Re: [quicwg/base-drafts] Does a Retry really need to change the CID? (#2837)

Mike Bishop <> Wed, 07 August 2019 18:46 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 61346120602 for <>; Wed, 7 Aug 2019 11:46:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -6.454
X-Spam-Status: No, score=-6.454 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_IMAGE_ONLY_20=1.546, HTML_MESSAGE=0.001, MAILING_LIST_MULTI=-1, RCVD_IN_DNSWL_HI=-5, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 1GqDJOtEpVjU for <>; Wed, 7 Aug 2019 11:46:42 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 7736D120152 for <>; Wed, 7 Aug 2019 11:46:42 -0700 (PDT)
Date: Wed, 07 Aug 2019 11:46:41 -0700
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=pf2014; t=1565203601; bh=5ux8pXNh38XXkqX3hydckLpwnj6NExlE31ubxQlVBTM=; h=Date:From:Reply-To:To:Cc:In-Reply-To:References:Subject:List-ID: List-Archive:List-Post:List-Unsubscribe:From; b=M7v3wNcv2f05wNXzrl6Ycd7Ey2+91ZewPcVVehPz1ofjQaJ6U0CIFs3d6EDT6Txtx dvaZOvddU1rgIajx3uXphdG3/rbQWe9VqDuJ6hp8rsfzCpCvTqLE3PzHL4KVZyJ9Kf NExXxNO7SQAhFT1XsdVFIfUs0ZmQfrR4/wm2L2nE=
From: Mike Bishop <>
Reply-To: quicwg/base-drafts <>
To: quicwg/base-drafts <>
Cc: Subscribed <>
Message-ID: <quicwg/base-drafts/issues/2837/>
In-Reply-To: <quicwg/base-drafts/issues/>
References: <quicwg/base-drafts/issues/>
Subject: Re: [quicwg/base-drafts] Does a Retry really need to change the CID? (#2837)
Mime-Version: 1.0
Content-Type: multipart/alternative; boundary="--==_mimepart_5d4b1c9169ea6_59f03fed1eacd9602913aa"; charset="UTF-8"
Content-Transfer-Encoding: 7bit
Precedence: list
X-GitHub-Sender: MikeBishop
X-GitHub-Recipient: quic-issues
X-GitHub-Reason: subscribed
X-Auto-Response-Suppress: All
Archived-At: <>
X-Mailman-Version: 2.1.29
List-Id: Notification list for GitHub issues related to the QUIC WG <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 07 Aug 2019 18:46:45 -0000

Another reason, I think:  By requiring it to change, the ODCID becomes something that the server can include in the TPs to ensure than an on-path attacker didn't inject a Retry before the Initial reached the server.  It proves that the sender of the Retry was, if not the server itself, affiliated with it.  Otherwise, the ODCID is potentially still in the client's Initial for the server to echo back without coordination.

You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub: