From fd4d5d5ba9c085d198b8510193fa9dacf62fa517 Mon Sep 17 00:00:00 2001 From: Marten Seemann Date: Tue, 22 Sep 2020 15:41:44 +0700 Subject: [PATCH 1/5] fix order of PATH_CHALLENGE and PATH_RESPONSE --- draft-ietf-quic-transport.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/draft-ietf-quic-transport.md b/draft-ietf-quic-transport.md index 94a5395049..fb5cc4a69a 100644 --- a/draft-ietf-quic-transport.md +++ b/draft-ietf-quic-transport.md @@ -2154,8 +2154,8 @@ here. An endpoint MAY include other frames with the PATH_CHALLENGE and PATH_RESPONSE frames used for path validation. In particular, an endpoint can include PADDING frames with a PATH_CHALLENGE frame for Path Maximum Transfer Unit (PMTU) -discovery (see {{pmtud}}); it can also include a PATH_CHALLENGE frame with its -own PATH_RESPONSE frame. +discovery (see {{pmtud}}); it can also include its own PATH_CHALLENGE frame with +a PATH_RESPONSE frame. An endpoint uses a new connection ID for probes sent from a new local address; see {{migration-linkability}}. When probing a new path, an endpoint expecting From f549671b18f9ce7714cc8974b65d09d546319a79 Mon Sep 17 00:00:00 2001 From: Marten Seemann Date: Tue, 22 Sep 2020 15:42:48 +0700 Subject: [PATCH 2/5] point out that NCID can only be sent if the peer's limit allows it --- draft-ietf-quic-transport.md | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/draft-ietf-quic-transport.md b/draft-ietf-quic-transport.md index fb5cc4a69a..c01d622717 100644 --- a/draft-ietf-quic-transport.md +++ b/draft-ietf-quic-transport.md 
@@ -2160,16 +2160,15 @@ a PATH_RESPONSE frame. An endpoint uses a new connection ID for probes sent from a new local address; see {{migration-linkability}}. When probing a new path, an endpoint expecting responses on the new path needs to ensure that its peer has an unused connection -ID. Sending NEW_CONNECTION_ID and PATH_CHALLENGE frames in the same packet -ensures that an unused connection ID will be available to the peer when sending -a response. +ID. Sending NEW_CONNECTION_ID and PATH_CHALLENGE frames in the same packet, if +the peer's active_connection_id_limit permits, ensures that an unused connection +ID will be available to the peer when sending a response. An endpoint can choose to simultaneously probe multiple paths. The number of simultaneous paths used for probes is limited by the number of extra connection IDs its peer has previously supplied, since each new local address used for a probe requires a previously unused connection ID. - ### Initiating Path Validation To initiate path validation, an endpoint sends a PATH_CHALLENGE frame containing From 0dea9d5d8901b07f27946bfa51b19b22b243f54a Mon Sep 17 00:00:00 2001 From: Marten Seemann Date: Tue, 22 Sep 2020 15:45:35 +0700 Subject: [PATCH 3/5] clarify encryption of values in NEW_TOKEN --- draft-ietf-quic-transport.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/draft-ietf-quic-transport.md b/draft-ietf-quic-transport.md index c01d622717..d030c45481 100644 --- a/draft-ietf-quic-transport.md +++ b/draft-ietf-quic-transport.md 
@@ -2013,8 +2013,8 @@ expiration time or include it in an encrypted form in the token. A token issued with NEW_TOKEN MUST NOT include information that would allow values to be linked by an observer to the connection on which it was -issued, unless the values are encrypted. For example, it cannot include the -previous connection ID or addressing information. A server MUST ensure that +issued. For example, it cannot include the previous connection ID or addressing +information, unless the values are encrypted. A server MUST ensure that every NEW_TOKEN frame it sends is unique across all clients, with the exception of those sent to repair losses of previously sent NEW_TOKEN frames. Information that allows the server to distinguish between tokens from Retry and NEW_TOKEN From bc73697431b12e54e8bcf5e213cf016f06890675 Mon Sep 17 00:00:00 2001 From: Jana Iyengar Date: Tue, 22 Sep 2020 15:32:51 -0700 Subject: [PATCH 4/5] Update draft-ietf-quic-transport.md Co-authored-by: Mike Bishop --- draft-ietf-quic-transport.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/draft-ietf-quic-transport.md b/draft-ietf-quic-transport.md index d030c45481..3cba2b7139 100644 --- a/draft-ietf-quic-transport.md +++ b/draft-ietf-quic-transport.md 
@@ -2158,11 +2158,11 @@ discovery (see {{pmtud}}); it can also include its own PATH_CHALLENGE frame with a PATH_RESPONSE frame. An endpoint uses a new connection ID for probes sent from a new local address; -see {{migration-linkability}}. When probing a new path, an endpoint expecting -responses on the new path needs to ensure that its peer has an unused connection -ID. Sending NEW_CONNECTION_ID and PATH_CHALLENGE frames in the same packet, if -the peer's active_connection_id_limit permits, ensures that an unused connection -ID will be available to the peer when sending a response. +see {{migration-linkability}}. When probing a new path, an endpoint needs to +ensure that its peer has an unused connection ID available for +responses. Sending NEW_CONNECTION_ID and PATH_CHALLENGE frames in the same +packet, if the peer's active_connection_id_limit permits, ensures that an unused +connection ID will be available to the peer when sending a response. An endpoint can choose to simultaneously probe multiple paths. The number of simultaneous paths used for probes is limited by the number of extra connection From 16f614af9ce9fd025e24a5d8178b24599ca9ee47 Mon Sep 17 00:00:00 2001 From: Jana Iyengar Date: Tue, 22 Sep 2020 15:54:17 -0700 Subject: [PATCH 5/5] Update draft-ietf-quic-transport.md Co-authored-by: Martin Thomson --- draft-ietf-quic-transport.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/draft-ietf-quic-transport.md b/draft-ietf-quic-transport.md index 3cba2b7139..126e5daa8d 100644 --- a/draft-ietf-quic-transport.md +++ b/draft-ietf-quic-transport.md 
@@ -2158,7 +2158,7 @@ discovery (see {{pmtud}}); it can also include its own PATH_CHALLENGE frame with a PATH_RESPONSE frame. An endpoint uses a new connection ID for probes sent from a new local address; -see {{migration-linkability}}. When probing a new path, an endpoint needs to +see {{migration-linkability}}. When probing a new path, an endpoint can ensure that its peer has an unused connection ID available for responses. Sending NEW_CONNECTION_ID and PATH_CHALLENGE frames in the same packet, if the peer's active_connection_id_limit permits, ensures that an unused
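Review bot: In PATCH 1/5, the reworded clause "it can also include its own PATH_CHALLENGE frame with a PATH_RESPONSE frame" still leaves implicit which challenge the PATH_RESPONSE answers. Moving "its own" to PATH_CHALLENGE fixes the ownership, but a reader can still take the two frames as part of the same validation attempt. Suggest stating that the PATH_RESPONSE is the reply to the peer's PATH_CHALLENGE, while the endpoint's own PATH_CHALLENGE starts validation in the other direction.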
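Review bot: In PATCH 2/5, the added condition "if the peer's active_connection_id_limit permits" does not say what the endpoint should do when the limit does not permit. The sentence still presents sending NEW_CONNECTION_ID in the same packet as the thing that "ensures that an unused connection ID will be available", so the failing case is left open. Suggest a sentence or a cross-reference covering that case. The hunk also deletes the blank line before "### Initiating Path Validation", which is unrelated to the commit subject and would be better dropped from this commit.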
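Review bot: In PATCH 3/5, moving "unless the values are encrypted" out of the MUST NOT sentence and into the "For example" sentence puts the exception in non-normative example text while the requirement itself now reads as unconditional. A reader has to infer that encrypted values fall outside "information that would allow values to be linked by an observer". Since this requirement is what protects against linkability, suggest stating the exception explicitly in normative text, either by keeping it in the MUST NOT sentence or by adding a sentence saying that values encrypted so an observer cannot read them are permitted, and leaving the example as a plain illustration.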
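Review bot: In PATCH 4/5, dropping the qualifier "expecting responses on the new path" widens the statement from endpoints that expect responses on the new path to every endpoint that probes. If that is intended, the commit message should say so; "Update draft-ietf-quic-transport.md" gives no rationale. The rewritten paragraph also says the same thing twice in adjacent sentences ("has an unused connection ID available for responses" and "an unused connection ID will be available to the peer when sending a response"), so the two could be merged. The short line "responses. Sending NEW_CONNECTION_ID and PATH_CHALLENGE frames in the same" following a line that breaks after "available for" suggests the paragraph needs rewrapping.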
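Review bot: In PATCH 5/5, changing "needs to" to "can" in "an endpoint can ensure that its peer has an unused connection ID available for responses" makes the step optional without saying what follows when the endpoint skips it. The preceding sentence points to {{migration-linkability}} for the endpoint's own use of a new connection ID, but nothing in the changed text covers the peer responding without an unused one. Suggest either keeping the stronger wording or adding a clause that states the consequence. The commit subject "Update draft-ietf-quic-transport.md" should also describe the change, as the first three commits in the series do.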