
Quant server processes Handshake packets with an unmatched Destination Connection ID.

Open QUICTester opened this issue 2 years ago • 4 comments

Hi,

During our tests involving a Quant (https://github.com/NTAP/quant/commit/511d91c3c60f622a20746b1f30186a9d51c3ba68) implementation, we identified a protocol violation on the Quiche server implementation.

The Quant server processes Handshake packets with an unmatched Destination Connection ID. You can reproduce this behaviour by:

  1. Sending an Initial packet carrying a Client Hello message.
  2. Sending a Handshake packet carrying a Finished message with the original_destination_connection_id in the packet's Destination Connection ID field.

According to Section 17.2.4 of RFC 9000, the Destination Connection ID field in a Handshake packet contains a connection ID that is chosen by the recipient of the packet. However, the server does not conform to the specification and still processes a Handshake packet whose Destination Connection ID does not match the connection ID chosen by itself. Notably, the Source and Destination Connection ID fields are the primary means of protection against an off-path attack during the handshake (Section 21.2, RFC 9000).

In our experiment, this behaviour will only happen prior to handshake completion. Once the connection is established, the server will not process 1-RTT packets with an unmatched Destination Connection ID.

Please let me know if you require any additional information.

QUICTester, Sep 08 '23 07:09
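For readers who want to see the check the report is asking for, here is an added, self-contained Python example (written for this page; it is not Quant's code and not the reporter's tool). It parses the version-independent part of a QUIC long header (RFC 8999 §5.1 / RFC 9000 §17.2), builds the two packets from the reproduction steps with constructed connection IDs, and applies the rule from RFC 9000 §17.2.4: a Handshake packet is only accepted when its Destination Connection ID is one the server itself issued, while an Initial may still carry the client-chosen original DCID (RFC 9000 §7.2). The `ServerConnection` structure and the sample connection IDs are assumptions made for the example; the payload bytes are placeholders and are not decrypted.

```python
"""Destination Connection ID validation for QUIC long-header packets (RFC 9000).

Added example for this issue; not code from Quant. Sample connection IDs and
payloads below are constructed and carry no real handshake data.
"""
import struct
from dataclasses import dataclass, field

QUIC_VERSION_1 = 0x00000001
PT_INITIAL, PT_ZERO_RTT, PT_HANDSHAKE, PT_RETRY = 0, 1, 2, 3
PT_NAMES = {PT_INITIAL: "Initial", PT_ZERO_RTT: "0-RTT",
            PT_HANDSHAKE: "Handshake", PT_RETRY: "Retry"}


@dataclass
class LongHeader:
    packet_type: int
    version: int
    dcid: bytes
    scid: bytes
    rest: bytes  # type-specific fields plus the still-protected payload


def parse_long_header(pkt: bytes) -> LongHeader:
    """Decode only the fields needed for connection-ID routing (RFC 9000 s17.2)."""
    if len(pkt) < 7:
        raise ValueError("packet too short for a long header")
    first = pkt[0]
    if not first & 0x80:
        raise ValueError("not a long header (Header Form bit is 0)")
    if not first & 0x40:
        raise ValueError("Fixed Bit is 0; not a valid QUIC v1 packet")
    packet_type = (first >> 4) & 0x03
    version = struct.unpack("!I", pkt[1:5])[0]
    off = 5
    dcil = pkt[off]
    off += 1
    if dcil > 20 or off + dcil >= len(pkt):      # need at least the SCID length byte after
        raise ValueError("bad Destination Connection ID length")
    dcid = pkt[off:off + dcil]
    off += dcil
    scil = pkt[off]
    off += 1
    if scil > 20 or off + scil > len(pkt):
        raise ValueError("bad Source Connection ID length")
    scid = pkt[off:off + scil]
    off += scil
    return LongHeader(packet_type, version, dcid, scid, pkt[off:])


def build_long_header(packet_type: int, dcid: bytes, scid: bytes, rest: bytes,
                      version: int = QUIC_VERSION_1) -> bytes:
    """Assemble a long-header packet; used here only to construct test input."""
    first = 0x80 | 0x40 | ((packet_type & 0x03) << 4)
    return (bytes([first]) + struct.pack("!I", version)
            + bytes([len(dcid)]) + dcid + bytes([len(scid)]) + scid + rest)


@dataclass
class ServerConnection:
    """Assumed minimal per-connection state a server needs for the DCID check."""
    original_dcid: bytes                          # client-chosen DCID from the first Initial
    server_cids: set = field(default_factory=set)  # connection IDs this server issued


def check_dcid(conn: ServerConnection, hdr: LongHeader) -> tuple:
    """Return (accept, reason) for a long-header packet arriving on `conn`.

    Initial / 0-RTT: the client may keep using the original DCID until it has seen
    the server's SCID (RFC 9000 s7.2), so the original DCID or a server CID is fine.
    Handshake: the DCID must be a server-chosen connection ID (RFC 9000 s17.2.4);
    anything else is dropped, which is the behaviour the report says Quant lacks.
    """
    name = PT_NAMES.get(hdr.packet_type, "unknown")
    if hdr.version != QUIC_VERSION_1:
        return False, f"{name}: unsupported version {hdr.version:#x}"
    if hdr.packet_type in (PT_INITIAL, PT_ZERO_RTT):
        if hdr.dcid == conn.original_dcid or hdr.dcid in conn.server_cids:
            return True, f"{name}: DCID acceptable before server CID is in use"
        return False, f"{name}: DCID matches neither original DCID nor a server CID"
    if hdr.packet_type == PT_HANDSHAKE:
        if hdr.dcid in conn.server_cids:
            return True, f"{name}: DCID is a server-chosen CID"
        return False, f"{name}: DCID {hdr.dcid.hex()} was not chosen by this server; drop"
    return False, f"{name}: not expected to arrive at a server"


def demo() -> list:
    """Replay the two reproduction steps plus a correct Handshake packet."""
    original_dcid = bytes.fromhex("0011223344556677")   # constructed, client-chosen
    client_scid = bytes.fromhex("c1c2c3c4")             # constructed
    server_cid = bytes.fromhex("5e5e5e5e5e5e")          # constructed, server-issued
    conn = ServerConnection(original_dcid, {server_cid})
    body = b"\x00" * 16  # placeholder for the protected payload

    packets = {
        "initial/original dcid":   build_long_header(PT_INITIAL, original_dcid, client_scid, body),
        "handshake/server cid":    build_long_header(PT_HANDSHAKE, server_cid, client_scid, body),
        "handshake/original dcid": build_long_header(PT_HANDSHAKE, original_dcid, client_scid, body),
    }
    results = []
    for label, pkt in packets.items():
        ok, why = check_dcid(conn, parse_long_header(pkt))
        print(f"{label:26s} -> {'accept' if ok else 'drop'} ({why})")
        results.append((label, ok))
    return results


if __name__ == "__main__":
    demo()
```

The third packet is step 2 of the report: a Handshake packet whose DCID is the original_destination_connection_id. A conforming server drops it, since that value was chosen by the client, not by the server. The check is deliberately done on the unprotected header fields before any decryption is attempted, which is where a real implementation has to make the routing decision.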

Thanks for the report. It's very likely that you identified a bug. Quant isn't under active maintenance anymore, since it was meant as a proof-of-concept to validate the evolving QUIC spec during its standardization. So it's unlikely I'll fix this.

Also, who are you? Your profile does not have any contact information.

larseggert, Sep 08 '23 07:09

We are doing research on testing QUIC and our work is currently under double-blind reviewing process. We will add our contact information once our work is published.

QUICTester, Sep 08 '23 07:09

Thanks. (That would have been helpful to say somewhere, like on your profile page.)

larseggert, Sep 08 '23 07:09

You are welcome. We will also publish our tool on our GitHub (hopefully soon).

QUICTester, Sep 08 '23 07:09