-
Notifications
You must be signed in to change notification settings - Fork 204
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Discarding connection state at server on unvalidated client #2656
Comments
I think idle timeout might be too long depending on have cheaply a rogue client can initiate new connection attempts, possibly from spoofed source addresses, but that needs more analysis. |
I agree there should be a handshake timeout, which I believe is what you're discussing. But if so, that seems like a transport issue? |
I agree with @ianswett that this is a transport issue, and doesn't belong in the recovery document. There we are only talking about the timers needed for loss recovery, and I would find it confusing to talk about closing connections there. |
More generally on idle timeout - would it be OK to do a periodic GC scan risking up to 100% later timeout than the advertised idle timeout? Avoiding timers in passive connections is much cheaper. |
Yes, idle timeout on a periodic sweep is likely better than assuming that a timer is in play. As @marten-seemann says, anything we say here is in optimization territory. It is likely a very useful optimization, but we don't need to say too much in the spec unless there is an interop or security hazard. Offhand, I can't see anything other than a resource exhaustion problem, but that's clearly something that the periodic sweep should address. |
Am I correct in assuming that the PTO timer is not generally armed when data is transmitted actively on quality connections, or a while after data has been delivered? Combined with idle timeout scans this would mean that most long running connections would likely not have an active timer. This is a highly desirable property since a precise timer is O(log N). As far as I can tell theoretically O(1) timer wheels are no more effective than a good O(log N) implementation, including foregoing ordering below a certain resolution. There is a big difference between 1,000 entries and 100,000 timer entries. |
This seems somewhat related to Issue #2602 |
Fair point, @ianswett (and others) -- this should be against transport. It's probably worth clarifying that last sentence so it's not confusing to implementers. |
Discussed in Montreal, decision is to flip to editorial |
After reviewing this, I'm inclined to do nothing. The idle timeout covers this already. Servers are always permitted to drop connections sooner, but we don't need to specify anything. My primitive server doesn't have a problem with this as connections eventually drop based on the idle timeout. |
The originally quoted section has been substantially rewritten and now specifies the PTO alarm, so there's no confusion about which alarm. So I support @martinthomson suggestion to close this with no further action/OBE. |
@janaiyengar, if you agree with the previous suggestions, we could have one fewer open issue with very little effort. |
My experience with this suggests that things work fine with just the idle timeout, so closing this. |
The recovery draft says:
@mikkelfj notes in #2655 that the sender should discard connection state after some time.
This should probably happen after the idle timeout. In which case, the idle timeout timer ought to be armed.
The text was updated successfully, but these errors were encountered: