diff --git a/draft-ietf-quic-transport.md b/draft-ietf-quic-transport.md index 9e09b89050..823ec23162 100644 --- a/draft-ietf-quic-transport.md +++ b/draft-ietf-quic-transport.md @@ -2558,20 +2558,38 @@ the packet other than the last 16 bytes for carrying data. ### Detecting a Stateless Reset -An endpoint detects a potential stateless reset when an incoming packet either -cannot be associated with a connection, cannot be decrypted, or is marked as a -duplicate packet. The endpoint MUST then compare the last 16 bytes of the -packet with all Stateless Reset Tokens corresponding to active connection IDs -that the endpoint has used for sending packets to the IP address and port on -which the datagram is received. This includes Stateless Reset Tokens from -NEW_CONNECTION_ID frames and the server's transport parameters. An endpoint -MUST NOT check for any Stateless Reset Tokens associated with connection IDs it -has not used or for connection IDs that have been retired. - -If the last 16 bytes of the packet values are identical to a Stateless Reset +An endpoint detects a potential stateless reset using the trailing 16 bytes of +the UDP datagram. An endpoint remembers all Stateless Reset Tokens associated +with the connection IDs and remote addresses for datagrams it has recently sent. +This includes Stateless Reset Tokens from NEW_CONNECTION_ID frames and the +server's transport parameters but excludes Stateless Reset Tokens associated +with connection IDs that are either unused or retired. The endpoint identifies +a received datagram as a stateless reset by comparing the last 16 bytes of the +datagram with all Stateless Reset Tokens associated with the remote address on +which the datagram was received. + +This comparison can be performed for every inbound datagram. Endpoints MAY skip +this check if any packet from a datagram is successfully processed. However, +the comparison MUST be performed when the first packet in an incoming datagram +either cannot be associated with a connection, or cannot be decrypted. + +An endpoint MUST NOT check for any Stateless Reset Tokens associated with +connection IDs it has not used or for connection IDs that have been retired. + +When comparing a datagram to Stateless Reset Token values, endpoints MUST +perform the comparison without leaking information about the value of the token. +For example, performing this comparison in constant time protects the value of +individual Stateless Reset Tokens from information leakage through timing side +channels. Another approach would be to store and compare the transformed values +of Stateless Reset Tokens instead of the raw token values, where the +transformation is defined as a cryptographically-secure pseudo-random function +using a secret key (e.g., block cipher, HMAC {{?RFC2104}}). An endpoint is not +expected to protect information about whether a packet was successfully +decrypted, or the number of valid Stateless Reset Tokens. + +If the last 16 bytes of the datagram are identical in value to a Stateless Reset Token, the endpoint MUST enter the draining period and not send any further -packets on this connection. If the comparison fails, the packet can be -discarded. +packets on this connection. ### Calculating a Stateless Reset Token {#reset-token}