-
Notifications
You must be signed in to change notification settings - Fork 1
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Amplification and 0-RTT #40
base: main
Are you sure you want to change the base?
Changes from 1 commit
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
Original file line number | Diff line number | Diff line change | ||||
---|---|---|---|---|---|---|
|
@@ -488,6 +488,39 @@ issue include: | |||||
* <https://github.com/core-wg/corrclar/issues/9>\\ | ||||||
("Clarify/revise language around epochs in section 9.1.1 #9") | ||||||
|
||||||
## RFC 7252-9.1/11.3: Handling outdated addresses and security contexts {#amp-0rtt} | ||||||
|
||||||
Established security contexts and established return addresses can become obsolete. | ||||||
For example, this happens when a DTLS session is resumed via CIDs, when the client's IP address changes, or when the replay window of an OSCORE context is lost and recovered through the mechanism of [Appendix B.1.2 of RFC8613]. | ||||||
In those situations, a server still needs to maintain its security and and amplification mitigation properties, | ||||||
which are generally independent but can be addressed using the same tools. | ||||||
|
||||||
A safe option is always to reject the initial request and request confirmation, | ||||||
either using CoAP's mechanism of sending a 4.01 (Unauthorized) response with an Echo option | ||||||
(where a subsequent request with the same Echo value proves to the server that the destination was reachable) | ||||||
or by using a more security mechanism specific tool such as RRC ({{?I-D.ietf-tls-dtls-rrc}}. | ||||||
|
||||||
If it is not certain that the client is reachable on the request's sender address, | ||||||
but the response does not exceed the request's size by a factor of 3 ({{Section 2.4 of RFC9175}}, item 3), | ||||||
the server can answer the request. | ||||||
It should still include an Echo value, whose presence in the next request serves to confirm the client's address. | ||||||
|
||||||
If it is not certain that the request is not a replay, | ||||||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. How can the server achieve "certainty that the request is not a replay?" There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. It can't => (see comment) |
||||||
but the request handler is safe or long-term idempotent | ||||||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. What is the meaning of "long-term idempotent"? I have never heard of it :-) There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. but if the same request applied later ("long-term") does the same ("idempotent"), it's not required, that the server know about the replay attack. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. It's a vague field and will need better terminology. In 7252 (or HTTP below it), idempotent requests are requests that, once executed, have no further effect. But the term does not distinguish between whether that's just if they're executed right after another or whether anything else may happen between their executions (maybe from the same client / user, maybe from a different one). As it is used in 7252, it's about duplication, so there it's about whether a request is processed again within EXCHANGE_LIFETIME, but that doesn't tell much about what else might have changed. It may well be that the best course of action is to just talk about safe requests, and leave idempotency at most to a footnote. |
||||||
and there is no risk of metadata revealing data, | ||||||
the server can answer the request. | ||||||
Metadata that can reveal data are the size of the response | ||||||
(which, in a replay situation, can give an active attacker additional data) | ||||||
as well as any processing delays. | ||||||
Comment on lines
+536
to
+538
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. I am struggling with the semantics of this paragraph. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. I guess, that means, a server "can answer", if there no other security issues, e.g. the size of the response or the time to process the request, which may be considered to be used as "metadata" for an attack. |
||||||
(There should be no observable side effects for safe or previously processed idempotent requests). | ||||||
Assessing whether a resource is long-term idempotent is not always trivial, and it is prudent to err at the side of caution. | ||||||
If nothing else, GET requests to constant resources, | ||||||
such as queries to /.well-known/core, | ||||||
can often be responded to safely on the CoAP layer even without any replay protection. | ||||||
|
||||||
Implementors of OSCORE beware answering potential replays is only safe from the CoAP application's point of view. | ||||||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. grammar
Suggested change
|
||||||
As always, unless the sender sequence number of the request has just been removed from a correctly initialized replay window, | ||||||
the response can not reuse the request's nonce, but needs to take an own sequence number from the server's space. | ||||||
Comment on lines
+552
to
+553
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more.
|
||||||
|
||||||
## RFC 7252-12.3: Content-Format Registry {#ct} | ||||||
|
||||||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Fix ref typo.
Also, the TLS purist might turn his nose up at the use of resume - session resumption completely separate from CID.
Also, I suggest splitting the two conditions and pairing them with their respective examples.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes, the term "resumed" is in my opinion misleading. Maybe "continued" is better?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
To be frank I have little knowledge of either session resumptions and CID. My guess is that both can lead to 0RTT situations. If so, is there a general term covering both?