[quicwg/base-drafts] How many datagrams can a client send prior to validating the path? (#2135)

Kazuho Oku <notifications@github.com> Thu, 13 December 2018 01:19 UTC

Return-Path: <noreply@github.com>
X-Original-To: quic-issues@ietfa.amsl.com
Delivered-To: quic-issues@ietfa.amsl.com
Received: from localhost (localhost []) by ietfa.amsl.com (Postfix) with ESMTP id EA7B3129BBF for <quic-issues@ietfa.amsl.com>; Wed, 12 Dec 2018 17:19:18 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -8.056
X-Spam-Status: No, score=-8.056 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-1.46, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_IMAGE_ONLY_28=1.404, HTML_MESSAGE=0.001, MAILING_LIST_MULTI=-1, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=github.com
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id P6uPK3C8ir7W for <quic-issues@ietfa.amsl.com>; Wed, 12 Dec 2018 17:19:17 -0800 (PST)
Received: from out-7.smtp.github.com (out-7.smtp.github.com []) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CA786128B14 for <quic-issues@ietf.org>; Wed, 12 Dec 2018 17:19:16 -0800 (PST)
Date: Wed, 12 Dec 2018 17:19:15 -0800
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=github.com; s=pf2014; t=1544663955; bh=6FNUriuYkQFDVeEsgdK6i6U4C0IXwSE0rnGotkRSyxI=; h=Date:From:Reply-To:To:Cc:Subject:List-ID:List-Archive:List-Post: List-Unsubscribe:From; b=inphr+epXFGsnZgnD61gyLIoCwasncgG06rCaURSoEo25MmA0zcM6Muv50EA8Mz78 mGdIgT1ZLhk6EzciT2fSXGG1gIDJwb5HhfsehHiVdjAxGiOE5eTvLcjYdvwCAD6PaX pgDjraC7hWama/WW1yWITIKnhYr8pXG5gj/Cs/OA=
From: Kazuho Oku <notifications@github.com>
Reply-To: quicwg/base-drafts <reply+0166e4abbe71dbc8f822898eff5c44895275be294cfbc15192cf000000011829759392a169ce174638d4@reply.github.com>
To: quicwg/base-drafts <base-drafts@noreply.github.com>
Cc: Subscribed <subscribed@noreply.github.com>
Message-ID: <quicwg/base-drafts/issues/2135@github.com>
Subject: [quicwg/base-drafts] How many datagrams can a client send prior to validating the path? (#2135)
Mime-Version: 1.0
Content-Type: multipart/alternative; boundary="--==_mimepart_5c11b39396501_42483fdaef4d45b81335fb"; charset="UTF-8"
Content-Transfer-Encoding: 7bit
Precedence: list
X-GitHub-Sender: kazuho
X-GitHub-Recipient: quic-issues
X-GitHub-Reason: subscribed
X-Auto-Response-Suppress: All
X-GitHub-Recipient-Address: quic-issues@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic-issues/dFpx2bfZCUnaGTftLQTWIF0ocZU>
X-BeenThere: quic-issues@ietf.org
X-Mailman-Version: 2.1.29
List-Id: Notification list for GitHub issues related to the QUIC WG <quic-issues.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic-issues>, <mailto:quic-issues-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic-issues/>
List-Post: <mailto:quic-issues@ietf.org>
List-Help: <mailto:quic-issues-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic-issues>, <mailto:quic-issues-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 13 Dec 2018 01:19:19 -0000

To avoid it being used as a DDoS attack vector, we forbid the server from sending more than three datagrams before the path is validated during the handshake.

Do we need similar safeguard for the number of datagrams that a client may emit before it sees a packet from the server? IMO, it might be worth considering, due to the following reasons:

* The attack vector exists. For example, an attacker can inject a DNS response for a huge website to a DNS server. Then, clients would start sending 0-RTT packets to the victim.
* The number of packets that the client can send prior to path being validated was one for TCP. The QUIC transport draft is silent about the limit (though INITCWND would practically become in play here).

You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub: