chrysn
commented
3 years ago In the course of this, we'll also have to give a citation for the "x 3" (currently https://tools.ietf.org/html/draft-ietf-quic-transport-32#page-50)
Closed chrysn closed 3 years ago
chrysn
commented
3 years ago In the course of this, we'll also have to give a citation for the "x 3" (currently https://tools.ietf.org/html/draft-ietf-quic-transport-32#page-50)
chrysn
commented
3 years ago Follow-up note to be factored into the resolution:
I have no strong opinion whether having a fixed number is good or bad, I can see reaons both ways. But if the WG decides to include an absolute number and you want people to implement that number, you should in my view include the calculation (perhaps in a short appendix) so that people recall how the number was determined. For example, you assume IPv4 (and not IPv6), you assume Ethernet (and not some other link layers or VLANs etc.). This may be OK but I think it is fair to document the assumptions.
In the response to https://datatracker.ietf.org/doc/review-ietf-core-echo-request-tag-11-opsdir-lc-schoenwaelder-2020-11-30/ I promised better wording for the 152 bytes -- but let's see whether anything gets back there first.
As Carsten pointed out, this is the derived number from the "three times" part, also accounting for the remainder of the UDP packet.
Assuming an attacker wants to maximize the amplification possible by the factor 3, they will send
allowsing the server to send Σ * 3 = 222 octets. Subtracting everything in the response including the UDP header, that gives 160 octets of UDP data. Given the token is variable length data of up to 8 octets the server implementer can't easily take into account, that leaves 152 octets. (Granted, that last step doesn't follow from the wording, and I'm looing to sharpen that).
Having some hard number there (and I'm happy to use better ways to come up with one) is important because for generic server applications, the transports may not be known and the implementer would have to make assumptions; we can't do much more, but at least ours get solid review.