Re: [quicwg/base-drafts] Stateless Reset becomes a larger risk of amplification with longer CIDs (#2770)

Martin Thomson <> Tue, 04 June 2019 23:06 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id BE7AF120120 for <>; Tue, 4 Jun 2019 16:06:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -6.605
X-Spam-Status: No, score=-6.605 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_IMAGE_ONLY_28=1.404, HTML_MESSAGE=0.001, MAILING_LIST_MULTI=-1, RCVD_IN_DNSWL_HI=-5, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_DKIMWL_WL_HIGH=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id l5Vg1swxmVQz for <>; Tue, 4 Jun 2019 16:06:06 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 163691202E9 for <>; Tue, 4 Jun 2019 16:06:06 -0700 (PDT)
Date: Tue, 04 Jun 2019 16:06:04 -0700
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=pf2014; t=1559689565; bh=ulUhvBEhWHGtQvwnvu/FgHAbTMUh1XCbVpU42p4IllI=; h=Date:From:Reply-To:To:Cc:In-Reply-To:References:Subject:List-ID: List-Archive:List-Post:List-Unsubscribe:From; b=P3gI41JzWOXTVyLf3wqmO8GNh91amg6c6toaEQlYZgd23ROUI41Scjfp/wrazgy5N DK6tXXYUcZECd4Ay9iu6mACdeKGEEEHANxq1Sr0XmqCDS9pt/u89E5hNaH2JHaFGvK Xdd7gz4WpwCS82NtglVuB4lMcwkVvnfdMd8MnCCc=
From: Martin Thomson <>
Reply-To: quicwg/base-drafts <>
To: quicwg/base-drafts <>
Cc: Subscribed <>
Message-ID: <quicwg/base-drafts/issues/2770/>
In-Reply-To: <quicwg/base-drafts/issues/>
References: <quicwg/base-drafts/issues/>
Subject: Re: [quicwg/base-drafts] Stateless Reset becomes a larger risk of amplification with longer CIDs (#2770)
Mime-Version: 1.0
Content-Type: multipart/alternative; boundary="--==_mimepart_5cf6f95ce6d51_66ef3fa2930cd96823009"; charset="UTF-8"
Content-Transfer-Encoding: 7bit
Precedence: list
X-GitHub-Sender: martinthomson
X-GitHub-Recipient: quic-issues
X-GitHub-Reason: subscribed
X-Auto-Response-Suppress: All
Archived-At: <>
X-Mailman-Version: 2.1.29
List-Id: Notification list for GitHub issues related to the QUIC WG <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 04 Jun 2019 23:06:08 -0000

In many cases even largish connection IDs will be around 20 bytes, meaning that minimal (PING) packets come to around 40 bytes.  Adding 30 bytes of padding is a little annoying.

@ianswett, the error in your description is here:
> when we could decrease the minimum size of the stateless reset being processed by a client

We don't stipulate any size constraints on *processing* packets, just generating them.  The sending constraints exist to prevent indefinite looping of stateless reset. They also eliminate amplification as a side-effect.

The reason we have this recommendation is to keep the stateless reset indistinguishable from "real" packets.  Though it might be a little unusual, a 70 byte packet isn't implausible, no matter what the situation.  But sending a 23 byte packet when every other packet included the same 40 byte connection ID will stand out badly.

You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub: