New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Immediately close with INVALID_TOKEN #3107
Changes from 1 commit
1a563f2
24d4b63
8c46914
6cf5de8
b43b5bf
f827ca3
9617e1d
97ed821
85bac67
70aef67
887c909
c36760d
b16c4cf
3ab9f77
474291a
4cf3ff9
1396f07
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -1641,12 +1641,12 @@ of connection establishment. By giving the client a different connection ID to | |
use, a server can cause the connection to be routed to a server instance with | ||
more resources available for new connections. | ||
|
||
If a server receives a client Initial with an invalid Retry token, | ||
it knows the client will not accept another Retry token. It can either | ||
proceed with the handshake without verifying the token or immediately close | ||
({{immediate-close}}) the connection with an connection error of | ||
INVALID_TOKEN to cause the handshake to fail quickly instead of waiting | ||
for the client to timeout. | ||
If a server receives a client Initial that can be unprotected but contains an | ||
invalid Retry token, it knows the client will not accept another Retry token. | ||
It can either proceed with the handshake without verifying the token or | ||
immediately close ({{immediate-close}}) the connection with an connection | ||
error of INVALID_TOKEN to cause the handshake to fail quickly instead of | ||
ianswett marked this conversation as resolved.
Show resolved
Hide resolved
|
||
waiting for the client to timeout. | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. This suggests 2 options at the server, when there are 3: it can simply drop the packet and let the client time out. You may want to call out all three options. Suggestion: "If a server receives a client Initial that can be unprotected but contains an invalid Retry token, it knows the client will not accept another Retry token. The server can drop such a packet and allow the client to time out to detect loss of this connection, but that is a significant latency penalty to the client. If possible, the server SHOULD either immediately close the connection with an INVALID_TOKEN error or proceed with the handshake without verifying the token." There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. I agree that listing all the three options would be an improvement. At the same time, I have a concern regarding the suggestion of doing either an immediate close or proceeding the handshake. Those two options both require the server to retain state that cannot be delayed by providing a Retry to token to the client. I think it we might want to downgrade the SHOULD to MAY, or, suggest that a server can send a CONNECTION_CLOSE frame (with INVALID_TOKEN) without retaining state. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. It should be possible to detect an invalid token without per-connection state, right? That said, I realized that I don't think we should recommend that a server that might be getting DoSsed SHOULD send out another packet in response. How about "A server that is able to maintain enough state MAY either ..." There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. By saying state, I mean the closing and the draining state that gets built and retained once you invoke {immediate-close}. We should not recommend such behavior as it would create a DoS vector. But if it is not going to be a SHOULD but instead “can” or MAY, I think we can be less precise and therefor the text we have now is fine. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. I added a sentence about not creating any state in this case. PTAL. |
||
|
||
A flow showing the use of a Retry packet is shown in {{fig-retry}}. | ||
|
||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This only applies if the token is a Retry token (and not a NEW_TOKEN token).
When the client uses a NEW_TOKEN token, it would exchange this token for the Retry token when it receives a Retry packet, wouldn't it?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Note that the text explicitly says "Retry token", so I don't see how this is a problem.