From 9fc4a11047ea51cec8555b07d4942f2985461695 Mon Sep 17 00:00:00 2001 From: Marten Seemann Date: Thu, 8 Oct 2020 08:48:10 +0700 Subject: [PATCH 1/5] add text about CID lengths to the invariants --- draft-ietf-quic-invariants.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/draft-ietf-quic-invariants.md b/draft-ietf-quic-invariants.md index 3f47a0ee11..cb19430006 100644 --- a/draft-ietf-quic-invariants.md +++ b/draft-ietf-quic-invariants.md @@ -316,6 +316,10 @@ connection IDs gives clients some assurance that the server received the packet and that the Version Negotiation packet was not generated by an off-path attacker. +A server MUST NOT apply any restrictions to the length of the connection IDs +when deciding whether to send a Version Negotiation Packet, even if it only +supports QUIC versions that restrict the acceptable lengths of connection IDs. + An endpoint that receives a Version Negotiation packet might change the version that it decides to use for subsequent packets. The conditions under which an endpoint changes QUIC version will depend on the version of QUIC that it From ec1741271763e767181e63e1f9aa1e5034be63bf Mon Sep 17 00:00:00 2001 From: Marten Seemann Date: Thu, 8 Oct 2020 08:48:49 +0700 Subject: [PATCH 2/5] clarify that future QUIC versions might have different CID length requirements --- draft-ietf-quic-transport.md | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/draft-ietf-quic-transport.md b/draft-ietf-quic-transport.md index 4d5a5bf244..9a161c1066 100644 --- a/draft-ietf-quic-transport.md +++ b/draft-ietf-quic-transport.md 
@@ -4554,9 +4554,11 @@ connection IDs gives clients some assurance that the server received the packet and that the Version Negotiation packet was not generated by an off-path attacker. -As future versions of QUIC may support Connection IDs larger than the version 1 -limit, Version Negotiation packets could carry Connection IDs that are longer -than 20 bytes. +Future versions of QUIC may have different requirements for the lengths of +connection IDs larger than version 1. In particular, connection IDs might not +be required to have a minimum lengths, and might be longer than 20 bytes. A +server therefore MUST respond with a Version Negotiation packets for all +lengths of connection IDs allowed by the layout defined here. The remainder of the Version Negotiation packet is a list of 32-bit versions that the server supports. From 05cc5d9af4c53185585ae682b8d0f12673a2ac53 Mon Sep 17 00:00:00 2001 From: Marten Seemann Date: Fri, 9 Oct 2020 11:09:18 +0700 Subject: [PATCH 3/5] use @martinthomson's suggestion for the invariants --- draft-ietf-quic-invariants.md | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/draft-ietf-quic-invariants.md b/draft-ietf-quic-invariants.md index cb19430006..673362e25e 100644 --- a/draft-ietf-quic-invariants.md +++ b/draft-ietf-quic-invariants.md 
@@ -316,9 +316,8 @@ connection IDs gives clients some assurance that the server received the packet and that the Version Negotiation packet was not generated by an off-path attacker. -A server MUST NOT apply any restrictions to the length of the connection IDs -when deciding whether to send a Version Negotiation Packet, even if it only -supports QUIC versions that restrict the acceptable lengths of connection IDs. +Version-specific rules for QUIC packets MUST NOT influence a server decision +about whether to send a Version Negotiation packet. An endpoint that receives a Version Negotiation packet might change the version that it decides to use for subsequent packets. The conditions under which an From 3fec711e7223249e4e7934deef4b8e0974cba8cd Mon Sep 17 00:00:00 2001 From: Marten Seemann Date: Fri, 9 Oct 2020 11:14:44 +0700 Subject: [PATCH 4/5] apply @martinthompson's and @MikeBishop's suggestions --- draft-ietf-quic-transport.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/draft-ietf-quic-transport.md b/draft-ietf-quic-transport.md index 9a161c1066..9f7ac69ee3 100644 --- a/draft-ietf-quic-transport.md +++ b/draft-ietf-quic-transport.md 
@@ -4555,10 +4555,10 @@ and that the Version Negotiation packet was not generated by an off-path attacker. Future versions of QUIC may have different requirements for the lengths of -connection IDs larger than version 1. In particular, connection IDs might not -be required to have a minimum lengths, and might be longer than 20 bytes. A -server therefore MUST respond with a Version Negotiation packets for all -lengths of connection IDs allowed by the layout defined here. +connection IDs. In particular, connection IDs might have a smaller minimum +length or a greater maximum length. Version-specific rules for QUIC packets +therefore MUST NOT influence a server decision about whether to send a Version +Negotiation packet. The remainder of the Version Negotiation packet is a list of 32-bit versions that the server supports. From c7092bc1842b3dc3c03c263713aa9488aa95c8ad Mon Sep 17 00:00:00 2001 From: Martin Thomson Date: Fri, 16 Oct 2020 10:27:29 +1100 Subject: [PATCH 5/5] Remove invariants text --- draft-ietf-quic-invariants.md | 3 --- 1 file changed, 3 deletions(-) diff --git a/draft-ietf-quic-invariants.md b/draft-ietf-quic-invariants.md index 673362e25e..3f47a0ee11 100644 --- a/draft-ietf-quic-invariants.md +++ b/draft-ietf-quic-invariants.md @@ -316,9 +316,6 @@ connection IDs gives clients some assurance that the server received the packet and that the Version Negotiation packet was not generated by an off-path attacker. -Version-specific rules for QUIC packets MUST NOT influence a server decision -about whether to send a Version Negotiation packet. - An endpoint that receives a Version Negotiation packet might change the version that it decides to use for subsequent packets. The conditions under which an endpoint changes QUIC version will depend on the version of QUIC that it
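Review bot: In PATCH 1/5 the added paragraph in draft-ietf-quic-invariants.md writes "Version Negotiation Packet" with a capital P, while the unchanged context around it uses "Version Negotiation packet"; lower-case it for consistency. "MUST NOT apply any restrictions to the length of the connection IDs" is also broader than the bound PATCH 2/5 gives for the transport draft, "all lengths of connection IDs allowed by the layout defined here", and the two drafts should state the same limit.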
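Review bot: In PATCH 2/5 the replacement paragraph in draft-ietf-quic-transport.md has three wording errors inside normative text: "the lengths of connection IDs larger than version 1" compares a length to a version, and "a minimum lengths" and "a Version Negotiation packets" mix singular and plural. Suggest "different requirements for the lengths of connection IDs than version 1", "a minimum length" and "a Version Negotiation packet". As written, the MUST also does not say which incoming packets trigger the response, only which connection ID lengths it covers, so an implementer could read it as applying to every packet.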
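Review bot: In PATCH 3/5 the new sentence says "a server decision", which should be the possessive "a server's decision". The rewrite also drops the explicit mention of connection ID lengths that the removed lines carried, so the invariants text no longer shows which kind of version-specific rule motivated the requirement; a short qualifier such as "for example, limits on connection ID length" would keep that link.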
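Review bot: In PATCH 4/5 the added lines repeat "a server decision" from PATCH 3/5; use "a server's decision" here as well. The subject line credits "@martinthompson", while PATCH 3/5 credits "@martinthomson" and PATCH 5/5 is authored by Martin Thomson, so the handle in this subject looks misspelled and is worth fixing before the series is merged.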
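Review bot: The commit message of PATCH 5/5, "Remove invariants text", gives no reason for dropping the MUST NOT sentence from draft-ietf-quic-invariants.md; it should say why a rule about ignoring version-specific packet constraints is kept only in the version 1 transport draft. The resulting blob 3f47a0ee11 is the same one PATCH 1/5 started from, so the series leaves the invariants draft unchanged overall, and patches 1, 3 and 5 could be dropped when the series is squashed.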