Comments (6)
I'm not sure how we could come up with a good one-size fits all limit. Different deployment environments may be more or less capable of generating amplification attacks. There are things we can do with the design of QUIC, such as add the ability to pair a connection id to a resumption token, to make these less practical.
from base-drafts.
Is this amplification any worse than TFO + TLS1.3?
from base-drafts.
To @ianswett's point, if there isn't a one-size fits all number, then we need a set of guidelines. I explicitly didn't say that we needed a number in the problem description for that reason.
Is this amplification any worse than TFO + TLS1.3?
I don't know, no one has deployed that yet and so we don't know what we can do with the first flight with TFO (in TLS 1.3 or any other protocol for that matter). I expect that whatever guideline/number we arrive at will probably apply there.
TFO has a really unsatisfactory response to this problem: https://tools.ietf.org/html/rfc7413#section-5.2 I guess that's what you get with experimental RFCs.
from base-drafts.
@martinthomson I don't think this is a problem with TFO being experimental, I think it's a problem with too few security people paying attention to TFO. Either ways, yeah, let's make sure we solve this problem well in QUIC.
from base-drafts.
Not going to disagree with that!
(I will disagree with the potential implication that security is the responsibility of security people, but I'm sure that was not what you intended.)
from base-drafts.
@martinthomson Yes, didn't mean to imply that. I don't consider myself a "security person" but I've been quite bothered by the wishy-washy security requirements around TFO.
from base-drafts.
Related Issues (20)
- Auth48: Combined internal references HOT 3
- Solidarity bot: Invalid HOT 4
- auth48 http/3: cite http2bis HOT 1
- Auth48: Keywords HOT 1
- Is "to the encoder" intended? (comment 2) HOT 4
- Auth48: Artwork types HOT 2
- Auth48: Difficult to parse sentence / duplicated words HOT 2
- Auth48: Huffman-coded versus Huffman encoded HOT 1
- To avoid awkward hyphenation, may we rephrase this text? Original (comment 6) HOT 2
- Should the following text be formatted using <aside>? (comment 7) HOT 2
- RFC Editor comment 8 HOT 1
- Auth48: SETTING_ => SETTINGS_ HOT 1
- Auth48: Capitalization and terminology consistency HOT 5
- Auth48: Servers and non-0-RTT clients HOT 1
- Stale contact information for Buck HOT 1
- STOP_SENDING to QPACK streams HOT 7
- CONTRIBUTING.md has out-of-date URLs HOT 1
- Marking packets as lost on PTO
- Add text on flow control deadlocks HOT 3
- Wiki: Implementations overview "destroyed" HOT 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from base-drafts.