Re: [quicwg/base-drafts] Immediately close with INVALID_TOKEN (#3107)

Kazuho Oku <> Sat, 02 November 2019 05:28 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 32C9C12001A for <>; Fri, 1 Nov 2019 22:28:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -6.596
X-Spam-Status: No, score=-6.596 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_IMAGE_ONLY_28=1.404, HTML_MESSAGE=0.001, MAILING_LIST_MULTI=-1, RCVD_IN_DNSWL_HI=-5, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id DYsKQJLv95he for <>; Fri, 1 Nov 2019 22:28:17 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 94A73120074 for <>; Fri, 1 Nov 2019 22:27:30 -0700 (PDT)
Date: Fri, 01 Nov 2019 22:27:29 -0700
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=pf2014; t=1572672449; bh=cKbR7MQCSzIPtFBpt87D6DU0qvVhwcB+1Sep7O1XQyc=; h=Date:From:Reply-To:To:Cc:In-Reply-To:References:Subject:List-ID: List-Archive:List-Post:List-Unsubscribe:From; b=WsHkSUI3pX7dG8ttbx4IldelTngSS83INKYm2G+CRGfI3vZAh9Hv89y5gjhYpsry0 TEYBfLeGJHS2UznEUDX1Ym7X7Aeg8sItK/gaEa9uoMK/YzJW6Cfw4F3WozmI3NVSw2 ecFNclpJ5ZxIkPe6v4rNMkw5mQxMXTt//K3A8Rl0=
From: Kazuho Oku <>
Reply-To: quicwg/base-drafts <>
To: quicwg/base-drafts <>
Cc: Subscribed <>
Message-ID: <quicwg/base-drafts/pull/3107/review/>
In-Reply-To: <quicwg/base-drafts/pull/>
References: <quicwg/base-drafts/pull/>
Subject: Re: [quicwg/base-drafts] Immediately close with INVALID_TOKEN (#3107)
Mime-Version: 1.0
Content-Type: multipart/alternative; boundary="--==_mimepart_5dbd13c1826a_1f553fd02fecd968185981"; charset="UTF-8"
Content-Transfer-Encoding: 7bit
Precedence: list
X-GitHub-Sender: kazuho
X-GitHub-Recipient: quic-issues
X-GitHub-Reason: subscribed
X-Auto-Response-Suppress: All
Archived-At: <>
X-Mailman-Version: 2.1.29
List-Id: Notification list for GitHub issues related to the QUIC WG <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Sat, 02 Nov 2019 05:28:19 -0000

kazuho commented on this pull request.

> @@ -1641,6 +1641,13 @@ of connection establishment.  By giving the client a different connection ID to
 use, a server can cause the connection to be routed to a server instance with
 more resources available for new connections.
+If a server receives a client Initial that can be unprotected but contains an
+invalid Retry token, it knows the client will not accept another Retry token.
+It can either proceed with the handshake without verifying the token or
+immediately close ({{immediate-close}}) the connection with a connection
+error of INVALID_TOKEN to cause the handshake to fail quickly instead of
+waiting for the client to timeout.

By state I mean the closing and the draining state that gets built and retained once you invoke {immediate-close}. We should not recommend such behavior as it would create a DoS vector. But if it is not going to be a SHOULD but instead “can” or MAY, I think we can be precise and therefor the text we have now is fine.

You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub: