Re: [quicwg/base-drafts] Move connection ID change to only Server Cleartext (#589)
Jānis <notifications@github.com> Tue, 06 June 2017 15:10 UTC
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic-issues/PSHyL6u1OVVPo70t-KCPEg1aB6I>
List-Id: Notification list for GitHub issues related to the QUIC WG <quic-issues.ietf.org>

Well then I would like to propose to reconsider that. Is there any reason why Server Stateless Retry couldn't change CID?

1) Firstly, in my opinion a server without Server Stateless Retry (without verifying src address/port) is simply asking to be DoS attacked. I could fill a server's RAM with a Raspberry Pi by simply spoofing the src address. That's why I am talking about the situation where that check is enabled.

2) Secondly, imagine that you want to use CID for load balancing your clients. In the current solution you would have to support accepting the TLS handshake on all backends, and when the initial request is validated the partial TLS and QUIC state must be serialized and somehow transported to the decided load-balanced server (with the new CID) - and that's not easy AT ALL.

I think that this can be solved by simply returning a new CID in Server Stateless Retry without doing any work or state transportation on the backend.
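
The following sketch is an added example, not part of the original message or of the QUIC drafts. It shows the idea argued above: a front end that keeps no per-client state answers the first flight with a new CID that encodes the chosen backend plus an address-bound token, and only a client that echoes both from the same source address is routed to that backend. The 64-bit CID layout, the HMAC token format, the shared secret and the backend names are all assumptions made for illustration.

```python
import hashlib
import hmac
import os
import struct
import time

SECRET = os.urandom(32)                   # assumption: key shared by the stateless front ends
BACKENDS = ["backend-a", "backend-b", "backend-c"]   # constructed names
TOKEN_LIFETIME = 10                       # assumption: seconds a retry token stays valid


def _mac(addr, port, cid, issued):
    # Bind the token to the claimed source address, the new CID and the issue time.
    msg = f"{addr}|{port}|".encode() + struct.pack("!QI", cid, issued)
    return hmac.new(SECRET, msg, hashlib.sha256).digest()[:16]


def pick_backend_cid(client_cid):
    # Hypothetical layout: top byte = backend index, low 56 bits random.
    idx = client_cid % len(BACKENDS)      # any placement policy would do here
    return (idx << 56) | int.from_bytes(os.urandom(7), "big")


def stateless_retry(addr, port, client_cid, now=None):
    """First flight from an unverified address: store nothing, reply with new CID + token."""
    issued = int(time.time() if now is None else now)
    new_cid = pick_backend_cid(client_cid)
    token = struct.pack("!I", issued) + _mac(addr, port, new_cid, issued)
    return new_cid, token


def route(addr, port, cid, token, now=None):
    """Second flight: validate the token without stored state, then route by CID."""
    now = int(time.time() if now is None else now)
    if len(token) != 20:
        return None
    (issued,) = struct.unpack("!I", token[:4])
    if not 0 <= now - issued <= TOKEN_LIFETIME:
        return None                       # expired or from the future
    if not hmac.compare_digest(token[4:], _mac(addr, port, cid, issued)):
        return None                       # wrong source address, or CID was altered
    idx = cid >> 56
    return BACKENDS[idx] if idx < len(BACKENDS) else None
```

A sender spoofing its source address never receives the retry, so it cannot present a valid token, and the backend only starts the TLS handshake for packets that `route` accepts.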