From f4ef38a26a8fc64277204ab4b066e38a82e5ea35 Mon Sep 17 00:00:00 2001 From: ianswett Date: Mon, 28 Oct 2019 14:02:52 -0400 Subject: [PATCH 1/6] Server sends a PING-only packet if it's limited If a server is limited by the amplification factor when the PTO expires, send a PING-only packet instead of sending nothing. This also removes the client complexity of continuing to arm the PTO and send even when there's nothing in flight and nothing to send. --- draft-ietf-quic-recovery.md | 33 ++++++++++----------------------- 1 file changed, 10 insertions(+), 23 deletions(-) diff --git a/draft-ietf-quic-recovery.md b/draft-ietf-quic-recovery.md index 2d585a94da..047fdc5768 100644 --- a/draft-ietf-quic-recovery.md +++ b/draft-ietf-quic-recovery.md 
@@ -494,19 +494,16 @@ A connection MAY use the delay between sending a PATH_CHALLENGE and receiving a PATH_RESPONSE to seed initial_rtt for a new path, but the delay SHOULD NOT be considered an RTT sample. -Until the server has validated the client's address on the path, the amount of -data it can send is limited, as specified in Section 8.1 of {{QUIC-TRANSPORT}}. Data at Initial encryption MUST be retransmitted before Handshake data and data at Handshake encryption MUST be retransmitted before any ApplicationData -data. If no data can be sent, then the PTO alarm MUST NOT be armed until -data has been received from the client. +data. -Since the server could be blocked until more packets are received from the -client, it is the client's responsibility to send packets to unblock the server -until it is certain that the server has finished its address validation -(see Section 8 of {{QUIC-TRANSPORT}}). That is, the client MUST set the -probe timer if the client has not received an acknowledgement for one of its -Handshake or 1-RTT packets. +Until the server has validated the client's address on the path, the amount of +data it can send is limited, as specified in Section 8.1 of {{QUIC-TRANSPORT}}. +If the limit has been reached when the PTO expires, a PING with no PADDING MUST +be sent. This packet elicits a full-sized Initial packet from the client, +allowing the server to send any data in need of transmission or +re-transmission. Prior to handshake completion, when few to none RTT samples have been generated, it is possible that the probe timer expiration is due to an @@ -560,7 +557,6 @@ or sending different payloads. Sending the same payload may be simpler and ensures the highest priority frames arrive first. Sending different payloads each time reduces the chances of spurious retransmission. - ### Loss Detection {#pto-loss} Delivery or loss of packets in flight is established when an ACK frame is 
@@ -1150,18 +1146,9 @@ OnLossDetectionTimeout(): SetLossDetectionTimer() return - if (endpoint is client without 1-RTT keys): - // Client sends an anti-deadlock packet: Initial is padded - // to earn more anti-amplification credit, - // a Handshake packet proves address ownership. - if (has Handshake keys): - SendOneAckElicitingHandshakePacket() - else: - SendOneAckElicitingPaddedInitialPacket() - else: - // PTO. Send new data if available, else retransmit old data. - // If neither is available, send a single PING frame. - SendOneOrTwoAckElicitingPackets() + // PTO. Send new data if available, else retransmit old data. + // If neither is available, send a single PING frame. + SendOneOrTwoAckElicitingPackets() pto_count++ SetLossDetectionTimer() From efae6564080e5c07190b3a08c3132db68d727d1e Mon Sep 17 00:00:00 2001 From: ianswett Date: Mon, 28 Oct 2019 14:04:43 -0400 Subject: [PATCH 2/6] Update draft-ietf-quic-recovery.md --- draft-ietf-quic-recovery.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/draft-ietf-quic-recovery.md b/draft-ietf-quic-recovery.md index 047fdc5768..655843aa4c 100644 --- a/draft-ietf-quic-recovery.md +++ b/draft-ietf-quic-recovery.md @@ -502,8 +502,7 @@ Until the server has validated the client's address on the path, the amount of data it can send is limited, as specified in Section 8.1 of {{QUIC-TRANSPORT}}. If the limit has been reached when the PTO expires, a PING with no PADDING MUST be sent. This packet elicits a full-sized Initial packet from the client, -allowing the server to send any data in need of transmission or -re-transmission. +allowing the server to send data again. Prior to handshake completion, when few to none RTT samples have been generated, it is possible that the probe timer expiration is due to an From 1a6d987374ccccb29b6008da5fde6b250c8d1374 Mon Sep 17 00:00:00 2001 
From: ianswett Date: Mon, 28 Oct 2019 14:05:33 -0400 Subject: [PATCH 3/6] Update draft-ietf-quic-recovery.md --- draft-ietf-quic-recovery.md | 1 + 1 file changed, 1 insertion(+) diff --git a/draft-ietf-quic-recovery.md b/draft-ietf-quic-recovery.md index 655843aa4c..1873133171 100644 --- a/draft-ietf-quic-recovery.md +++ b/draft-ietf-quic-recovery.md @@ -558,6 +558,7 @@ payloads each time reduces the chances of spurious retransmission. ### Loss Detection {#pto-loss} + Delivery or loss of packets in flight is established when an ACK frame is received that newly acknowledges one or more packets. From 077f77265c2e192dd641f3557779ac607e0426a1 Mon Sep 17 00:00:00 2001 From: ianswett Date: Mon, 28 Oct 2019 14:05:59 -0400 Subject: [PATCH 4/6] Update draft-ietf-quic-recovery.md --- draft-ietf-quic-recovery.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/draft-ietf-quic-recovery.md b/draft-ietf-quic-recovery.md index 1873133171..cb76f5ece0 100644 --- a/draft-ietf-quic-recovery.md +++ b/draft-ietf-quic-recovery.md @@ -556,8 +556,8 @@ or sending different payloads. Sending the same payload may be simpler and ensures the highest priority frames arrive first. Sending different payloads each time reduces the chances of spurious retransmission. -### Loss Detection {#pto-loss} +### Loss Detection {#pto-loss} Delivery or loss of packets in flight is established when an ACK frame is received that newly acknowledges one or more packets. From 325920a2ee43499dc400cb133b5cd5c13b455eb8 Mon Sep 17 00:00:00 2001 From: ianswett Date: Mon, 28 Oct 2019 14:07:29 -0400 Subject: [PATCH 5/6] Update draft-ietf-quic-recovery.md --- draft-ietf-quic-recovery.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/draft-ietf-quic-recovery.md b/draft-ietf-quic-recovery.md index cb76f5ece0..89c8ab9b8f 100644 --- a/draft-ietf-quic-recovery.md +++ b/draft-ietf-quic-recovery.md 
@@ -500,9 +500,9 @@ data. Until the server has validated the client's address on the path, the amount of data it can send is limited, as specified in Section 8.1 of {{QUIC-TRANSPORT}}. -If the limit has been reached when the PTO expires, a PING with no PADDING MUST -be sent. This packet elicits a full-sized Initial packet from the client, -allowing the server to send data again. +If the limit has been reached when the PTO expires, a single packet containing +a PING with no PADDING MUST be sent. This packet elicits a full-sized Initial +packet from the client, allowing the server to send data again. Prior to handshake completion, when few to none RTT samples have been generated, it is possible that the probe timer expiration is due to an From ec7cf1dce6824eed3d3d69da33034e62a44ba9c6 Mon Sep 17 00:00:00 2001 From: ianswett Date: Mon, 28 Oct 2019 14:51:05 -0400 Subject: [PATCH 6/6] Update transport to allow a PING-only packet --- draft-ietf-quic-transport.md | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/draft-ietf-quic-transport.md b/draft-ietf-quic-transport.md index eab7626fa1..142aeef4ea 100644 --- a/draft-ietf-quic-transport.md +++ b/draft-ietf-quic-transport.md 
@@ -1592,10 +1592,11 @@ server has successfully processed a Handshake packet from the client, it can consider the client address to have been validated. Prior to validating the client address, servers MUST NOT send more than three -times as many bytes as the number of bytes they have received. This limits the -magnitude of any amplification attack that can be mounted using spoofed source -addresses. In determining this limit, servers only count the size of -successfully processed packets. +times as many bytes as the number of bytes they have received, except upon the +probe timeout expiring, when servers can send a single PING-only packet. +This limits the magnitude of any amplification attack that can be mounted +using spoofed source addresses. In determining this limit, servers only count +the size of successfully processed packets. Clients MUST ensure that UDP datagrams containing Initial packets have UDP payloads of at least 1200 bytes, adding padding to packets in the datagram as
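Review bot: In the first hunk of patch 1/6 (draft-ietf-quic-recovery.md, @@ -494), the deleted sentence "If no data can be sent, then the PTO alarm MUST NOT be armed until data has been received from the client" is not replaced by any statement of whether the PTO stays armed while the server sits at the amplification limit, yet the new text presumes that it does ("If the limit has been reached when the PTO expires, a PING with no PADDING MUST be sent"). Add one sentence saying the server keeps the probe timer armed while it is limited; without it, the new MUST can never fire. The same hunk also makes the recovery draft mandate a packet that draft-ietf-quic-transport.md still forbids until patch 6/6 lands, so the two documents should change in one commit, or the recovery text should cite the transport exception it relies on.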
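Review bot: In the pseudocode hunk of patch 1/6 (@@ -1150, OnLossDetectionTimeout), the now-unconditional SendOneOrTwoAckElicitingPackets() does not implement the prose added in the same patch, which requires a single PING-only packet when the amplification limit has been reached. The retained comment "If neither is available, send a single PING frame" covers a different condition (nothing to send) from being blocked by the limit, and the general path may send two packets. Add a branch ahead of the general case, for example `if (server is at amplification limit): SendOnePingOnlyPacket()` (hypothetical name), so the pseudocode and the MUST agree. Deleting the client branch also drops the only comment explaining why the padded Initial and Handshake packets were sent (to earn anti-amplification credit and to prove address ownership); the commit message explains the removal, but a short note in the text that the server-side PING now covers the deadlock case would help readers of the pseudocode.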
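Review bot: Patch 4/6 (@@ -556) rewrites the heading "### Loss Detection {#pto-loss}" with no visible content change (1 insertion, 1 deletion), after patch 3/6 added a blank line following it and patch 1/6 removed the blank line preceding it in its @@ -560 hunk. These whitespace-only hunks cancel out and should be squashed into patch 1/6 so the history records only the substantive change.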
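Review bot: Patch 5/6 (@@ -500) still leaves the packet number space of the PING unspecified, and the claim that the packet "elicits a full-sized Initial packet from the client" only holds if the PING is sent in an Initial packet: the transport text in patch 6/6 requires the 1200-byte minimum only for "UDP datagrams containing Initial packets", so a client acknowledging a Handshake-space PING could reply with an unpadded Handshake packet and the server would earn little or no additional credit. Write "a single Initial packet containing a PING with no PADDING" if that is the intent, or drop the statement about the size of the elicited packet.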
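Review bot: In patch 6/6 (draft-ietf-quic-transport.md, @@ -1592), the new exception "except upon the probe timeout expiring, when servers can send a single PING-only packet" is unbounded and does not say whether the bytes of that packet count toward the three-times limit. Since the timer is re-armed after every expiry (pto_count++ and SetLossDetectionTimer() in the recovery pseudocode of patch 1/6), a server that never hears back sends a PING-only packet at each PTO toward an address it has not validated, which is the spoofed-source case this paragraph exists to bound; the backoff keeps the total small, but the text places no limit on it. State whether these packets are counted against the limit (counting them consumes the allowance and makes the exception self-limiting), or cap the exception explicitly. Use "MAY" rather than "can" inside a MUST NOT requirement, and say the packet carries no PADDING frame, as the recovery text in patch 5/6 does, so the exception cannot be read as permitting a full-sized packet.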