Better Terminology Alignment with QUIC #70

Closed
wants to merge 2 commits into from
26 changes: 17 additions & 9 deletions draft-ietf-tls-dtls-rrc.md
Expand Up @@ -172,18 +172,26 @@ layer specific address validation mechanism can be triggered instead (e.g., CoAP

# Attacker Model {#attacker}

We define two classes of attackers, off-path and on-path, with increasing
capabilities (see {{fig-attacker-capabilities}}) partly following terminology
Attacks are divided into passive and active attacks. Passive attackers have the ability
to read packets from the network, while active attackers also have the ability to write
packets into the network. However, a passive attack could involve an attacker with the
ability to cause a routing change or other modification in the path taken by packets that
comprise a connection.
Comment on lines +178 to +179
Contributor

Attackers are not assumed to have control over L3 routing. Instead, they can observe packets on one network segment and make (modified) copies on another segment and win the race to the destination due to, e.g., better SLA.

Contributor


This is what the original L179-182 try to convey.

Contributor Author


I copied the text from Section 21.1 of QUIC.

Contributor


Ah ok. Reading that bit from QUIC makes it seem the attacker is more powerful than it needs to be though. In my understanding, it is actually a very specific L4 routing manipulation that is assumed, rather than full-blown control over L3 paths.

Contributor


Obviously, if the attacker is a router that can inject "better routes" through itself, it can be classified as an off-path attacker in our (i.e., QUIC) terminology. But, it's not necessary to be that powerful.


Attackers are additionally categorized as either on-path attackers or off-path attackers
(see {{fig-attacker-capabilities}}). This document follows the terminology
introduced in QUIC {{RFC9000}}:

* An off-path attacker is not on the original path between the DTLS peers, but
is able to observe packets on the original path and has faster routing
compared to the DTLS peers, which allows it to make copies of the observed
packets, race its copies to either peer and consistently win the race.
* An on-path attacker can read, modify, or remove any packet it observes such that the packet
no longer reaches its destination.

* An on-path attacker is on the original path between the DTLS peers and is
therefore capable, compared to the off-path attacker, to also drop and delay
records at will.
* An off-path attacker observes the packets but cannot prevent the original packet from
reaching its intended destination.

Both types of attackers can also transmit arbitrary packets.

This definition of on-path and off-path attackers differs from that of Section 3.5
of {{?RFC3552}} in that an off-path attacker is also able to observe packets.

Note that, in general, attackers cannot craft DTLS records in a way that would
successfully pass verification, due to the cryptographic protections applied by
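
Review bot: the new off-path bullet ("An off-path attacker observes the packets but cannot prevent the original packet from reaching its intended destination.") drops the race-winning capability that the deleted bullet stated ("has faster routing compared to the DTLS peers, which allows it to make copies of the observed packets, race its copies to either peer and consistently win the race"), while the sentence copied from QUIC ("a passive attack could involve an attacker with the ability to cause a routing change or other modification in the path") grants more than this draft assumes, as the thread above points out (attackers are not assumed to control L3 routing). Suggest keeping the race clause in the off-path bullet and dropping the routing-change sentence, so the attacker model stays consistent with {{fig-attacker-capabilities}} and with the discussion on lines +178 to +179; the remaining statements ("Both types of attackers can also transmit arbitrary packets." and the contrast with Section 3.5 of {{?RFC3552}}) read fine.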