ACK validation during handshake #624
Labels: -transport; design (an issue that affects the design of the protocol; resolution requires consensus); has-consensus (an issue that the Chairs have determined has consensus, by canvassing the mailing list).
How to ignore early packets without getting in conflict with requirement to drop connection on invalid ACKS:
During handshake a lot of packets may be silently ignored - either because they do not match the current state and could be from an adversary but could also be spurious retransmissions no longer relevant, or because of races where future protected packets race in front of a handshake and we don't want to reserve a lot of, or any, state for packets we cannot verify immediately.
Keeping state of the dropped packets might be counter-productive - notably an adversary might shadow out valid packets by simply having a cleartext packet ignored. On the other hand dropped packets might be perfectly valid such as 1RTT protected, we just don't know it yet, and don't want to allocate a lot of state to find out later.
I suggest that ACK ranges received for untracked packets are ignored (not the entire ACK frame or packet). This means RTT estimation will remain unaffected and the connection will be vulnerable to attempts to suppress connection establishment.
A related issue is how to count MAX_DATA in this scenario, but I haven't thought much about this.
This very lengthy discussion on pull request is about when a connection SHOULD be upset with receiving unexpected ACKS, but does not really deal with the above issue: #565
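The per-range policy proposed above, as an added toy model (not code from the issue author or from any QUIC implementation): ACK ranges are decoded QUIC-style from (largest acknowledged, first range, gap/length pairs), a range naming any packet number we never sent or no longer track is dropped on its own, the remaining ranges are still applied, and the `strict` flag models the alternative of closing the connection on any unexpected ACK. The `AckFrame` class, `tracked` set and sample packet numbers are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import List, Set, Tuple


@dataclass
class AckFrame:
    """QUIC-style ACK frame fields (constructed toy model): largest acknowledged,
    first range length and (gap, range_length) pairs as laid out on the wire."""
    largest_acked: int
    first_range: int
    ranges: List[Tuple[int, int]] = field(default_factory=list)


def expand_ranges(frame: AckFrame) -> List[Tuple[int, int]]:
    """Decode the frame into inclusive (low, high) packet-number ranges.
    Each gap is the count of unacknowledged packets between two ranges, minus one."""
    high = frame.largest_acked
    low = high - frame.first_range
    out = [(low, high)]
    for gap, length in frame.ranges:
        high = low - gap - 2
        low = high - length
        out.append((low, high))
    return out


def process_ack(frame: AckFrame, tracked: Set[int], strict: bool = False):
    """Apply an ACK frame against the packet numbers we sent and still track.

    Returns (acked, ignored_ranges, rtt_sample_ok). A range containing any
    untracked packet number is ignored while the rest of the frame is processed;
    with strict=True the same situation closes the connection instead.
    A structurally malformed frame (range below packet number 0) is always an error.
    """
    acked, ignored = [], []
    for low, high in expand_ranges(frame):
        if low < 0:
            raise ValueError("malformed ACK frame: range below packet number 0")
        pns = list(range(low, high + 1))
        if all(pn in tracked for pn in pns):
            acked.extend(pns)
        elif strict:
            raise ConnectionError("ACK for untracked packet number; closing connection")
        else:
            ignored.append((low, high))
    # RTT estimation stays intact: a sample is taken only from largest_acked,
    # and only if that packet was really one of ours.
    rtt_sample_ok = frame.largest_acked in tracked
    return acked, ignored, rtt_sample_ok
```

With tracked handshake packets 0..5 and a frame acknowledging 7..8 (never sent) plus 1..3, the lenient policy ignores (7, 8), still marks 1, 2 and 3 as acknowledged and skips the RTT sample, whereas the strict policy tears the connection down.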