Retry Source Connection ID included in token

Question

Retry Source Connection ID included in token

nqv opened this issue 3 years ago · comments

Retry Source Connection ID: The server or Retry service copies this from the Source Connection ID of the Retry packet.

I have read #31 but still don't understand why we need to include it again in token. I'd thought that that server or retry service can read it from the Initial packet (invariant long header packet).

What happen if they are different? Which one server should take to initiate the connection?

Martin Duke · Answer 1 · Tue Jul 27 2021 00:14:29 GMT+0800 (China Standard Time)

I recommend Section 7.3 of RFC 9000 to understand this:

"The values provided by a peer for these transport parameters MUST match the values that an endpoint used in the Destination and Source Connection ID fields of Initial packets that it sent (and received, for servers). Endpoints MUST validate that received transport parameters match received connection ID values."

The connection IDs in Retry and Initial packets are not effectively authenticated unless they are included in transport parameters, which are included in key computation. If the server doesn't have a trustworthy record of the CID it picked (this token), it has no way of confirming that the Retry's SCID wasn't modified in flight.

Quoc-Viet Nguyen · Answer 2 · Tue Jul 27 2021 10:42:05 GMT+0800 (China Standard Time)

yeah, I get that server needs to verify SCID in Retry packet. I still do not get why we need to include Retry SCID again in the token.

Martin Duke · Answer 3 · Wed Jul 28 2021 01:44:26 GMT+0800 (China Standard Time)

How would it verify the SCID was unchanged if it wasn't in the token?

Quoc-Viet Nguyen · Answer 4 · Fri Jul 30 2021 05:45:07 GMT+0800 (China Standard Time)

I think it'd be authenticated by including in the associated data, i.e

Shared-State Retry Service Token Pseudoheader {
  IP Address (128),
  Unique Token Number (96),
  Key Sequence (8),
  Retry Source Connection ID (0..160),
}

Martin Duke · Answer 5 · Fri Jul 30 2021 09:15:19 GMT+0800 (China Standard Time)

Hmm, this is a clever proposal. I'll reopen to reconsider properly.

Christian Huitema · Answer 6 · Sat Jul 31 2021 03:35:15 GMT+0800 (China Standard Time)

Trying to wrap my head around this. The server wants to verify that the RSCID is correct, so the current solution is to copy that in the token. If the client messes up, the server compares the value in the token to the value sent by the client.

Yes, putting that in the pseudo header will mostly work. If the client does not use the specified RSCID, the token will just not decode. But there are two potential issues:

Debugging is harder. For example, there will not be any way to differentiate between wrong RSCID and wrong IP
If the token came as "NEW TOKEN", there is no RSCID specified. There will need to be a special case for constructing the pseudo header, but that means exposing the difference between Retry Token and New Token in clear text.

In any case, we would need additional text for the New Token case.

Martin Duke · Answer 7 · Sat Jul 31 2021 05:37:41 GMT+0800 (China Standard Time)

Christian, good point on (2). The NSS Token already distinguishes the types in cleartext, so perhaps that's not such a big deal. But yes, we'd need to take a bit from the key sequence to indicate the token type.

Martin Duke · Answer 8 · Thu Aug 19 2021 05:35:02 GMT+0800 (China Standard Time)

I filed #128, please take a look.