Re: [quicwg/base-drafts] Add Advice and Rules for CONN_CLOSE in Initial and Handshake (#1786)

Kazuho Oku <> Fri, 28 September 2018 09:23 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id CFA17130E01 for <>; Fri, 28 Sep 2018 02:23:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -8
X-Spam-Status: No, score=-8 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, MAILING_LIST_MULTI=-1, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id iqjr6N9JZFWR for <>; Fri, 28 Sep 2018 02:23:21 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 36181130DC8 for <>; Fri, 28 Sep 2018 02:23:21 -0700 (PDT)
Date: Fri, 28 Sep 2018 02:23:20 -0700
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=pf2014; t=1538126600; bh=/nK37sHnxMid/7L3Zn1qt1cRF7Qmzy92HeM4okuexqk=; h=Date:From:Reply-To:To:Cc:In-Reply-To:References:Subject:List-ID: List-Archive:List-Post:List-Unsubscribe:From; b=BXzxFGBw1rl4AQFeVHs8Iy15jRWG6RLZvFKDtdwTzO8CsuofkvhvIdFeiCW6JeSZy w4kzgSUHiGPCSn+b/ftOFbU1rQkX+4i2m4oTwKprpXA5dW26kWBsh6PWRet+s01yCI rsbaK3Ch3m6q3U8XErXH110WSlEXtRkvAiU3oH3Y=
From: Kazuho Oku <>
Reply-To: quicwg/base-drafts <>
To: quicwg/base-drafts <>
Cc: Subscribed <>
Message-ID: <quicwg/base-drafts/issues/1786/>
In-Reply-To: <quicwg/base-drafts/issues/>
References: <quicwg/base-drafts/issues/>
Subject: Re: [quicwg/base-drafts] Add Advice and Rules for CONN_CLOSE in Initial and Handshake (#1786)
Mime-Version: 1.0
Content-Type: multipart/alternative; boundary="--==_mimepart_5badf30844ad_5d573fdce06d45b4530465"; charset="UTF-8"
Content-Transfer-Encoding: 7bit
Precedence: list
X-GitHub-Sender: kazuho
X-GitHub-Recipient: quic-issues
X-GitHub-Reason: subscribed
X-Auto-Response-Suppress: All
Archived-At: <>
X-Mailman-Version: 2.1.29
List-Id: Notification list for GitHub issues related to the QUIC WG <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 28 Sep 2018 09:23:23 -0000

> Well, the specs says that you MUST terminate the connection. You can't countermeasure that without not being QUIC.

You cannot process packets once you drop the keys, meaning that you would never see the CONNECTION_CLOSE packet, or anything else that might disrupt the handshake. Therefore, what an endpoint that is cautious of detecting attacks should do is drop the Initial key at the earliest moment. I simply do not see why we need to handle CONNECTION_CLOSE differently than other frames that we might see in a Initial packet that arrives at a later moment.

And in regard to the philosophical question of if ignoring a Initial packet that you detected and found a CONNECTION_CLOSE frame is against the spec., my argument would be that stacks are allowed to do whatever they want in these circumstances. In my view, it is the same as having a packet filter that drops suspicious TCP packets.

You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub: