From 13cfae81cd06270203423bbf93d6ce294dbc676e Mon Sep 17 00:00:00 2001 From: ianswett Date: Mon, 20 Jul 2020 10:34:13 -0400 Subject: [PATCH 1/5] May use 64+bit CIDs as address validation Fixes #3834 --- draft-ietf-quic-transport.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/draft-ietf-quic-transport.md b/draft-ietf-quic-transport.md index 716d0f668b..f7d3d5a0a6 100644 --- a/draft-ietf-quic-transport.md +++ b/draft-ietf-quic-transport.md @@ -1876,7 +1876,9 @@ Connection establishment implicitly provides address validation for both endpoints. In particular, receipt of a packet protected with Handshake keys confirms that the client received the Initial packet from the server. Once the server has successfully processed a Handshake packet from the client, it can -consider the client address to have been validated. +consider the client address to have been validated. Servers MAY treat the +receipt of a server generated destination connection ID with at least 64 bits +of entropy as address validation. Prior to validating the client address, servers MUST NOT send more than three times as many bytes as the number of bytes they have received. This limits the From 918e823125d0111b7ab1c62268d2a8df880f1178 Mon Sep 17 00:00:00 2001 From: ianswett Date: Mon, 20 Jul 2020 12:50:14 -0400 Subject: [PATCH 2/5] Update draft-ietf-quic-transport.md Co-authored-by: Marten Seemann --- draft-ietf-quic-transport.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/draft-ietf-quic-transport.md b/draft-ietf-quic-transport.md index f7d3d5a0a6..da56bca6ed 100644 --- a/draft-ietf-quic-transport.md +++ b/draft-ietf-quic-transport.md 
@@ -1877,7 +1877,7 @@ endpoints. In particular, receipt of a packet protected with Handshake keys confirms that the client received the Initial packet from the server. Once the server has successfully processed a Handshake packet from the client, it can consider the client address to have been validated. Servers MAY treat the -receipt of a server generated destination connection ID with at least 64 bits +receipt of a packet using a server generated destination connection ID with at least 64 bits of entropy as address validation. Prior to validating the client address, servers MUST NOT send more than three From c2d50c6f103af8f66f2985f4d82861772b37fc99 Mon Sep 17 00:00:00 2001 From: ianswett Date: Mon, 20 Jul 2020 13:33:29 -0400 Subject: [PATCH 3/5] Update draft-ietf-quic-transport.md --- draft-ietf-quic-transport.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/draft-ietf-quic-transport.md b/draft-ietf-quic-transport.md index da56bca6ed..0a7b544e7a 100644 --- a/draft-ietf-quic-transport.md +++ b/draft-ietf-quic-transport.md @@ -1877,8 +1877,8 @@ endpoints. In particular, receipt of a packet protected with Handshake keys confirms that the client received the Initial packet from the server. Once the server has successfully processed a Handshake packet from the client, it can consider the client address to have been validated. Servers MAY treat the -receipt of a packet using a server generated destination connection ID with at least 64 bits -of entropy as address validation. +receipt of a packet using a server generated destination connection ID with +at least 64 bits of entropy as address validation. Prior to validating the client address, servers MUST NOT send more than three times as many bytes as the number of bytes they have received. This limits the From 7590ad3639cfb3cabd918498cad2ee93d90d25fa Mon Sep 17 00:00:00 2001 
From: ianswett Date: Mon, 20 Jul 2020 17:27:22 -0400 Subject: [PATCH 4/5] Update draft-ietf-quic-transport.md --- draft-ietf-quic-transport.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/draft-ietf-quic-transport.md b/draft-ietf-quic-transport.md index 0a7b544e7a..5e772d416d 100644 --- a/draft-ietf-quic-transport.md +++ b/draft-ietf-quic-transport.md @@ -1877,7 +1877,7 @@ endpoints. In particular, receipt of a packet protected with Handshake keys confirms that the client received the Initial packet from the server. Once the server has successfully processed a Handshake packet from the client, it can consider the client address to have been validated. Servers MAY treat the -receipt of a packet using a server generated destination connection ID with +receipt of a packet using a server-generated destination connection ID with at least 64 bits of entropy as address validation. Prior to validating the client address, servers MUST NOT send more than three From 6874d0047957ab40acba32937cc915fb2fb47a8a Mon Sep 17 00:00:00 2001 From: ianswett Date: Tue, 21 Jul 2020 15:05:47 -0400 Subject: [PATCH 5/5] Updates from MT, Jana and Kazuho's suggestions --- draft-ietf-quic-transport.md | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/draft-ietf-quic-transport.md b/draft-ietf-quic-transport.md index 5e772d416d..b332431fce 100644 --- a/draft-ietf-quic-transport.md +++ b/draft-ietf-quic-transport.md 
@@ -1876,9 +1876,11 @@ Connection establishment implicitly provides address validation for both endpoints. In particular, receipt of a packet protected with Handshake keys confirms that the client received the Initial packet from the server. Once the server has successfully processed a Handshake packet from the client, it can -consider the client address to have been validated. Servers MAY treat the -receipt of a packet using a server-generated destination connection ID with -at least 64 bits of entropy as address validation. +consider the client address to have been validated. + +Additionally, a server MAY consider the client address valididated if the +client uses a connection ID chosen by the server and the connection ID contains +at least 64 bits of entropy. Prior to validating the client address, servers MUST NOT send more than three times as many bytes as the number of bytes they have received. This limits the
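Review bot: In PATCH 1/5, the added sentence ("Servers MAY treat the receipt of a server generated destination connection ID with at least 64 bits of entropy as address validation") gives no reason why 64 bits is enough and does not say to whom those bits must be unpredictable. The sentence sits directly above the paragraph that limits a server to three times the bytes received before validation, so it acts as a second way out of that limit. Suggest adding one sentence of rationale and stating that the connection ID has to be unguessable by a sender that never received the server's packets, not merely long.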
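Review bot: The replacement line in PATCH 2/5 ("+receipt of a packet using a server generated destination connection ID with at least 64 bits") is noticeably longer than the wrapped lines around it, and "server generated" is a compound modifier missing its hyphen. Suggest rewrapping to the file's line width and writing "server-generated" in this same commit, so the sentence lands in one change rather than across follow-up commits whose subject is only "Update draft-ietf-quic-transport.md".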
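Review bot: "valididated" in the added line "Additionally, a server MAY consider the client address valididated if the" in PATCH 5/5 is a typo for "validated". The rewrite also drops both "receipt of a packet" and "destination" from the wording it replaces, so "the client uses a connection ID chosen by the server" no longer says where that connection ID has to appear. Consider stating that it is the destination connection ID of a packet the server receives from the address being validated.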