Re: Alternative ways to keeps ODCID on the server
Dmitri Tikhonov <dtikhonov@litespeedtech.com> Mon, 27 January 2020 13:15 UTC
Return-Path: <dtikhonov@litespeedtech.com>
X-Original-To: quic@ietfa.amsl.com
Delivered-To: quic@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7094A12004E for <quic@ietfa.amsl.com>; Mon, 27 Jan 2020 05:15:20 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.559
X-Spam-Level:
X-Spam-Status: No, score=-0.559 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DATE_IN_PAST_24_48=1.34, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=litespeedtech-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id IqSr0EKEoSxx for <quic@ietfa.amsl.com>; Mon, 27 Jan 2020 05:15:19 -0800 (PST)
Received: from mail-qt1-x82b.google.com (mail-qt1-x82b.google.com [IPv6:2607:f8b0:4864:20::82b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3FFA3120026 for <quic@ietf.org>; Mon, 27 Jan 2020 05:15:19 -0800 (PST)
Received: by mail-qt1-x82b.google.com with SMTP id e25so7258297qtr.13 for <quic@ietf.org>; Mon, 27 Jan 2020 05:15:19 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=litespeedtech-com.20150623.gappssmtp.com; s=20150623; h=date:from:to:cc:subject:message-id:mail-followup-to:references :mime-version:content-disposition:in-reply-to:user-agent; bh=ZXtACGKlFuE6JFRVYJUYNYe0eosprLPr+iOvOLHNjQw=; b=UBinmhKc0sfK6ya4/hNZdiZfo7c2gWk0PDuAd2uC1phtcbjlucn3vK1jLX3ULK7OsJ SXtA2WuWFZje7UUobZshKDKJ4bRrPdzkmopeDkhMoSh8efnImIYYuiObxhAQ4vWb5txU N/WG7ylwCWmTKpjR2FuBsjDpZHzPT0N/VkIBe+M9BK1uVm3Bgl4oROBIKIOiybCWNy8Z WKn/W8E5g+pNJeqHXRWKSmlRYrdqR0fRd+WqoLRrs7I4tl1orRzFFxYsl9GMWnNKBI5W 4TSkyG5nJe3tOz3stZP9keLKC0K7XuNJxmOPG63fZu4jWbdTlDKtDlAhAUqGWD9nTuxk 1JdA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:from:to:cc:subject:message-id :mail-followup-to:references:mime-version:content-disposition :in-reply-to:user-agent; bh=ZXtACGKlFuE6JFRVYJUYNYe0eosprLPr+iOvOLHNjQw=; b=MCShdzMmuzEtE/RVJPwlipZWY/KQunrAdJ8t4GgL/Zp7HnExlu2wwNrg6Txqq4bN2T cG9AMe1s5j45o46MR3BqP5oK4BjqR1Wz9Eeo9SiVX/VvK6iE55hQGLak/Ir20TFuB19U aN2VbkR+NEmUZLG/LsEHG08WDtHgFPUvRwbufsWuzUUgjCOtGy9fVWO0ekVx1heRqYMW o17of0/Fhv3eKjA1PZj5L/1yBP2eLeilIezO3pRuil4gavQnKSLKDzM3RBfdns8ms8SM LbpT4OxJriC8vUMDzMm79cXFJeyxaEkynw4kz/4+wLhVoZAx5BMOHBiyOxuFyxJ9F05C lncQ==
X-Gm-Message-State: APjAAAUwntJsWvlVjK4mH6J97mFij4NPzpo9LRtPJslrGjwDmjtqolkW fgZ3XIrPdV6OKMZEagnlykwlYQ==
X-Google-Smtp-Source: APXvYqxreYwBpwkBm85SnMjYeBRRZomUqvNxGPkT7OyUYFd75yF72wZmSqprZHfYVOJ8kh51xGdR/g==
X-Received: by 2002:ac8:694f:: with SMTP id n15mr8923395qtr.372.1580130918331; Mon, 27 Jan 2020 05:15:18 -0800 (PST)
Received: from ubuntu-dmitri (ool-2f1636b6.static.optonline.net. [47.22.54.182]) by smtp.gmail.com with ESMTPSA id q7sm9537745qkc.43.2020.01.27.05.15.17 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Mon, 27 Jan 2020 05:15:17 -0800 (PST)
Date: Sat, 25 Jan 2020 08:54:12 -0500
From: Dmitri Tikhonov <dtikhonov@litespeedtech.com>
To: Ian Swett <ianswett=40google.com@dmarc.ietf.org>
Cc: Christian Huitema <huitema@huitema.net>, Marten Seemann <martenseemann@gmail.com>, IETF QUIC WG <quic@ietf.org>
Subject: Re: Alternative ways to keeps ODCID on the server
Message-ID: <20200125135411.GA19655@ubuntu-dmitri>
Mail-Followup-To: Ian Swett <ianswett=40google.com@dmarc.ietf.org>, Christian Huitema <huitema@huitema.net>, Marten Seemann <martenseemann@gmail.com>, IETF QUIC WG <quic@ietf.org>
References: <20200124222434.GA8279@ubuntu-dmitri> <7b228c14-c0d3-6458-77ab-945e713ef429@huitema.net> <CAOYVs2qhPBtbjrVEXE+oMXWUWRBqhzDfZsiOatRW5Zd67e1sWg@mail.gmail.com> <ee0f625b-b260-9e3d-12b6-80291fc110eb@huitema.net> <CAKcm_gNKu5b__cjy5212pWN=PKwdZKX23rXHs423-u8hZMjr+w@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <CAKcm_gNKu5b__cjy5212pWN=PKwdZKX23rXHs423-u8hZMjr+w@mail.gmail.com>
