From 1095dcbf18ce30003a76bffdc26d135f2ea3ffb1 Mon Sep 17 00:00:00 2001 From: Eric Kinnear Date: Fri, 12 Jul 2019 15:38:04 -0700 Subject: [PATCH 1/4] Remove connection error response to a packets from a different source address when an endpoint has sent disable_migration, clarify an endpoints options when prohibited packets are received, rename disable_migration to disable_active_migration, and remove INVALID_MIGRATION error code. --- draft-ietf-quic-transport.md | 47 ++++++++++++++++++------------------ 1 file changed, 23 insertions(+), 24 deletions(-) diff --git a/draft-ietf-quic-transport.md b/draft-ietf-quic-transport.md index cb3f8c522d..ae274690b3 100644 --- a/draft-ietf-quic-transport.md +++ b/draft-ietf-quic-transport.md 
@@ -1809,19 +1809,24 @@ The design of QUIC relies on endpoints retaining a stable address for the duration of the handshake. An endpoint MUST NOT initiate connection migration before the handshake is confirmed, as defined in section 4.1.2 of {{QUIC-TLS}}. -An endpoint also MUST NOT initiate connection migration if the peer sent the -`disable_migration` transport parameter during the handshake. An endpoint which -has sent this transport parameter, but detects that a peer has nonetheless -migrated to a different network MAY treat this as a connection error of type -INVALID_MIGRATION. Similarly, an endpoint MUST NOT initiate migration if its -peer supplies a zero-length connection ID as packets without a Destination -Connection ID cannot be attributed to a connection based on address tuple. - -Not all changes of peer address are intentional migrations. The peer could -experience NAT rebinding: a change of address due to a middlebox, usually a NAT, -allocating a new outgoing port or even a new outgoing IP address for a flow. An -endpoint MUST perform path validation ({{migrate-validate}}) if it detects any -change to a peer's address, unless it has previously validated that address. +An endpoint also MUST NOT send packets from a different local address, actively +initiating migration, if the peer sent the `disable_active_migration` transport +parameter during the handshake. An endpoint which has sent this transport +parameter, but detects that a peer has nonetheless migrated to a different +network MUST either drop the incoming packets on that path without generating a +stateless reset or proceed with path validation and allow the peer to migrate. +This helps to prevent third parties in the network causing connections to close +due to spoofed addresses or other manipulation of observed traffic. 
An endpoint +MUST NOT actively initiate migration if its peer supplies a zero-length +connection ID as packets without a Destination Connection ID cannot be +attributed to a connection based on address tuple. + +Not all changes of peer address are intentional, or active, migrations. The peer +could experience NAT rebinding: a change of address due to a middlebox, usually +a NAT, allocating a new outgoing port or even a new outgoing IP address for a +flow. An endpoint MUST perform path validation ({{migrate-validate}}) if it +detects any change to a peer's address, unless it has previously validated that +address. When an endpoint has no validated path on which to send packets, it MAY discard connection state. An endpoint capable of connection migration MAY wait for a @@ -4159,7 +4164,7 @@ language from Section 3 of {{!TLS13=RFC8446}}. initial_max_streams_uni(9), ack_delay_exponent(10), max_ack_delay(11), - disable_migration(12), + disable_active_migration(12), preferred_address(13), active_connection_id_limit(14), (65535) @@ -4295,10 +4300,10 @@ max_ack_delay (0x000b): of 6ms. If this value is absent, a default of 25 milliseconds is assumed. Values of 2^14 or greater are invalid. -disable_migration (0x000c): +disable_active_migration (0x000c): -: The disable migration transport parameter is included if the endpoint does not - support connection migration ({{migration}}). Peers of an endpoint that sets +: The disable active migration transport parameter is included if the endpoint + does not support active connection migration ({{migration}}). Peers of an endpoint that sets this transport parameter MUST NOT send any packets, including probing packets ({{probing}}), from a local address or port other than that used to perform the handshake. This parameter is a zero-length value. 
@@ -5353,11 +5358,6 @@ PROTOCOL_VIOLATION (0xA): : An endpoint detected an error with protocol compliance that was not covered by more specific error codes. -INVALID_MIGRATION (0xC): - -: A peer has migrated to a different network when the endpoint had disabled - migration. - CRYPTO_BUFFER_EXCEEDED (0xD): : An endpoint has received more data in CRYPTO frames than it can buffer. @@ -5617,7 +5617,7 @@ The initial contents of this registry are shown in {{iana-tp-table}}. | 0x0009 | initial_max_streams_uni | {{transport-parameter-definitions}} | | 0x000a | ack_delay_exponent | {{transport-parameter-definitions}} | | 0x000b | max_ack_delay | {{transport-parameter-definitions}} | -| 0x000c | disable_migration | {{transport-parameter-definitions}} | +| 0x000c | disable_active_migration | {{transport-parameter-definitions}} | | 0x000d | preferred_address | {{transport-parameter-definitions}} | | 0x000e | active_connection_id_limit | {{transport-parameter-definitions}} | {: #iana-tp-table title="Initial QUIC Transport Parameters Entries"} @@ -5715,7 +5715,6 @@ The initial contents of this registry are shown in {{iana-error-table}}. | 0x7 | FRAME_ENCODING_ERROR | Frame encoding error | {{error-codes}} | | 0x8 | TRANSPORT_PARAMETER_ERROR | Error in transport parameters | {{error-codes}} | | 0xA | PROTOCOL_VIOLATION | Generic protocol violation | {{error-codes}} | -| 0xC | INVALID_MIGRATION | Violated disabled migration | {{error-codes}} | {: #iana-error-table title="Initial QUIC Transport Error Codes Entries"} From b1bd4ac46dbcb0081c8ba46d4250c1cdf38688f8 Mon Sep 17 00:00:00 2001 From: Eric Kinnear Date: Fri, 12 Jul 2019 15:41:21 -0700 Subject: [PATCH 2/4] Rewrap long line --- draft-ietf-quic-transport.md | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/draft-ietf-quic-transport.md b/draft-ietf-quic-transport.md index ae274690b3..19771b8b44 100644 --- a/draft-ietf-quic-transport.md +++ b/draft-ietf-quic-transport.md 
@@ -4303,10 +4303,11 @@ max_ack_delay (0x000b): disable_active_migration (0x000c): : The disable active migration transport parameter is included if the endpoint - does not support active connection migration ({{migration}}). Peers of an endpoint that sets - this transport parameter MUST NOT send any packets, including probing packets - ({{probing}}), from a local address or port other than that used to perform - the handshake. This parameter is a zero-length value. + does not support active connection migration ({{migration}}). Peers of an + endpoint that sets this transport parameter MUST NOT send any packets, + including probing packets ({{probing}}), from a local address or port other + than that used to perform the handshake. This parameter is a zero-length + value. preferred_address (0x000d): From 5a7293da9be6061ded0a277fe019a48235dff2d8 Mon Sep 17 00:00:00 2001 From: Eric Kinnear Date: Wed, 17 Jul 2019 10:44:05 -0700 Subject: [PATCH 3/4] Remove sentence that's no longer necessary --- draft-ietf-quic-transport.md | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/draft-ietf-quic-transport.md b/draft-ietf-quic-transport.md index 19771b8b44..8291dbacd7 100644 --- a/draft-ietf-quic-transport.md +++ b/draft-ietf-quic-transport.md 
@@ -1816,10 +1816,7 @@ parameter, but detects that a peer has nonetheless migrated to a different network MUST either drop the incoming packets on that path without generating a stateless reset or proceed with path validation and allow the peer to migrate. This helps to prevent third parties in the network causing connections to close -due to spoofed addresses or other manipulation of observed traffic. An endpoint -MUST NOT actively initiate migration if its peer supplies a zero-length -connection ID as packets without a Destination Connection ID cannot be -attributed to a connection based on address tuple. +due to spoofed addresses or other manipulation of observed traffic. Not all changes of peer address are intentional, or active, migrations. The peer could experience NAT rebinding: a change of address due to a middlebox, usually From e7d22976811f810ac5e0cb5d8927d659e5a3ad09 Mon Sep 17 00:00:00 2001 From: Eric Kinnear Date: Mon, 22 Jul 2019 16:42:13 -0400 Subject: [PATCH 4/4] Reword per Ian's suggestion --- draft-ietf-quic-transport.md | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/draft-ietf-quic-transport.md b/draft-ietf-quic-transport.md index 8291dbacd7..bae14aca11 100644 --- a/draft-ietf-quic-transport.md +++ b/draft-ietf-quic-transport.md 
@@ -1815,8 +1815,9 @@ parameter during the handshake. An endpoint which has sent this transport parameter, but detects that a peer has nonetheless migrated to a different network MUST either drop the incoming packets on that path without generating a stateless reset or proceed with path validation and allow the peer to migrate. -This helps to prevent third parties in the network causing connections to close -due to spoofed addresses or other manipulation of observed traffic. +Generating a stateless reset or closing the connection would allow third parties +in the network to cause connections to close by spoofing or otherwise +manipulating observed traffic. Not all changes of peer address are intentional, or active, migrations. The peer could experience NAT rebinding: a change of address due to a middlebox, usually
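Review bot: In PATCH 1/4, hunk `@@ -1809,19 +1809,24 @@`, the new "MUST either drop the incoming packets on that path without generating a stateless reset or proceed with path validation" conflicts with the unchanged sentence two paragraphs later, "An endpoint MUST perform path validation ({{migrate-validate}}) if it detects any change to a peer's address, unless it has previously validated that address." An endpoint that sent `disable_active_migration` and chooses the drop branch is then violating the second MUST. Suggest qualifying the path-validation sentence (for example "unless it has previously validated that address or has sent `disable_active_migration` and chosen to drop the packets"), and note explicitly that, because the receiver cannot tell an active migration from the NAT rebinding described in the same hunk, choosing to drop also discards a peer that merely rebound. Minor: a comma is missing after "migrated to a different network" before "MUST".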
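Review bot: In PATCH 1/4, hunk `@@ -5715,7 +5715,6 @@` (and the matching `@@ -5353,11 +5358,6 @@`), deleting `0xC INVALID_MIGRATION` leaves the error-code registry jumping from `0xA PROTOCOL_VIOLATION` to `0xD CRYPTO_BUFFER_EXCEEDED` with no entry for `0xC`. Implementations of earlier drafts will still emit `0xC`; suggest either keeping the row as reserved/unassigned in {{iana-error-table}} or stating in the text that `0xC` is not to be reassigned, so a later allocation cannot be confused with the old meaning.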
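Review bot: In PATCH 3/4, hunk `@@ -1816,10 +1816,7 @@`, the commit message says the removed sentence is "no longer necessary", but the sentence was a normative requirement ("An endpoint MUST NOT actively initiate migration if its peer supplies a zero-length connection ID ..."), and the hunk adds nothing in its place. If the requirement is stated elsewhere in the draft, the commit message should say where; otherwise this is a silent drop of a MUST NOT, and the diff should either keep the sentence or replace it with a cross-reference to the section that now carries it.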
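Review bot: In PATCH 4/4, hunk `@@ -1815,8 +1815,9 @@`, the new rationale names two harmful reactions, "Generating a stateless reset or closing the connection", but the preceding requirement only rules out the first explicitly ("drop the incoming packets on that path without generating a stateless reset"). Closing the connection is excluded only by implication of the either/or. Suggest making it explicit, e.g. "drop the incoming packets on that path without generating a stateless reset or closing the connection", so the prohibition and its rationale cover the same actions. Separately, PATCH 2/4 only rewraps a line introduced by PATCH 1/4; squashing it into PATCH 1/4 would keep the series cleaner.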