-
Notifications
You must be signed in to change notification settings - Fork 1
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Amplification and 0-RTT #40
base: main
Are you sure you want to change the base?
Conversation
This includes the changes from core-wg#39 (comment) Closes: core-wg#39
We had an action item in today's interim to inform the RRC authors of what we're doing, but thanks, you already took care of that yourselves :-) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks! I've left a few editorial comments and a request for a couple of clarifications in the anti-reply section.
Established security contexts and established return addresses can become obsolete. | ||
For example, this happens when a DTLS session is resumed via CIDs, when the client's IP address changes, or when the replay window of an OSCORE context is lost and recovered through the mechanism of [Appendix B.1.2 of RFC8613]. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Fix ref typo.
Also, the TLS purist might turn his nose up at the use of resume - session resumption completely separate from CID.
Also, I suggest splitting the two conditions and pairing them with their respective examples.
Established security contexts and established return addresses can become obsolete. | |
For example, this happens when a DTLS session is resumed via CIDs, when the client's IP address changes, or when the replay window of an OSCORE context is lost and recovered through the mechanism of [Appendix B.1.2 of RFC8613]. | |
Established security contexts can become obsolete. | |
For example, when the replay window of an OSCORE context is lost and recovered through the mechanism described in {{Appendix B.1.2 of RFC8613}}. | |
Established return addresses can become obsolete. | |
For example, this happens when the use of Connection ID (CID) {{RFC9146}} allows the DTLS session to survive the client's IP address change. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes, the term "resumed" is in my opinion misleading. Maybe "continued" is better?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
To be frank I have little knowledge of either session resumptions and CID. My guess is that both can lead to 0RTT situations. If so, is there a general term covering both?
In those situations, a server still needs to maintain its security and and amplification mitigation properties, | ||
which are generally independent topics but can be addressed using the same tools. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
remove duplicate "and"
s/topic/concern/
In those situations, a server still needs to maintain its security and and amplification mitigation properties, | |
which are generally independent topics but can be addressed using the same tools. | |
In those situations, a server still needs to maintain its security and amplification mitigation properties, | |
which are generally independent concerns but can be addressed using the same tools. |
Tools specific to a security mechanism such as RRC ({{?I-D.ietf-tls-dtls-rrc}} may be used instead, | ||
but their use may depend on successful negotiation. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Fix missing parenthesis.
Also s/mechanism/protocol/
Also, split long sentence in two.
Tools specific to a security mechanism such as RRC ({{?I-D.ietf-tls-dtls-rrc}} may be used instead, | |
but their use may depend on successful negotiation. | |
Tools specific to a security protocol, such as RRC ({{?I-D.ietf-tls-dtls-rrc}}) in case of DTLS, may be used. However, their use may depend on successful negotiation. |
This situation can happen at any time in OSCORE, | ||
or in DTLS after a CID based resumption. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This situation can happen at any time in OSCORE, | |
or in DTLS after a CID based resumption. | |
This situation can happen at any time, especially after a prolonged period of quiescence, regardless of the security protocol. |
Verifying the client's address is not only relevant for amplification attacks | ||
(which addresses attacks described in {{?I-D.irtf-t2trg-amplification-attacks}}) | ||
but also for traffic misdirection. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Verifying the client's address is not only relevant for amplification attacks | |
(which addresses attacks described in {{?I-D.irtf-t2trg-amplification-attacks}}) | |
but also for traffic misdirection. | |
Verifying the client's address is not only crucial for mitigating amplification attacks ({{?I-D.irtf-t2trg-amplification-attacks}}), but also to avoid traffic misdirection. |
Metadata that can reveal data are the size of the response | ||
(which, in a replay situation, can give an active attacker additional data) | ||
as well as any processing delays. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I am struggling with the semantics of this paragraph.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I guess, that means, a server "can answer", if there no other security issues, e.g. the size of the response or the time to process the request, which may be considered to be used as "metadata" for an attack.
such as queries to /.well-known/core, | ||
can often be responded to safely on the CoAP layer even without any replay protection. | ||
|
||
This situation can happen in OSCORE after a partial loss of context. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It's unclear what "This situation" refers to.
It can currently not happen in DTLS because 0-RTT Data is not allowed for CoAP (cf. {{Section 14 of ?I-D.ietf-uta-tls13-iot-profile-09}}) | ||
at the time of writing | ||
(but that may change with a future document). |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It can currently not happen in DTLS because 0-RTT Data is not allowed for CoAP (cf. {{Section 14 of ?I-D.ietf-uta-tls13-iot-profile-09}}) | |
at the time of writing | |
(but that may change with a future document). | |
Currently, this cannot happen in DTLS because 0-RTT Data is not allowed for CoAP (cf. {{Section 14 of ?I-D.ietf-uta-tls13-iot-profile-09}}). However, that may change if a future document defines a profile for using early data with CoAP. |
at the time of writing | ||
(but that may change with a future document). | ||
|
||
Implementors of OSCORE beware answering potential replays is only safe from the CoAP application's point of view. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
grammar
Implementors of OSCORE beware answering potential replays is only safe from the CoAP application's point of view. | |
Implementers of OSCORE should be aware that answering potential replays is only safe from the CoAP application's point of view. |
As always, unless the sender sequence number of the request has just been removed from a correctly initialized replay window, | ||
the response can not reuse the request's nonce, but needs to take an own sequence number from the server's space. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
- "As always" can be removed.
- "sender sequence number of the request" => "request sequence number"
- Why is it important to qualify the anti-reply window as "correctly initialized"?
- "an own sequence number" => "its sequence number"
- spurious comma "nonce, but"
This adds text I suggested in #39 to close it.
Compared to the text discussed there, it also takes up the TBD item of covering the advanced return routability strategies (mainly by saying "apply what you can or just use RRC"). Unlike envisioned there I did not say that that doesn't work on OSCORE, because as long as it's all about flipping NATs and attacks sending the response through the old address will work, but I don't want to waste time on IPv4 stuff, and it kind of feels off to counter an attack by doing layering violations (sending the OSCORE response to the old address is one, as it affects the underlying CoAP layer). If there is a need to ensure that there are no proxies on an OSCORE hop (or that all are known), I'd rather discuss how to do that once-and-for-all than by probing around at address change time.
Slightly differently from the interim discussion the text is not marked as "this will go away", because it's more offering criteria for when a 0RTT response is good than saying that it can be done over DTLS (so it now only contains an unspec reference to whichever document will say that it is allowed, and that document can then defer to corrclar for criteria or take the text, depending on preferences and timelines).
CC'ing @boaks as per @thomas-fossati's suggestion