New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
The server needs to acknowledge that a Retry happened #1793
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Why is the design such that the client validates instead of the server? Can we not have such a design where the client updates its TP to include the original CID, and the server validates this? It is the one that knows if it expected a Retry or not. In the case of a completely independent DoS protection device, that the server wants to allow for, it doesn't necessarily know the original CID, and could then just generally allow any changes. I just think the server should be the one doing the validation, as it know the deployment state; not the client.
To clarify, the server can't generate a retry itself IF there's also a DoS device in front of it. If the DoS device is the server, I don't see why that wouldn't work? |
To be specific, the server can't generate a Retry if the DoS device already generated one. If the DoS device is only present some of the time, the those other times, the server can still do it. |
It creates the right incentives. This way, server implementations can't cheap out and not implement the check or coordination. If servers didn't check, middleboxes could come to rely on them not checking. That leads to Retry coming from middleboxes, which I heard pretty firmly that we don't want. Given how easy this is to manage with a tiny bit of coordination (Azure could simply publish their scheme for encoding the connection ID into the token, for instance), this scheme seems like the best way to avoid that class of problem. |
This should prevent a MitM from generating a Retry without some level of coordination with a server.
Even with this change, the process for managing the use of a third-party DoS screening device can be straightforward. There are a few important tweaks that will ensure that this won't result in troubles:
Closes #1710, #1486.