Re: [quicwg/base-drafts] Allow connections to share a port by adding restrictions on zero-length connection IDs (#2851)
Martin Thomson <notifications@github.com> Tue, 09 July 2019 05:12 UTC
Return-Path: <noreply@github.com>
X-Original-To: quic-issues@ietfa.amsl.com
Delivered-To: quic-issues@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4CDCC120100 for <quic-issues@ietfa.amsl.com>; Mon, 8 Jul 2019 22:12:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -8
X-Spam-Level:
X-Spam-Status: No, score=-8 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, MAILING_LIST_MULTI=-1, RCVD_IN_DNSWL_HI=-5, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=github.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Ptbw8Xg3d1mG for <quic-issues@ietfa.amsl.com>; Mon, 8 Jul 2019 22:11:59 -0700 (PDT)
Received: from out-14.smtp.github.com (out-14.smtp.github.com [192.30.254.197]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 30B681200EC for <quic-issues@ietf.org>; Mon, 8 Jul 2019 22:11:59 -0700 (PDT)
Date: Mon, 08 Jul 2019 22:11:58 -0700
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=github.com; s=pf2014; t=1562649118; bh=+avyR43LBjk5bxqtzV3t1FHq0Q4NyEGhV8POnTqrtGw=; h=Date:From:Reply-To:To:Cc:In-Reply-To:References:Subject:List-ID: List-Archive:List-Post:List-Unsubscribe:From; b=fHA+Am/PUG2iIysrZV84xkPd3N/ESVmpYGqbvLAZ7P40CrlrXa/mYvSGusVgTSYvY 6ba+MOykfzVMkh99RqVTr1UtbAJZBwLm/7cNfYj8iZB0MmRHD210oc90sExmBOEjmj ArkxlH4dTujX52zSyGmkBYQur5ZbzotrMyyZvRdU=
From: Martin Thomson <notifications@github.com>
Reply-To: quicwg/base-drafts <reply+AFTOJK5NFCVJZ3LJ3IY7AIF3GFKJ5EVBNHHBW7JPKY@reply.github.com>
To: quicwg/base-drafts <base-drafts@noreply.github.com>
Cc: Subscribed <subscribed@noreply.github.com>
Message-ID: <quicwg/base-drafts/pull/2851/review/259270833@github.com>
In-Reply-To: <quicwg/base-drafts/pull/2851@github.com>
References: <quicwg/base-drafts/pull/2851@github.com>
Subject: Re: [quicwg/base-drafts] Allow connections to share a port by adding restrictions on zero-length connection IDs (#2851)
Mime-Version: 1.0
Content-Type: multipart/alternative; boundary="--==_mimepart_5d24221e43709_d593ffc89acd968175448b"; charset="UTF-8"
Content-Transfer-Encoding: 7bit
Precedence: list
X-GitHub-Sender: martinthomson
X-GitHub-Recipient: quic-issues
X-GitHub-Reason: subscribed
X-Auto-Response-Suppress: All
X-GitHub-Recipient-Address: quic-issues@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic-issues/H3ZJ_5U-CcNbdKBm5Ttw6KAeZ0w>
X-BeenThere: quic-issues@ietf.org
X-Mailman-Version: 2.1.29
List-Id: Notification list for GitHub issues related to the QUIC WG <quic-issues.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic-issues>, <mailto:quic-issues-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic-issues/>
List-Post: <mailto:quic-issues@ietf.org>
List-Help: <mailto:quic-issues-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic-issues>, <mailto:quic-issues-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 09 Jul 2019 05:12:01 -0000
martinthomson approved this pull request. I like this. It makes sense. I've suggested a rewording of the text you proposed, but I think that this the right insight. Namely, you can only use a zero-length connection ID if other information **that is under your control** is sufficient to identify a connection. My only reservation is over the potential for an endpoint to be willing to use trial decryption here. In theory, you could demux using trial decryption. It seems crazy, but we've already got cases for ESNI where that turns out to be a useful concept. > @@ -924,11 +924,14 @@ selected by the client, both to ensure correct routing toward the client and to allow the client to validate that the packet is in response to an Initial packet. -A zero-length connection ID MAY be used when the connection ID is not needed for -routing and the address/port tuple of packets is sufficient to identify a -connection. An endpoint whose peer has selected a zero-length connection ID MUST -continue to use a zero-length connection ID for the lifetime of the connection -and MUST NOT send packets from any other local address. +A zero-length connection ID MAY be used when the connection ID is not needed +for routing and the destination address and port of incoming packets is +sufficient to identify a connection (e.g., when there is a single connection +on a given local port). Note that it is not possible to use the source address +and port of incoming packets to demultiplex them across connections because a +peer might multiplex multiple connections on a single address and port and rely +on its connection IDs for demultiplexing, and the peer's connection IDs are not +transmitted in the short header packets they send. Suggestion: A zero-length connection ID can be used when a connection ID is not needed to correctly route to the correct