New connection IDs are mandatory for intentional migration

[martinthomson]

Based on #2386, which should merge soon.

Closes #2413.

[ianswett]

Suggested change

	inactivity, where NAT rebinding might occur when the client begins sending data
	inactivity, NAT rebinding may cause an unintentional change in path when the client begins sending data

[janaiyengar]

I would move the conditional clause to the beginning, otherwise it's not clear what the "This" in the next sentence refers to.

"Unless the peer has selected a zero-length connection ID, an endpoint MUST use ..."

Also, how about adding something about what the endpoint needs to do if it has nothing from the peer? Something like: "If no new connection IDs are available, the endpoint MUST NOT migrate. The endpoint MAY close the connection, but MUST NOT send any packets on a new path with the same connection ID as that used on an earlier path." I can't find any text that says as much. I wonder if this is a new non-editorial issue, since we currently do not have normative text about this (maybe I just can't find it yet).

[martinthomson]

I've just updated the text below to cover the MUST NOT migrate case (I used "cannot" before).

[janaiyengar]

This text is good, but still doesn't have normatives, and I think we should have MUST NOT.

[ianswett]

I think it makes sense to put this 3rd sentence first, and then say, "Otherwise, an endpoint cannot migrate..."

The current text reads in a somewhat self-contradictory way.

[janaiyengar]

Suggested change

	endpoint can always migrate - zero-length connection IDs provide no significant
	endpoint can always migrate, since zero-length connection IDs provide no significant

[MikeBishop]

As noted in #2413, this PR permits something that's currently prohibited intentionally -- migrating with a zero-length CID. Do we have consensus to make that change?

If there's no CID and the packet is coming from an unknown remote address, how does the server know what keys to use to remove packet protection in that case? We've previously said we need to avoid trial decryption, and that seems like the only option if migration is permitted.

[mikkelfj]

I think this strikes a good balance. It isn't practical to forbid migration without CID when NAT's do it behind your back, but allowing it for intentional migration would work against networks attempting to move towards safer modes of operation in the future, some which might only make sense if QUIC does indeed require new CID's on migration.

At some point with IPv6, NAT rebinding might be seen the same way as older insecure WLAN standards.

[ianswett]

Above we say you can't migrate if you use a zero-length connection ID, so I don't understand the purpose of "unless the peer has selected a zero-length connection ID."

[martinthomson]

Yep, trimmed it down.

[ianswett]

This sentence seems duplicative of the paragraph above starting with "An endpoint MUST use a new connection ID ..."

[ianswett]

One small suggestion, but I think this LG.

[ianswett]

Nit: move to may not be clear. How about "Endpoints MAY change the Destination Connection ID they send in short header packets at any time." assuming that statement is correct.

[erickinnear]

Looks like good clarification, just one minor wording comment

[erickinnear]

It would probably be worth indicating that this is intentional migration, just to keep everything clear. Elsewhere I think we've said an endpoint must not "initiate" migration, since of course its peer may think it migrated due to a NAT.

[larseggert]

This seems to have consensus, tagging as such and reassigning.

[mnot]

Removing has-consensus tag as it needs to be canvassed on-list (and attached to an issue, not a PR).

[larseggert]

I'm sorry if I misunderstood the new process, but I don't think your PR says that an issue must be discussed on the mailing list? Doesn't it say that the discussion can happen on the list or on the issue?

[mnot]

@larseggert discussion can happen in either place, but we've always checked with the list before declaring consensus (which is what has-consensus records). In the currently operative process, that's happening (admittedly sporadically) after the drafts are published.

[janaiyengar]

@mnot @larseggert : The associated issue is #2413 and there's been a mailing list discussion. There seems to be some disagreement on what needs to happen next.

Specifically, some folks think this PR is an editorial one, and some want to open up the issue as a design issue for discussion.

[mnot]

#2413 is a design issue. If this is just editorial and no one disputes that, you can apply it as that, but it can't close #2413.

[martinthomson]

#2413 is only marked design because there is debate, therefore, I conclude that we need chairs to help us. I requested that close to 2 weeks ago.

[MikeBishop]

The requirement previously existed, but was accidentally dropped during one of the CID rewrites. The underlying question is whether we had consensus to remove the requirement previously -- if so, then reversing ourselves requires consensus. If not, then it's just fixing an accidental deletion.

[ianswett]

If the PR that removed it doesn't have a note about removing it, I'd consider it an accidental deletion(which is what I suspect).

[erickinnear]

I thought the overall requirement for changing CIDs was still in the text, so it doesn't seem like the issue is around adding/removing a requirement, but rather the rest of the accompanying text here?
Otherwise, not sure how this isn't entirely editorial, since the main requirement is already in place.