Re: [quicwg/base-drafts] Required state for retaining unacked RETIRE_CONNECTION_ID frames is unbound (#3509)

Martin Thomson <> Mon, 30 March 2020 04:45 UTC

I think that I understand your point; thanks for your patience.

I didn't really classify it as a leak though, so the choice of words threw me a little; it's more of a lag.

Let's say that you have a pathological endpoint that sends an infinite series of NEW_CONNECTION_ID frames with Sequence Number N and Retire Prior To of (N-1).  That's legal and will never violate any limits.  But unless they maintain acknowledgments for RETIRE_CONNECTION_ID frames at a similar rate (which, to be fair, should be easy as `sizeof(NEW_CONNECTION_ID) > sizeof(RETIRE_CONNECTION_ID) > sizeof(ACK)` for the same values), they could get far ahead of their peer.

I don't think that it is strictly a leak, just a lag between the connection IDs being pushed and the connection IDs being successfully retired.  Without #3547 or something else this could be problematic.  And I now understand why #3550 is really just an orthogonal refinement, though it might make other defenses less likely to be required by making `sizeof(sum(RETIRE_CONNECTION_ID))` zero in cases where an endpoint isn't using discretionary retirement.

The defense in #3553 is to make `sizeof(sum(RETIRE_CONNECTION_ID))` effectively constant, no matter how many frames need to be retired.  My main objection is really that it is a maximal design where only a minimal one is warranted.

It's probably worth pointing out that there is also the simplest defense:  If you can't keep up with RETIRE_CONNECTION_ID, stop talking to the peer that does this to you.  This is just another example from that category of abuse we don't have specific protocol mechanisms to mitigate.

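Added example, not part of the message above or of the QUIC drafts: a receiver-side model of the lag the message describes, with the "stop talking to the peer" defense applied as a cap on unacknowledged RETIRE_CONNECTION_ID frames. The class and function names, the cap value and the acknowledgment pattern are assumptions made for illustration.

```python
class PeerAbuse(Exception):
    """Backlog of unacknowledged RETIRE_CONNECTION_ID frames exceeded the cap."""


class RetireTracker:
    """Receiver-side state for connection IDs issued by the peer."""

    def __init__(self, max_pending):
        self.max_pending = max_pending  # assumed local policy, not from the thread
        self.active = {0}               # sequence numbers currently usable
        self.retire_prior_to = 0        # highest Retire Prior To seen so far
        self.pending = set()            # retirements sent but not yet acknowledged

    def on_new_connection_id(self, seq, retire_prior_to):
        self.retire_prior_to = max(self.retire_prior_to, retire_prior_to)
        self.active.add(seq)
        # Every ID below Retire Prior To needs a RETIRE_CONNECTION_ID frame,
        # and that frame has to be remembered until the peer acknowledges it.
        for old in sorted(s for s in self.active if s < self.retire_prior_to):
            self.active.discard(old)
            self.pending.add(old)
        if len(self.pending) > self.max_pending:
            raise PeerAbuse(f"{len(self.pending)} retirements unacknowledged")

    def on_retire_acked(self, seq):
        self.pending.discard(seq)


def simulate(frames, ack_every, max_pending):
    """Peer sends NEW_CONNECTION_ID(N, Retire Prior To = N-1) for N = 1..frames
    and acknowledges one retirement every `ack_every` frames (0 = never).
    Returns (peak backlog, frame number at which we gave up, or None)."""
    tracker, peak = RetireTracker(max_pending), 0
    for n in range(1, frames + 1):
        try:
            tracker.on_new_connection_id(seq=n, retire_prior_to=n - 1)
        except PeerAbuse:
            return peak, n  # the "stop talking to the peer" defense
        peak = max(peak, len(tracker.pending))
        if ack_every and n % ack_every == 0 and tracker.pending:
            tracker.on_retire_acked(min(tracker.pending))
    return peak, None


if __name__ == "__main__":
    print(simulate(1000, 1, 8))      # peer acknowledges at the rate it pushes
    print(simulate(1000, 2, 8))      # peer acknowledges at half that rate
    print(simulate(1000, 0, 10**9))  # no acknowledgments and effectively no cap
```

With acknowledgments arriving at the same rate the backlog never exceeds one entry; at half that rate it grows by one entry every two frames until the cap ends the connection.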