better reasons for maintaining consistent version negotiation fields in transport parameters Thanks to @vasilvv for the text, which I only tweaked slightly. --- draft-ietf-quic-transport.md | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/draft-ietf-quic-transport.md b/draft-ietf-quic-transport.md index ca7a7b01e3..dc734d9f01 100644 --- a/draft-ietf-quic-transport.md +++ b/draft-ietf-quic-transport.md 
@@ -1232,12 +1232,14 @@ client MUST terminate with a VERSION_NEGOTIATION_ERROR error code if version negotiation occurred but it would have selected a different version based on the value of the supported_versions list. -The position and size of the version validation fields in the transport -parameters MUST NOT change between different versions of QUIC. If a version of -QUIC needs to define a new format for transport parameters, it MUST define and -use a new TLS extension rather than redefine the layout of the existing -extension. Confusion about the format of transport pararameters, especially the -version negotiation fields, could lead to version downgrade attacks. +When an endpoint accepts multiple QUIC versions, it can potentially interpret +transport parameters as they are defined by any of the QUIC versions it +supports. Since the QUIC protocol relies on transport parameters for +authenticating the version, the position and the format of the version fields in +transport parameters MUST be consistent across all QUIC versions supported by +the client. If a version of QUIC needs to define a new format for transport +parameters, it MUST define and use a new TLS extension for transport parameters +rather than redefining the layout of the existing extension. ## Stateless Retries {#stateless-retry} From 7b05603055fbe32047714a8b92cf0839761c6afc Mon Sep 17 00:00:00 2001 From: Martin Thomson Date: Thu, 3 Aug 2017 12:29:45 +1000 Subject: [PATCH 3/3] Attempt to address feedback --- draft-ietf-quic-transport.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/draft-ietf-quic-transport.md b/draft-ietf-quic-transport.md index dc734d9f01..98c0185674 100644 --- a/draft-ietf-quic-transport.md +++ b/draft-ietf-quic-transport.md 
@@ -1234,12 +1234,12 @@ based on the value of the supported_versions list. When an endpoint accepts multiple QUIC versions, it can potentially interpret transport parameters as they are defined by any of the QUIC versions it -supports. Since the QUIC protocol relies on transport parameters for -authenticating the version, the position and the format of the version fields in -transport parameters MUST be consistent across all QUIC versions supported by -the client. If a version of QUIC needs to define a new format for transport -parameters, it MUST define and use a new TLS extension for transport parameters -rather than redefining the layout of the existing extension. +supports. The version field in the QUIC packet header are only authenticated +using the transport parameters. The position and the format of the version +fields in transport parameters MUST either be identical across different QUIC +versions, or be unambiguously different in a way that ensures that there is no +possibility for confusion about their interpretation. One way that a new format +could be introduced is to define a TLS extension with a different codepoint. ## Stateless Retries {#stateless-retry}
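Review bot: In the PATCH 1/3 hunk, the added paragraph misspells "transport pararameters" (should be "transport parameters") and switches terminology mid-paragraph from "version validation fields" to "version negotiation fields"; pick one name for the fields so the requirement is unambiguous. The later patches in this series rewrite the paragraph and remove the typo, so this only matters if the commits are not squashed.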
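Review bot: In the PATCH 2/3 hunk, the requirement is scoped to "all QUIC versions supported by the client", but the rationale in the same paragraph (an endpoint accepting multiple versions may interpret the parameters under any version it supports) applies equally to the server, which also parses the transport parameters. Suggest "supported by either endpoint" or simply "across all QUIC versions", so the server side is not left uncovered.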
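Review bot: In the PATCH 3/3 hunk, "The version field in the QUIC packet header are only authenticated" has a subject/verb mismatch; make it "The version fields ... are" or "The version field ... is". More substantively, the new MUST has a second branch ("unambiguously different in a way that ensures that there is no possibility for confusion") that is not testable by an implementer, while the concrete mechanism (a different TLS extension codepoint) is demoted to "one way"; consider making the distinct codepoint the normative requirement and keeping the explicit "version downgrade" rationale that PATCH 1/3 stated and this text drops.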