Merge pull request #4241 from quicwg/pad-path-validation

Pad path validation in both directions
quicwg · Oct 20, 2020 · 739a6cc · 739a6cc
2 parents 8a665eb + 1e95cb2
commit 739a6cc
Showing 1 changed file with 20 additions and 6 deletions.
diff --git a/draft-ietf-quic-transport.md b/draft-ietf-quic-transport.md
@@ -2205,16 +2205,29 @@ connection.
 The endpoint MUST use unpredictable data in every PATH_CHALLENGE frame so that
 it can associate the peer's response with the corresponding PATH_CHALLENGE.
 
+An endpoint MUST expand datagrams that contain a PATH_CHALLENGE frame to at
+least the smallest allowed maximum datagram size of 1200 bytes.  Sending UDP
+datagrams of this size ensures that the network path from the endpoint to the
+peer can be used for QUIC; see {{datagram-size}}.
+
 
 ### Path Validation Responses
 
 On receiving a PATH_CHALLENGE frame, an endpoint MUST respond by echoing the
-data contained in the PATH_CHALLENGE frame in a PATH_RESPONSE frame. A
-PATH_RESPONSE frame does not need to be sent on the network path where the
-PATH_CHALLENGE was received; a PATH_RESPONSE can be sent on any network path.
-An endpoint MUST NOT delay transmission of a packet containing a PATH_RESPONSE
+data contained in the PATH_CHALLENGE frame in a PATH_RESPONSE frame.  An
+endpoint MUST NOT delay transmission of a packet containing a PATH_RESPONSE
 frame unless constrained by congestion control.
 
+A PATH_RESPONSE frame MUST be sent on the network path where the
+PATH_CHALLENGE was received.  This ensures that path validation by a peer only
+succeeds if the path is functional in both directions.  This requirement MUST
+NOT be enforced by the endpoint that initiates path validation as that would
+enable an attack on migration; see {{off-path-forward}}.
+
+An endpoint MUST expand datagrams that contain a PATH_RESPONSE frame to at
+least the smallest allowed maximum datagram size of 1200 bytes. This verifies
+that the path is able to carry datagrams of this size in both directions.
+
 An endpoint MUST NOT send more than one PATH_RESPONSE frame in response to one
 PATH_CHALLENGE frame; see {{retransmission-of-information}}.  The peer is
 expected to send more PATH_CHALLENGE frames as necessary to evoke additional
@@ -2224,8 +2237,9 @@ PATH_RESPONSE frames.
 ### Successful Path Validation
 
 Path validation succeeds when a PATH_RESPONSE frame is received that contains
-the data that was sent in a previous PATH_CHALLENGE frame. This validates the
-path on which the PATH_CHALLENGE was sent.
+the data that was sent in a previous PATH_CHALLENGE frame.  A PATH_RESPONSE
+frame received on any network path validates the path on which the
+PATH_CHALLENGE was sent.
 
 Receipt of an acknowledgment for a packet containing a PATH_CHALLENGE frame is
 not adequate validation, since the acknowledgment can be spoofed by a malicious