From e9dd5b8eb51639e39ff3a88466dbcc9e81f9e237 Mon Sep 17 00:00:00 2001 From: Martin Thomson Date: Mon, 13 Jul 2020 13:50:08 +1000 Subject: [PATCH 1/3] Don't reset an active connection It's not that great that this text never said this so directly before. Closes #3832. --- draft-ietf-quic-transport.md | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/draft-ietf-quic-transport.md b/draft-ietf-quic-transport.md index 9632c72e15..382d604935 100644 --- a/draft-ietf-quic-transport.md +++ b/draft-ietf-quic-transport.md @@ -6369,14 +6369,17 @@ endpoints that share a static key for stateless reset (see {{reset-token}}) MUST be arranged so that packets with a given connection ID always arrive at an instance that has connection state, unless that connection is no longer active. +More generally, servers MUST NOT generate a stateless reset if a connection with +the corresponding connection ID could be active. + In the case of a cluster that uses dynamic load balancing, it's possible that a -change in load balancer configuration could happen while an active instance -retains connection state; even if an instance retains connection state, the +change in load balancer configuration could occur while an active instance +retains connection state. Even if an instance retains connection state, the change in routing and resulting stateless reset will result in the connection being terminated. If there is no chance in the packet being routed to the -correct instance, it is better to send a stateless reset than wait for -connections to time out. However, this is acceptable only if the routing cannot -be influenced by an attacker. +correct instance in this new configuration, it is better to send a stateless +reset than wait for connections to time out. However, this is acceptable only +if the routing cannot be influenced by an attacker. ## Version Downgrade {#version-downgrade} From c197894db65f3611f97f25fadaabf986e504634b Mon Sep 17 00:00:00 2001 
From: Martin Thomson Date: Tue, 14 Jul 2020 11:48:31 +1000 Subject: [PATCH 2/3] Scope this more. Co-authored-by: Mike Bishop --- draft-ietf-quic-transport.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/draft-ietf-quic-transport.md b/draft-ietf-quic-transport.md index 382d604935..e4e59be31d 100644 --- a/draft-ietf-quic-transport.md +++ b/draft-ietf-quic-transport.md @@ -6370,7 +6370,7 @@ be arranged so that packets with a given connection ID always arrive at an instance that has connection state, unless that connection is no longer active. More generally, servers MUST NOT generate a stateless reset if a connection with -the corresponding connection ID could be active. +the corresponding connection ID could be active on any endpoint using the same static key. In the case of a cluster that uses dynamic load balancing, it's possible that a change in load balancer configuration could occur while an active instance From f91ecf0bffcc5fd34a1070c90fbd56c8b266c4d1 Mon Sep 17 00:00:00 2001 From: Martin Thomson Date: Tue, 14 Jul 2020 11:50:01 +1000 Subject: [PATCH 3/3] wrap --- draft-ietf-quic-transport.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/draft-ietf-quic-transport.md b/draft-ietf-quic-transport.md index e4e59be31d..b3f750bdc1 100644 --- a/draft-ietf-quic-transport.md +++ b/draft-ietf-quic-transport.md @@ -6370,7 +6370,8 @@ be arranged so that packets with a given connection ID always arrive at an instance that has connection state, unless that connection is no longer active. More generally, servers MUST NOT generate a stateless reset if a connection with -the corresponding connection ID could be active on any endpoint using the same static key. +the corresponding connection ID could be active on any endpoint using the same +static key. In the case of a cluster that uses dynamic load balancing, it's possible that a change in load balancer configuration could occur while an active instance
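Review bot: In PATCH 1/3, the new normative sentence ("servers MUST NOT generate a stateless reset if a connection with the corresponding connection ID could be active") narrows the requirement to servers, while the sentence immediately above it is written in terms of "endpoints that share a static key for stateless reset"; either endpoint can be one of those instances, so "endpoints MUST NOT" matches the surrounding text better. The same hunk also leaves a tension with the next paragraph, which endorses sending a stateless reset after a load-balancer reconfiguration "even if an instance retains connection state", that is, while the connection is still active somewhere. It would help to tie the two together, for example: "unless packets for that connection can no longer reach the instance that holds its state". Finally, the unchanged context line "If there is no chance in the packet being routed to the" reads better as "no chance of the packet being routed"; since the hunk already rewrites the continuation of that sentence, this is a cheap fix to fold in.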
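Review bot: In PATCH 2/3, the added qualifier "on any endpoint using the same static key" is the right scope, because only instances sharing the key can produce a token the peer would accept, but the replacement line ("+the corresponding connection ID could be active on any endpoint using the same static key.") runs well past the wrap width used by the rest of the file, and the sentence still says "servers" where the preceding paragraph says "endpoints". Consider rewrapping within the same commit and aligning the subject with "endpoints" so the requirement and its qualifier refer to the same set of instances.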
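Review bot: PATCH 3/3 only rewraps the line introduced in PATCH 2/3 ("static key." moved to its own line); it would be cleaner to squash it into that commit so that the history does not carry a separate change whose sole content is formatting of the previous change.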