Indeed, as long as the scope of the ticket <= scope of the nonce database, it appears that rerouting wont’ help the attacker. From: Colm MacCárthaigh [mailto:c...@allcosts.net] Sent: Thursday, May 4, 2017 11:33 AM To: Andrei Popov <andrei.po...@microsoft.com> Cc: Ilari Liusvaara <ilariliusva...@welho.com>; tls@ietf.org Subject: Re: [TLS] Security review of TLS1.3 0-RTT
On Thu, May 4, 2017 at 11:29 AM, Andrei Popov <andrei.po...@microsoft.com<mailto:andrei.po...@microsoft.com>> wrote: * Providers already work hard to maximize user affinity to a data center for other operational reasons; re-routing is relatively rare and quickly repaired by issuing a new ticket. Understood, but isn’t an attacker going to be able to re-route at will? Yes, but I don't see the significance. If the attacker reroutes the user, or replays a ticket, to a different data center - the ticket won't work, it'll degrade gracefully to a regular connection. Of course the attacker succeeded in slowing the user down, but that's possible anyway. Maybe you're thinking of a strike register that shares a global namespace? That would be an implementation error; tickets should be scoped to the location they are issued from, and checked against its strike register (or not used at all). -- Colm
_______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
