From 1a563f23d8de25376eb56fcb54133968fe72a88d Mon Sep 17 00:00:00 2001 From: ianswett Date: Wed, 16 Oct 2019 22:38:24 -0400 Subject: [PATCH 01/17] Immediately close with INVALID_TOKEN If the Retry token is known to be invalid by the server, then the server can close the connection with INVALID_TOKEN instead of waiting for a timeout. --- draft-ietf-quic-transport.md | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/draft-ietf-quic-transport.md b/draft-ietf-quic-transport.md index 9e09b89050..9885fa54e4 100644 --- a/draft-ietf-quic-transport.md +++ b/draft-ietf-quic-transport.md @@ -1641,6 +1641,13 @@ of connection establishment. By giving the client a different connection ID to use, a server can cause the connection to be routed to a server instance with more resources available for new connections. +If a server receives a client Initial with a unverifiable Retry token, +it knows the client will not accept another Retry token. It can either +proceed with the handshake without verifying the token or immediately close +({{immediate-close}}) the connection with an connection error of +INVALID_TOKEN to cause the handshake to fail quickly instead of waiting +for the client to timeout. + A flow showing the use of a Retry packet is shown in {{fig-retry}}. ~~~~ From 24d4b635a6348565fe16e8ee20b0e0e34ad5b590 Mon Sep 17 00:00:00 2001 From: ianswett Date: Wed, 16 Oct 2019 22:43:07 -0400 Subject: [PATCH 02/17] Update draft-ietf-quic-transport.md --- draft-ietf-quic-transport.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/draft-ietf-quic-transport.md b/draft-ietf-quic-transport.md index 9885fa54e4..568c544361 100644 --- a/draft-ietf-quic-transport.md +++ b/draft-ietf-quic-transport.md 
@@ -1644,7 +1644,7 @@ more resources available for new connections. If a server receives a client Initial with a unverifiable Retry token, it knows the client will not accept another Retry token. It can either proceed with the handshake without verifying the token or immediately close -({{immediate-close}}) the connection with an connection error of +({{immediate-close}}) the connection with an connection error of INVALID_TOKEN to cause the handshake to fail quickly instead of waiting for the client to timeout. @@ -5980,6 +5980,7 @@ The initial contents of this registry are shown in {{iana-error-table}}. | 0x7 | FRAME_ENCODING_ERROR | Frame encoding error | {{error-codes}} | | 0x8 | TRANSPORT_PARAMETER_ERROR | Error in transport parameters | {{error-codes}} | | 0xA | PROTOCOL_VIOLATION | Generic protocol violation | {{error-codes}} | +| 0xB | INVALID_TOKEN | Invalid Token Received | {{error-codes}} | | 0xD | CRYPTO_BUFFER_EXCEEDED | CRYPTO data buffer overflowed | {{error-codes}} | {: #iana-error-table title="Initial QUIC Transport Error Codes Entries"} From 8c4691476c3cd896f74ff58402b48c650ac032e6 Mon Sep 17 00:00:00 2001 From: ianswett Date: Wed, 16 Oct 2019 22:48:17 -0400 Subject: [PATCH 03/17] Update draft-ietf-quic-transport.md --- draft-ietf-quic-transport.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/draft-ietf-quic-transport.md b/draft-ietf-quic-transport.md index 568c544361..b695dfa6c5 100644 --- a/draft-ietf-quic-transport.md +++ b/draft-ietf-quic-transport.md 
@@ -1646,7 +1646,8 @@ it knows the client will not accept another Retry token. It can either proceed with the handshake without verifying the token or immediately close ({{immediate-close}}) the connection with an connection error of INVALID_TOKEN to cause the handshake to fail quickly instead of waiting -for the client to timeout. +for the client to timeout. When a client receives a CONNECTION_CLOSE +with an error of INVALID_TOKEN, it MAY create a new connection. A flow showing the use of a Retry packet is shown in {{fig-retry}}. From 6cf5de8b6bce8470f614918cf149429ed327cf1a Mon Sep 17 00:00:00 2001 From: ianswett Date: Mon, 21 Oct 2019 23:22:16 -0400 Subject: [PATCH 04/17] Kazuho and MTs comments --- draft-ietf-quic-transport.md | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/draft-ietf-quic-transport.md b/draft-ietf-quic-transport.md index b695dfa6c5..120d0130d3 100644 --- a/draft-ietf-quic-transport.md +++ b/draft-ietf-quic-transport.md @@ -1641,13 +1641,12 @@ of connection establishment. By giving the client a different connection ID to use, a server can cause the connection to be routed to a server instance with more resources available for new connections. -If a server receives a client Initial with a unverifiable Retry token, +If a server receives a client Initial with an invalid Retry token, it knows the client will not accept another Retry token. It can either proceed with the handshake without verifying the token or immediately close ({{immediate-close}}) the connection with an connection error of INVALID_TOKEN to cause the handshake to fail quickly instead of waiting -for the client to timeout. When a client receives a CONNECTION_CLOSE -with an error of INVALID_TOKEN, it MAY create a new connection. +for the client to timeout. A flow showing the use of a Retry packet is shown in {{fig-retry}}. From b43b5bfb6962bfa87054ae8ed0eb96e18ce5be2a Mon Sep 17 00:00:00 2001 
From: ianswett Date: Mon, 21 Oct 2019 23:25:28 -0400 Subject: [PATCH 05/17] Define the error --- draft-ietf-quic-transport.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/draft-ietf-quic-transport.md b/draft-ietf-quic-transport.md index 120d0130d3..2aa1780cdb 100644 --- a/draft-ietf-quic-transport.md +++ b/draft-ietf-quic-transport.md @@ -5584,6 +5584,9 @@ PROTOCOL_VIOLATION (0xA): : An endpoint detected an error with protocol compliance that was not covered by more specific error codes. + +INVALID_TOKEN (0xB): +: A server received a Retry Token in a client Initial that is invalid. CRYPTO_BUFFER_EXCEEDED (0xD): From f827ca30b70e4ccffcd5f94ce884b0c26584d37f Mon Sep 17 00:00:00 2001 From: ianswett Date: Mon, 21 Oct 2019 23:27:57 -0400 Subject: [PATCH 06/17] whitespace --- draft-ietf-quic-transport.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/draft-ietf-quic-transport.md b/draft-ietf-quic-transport.md index 2aa1780cdb..e66bb5e6f3 100644 --- a/draft-ietf-quic-transport.md +++ b/draft-ietf-quic-transport.md @@ -5584,7 +5584,7 @@ PROTOCOL_VIOLATION (0xA): : An endpoint detected an error with protocol compliance that was not covered by more specific error codes. - + INVALID_TOKEN (0xB): : A server received a Retry Token in a client Initial that is invalid. From 9617e1da29cda2a6230e7e59e9ae62a257087d73 Mon Sep 17 00:00:00 2001 From: ianswett Date: Fri, 1 Nov 2019 13:20:52 -0400 Subject: [PATCH 07/17] Kazuho's suggestion About being able to unprotect the Initial packet --- draft-ietf-quic-transport.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/draft-ietf-quic-transport.md b/draft-ietf-quic-transport.md index e66bb5e6f3..9b0e46d61c 100644 --- a/draft-ietf-quic-transport.md +++ b/draft-ietf-quic-transport.md 
@@ -1641,12 +1641,12 @@ of connection establishment. By giving the client a different connection ID to use, a server can cause the connection to be routed to a server instance with more resources available for new connections. -If a server receives a client Initial with an invalid Retry token, -it knows the client will not accept another Retry token. It can either -proceed with the handshake without verifying the token or immediately close -({{immediate-close}}) the connection with an connection error of -INVALID_TOKEN to cause the handshake to fail quickly instead of waiting -for the client to timeout. +If a server receives a client Initial that can be unprotected but contains an +invalid Retry token, it knows the client will not accept another Retry token. +It can either proceed with the handshake without verifying the token or +immediately close ({{immediate-close}}) the connection with an connection +error of INVALID_TOKEN to cause the handshake to fail quickly instead of +waiting for the client to timeout. A flow showing the use of a Retry packet is shown in {{fig-retry}}. From 97ed82152c5d9c0a40a87b7a324b2d5dc5c6909b Mon Sep 17 00:00:00 2001 From: ianswett Date: Fri, 1 Nov 2019 15:24:52 -0400 Subject: [PATCH 08/17] Update draft-ietf-quic-transport.md --- draft-ietf-quic-transport.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/draft-ietf-quic-transport.md b/draft-ietf-quic-transport.md index 9b0e46d61c..31dc6af43e 100644 --- a/draft-ietf-quic-transport.md +++ b/draft-ietf-quic-transport.md 
@@ -1644,7 +1644,7 @@ more resources available for new connections. If a server receives a client Initial that can be unprotected but contains an invalid Retry token, it knows the client will not accept another Retry token. It can either proceed with the handshake without verifying the token or -immediately close ({{immediate-close}}) the connection with an connection +immediately close ({{immediate-close}}) the connection with a connection error of INVALID_TOKEN to cause the handshake to fail quickly instead of waiting for the client to timeout. From 85bac671b3282b7464a7b5b73a52ec5c34f2c62a Mon Sep 17 00:00:00 2001 From: ianswett Date: Sat, 2 Nov 2019 16:03:07 -0400 Subject: [PATCH 09/17] Update draft-ietf-quic-transport.md Co-Authored-By: Jana Iyengar --- draft-ietf-quic-transport.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/draft-ietf-quic-transport.md b/draft-ietf-quic-transport.md index 31dc6af43e..481f40bee5 100644 --- a/draft-ietf-quic-transport.md +++ b/draft-ietf-quic-transport.md @@ -1644,7 +1644,7 @@ more resources available for new connections. If a server receives a client Initial that can be unprotected but contains an invalid Retry token, it knows the client will not accept another Retry token. It can either proceed with the handshake without verifying the token or -immediately close ({{immediate-close}}) the connection with a connection +immediately close ({{immediate-close}}) the connection with an INVALID_TOKEN error of INVALID_TOKEN to cause the handshake to fail quickly instead of waiting for the client to timeout. From 70aef67ee532cb6466e6bc1d485718782052de32 Mon Sep 17 00:00:00 2001 From: ianswett Date: Sat, 2 Nov 2019 16:03:15 -0400 Subject: [PATCH 10/17] Update draft-ietf-quic-transport.md Co-Authored-By: Jana Iyengar --- draft-ietf-quic-transport.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/draft-ietf-quic-transport.md b/draft-ietf-quic-transport.md index 481f40bee5..457677c855 100644 
--- a/draft-ietf-quic-transport.md +++ b/draft-ietf-quic-transport.md @@ -1645,7 +1645,7 @@ If a server receives a client Initial that can be unprotected but contains an invalid Retry token, it knows the client will not accept another Retry token. It can either proceed with the handshake without verifying the token or immediately close ({{immediate-close}}) the connection with an INVALID_TOKEN -error of INVALID_TOKEN to cause the handshake to fail quickly instead of +error to cause the handshake to fail quickly instead of waiting for the client to timeout. A flow showing the use of a Retry packet is shown in {{fig-retry}}. From 887c909e025d6d1c3a1f634cf13b62937d51ea37 Mon Sep 17 00:00:00 2001 From: ianswett Date: Sat, 2 Nov 2019 16:13:48 -0400 Subject: [PATCH 11/17] MAY close the connection without creating state --- draft-ietf-quic-transport.md | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/draft-ietf-quic-transport.md b/draft-ietf-quic-transport.md index 457677c855..1cf535cec5 100644 --- a/draft-ietf-quic-transport.md +++ b/draft-ietf-quic-transport.md 
@@ -1643,10 +1643,12 @@ more resources available for new connections. If a server receives a client Initial that can be unprotected but contains an invalid Retry token, it knows the client will not accept another Retry token. -It can either proceed with the handshake without verifying the token or -immediately close ({{immediate-close}}) the connection with an INVALID_TOKEN -error to cause the handshake to fail quickly instead of -waiting for the client to timeout. +It can proceed with the handshake without verifying the token, drop the Initial +packet, or immediately close ({{immediate-close}}) the connection with an +INVALID_TOKEN error to cause the handshake to fail quickly instead of waiting +for the client to timeout. The server MAY close the connection without creating +connection state, including not adding the connection to those in the closing +state. A flow showing the use of a Retry packet is shown in {{fig-retry}}. From c36760da1391e5cf66b10b4d9d699c5fda3c8e88 Mon Sep 17 00:00:00 2001 From: ianswett Date: Sat, 2 Nov 2019 16:19:31 -0400 Subject: [PATCH 12/17] Jana's suggestion --- draft-ietf-quic-transport.md | 18 ++++++++++++------ 1 file changed, 12 insertions(+), 6 deletions(-) diff --git a/draft-ietf-quic-transport.md b/draft-ietf-quic-transport.md index 1cf535cec5..8d5d8a6660 100644 --- a/draft-ietf-quic-transport.md +++ b/draft-ietf-quic-transport.md 
@@ -1643,12 +1643,18 @@ more resources available for new connections. If a server receives a client Initial that can be unprotected but contains an invalid Retry token, it knows the client will not accept another Retry token. -It can proceed with the handshake without verifying the token, drop the Initial -packet, or immediately close ({{immediate-close}}) the connection with an -INVALID_TOKEN error to cause the handshake to fail quickly instead of waiting -for the client to timeout. The server MAY close the connection without creating -connection state, including not adding the connection to those in the closing -state. + + + +If a server receives a client Initial that can be unprotected but contains an +invalid Retry token, it knows the client will not accept another Retry token. + +The server can drop such a packet and allow the client to time out to detect +handshake failure, but that is a significant latency penalty to the client. +If possible, the server SHOULD either immediately close ({{immediate-close}}) +the connection with an INVALID_TOKEN error or proceed with the handshake +without verifying the token. The server MAY close the connection without +creating connection state, including skipping the closing state. A flow showing the use of a Retry packet is shown in {{fig-retry}}. From b16c4cfb6295dab73b45b234b7e20a1caff13de3 Mon Sep 17 00:00:00 2001 From: ianswett Date: Sat, 2 Nov 2019 16:20:17 -0400 Subject: [PATCH 13/17] Update draft-ietf-quic-transport.md --- draft-ietf-quic-transport.md | 6 ------ 1 file changed, 6 deletions(-) diff --git a/draft-ietf-quic-transport.md b/draft-ietf-quic-transport.md index 8d5d8a6660..af3cec015d 100644 --- a/draft-ietf-quic-transport.md +++ b/draft-ietf-quic-transport.md 
@@ -1643,12 +1643,6 @@ more resources available for new connections. If a server receives a client Initial that can be unprotected but contains an invalid Retry token, it knows the client will not accept another Retry token. - - - -If a server receives a client Initial that can be unprotected but contains an -invalid Retry token, it knows the client will not accept another Retry token. - The server can drop such a packet and allow the client to time out to detect handshake failure, but that is a significant latency penalty to the client. If possible, the server SHOULD either immediately close ({{immediate-close}}) From 3ab9f77f170dd89a902f52b4669035c7fab87add Mon Sep 17 00:00:00 2001 From: ianswett Date: Sat, 2 Nov 2019 16:22:15 -0400 Subject: [PATCH 14/17] Update draft-ietf-quic-transport.md --- draft-ietf-quic-transport.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/draft-ietf-quic-transport.md b/draft-ietf-quic-transport.md index af3cec015d..2299ccc007 100644 --- a/draft-ietf-quic-transport.md +++ b/draft-ietf-quic-transport.md @@ -1645,7 +1645,7 @@ If a server receives a client Initial that can be unprotected but contains an invalid Retry token, it knows the client will not accept another Retry token. The server can drop such a packet and allow the client to time out to detect handshake failure, but that is a significant latency penalty to the client. -If possible, the server SHOULD either immediately close ({{immediate-close}}) +If possible, the server SHOULD either immediately close ({{immediate-close}}) the connection with an INVALID_TOKEN error or proceed with the handshake without verifying the token. The server MAY close the connection without creating connection state, including skipping the closing state. From 474291a1da6b83e72105de556fa4ec4bd9fce39a Mon Sep 17 00:00:00 2001 
From: ianswett Date: Mon, 11 Nov 2019 20:40:30 -0500 Subject: [PATCH 15/17] Martin's suggestion --- draft-ietf-quic-transport.md | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/draft-ietf-quic-transport.md b/draft-ietf-quic-transport.md index 2299ccc007..ae181e1da9 100644 --- a/draft-ietf-quic-transport.md +++ b/draft-ietf-quic-transport.md @@ -1643,12 +1643,14 @@ more resources available for new connections. If a server receives a client Initial that can be unprotected but contains an invalid Retry token, it knows the client will not accept another Retry token. -The server can drop such a packet and allow the client to time out to detect -handshake failure, but that is a significant latency penalty to the client. -If possible, the server SHOULD either immediately close ({{immediate-close}}) -the connection with an INVALID_TOKEN error or proceed with the handshake -without verifying the token. The server MAY close the connection without -creating connection state, including skipping the closing state. +The server can discard such a packet and allow the client to time out to +detect handshake failure, but that is a significant latency penalty to the +client. A server MAY proceed with the connection without verifying the token, +though the server MUST NOT consider the client address validated. If a server +chooses not to proceed with the handshake, it SHOULD immediately close +({{immediate-close}}) the connection with an INVALID_TOKEN error. Note that a +server has not established any state for the connection at this point and so +does not enter the closing period. A flow showing the use of a Retry packet is shown in {{fig-retry}}. From 4cf3ff91650a1731e37acd8dc50c4855acae0718 Mon Sep 17 00:00:00 2001 From: ianswett Date: Mon, 11 Nov 2019 21:43:22 -0500 Subject: [PATCH 16/17] Update draft-ietf-quic-transport.md Co-Authored-By: Martin Thomson --- draft-ietf-quic-transport.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/draft-ietf-quic-transport.md b/draft-ietf-quic-transport.md index ae181e1da9..2d25a873f3 100644 --- a/draft-ietf-quic-transport.md +++ b/draft-ietf-quic-transport.md @@ -1644,7 +1644,7 @@ more resources available for new connections. If a server receives a client Initial that can be unprotected but contains an invalid Retry token, it knows the client will not accept another Retry token. The server can discard such a packet and allow the client to time out to -detect handshake failure, but that is a significant latency penalty to the +detect handshake failure, but that could impose a significant latency penalty on the client. A server MAY proceed with the connection without verifying the token, though the server MUST NOT consider the client address validated. If a server chooses not to proceed with the handshake, it SHOULD immediately close From 1396f0742e572a6740a05c26cc92cc9deda8799a Mon Sep 17 00:00:00 2001 From: ianswett Date: Mon, 11 Nov 2019 21:44:43 -0500 Subject: [PATCH 17/17] Update draft-ietf-quic-transport.md --- draft-ietf-quic-transport.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/draft-ietf-quic-transport.md b/draft-ietf-quic-transport.md index 2d25a873f3..f672220134 100644 --- a/draft-ietf-quic-transport.md +++ b/draft-ietf-quic-transport.md 
@@ -1644,10 +1644,10 @@ more resources available for new connections. If a server receives a client Initial that can be unprotected but contains an invalid Retry token, it knows the client will not accept another Retry token. The server can discard such a packet and allow the client to time out to -detect handshake failure, but that could impose a significant latency penalty on the -client. A server MAY proceed with the connection without verifying the token, -though the server MUST NOT consider the client address validated. If a server -chooses not to proceed with the handshake, it SHOULD immediately close +detect handshake failure, but that could impose a significant latency penalty on +the client. A server MAY proceed with the connection without verifying the +token, though the server MUST NOT consider the client address validated. If a +server chooses not to proceed with the handshake, it SHOULD immediately close ({{immediate-close}}) the connection with an INVALID_TOKEN error. Note that a server has not established any state for the connection at this point and so does not enter the closing period.
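Review bot: The registry row "| 0xB | INVALID_TOKEN | Invalid Token Received |" added in the @@ -5980 hunk of PATCH 02/17 points at {{error-codes}}, but the INVALID_TOKEN definition in that section only arrives in PATCH 05/17, so between those commits the table cites an entry that does not exist. Suggest putting the definition in the same patch as the registry row.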
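Review bot: PATCH 04/17 deletes the sentence "When a client receives a CONNECTION_CLOSE with an error of INVALID_TOKEN, it MAY create a new connection" that PATCH 03/17 added, and no later patch replaces it, so the series ends with no client-side text for the new error code. The paragraph still asserts that the client "will not accept another Retry token", which leaves an implementer to guess whether a new connection attempt may reuse the rejected token. Suggest either a sentence on what a client does on receiving INVALID_TOKEN or a line in the commit message recording why the guidance was dropped.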
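Review bot: In the @@ -5584 hunk of PATCH 05/17, "A server received a Retry Token in a client Initial that is invalid" reads as if the Initial, not the token, is invalid, and it capitalizes "Retry Token" where the @@ -1641 paragraph writes "Retry token". Suggest "A server received a client Initial that contained an invalid Retry token." The blank-line correction in PATCH 06/17 ("whitespace") could be folded into this patch.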
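Review bot: PATCH 09/17 leaves the sentence reading "with an INVALID_TOKEN error of INVALID_TOKEN" until PATCH 10/17 removes the duplicate, and PATCH 12/17 adds a second copy of the "If a server receives a client Initial that can be unprotected..." sentence plus three blank lines that PATCH 13/17 then deletes. Each of those intermediate commits renders incorrect draft text. Suggest squashing 09 with 10 and 12 with 13 so that every commit in the series stands on its own.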
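Review bot: In the final wording of the @@ -1644 paragraph (PATCH 15/17 through 17/17), the SHOULD on immediate close has the server answering an Initial whose token failed validation, and the last sentence says no connection state exists at that point, so nothing in these lines bounds how often a server sends CONNECTION_CLOSE toward an address it has not validated. The "MUST NOT consider the client address validated" condition is attached only to the proceed-with-the-connection branch. Suggest stating the same for the close branch, or adding a sentence that a server limits how often it sends these stateless closes.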