Re: [quicwg/base-drafts] Limit RCID state (#3547)

Kazuho Oku <notifications@github.com> Fri, 27 March 2020 23:34 UTC

Return-Path: <noreply@github.com>
X-Original-To: quic-issues@ietfa.amsl.com
Delivered-To: quic-issues@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DDF7B3A0E22 for <quic-issues@ietfa.amsl.com>; Fri, 27 Mar 2020 16:34:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.1
X-Spam-Level:
X-Spam-Status: No, score=-3.1 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, MAILING_LIST_MULTI=-1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=github.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id M6J20pjW0Ma4 for <quic-issues@ietfa.amsl.com>; Fri, 27 Mar 2020 16:34:34 -0700 (PDT)
Received: from out-24.smtp.github.com (out-24.smtp.github.com [192.30.252.207]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4FA503A0DAD for <quic-issues@ietf.org>; Fri, 27 Mar 2020 16:34:34 -0700 (PDT)
Received: from github-lowworker-5825cd4.ac4-iad.github.net (github-lowworker-5825cd4.ac4-iad.github.net [10.52.22.68]) by smtp.github.com (Postfix) with ESMTP id 7074A6A0E65 for <quic-issues@ietf.org>; Fri, 27 Mar 2020 16:34:33 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=github.com; s=pf2014; t=1585352073; bh=yxPYruaJAtZV9QqHNaX2nyjwkoA30EAcjk9yz2lrAxo=; h=Date:From:Reply-To:To:Cc:In-Reply-To:References:Subject:List-ID: List-Archive:List-Post:List-Unsubscribe:From; b=0fKe6Yn2eX2kO3ZMug/mHQegrB6+4gLr5a3SJd4Xxau/nIUKC0VHTWBoaI8dFIf93 bLZTqS3X2OqrlAsqgSXjzzeLk+9Bcmy5rWZul+s93Va9/pMcxS8fcsgURjLMhI29El 05Z3PWq7lwvGxbNtKHfCBfzR4sSJ8/HI4CViW2HY=
Date: Fri, 27 Mar 2020 16:34:33 -0700
From: Kazuho Oku <notifications@github.com>
Reply-To: quicwg/base-drafts <reply+AFTOJKZRVDJFMNDVQDGRE5N4RJXITEVBNHHCGFYIAU@reply.github.com>
To: quicwg/base-drafts <base-drafts@noreply.github.com>
Cc: Subscribed <subscribed@noreply.github.com>
Message-ID: <quicwg/base-drafts/pull/3547/review/383250846@github.com>
In-Reply-To: <quicwg/base-drafts/pull/3547@github.com>
References: <quicwg/base-drafts/pull/3547@github.com>
Subject: Re: [quicwg/base-drafts] Limit RCID state (#3547)
Mime-Version: 1.0
Content-Type: multipart/alternative; boundary="--==_mimepart_5e7e8d8960468_1df3fe214ccd9641587e"; charset=UTF-8
Content-Transfer-Encoding: 7bit
Precedence: list
X-GitHub-Sender: kazuho
X-GitHub-Recipient: quic-issues
X-GitHub-Reason: subscribed
X-Auto-Response-Suppress: All
X-GitHub-Recipient-Address: quic-issues@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic-issues/qExOOeYYclKD1eNZNAzBZkwTW_g>
X-BeenThere: quic-issues@ietf.org
X-Mailman-Version: 2.1.29
List-Id: Notification list for GitHub issues related to the QUIC WG <quic-issues.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic-issues>, <mailto:quic-issues-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic-issues/>
List-Post: <mailto:quic-issues@ietf.org>
List-Help: <mailto:quic-issues-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic-issues>, <mailto:quic-issues-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 27 Mar 2020 23:34:45 -0000

@kazuho commented on this pull request.



> @@ -1069,6 +1069,17 @@ to cease using the connection IDs when requested can result in connection
 failures, as the issuing endpoint might be unable to continue using the
 connection IDs with the active connection.
 
+An endpoint MAY elect to limit the number of outstanding RETIRE_CONNECTION_ID

I think this should be a SHOULD.

In case of a client-driven attack using path probes, an innocent server without this type of bound would end up holding infinite amount of state.

> @@ -1069,6 +1069,17 @@ to cease using the connection IDs when requested can result in connection
 failures, as the issuing endpoint might be unable to continue using the
 connection IDs with the active connection.
 
+An endpoint MAY elect to limit the number of outstanding RETIRE_CONNECTION_ID
+frames to bound the necessary state. In order to allow a peer to retire all
+previously issued connection IDs, this limit SHOULD be at least the
+active_connection_id_limit. Within this limit, endpoints SHOULD prioritize
+sending frames which the peer is least likely to have received.
+
+Endpoints SHOULD NOT issue updates of the Retire Prior To field before receiving
+RETIRE_CONNECTION_ID frames for the previous update of Retire Prior To. Doing so
+may result in the peer being unwilling to immediately retire all the connection
+IDs, if retiring them would cause it to exceed its limit on outstanding
+RETIRE_CONNECTION_ID frames, as described above.

I think that the last sentence is inaccurate. As pointed out in my previous comments (https://github.com/quicwg/base-drafts/pull/3547#discussion_r399240482), an endpoint might receive a request to retire all the CIDs while it is already in the process of retiring some. In such case, *just* remembering `max_connection_id_limit` CIDs being retired is insufficient.

I think it would be better if we removed the recommendations from these two paragraphs, so that each of them becomes a problem statement, then in a new paragraph describe some of the measures that an endpoint SHOULD toke; e.g.:
* remember max_connection_id_limit CIDs, and also track those below RPT (as suggested by @ianswett in https://github.com/quicwg/base-drafts/pull/3547#discussion_r399248483)
* remember 2 * max_connection_id_limit

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/quicwg/base-drafts/pull/3547#pullrequestreview-383250846