Lucas seems to have the magic touch with creating issues, so I'll stick to pull requests and emails.

On Wed, Dec 23, 2020, at 10:18, Martin Duke via Datatracker wrote:
> - The third-to-last paragraph of Sec 4.1.3 implies that the transport
> parameters are not delivered until the handshake is complete. In 8.2 it says
> that the TPs are "available" but "not fully trusted" before completion. The
> latter is certainly true; but the server can't send 0.5-RTT packets (e.g. a
> SETTINGS frame) without any indication of the client transport parameters. I
> would suggest a clarification in 4.1.3 and letting the language in 8.2 stand.

I've opened https://github.com/quicwg/base-drafts/pull/4463 for this. I've done less in 4.1.3, but more in 8.2 than you suggest. I hope this helps.

> - 5.8 says the ODCID field "mitigates an off-path attacker's ability to inject
> a Retry".
>
> First, in quic-transport you defined an off-path attacker (21.1) as someone
> who can observe but not alter packets. I don't think that's what you mean
> here, so please use another term here or explicitly define what you mean in
> this document. Come to think of it, there are some inconsistent usages of this
> term in quic-transport as well (14.2.1, 17.2.1, 17.2.2)

This is an excellent point. My intuition regarding "off-path" matches that of RFC 3552, but the definition QUIC uses is subtly different. That means that some of our usage was inconsistent with our own definitions.

Rather than try to find new terminology, which would be very disruptive, we went through and did the following things:

1. Clarify that off-path is slightly different than what is written in RFC 3552 (it is consistent only to the extent that 3552 contemplates the off-path attacker forcing its way on-path).

2. Tighten the language and make it clearer that the off-path attacker is only able to copy and inject packets.

3. Remove uses of off-path that were inconsistent with this definition in both -transport and -tls. There weren't many to fix.

Changes are here: https://github.com/quicwg/base-drafts/pull/4462

> Secondly, it is not clear to me what protection this offers beyond the DCID
> field in the actual Retry Packet (which corresponds to the SCID of the
> Initial).

The SCID of the Initial might be empty (it is in many cases), which doesn't provide enough entropy to prevent spoofing of Retry otherwise.