User-Agent: Mutt/1.5.24 (2015-08-30)
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic/I9Da_TLQw-Iwj5yt6teNFFAixFc>
X-BeenThere: quic@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Main mailing list of the IETF QUIC working group <quic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic>, <mailto:quic-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic/>
List-Post: <mailto:quic@ietf.org>
List-Help: <mailto:quic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic>, <mailto:quic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 27 Jan 2020 13:15:20 -0000
After considering this for a few days, I now think that the "server MAY proceed" part should be removed from the draft. This is because it is impossible to get ODCID from an invalid Retry token. There is no other way reliably to associate an incoming packet with a previous packet (if the server were willing to stored ODCIDs in memory somewhere). Specifying that the server MAY proceed only makes the issue more confusing. - Dmitri. On Sat, Jan 25, 2020 at 04:36:51PM -0500, Ian Swett wrote: > This is a bit of an edge case, so spelling out what's required to proceed > seems reasonable to me. > > On Sat, Jan 25, 2020 at 12:11 AM Christian Huitema <huitema@huitema.net> > wrote: > > > > > On 1/24/2020 8:41 PM, Marten Seemann wrote: > > > > Then it's not a *Retry* token, then it's a NEW_TOKEN token. > > It's a kind of subtle distinction (as I noted in > > https://github.com/quicwg/base-drafts/pull/3107#discussion_r349859380). > > > > > > I understand that they are different. But look at the text in draft-25: > > > > If a server receives a client Initial that can be unprotected but > > contains an invalid Retry token, it knows the client will not accept > > another Retry token. The server can discard such a packet and allow > > the client to time out to detect handshake failure, but that could > > impose a significant latency penalty on the client. A server MAY > > proceed with the connection without verifying the token, though the > > server MUST NOT consider the client address validated. If a server > > chooses not to proceed with the handshake, it SHOULD immediately > > close (Section 10.3 <https://tools.ietf.org/html/draft-ietf-quic-transport-25#section-10.3>) the connection with an INVALID_TOKEN error. > > Note that a server has not established any state for the connection > > at this point and so does not enter the closing period. > > > > Invalid is invalid. An invalid token is something that the server cannot parse. > > The server does not know whether the client got the token from a retry packet > > or a new token frame, or just made it up with random bytes. > > > > -- Christian Huitema > > > >
- Re: Alternative ways to keeps ODCID on the server Christian Huitema
- Alternative ways to keeps ODCID on the server Dmitri Tikhonov
- Re: Alternative ways to keeps ODCID on the server Marten Seemann
- Re: Alternative ways to keeps ODCID on the server Christian Huitema
- Re: Alternative ways to keeps ODCID on the server Ian Swett
- Re: Alternative ways to keeps ODCID on the server Dmitri Tikhonov
- Re: Alternative ways to keeps ODCID on the server Dmitri Tikhonov
- Re: Alternative ways to keeps ODCID on the server Kazuho Oku
- Re: Alternative ways to keeps ODCID on the server Marten Seemann
- Re: Alternative ways to keeps ODCID on the server Christian Huitema
- Re: Alternative ways to keeps ODCID on the server Marten Seemann
- Re: Alternative ways to keeps ODCID on the server Kazuho Oku
- Re: Alternative ways to keeps ODCID on the server Christian Huitema
- Re: Alternative ways to keeps ODCID on the server Eric Rescorla