Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Amplification and 0-RTT #40

Open
wants to merge 13 commits into
base: main
Choose a base branch
from
Open

Amplification and 0-RTT #40

Changes from all commits
Commits
Show all changes
13 commits
Select commit Hold shift + click to select a range
7e19244
Move amplification and 0RTT topic in from issue tracker
chrysn Sep 25, 2024
03e069e
Update amplification/0RTT
chrysn Sep 25, 2024
5f38ab3
amplification/0rtt: Reword, structure
chrysn Sep 25, 2024
05d250b
amplification/0rtt: Point out feature differences with RRC
chrysn Sep 25, 2024
6b04ff7
fixup!
chrysn Oct 23, 2024
0a4d974
Merge branch 'main' into checkmerge
cabo Oct 23, 2024
e108475
Merge remote-tracking branch 'chrysn-pull-requests/amplification-and-…
cabo Oct 23, 2024
f031d52
replay protection: Replace "long-term idempotent" with more general s…
chrysn Oct 23, 2024
859900e
replay: Clarify
chrysn Oct 23, 2024
8570598
replay: Clarify around "Metadata are"
chrysn Oct 23, 2024
4163536
Merge remote-tracking branch 'origin/amplification-and-0rtt' into amp…
chrysn Oct 23, 2024
240af3b
replay: s/resumed/continued/ as suggested by Achim
chrysn Oct 23, 2024
50ecfb0
replay: Editorial changes
chrysn Oct 23, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
58 changes: 58 additions & 0 deletions draft-ietf-core-corr-clar.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -488,6 +488,64 @@ issue include:
* <https://github.com/core-wg/corrclar/issues/9>\\
("Clarify/revise language around epochs in section 9.1.1 #9")

## RFC 7252-9.1/11.3: Handling outdated addresses and security contexts {#amp-0rtt}

INCOMPLETE:
: Tools for mitigating these scenarios were unavailable when specified, and are now explained.

PENDING.

Established security contexts and established return addresses can become obsolete.
For example, this happens when a DTLS session is continued via CIDs, when the client's IP address changes, or when the replay window of an OSCORE context is lost and recovered through the mechanism of [Appendix B.1.2 of RFC8613].
In those situations, a server still needs to maintain its security and amplification mitigation properties,
which are generally independent concerns but can be addressed using the same tools.

A safe option is always to reject the initial request and request confirmation.
The RECOMMENDED way to do that is using CoAP's mechanism of sending a 4.01 (Unauthorized) response with an Echo option
(where a subsequent request with the same Echo value proves to the server that the destination was reachable);
clients SHOULD act to the Echo option as specified in {{?RFC9175}}.
Tools specific to a security protocol, such as RRC ({{?I-D.ietf-tls-dtls-rrc}}) in case of DTLS, may be used. However, their use may depend on successful negotiation.

### Amplification mitigation and return routability

If it is not certain that the client is reachable on the request's sender address,
but the response does not exceed the request's size by a factor of 3 ({{Section 2.4 of RFC9175}}, item 3),
the server can answer the request.
It should still include an Echo value, whose presence in the next request serves to confirm the client's address.

This situation can happen at any time, especially after a prolonged period of quiescence, regardless of the security protocol.

Verifying the client's address is not only crucial for mitigating amplification attacks ({{?I-D.irtf-t2trg-amplification-attacks}}), but also to avoid traffic misdirection.
{{Section 7 of ?I-D.ietf-tls-dtls-rrc}} describes options for how to use RRC messages to distinguish different cases.
A 4.01 response with Echo can perform some of the same functions, with the Echo value replacing the RRC cookie. However, it does not offer a way to distinguish between non-preferred and preferred paths.

Where that distinction matters,
RRC provides the right tools to make it.

### Replay protection

If it is not certain that the request is not a replay,
but the request handler is safe
and there is no risk of metadata revealing data,
the server can answer the request.
Kinds of metadata to look out for are the size of the response
(which, in a replay situation, can give an active attacker additional data)
as well as any processing delays.
(Side effects would also fall into that category, but there should not be any effects for safe requests).

If nothing else, GET requests to constant resources,
such as queries to /.well-known/core,
can often be responded to safely on the CoAP layer even without any replay protection.

There are resources for which more requests than those with safe codes may be handled without replay protection,
but as that assessment is hard to make, it is prudent to err at the side of caution.

Uncertainty about whether a request might be a replay can happen in OSCORE after a partial loss of context.
Currently, this cannot happen in DTLS because 0-RTT Data is not allowed for CoAP (cf. {{Section 14 of ?I-D.ietf-uta-tls13-iot-profile-09}}). However, that may change if a future document defines a profile for using early data with CoAP.

Implementers of OSCORE should be aware that answering potential replays is only safe from the CoAP application's point of view.
As always, unless the sequence number in the request has just been removed from an initialized replay window,
the response can not reuse the request's nonce, but needs to be sent with a new sequence number from the server's space.

## RFC 7252-12.3: Content-Format Registry {#ct}

Expand Down
Loading