Consider three ways handshake for new paths #1749
Labels
-transport
design
An issue that affects the design of the protocol; resolution requires consensus.
has-consensus
An issue that the Chairs have determined has consensus, by canvassing the mailing list.
For privacy reasons, we want that communication between peers happens on path defined by a pair of addresses and identified by a pair of connection ID. For security reasons, we also want to not use paths before their continuity has been tested. Implementations end up doing that with an "ad hoc" three ways handshake:
Developers can make that work, and in fact it works in my code. But it is very brittle. It will fail if:
The first condition is unavoidable -- the client needs a fresh ID, and the server needs accept packets through it. But the other failure modes could be avoided, and a slight redesign would make the whole process more robust. The idea would be to recognize that this is a 3-ways handshake, and treat it as such:
Recognizing the probes as such makes bookkeeping much easier. It also allows enforcement of privacy rules: use exactly one CID for each of the peer CID. But of course, it requires three or four new frames; PATH_PROBE, PATH_RESPONSE, PATH_CONFIRM. And maybe something like PATH_RESET.
The text was updated successfully, but these errors were encountered: