Re: [quicwg/base-drafts] Can Initial/0-RTT CIDs safely be used for routing? (#2026)

MikkelFJ <> Tue, 20 November 2018 21:15 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 70AA712785F for <>; Tue, 20 Nov 2018 13:15:56 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -8.47
X-Spam-Status: No, score=-8.47 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.47, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, MAILING_LIST_MULTI=-1, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id uwyhpr5G3p0T for <>; Tue, 20 Nov 2018 13:15:54 -0800 (PST)
Received: from ( []) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 6E7F5126DBF for <>; Tue, 20 Nov 2018 13:15:54 -0800 (PST)
Date: Tue, 20 Nov 2018 13:15:53 -0800
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=pf2014; t=1542748553; bh=fKJYbZAJW7+/OsgOZFQurBNlSDzkf5O+pYKavKG9e3I=; h=Date:From:Reply-To:To:Cc:In-Reply-To:References:Subject:List-ID: List-Archive:List-Post:List-Unsubscribe:From; b=e92kyNJ5sAC5rGeCr+2r2qME1f5qKFH7V2U+ovAAjVt7BgsimEkIZ2YAYNrFKfj+q SDyeVYgzuDGiXCP1LfSJ+/01EIYGXqhy4I9HvJeDocm3otHhRscyX/9wQcl6E8952d yQTWbyvP8v82qew7LuLgve2eeww36qzeo8+JrCYA=
From: MikkelFJ <>
Reply-To: quicwg/base-drafts <>
To: quicwg/base-drafts <>
Cc: Subscribed <>
Message-ID: <quicwg/base-drafts/issues/2026/>
In-Reply-To: <quicwg/base-drafts/issues/>
References: <quicwg/base-drafts/issues/>
Subject: Re: [quicwg/base-drafts] Can Initial/0-RTT CIDs safely be used for routing? (#2026)
Mime-Version: 1.0
Content-Type: multipart/alternative; boundary="--==_mimepart_5bf479896fd82_373f3fb2a1ad45c4320188"; charset="UTF-8"
Content-Transfer-Encoding: 7bit
Precedence: list
X-GitHub-Sender: mikkelfj
X-GitHub-Recipient: quic-issues
X-GitHub-Reason: subscribed
X-Auto-Response-Suppress: All
Archived-At: <>
X-Mailman-Version: 2.1.29
List-Id: Notification list for GitHub issues related to the QUIC WG <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 20 Nov 2018 21:15:57 -0000

If a middlebox can tell the difference between and original and a Retry driven Initial packet, it would be possible configure the middlebox to a) route randomly on first initial, or b) route consistently on first initial, and for both a) and b) route consistently after a retry.

In the case b) the middlebox could force a retry when it thinks there is overload either accidentally, or through an attack.

If the Retry is verified properly, it is not possible to forge a successful CID in this case.

All of this should be possible, and trivial to do, but need some reading up to see what is the current state of affairs. I think middleboxes might not be able to detect a Retry driven initial but endpoints are since a Retry can only happen once.

You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub: