New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Document why one might want to pad ACKS #4252
Conversation
...or alter the idle timeout behavior when unpadded ACK-only packets are received.
As I said privately, I don't think that we need to say anything more on this point. The case we are interested in is Initial packets from a server that contain only ACK. If those are getting through, then they will be in response to Initial packets from the client. Given that the client has received an acknowledgement, it will only be sending Initial packets on PTO. As the PTO count doesn't reset at this stage, the PTO timeout increases exponentially. Eventually the PTO will be larger than the idle timeout. So - worst case - the idle timeout is doubled. If you are relying on idle timeout to abandon the connection attempt, then this isn't great, but you can still rely on that being hit. |
I agree with @martinthomson here. If we are going to add a note, I'd rather add one about the fact that smaller-than-1200-byte non-ack-eliciting packets can cause unpredicted side-effects. Given that we don't have anything actionable here for an implementer however, I don't see the value in this. |
Possibly this is not the right text, but @marten-seemann wanted to pad ACKs and I think there are valid reasons, so I'm attempting to describe the one possible issue with not doing so. I'm happy to close this and accept someone else's PR instead. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I am concerned that the note is a bit too specific regarding behaviors around timeout. We do assume endpoints to have timeouts other than idle timeouts (e.g. handshake timeout).
I'd rather add one about the fact that smaller-than-1200-byte non-ack-eliciting packets can cause unpredicted side-effects.
I'm not sure if giving such advice makes sense. As pointed out in #4253, size of datagram is not authenticated, and therefore endpoints should be prepared against MOTS attackers injecting spoofed datagrams that do not meet the padding requirement.
It might be true that we can have exceptions for Initial packets, but I do not think having such exception is worthwhile when we cannot have such an exception for connection migration.
Not a lot of interest in this, so closing. |
...or alter the idle timeout behavior when unpadded ACK-only packets are received.
Fixes #4183