endpoint. An endpoint MUST NOT use a zero-length connection ID unless it can use only its IP address and port to identify a connection. The IP address and port used by a peer cannot be used for routing as these values can change or be used for additional connections. > -If the Destination Connection ID is zero length and the packet matches the -address/port tuple of a connection where the host did not require connection -IDs, QUIC processes the packet as part of that connection. Endpoints SHOULD -either reject connection attempts that use the same addresses as existing -connections, or use a non-zero-length Destination Connection ID so that packets -can be correctly attributed to connections. +If the Destination Connection ID is zero-length and the packet matches the +local address and port of a connection where the host used zero-length +connection IDs, QUIC processes the packet as part of that connection. +Endpoints that share a local address and port across multiple connections MUST I think that we can drop this final sentence here. The text above (L933-ish) will do. > @@ -1793,9 +1796,7 @@ An endpoint also MUST NOT initiate connection migration if the peer sent the `disable_migration` transport parameter during the handshake. An endpoint which has sent this transport parameter, but detects that a peer has nonetheless migrated to a different network MAY treat this as a connection error of type -INVALID_MIGRATION. Similarly, an endpoint MUST NOT initiate migration if its -peer supplies a zero-length connection ID as packets without a Destination -Connection ID cannot be attributed to a connection based on address tuple. Nice. -- You are receiving this because you are subscribed to this thread. Reply to this email directly or view it on GitHub: https://github.com/quicwg/base-drafts/pull/2851#pullrequestreview-259270833
- [quicwg/base-drafts] Allow connections to share a… David Schinazi
- Re: [quicwg/base-drafts] Allow connections to sha… MikkelFJ
- Re: [quicwg/base-drafts] Allow connections to sha… MikkelFJ
- Re: [quicwg/base-drafts] Allow connections to sha… David Schinazi
- Re: [quicwg/base-drafts] Allow connections to sha… MikkelFJ
- Re: [quicwg/base-drafts] Allow connections to sha… MikkelFJ
- Re: [quicwg/base-drafts] Allow connections to sha… David Schinazi
- Re: [quicwg/base-drafts] Allow connections to sha… MikkelFJ
- Re: [quicwg/base-drafts] Allow connections to sha… David Schinazi
- Re: [quicwg/base-drafts] Allow connections to sha… Martin Thomson
- Re: [quicwg/base-drafts] Allow connections to sha… David Schinazi
- Re: [quicwg/base-drafts] Allow connections to sha… David Schinazi
- Re: [quicwg/base-drafts] Allow connections to sha… David Schinazi
- Re: [quicwg/base-drafts] Allow connections to sha… David Schinazi
- Re: [quicwg/base-drafts] Allow connections to sha… David Schinazi
- Re: [quicwg/base-drafts] Allow connections to sha… Martin Thomson
- Re: [quicwg/base-drafts] Allow connections to sha… ianswett
- Re: [quicwg/base-drafts] Allow connections to sha… David Schinazi
- Re: [quicwg/base-drafts] Allow connections to sha… David Schinazi
- Re: [quicwg/base-drafts] Allow connections to sha… Kazuho Oku
- Re: [quicwg/base-drafts] Allow connections to sha… David Schinazi
- Re: [quicwg/base-drafts] Allow connections to sha… Igor Lubashev
- Re: [quicwg/base-drafts] Allow connections to sha… Martin Thomson
- Re: [quicwg/base-drafts] Allow connections to sha… Mike Bishop
- Re: [quicwg/base-drafts] Allow connections to sha… David Schinazi
- Re: [quicwg/base-drafts] Allow connections to sha… Jana Iyengar
- Re: [quicwg/base-drafts] Allow connections to sha… David Schinazi
- Re: [quicwg/base-drafts] Allow connections to sha… David Schinazi
- Re: [quicwg/base-drafts] Allow connections to sha… David Schinazi
- Re: [quicwg/base-drafts] Allow connections to sha… David Schinazi
- Re: [quicwg/base-drafts] Allow connections to sha… David Schinazi
- Re: [quicwg/base-drafts] Allow connections to sha… Martin Thomson
- Re: [quicwg/base-drafts] Allow connections to sha… Martin Thomson
- Re: [quicwg/base-drafts] Allow connections to sha… Martin Thomson
- Re: [quicwg/base-drafts] Allow connections to sha… Martin Thomson
- Re: [quicwg/base-drafts] Allow connections to sha… David Schinazi
- Re: [quicwg/base-drafts] Allow connections to sha… David Schinazi
- Re: [quicwg/base-drafts] Allow connections to sha… Eric Kinnear
- Re: [quicwg/base-drafts] Allow connections to sha… ianswett
- Re: [quicwg/base-drafts] Allow connections to sha… David Schinazi
- Re: [quicwg/base-drafts] Allow connections to sha… Martin Thomson
- Re: [quicwg/base-drafts] Allow connections to sha… David Schinazi
- Re: [quicwg/base-drafts] Allow connections to sha… Martin Thomson
- Re: [quicwg/base-drafts] Allow connections to sha… Martin Thomson
- Re: [quicwg/base-drafts] Allow connections to sha… Martin Thomson