clarify CID length requirements for VN packets #4187
Conversation
marten-seemann
requested review from
janaiyengar and
martinthomson
as code owners
draft-ietf-quic-transport.md
Outdated
| limit, Version Negotiation packets could carry Connection IDs that are longer | ||
| than 20 bytes. | ||
| Future versions of QUIC may have different requirements for the lengths of | ||
| connection IDs larger than version 1. In particular, connection IDs might not |
There was a problem hiding this comment.
Edit: old suggestion
connection IDs. Other versions might allow connection IDs to be longer. Other
versions might permit shorter or longer connection IDs to be included in packets
sent by a client to open a connection. A server MUST send a Version Negotiation
packet in response to a packet containing a connection ID smaller than 8 bytes
or larger than 20 bytes.
There was a problem hiding this comment.
@martinthomson Isn't the second sentence (i.e., "Other versions might allow connection IDs to be longer.") excessive? The next sentence covers that, I think.
draft-ietf-quic-transport.md
Outdated
| connection IDs larger than version 1. In particular, connection IDs might not | ||
| be required to have a minimum lengths, and might be longer than 20 bytes. A | ||
| server therefore MUST respond with a Version Negotiation packets for all | ||
| lengths of connection IDs allowed by the layout defined here. |
There was a problem hiding this comment.
I'm not sure if "MUST send" is the correct phrase here. This would be a contradiction to what we already have in section 5.2.2, quote: if a server receives a packet that indicates an unsupported version but is large enough to initiate a new connection for any supported version, the server SHOULD send a Version Negotiation packet as described in Section 6.1.
I think what we need to say here is that the CID length rules do not apply to other protocol versions, and no more.
There was a problem hiding this comment.
PS. Therefore I think that this paragraph can be as simple as something like: Note that version-specific rules for QUIC packets (e.g., limits on connection ID lengths) SHOULD NOT influence the decision of whether or not to send Version Negotiation packets, because they might change between the versions.
There was a problem hiding this comment.
That works for me also. (I wasn't sure about the "MUST" for that reason, but I couldn't find the right words.) A "MUST NOT" would work for your suggestion:
Version-specific rules for QUIC packets MUST NOT influence a server decision about whether to send a Version Negotiation packet.
There was a problem hiding this comment.
I don't think we should say a server MUST send a VN. Makes it sound like it's a protocol violation if I don't respond to a flood of packets, each with their own VN packet. For instance, if MsQuic receives a burst of packets from an endpoint, it generally sends a single VN packet in response.
draft-ietf-quic-transport.md
Outdated
| Future versions of QUIC may have different requirements for the lengths of | ||
| connection IDs larger than version 1. In particular, connection IDs might not | ||
| be required to have a minimum lengths, and might be longer than 20 bytes. A | ||
| server therefore MUST respond with a Version Negotiation packets for all | ||
| lengths of connection IDs allowed by the layout defined here. |
There was a problem hiding this comment.
| Future versions of QUIC may have different requirements for the lengths of | |
| connection IDs larger than version 1. In particular, connection IDs might not | |
| be required to have a minimum lengths, and might be longer than 20 bytes. A | |
| server therefore MUST respond with a Version Negotiation packets for all | |
| lengths of connection IDs allowed by the layout defined here. | |
| Future versions of QUIC may have different requirements for the lengths of | |
| connection IDs. Version-specific rules for QUIC packets MUST NOT influence a | |
| server decision about whether to send a Version Negotiation packet. |
|
Could we also maybe add a pointer to the requirement that a DCID in an Initial must be eight bytes to Section 17.2? Because at the moment, it's buried in Section 7.2, where I didn't find it. |
draft-ietf-quic-transport.md
Outdated
| connection IDs larger than version 1. In particular, connection IDs might not | ||
| be required to have a minimum lengths, and might be longer than 20 bytes. A |
There was a problem hiding this comment.
| connection IDs larger than version 1. In particular, connection IDs might not | |
| be required to have a minimum lengths, and might be longer than 20 bytes. A | |
| connection IDs. In particular, connection IDs might have a smaller minimum | |
| length or a greater maximum length. A |
draft-ietf-quic-transport.md
Outdated
| connection IDs larger than version 1. In particular, connection IDs might not | ||
| be required to have a minimum lengths, and might be longer than 20 bytes. A | ||
| server therefore MUST respond with a Version Negotiation packets for all | ||
| lengths of connection IDs allowed by the layout defined here. |
There was a problem hiding this comment.
| lengths of connection IDs allowed by the layout defined here. | |
| lengths of connection IDs allowed by the layout defined in Section 5.1 | |
| of {{QUIC-INVARIANTS}}. |
| @@ -316,6 +316,9 @@ connection IDs gives clients some assurance that the server received the packet | |||
| and that the Version Negotiation packet was not generated by an off-path | |||
| attacker. | |||
|
|
|||
| Version-specific rules for QUIC packets MUST NOT influence a server decision | |||
This comment was marked as resolved.
This comment was marked as resolved.
Sorry, something went wrong.
There was a problem hiding this comment.
The text in the transport doc is fine; this is, as David says, a little sketchy without the minimum length constraint. A prefix of "other than the minimum packet size, ..." might work, I guess.
There was a problem hiding this comment.
Or scope the MUST NOT specifically to CID interpretation.
There was a problem hiding this comment.
Yes, I think this proposal is unclear on what the "MUST NOT" is for.
| @@ -316,6 +316,9 @@ connection IDs gives clients some assurance that the server received the packet | |||
| and that the Version Negotiation packet was not generated by an off-path | |||
| attacker. | |||
|
|
|||
| Version-specific rules for QUIC packets MUST NOT influence a server decision | |||
There was a problem hiding this comment.
Yes, I think this proposal is unclear on what the "MUST NOT" is for.
| than 20 bytes. | ||
| Future versions of QUIC may have different requirements for the lengths of | ||
| connection IDs. In particular, connection IDs might have a smaller minimum | ||
| length or a greater maximum length. Version-specific rules for QUIC packets |
There was a problem hiding this comment.
With the context of the first new sentence the second sentence is clearly apply to CIDs, but it indicates that there might be other aspects. What aspects are not invariant here?
|
I've taken this change manually, after reverting the change to the invariants doc. After looking at this more closely, the invariants doc does not include specifics of how to generate a Version Negotiation packet and this takes an awkward step in that direction. Rather than start to import the rules into invariants piecemeal like this, I think that it is cleaner to leave the rules for generating a Version Negotiation packet as version-specific, which is already clearly the case. |
martinthomson
added
-transport
editorial
|
Addendum: I missed the bit about this being a blanket "version-specific rules for packets". I've changed this to "version-specific rules for connection IDs", to reflect the context better. And to avoid tripping up on the packet size rules in version 1. |
Fixes #4186.