-
Notifications
You must be signed in to change notification settings - Fork 204
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
clarify CID length requirements for VN packets #4187
Conversation
draft-ietf-quic-transport.md
Outdated
limit, Version Negotiation packets could carry Connection IDs that are longer | ||
than 20 bytes. | ||
Future versions of QUIC may have different requirements for the lengths of | ||
connection IDs larger than version 1. In particular, connection IDs might not |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Edit: old suggestion
connection IDs. Other versions might allow connection IDs to be longer. Other
versions might permit shorter or longer connection IDs to be included in packets
sent by a client to open a connection. A server MUST send a Version Negotiation
packet in response to a packet containing a connection ID smaller than 8 bytes
or larger than 20 bytes.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@martinthomson Isn't the second sentence (i.e., "Other versions might allow connection IDs to be longer.") excessive? The next sentence covers that, I think.
draft-ietf-quic-transport.md
Outdated
connection IDs larger than version 1. In particular, connection IDs might not | ||
be required to have a minimum lengths, and might be longer than 20 bytes. A | ||
server therefore MUST respond with a Version Negotiation packets for all | ||
lengths of connection IDs allowed by the layout defined here. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm not sure if "MUST send" is the correct phrase here. This would be a contradiction to what we already have in section 5.2.2, quote: if a server receives a packet that indicates an unsupported version but is large enough to initiate a new connection for any supported version, the server SHOULD send a Version Negotiation packet as described in Section 6.1.
I think what we need to say here is that the CID length rules do not apply to other protocol versions, and no more.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
PS. Therefore I think that this paragraph can be as simple as something like: Note that version-specific rules for QUIC packets (e.g., limits on connection ID lengths) SHOULD NOT influence the decision of whether or not to send Version Negotiation packets, because they might change between the versions.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
That works for me also. (I wasn't sure about the "MUST" for that reason, but I couldn't find the right words.) A "MUST NOT" would work for your suggestion:
Version-specific rules for QUIC packets MUST NOT influence a server decision about whether to send a Version Negotiation packet.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I don't think we should say a server MUST send a VN. Makes it sound like it's a protocol violation if I don't respond to a flood of packets, each with their own VN packet. For instance, if MsQuic receives a burst of packets from an endpoint, it generally sends a single VN packet in response.
draft-ietf-quic-transport.md
Outdated
Future versions of QUIC may have different requirements for the lengths of | ||
connection IDs larger than version 1. In particular, connection IDs might not | ||
be required to have a minimum lengths, and might be longer than 20 bytes. A | ||
server therefore MUST respond with a Version Negotiation packets for all | ||
lengths of connection IDs allowed by the layout defined here. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Future versions of QUIC may have different requirements for the lengths of | |
connection IDs larger than version 1. In particular, connection IDs might not | |
be required to have a minimum lengths, and might be longer than 20 bytes. A | |
server therefore MUST respond with a Version Negotiation packets for all | |
lengths of connection IDs allowed by the layout defined here. | |
Future versions of QUIC may have different requirements for the lengths of | |
connection IDs. Version-specific rules for QUIC packets MUST NOT influence a | |
server decision about whether to send a Version Negotiation packet. |
Could we also maybe add a pointer to the requirement that a DCID in an Initial must be eight bytes to Section 17.2? Because at the moment, it's buried in Section 7.2, where I didn't find it. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think this is a good improvement, but some wordsmithing could still be done.
draft-ietf-quic-transport.md
Outdated
connection IDs larger than version 1. In particular, connection IDs might not | ||
be required to have a minimum lengths, and might be longer than 20 bytes. A |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
connection IDs larger than version 1. In particular, connection IDs might not | |
be required to have a minimum lengths, and might be longer than 20 bytes. A | |
connection IDs. In particular, connection IDs might have a smaller minimum | |
length or a greater maximum length. A |
draft-ietf-quic-transport.md
Outdated
connection IDs larger than version 1. In particular, connection IDs might not | ||
be required to have a minimum lengths, and might be longer than 20 bytes. A | ||
server therefore MUST respond with a Version Negotiation packets for all | ||
lengths of connection IDs allowed by the layout defined here. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
lengths of connection IDs allowed by the layout defined here. | |
lengths of connection IDs allowed by the layout defined in Section 5.1 | |
of {{QUIC-INVARIANTS}}. |
@@ -316,6 +316,9 @@ connection IDs gives clients some assurance that the server received the packet | |||
and that the Version Negotiation packet was not generated by an off-path | |||
attacker. | |||
|
|||
Version-specific rules for QUIC packets MUST NOT influence a server decision |
This comment was marked as resolved.
This comment was marked as resolved.
Sorry, something went wrong.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The text in the transport doc is fine; this is, as David says, a little sketchy without the minimum length constraint. A prefix of "other than the minimum packet size, ..." might work, I guess.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Or scope the MUST NOT specifically to CID interpretation.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes, I think this proposal is unclear on what the "MUST NOT" is for.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think the CID specific aspect is fine. It is unclear what other aspects that are specified by the protocol and are not invariant here.
@@ -316,6 +316,9 @@ connection IDs gives clients some assurance that the server received the packet | |||
and that the Version Negotiation packet was not generated by an off-path | |||
attacker. | |||
|
|||
Version-specific rules for QUIC packets MUST NOT influence a server decision |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes, I think this proposal is unclear on what the "MUST NOT" is for.
than 20 bytes. | ||
Future versions of QUIC may have different requirements for the lengths of | ||
connection IDs. In particular, connection IDs might have a smaller minimum | ||
length or a greater maximum length. Version-specific rules for QUIC packets |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
With the context of the first new sentence the second sentence is clearly apply to CIDs, but it indicates that there might be other aspects. What aspects are not invariant here?
I've taken this change manually, after reverting the change to the invariants doc. After looking at this more closely, the invariants doc does not include specifics of how to generate a Version Negotiation packet and this takes an awkward step in that direction. Rather than start to import the rules into invariants piecemeal like this, I think that it is cleaner to leave the rules for generating a Version Negotiation packet as version-specific, which is already clearly the case. |
Addendum: I missed the bit about this being a blanket "version-specific rules for packets". I've changed this to "version-specific rules for connection IDs", to reflect the context better. And to avoid tripping up on the packet size rules in version 1. |
Fixes #4186.