Why are stateless reset tokens 16 bytes long? #2018
Comments
|
If the concern is about the overhead of the Stateless Reset Token field of the NEW_CONNECTION_ID frame, the other option might be to make the field optional. I am not sure why the field is mandatory, even though not all endpoints are required to send Stateless Resets. Conveniently, once #2006 gets merged, the Length field of the Stateless Reset Token field would be the only field we use a 8-bit encoding for Connection ID Length. We can change it to a 4-bit encoding for consistency, and will have 4 bits to encode flags... |
|
Due to birthday problem a reset could affect the wrong connection with a real world probability if it is too short. Especially when servers do not coordinate and when state is lost between reboots. |
|
@mikkelfj: I don't see how the birthday problem comes into play here. |
|
Generally speaking, I prefer having the same level of protection for resets as we have for other types of injection; i.e. I think we should use a token that is as large as the AEAD tag. I am not sure if there is a reason strong enough to shorten the token; after all, QUIC v1’s model is to use a stable CID rather than rotating very frequently, therfore the overhead does not matter. |
|
@kazuho's reasoning is what drove the decision here. It might be the case that 16 octets is overkill, but there isn't a huge advantage in shaving this down. The cost isn't significant. |
|
I think the real question is whether they are too small. If you build them with self-encryption, you might want more room. |
|
Self-encryption isn't useful here. Self-encryption of a connection ID, sure, but the producer and consumer of a stateless reset token are different. |
|
Kind-of related, but by rereading #1041 I notice that a Stateless Reset is considered valid even for packets that arrive from a non-validated path (see section 10.4.1). Is that intentional? Or should we limit the detection of Stateless Resets to packets that arrive from a pre-validated path? I ask this because the current design of CID allows 218*8 of space to identify a connection (because CID is generated by the endpoint that uses it to identify the connection), whereas a stateless reset token only provides 28*8 space (because token is generated by peer and therefore be suspected to birthday attacks. |
|
It is intentional. Even if 264 was insufficient, I don't think that it's that bad. Birthday bounds only come into play when you want to kill one connection from many. That is, you are willing to send 264 packets and there are 264 connection IDs live. Standard DoS mitigation techniques probably start to apply before the birthday bound is threatened. |
|
Thank you for the clarification. Makes sense to me. |
|
Oh, yes, sorry. Long day and I was thinking retry token.
…On Sun, Nov 25, 2018 at 7:35 PM Martin Thomson ***@***.***> wrote:
Self-encryption isn't useful here. Self-encryption of a connection ID,
sure, but the producer and consumer of a stateless reset token is different.
—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub
<#2018 (comment)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/ABD1ofWDKDVXAo3LxuvusAVxuhL46Rjcks5uy2F7gaJpZM4YnRg3>
.
|
|
Time to close this bug? The question has been answered. |
|
Yep. |
mnot
added
the
invalid
We chose the stateless reset token to be 16 bytes long, but I don't remember the reason. It matches the tag size of the AEADs we use, although, as @kazuho points out in #2006 (comment), this might not be true for all TLS cipher suites.
In general, the probability for an attacker to correctly guess a stateless reset token is 2^(-token length). It seems like a 64 bit token would be sufficient to provide protection against an attack like that. Using a shorter token would make rotating connection IDs significantly cheaper.
The text was updated successfully, but these errors were encountered: