diff --git a/draft-ietf-quic-transport.md b/draft-ietf-quic-transport.md index 4932e29103..fca52325bc 100644 --- a/draft-ietf-quic-transport.md +++ b/draft-ietf-quic-transport.md @@ -749,9 +749,9 @@ increase by at least one after sending any packet, unless otherwise specified A QUIC endpoint MUST NOT reuse a packet number within the same connection (that is, under the same cryptographic keys). If the packet number for sending -reaches 2^64 - 1, the sender MUST close the connection by sending a -CONNECTION_CLOSE frame with the error code QUIC_SEQUENCE_NUMBER_LIMIT_REACHED -(connection termination is described in {{termination}}.) +reaches 2^64 - 1, the sender MUST close the connection without sending a +CONNECTION_CLOSE frame or any further packets; the sender MAY send a Public +Reset packet in response to further packets that it receives. To reduce the number of bits required to represent the packet number over the wire, only the least significant bits of the packet number are transmitted over @@ -1192,7 +1192,7 @@ The client includes two fields in the transport parameters: MUST be identical to the value that is on the packet that carries the ClientHello. A server that receives a negotiated_version that does not match the version of QUIC that is in use MUST terminate the connection with a - QUIC_VERSION_NEGOTIATION_MISMATCH error code. + VERSION_NEGOTIATION_ERROR error code. * The initial_version is the version that the client initially attempted to use. If the server did not send a version negotiation packet {{packet-version}}, @@ -1210,7 +1210,7 @@ server MUST check that it would have sent a version negotiation packet if it had received a packet with the indicated initial_version. If a server would have accepted the version included in the initial_version and the value differs from the value of negotiated_version, the server MUST terminate the connection with a -QUIC_VERSION_NEGOTIATION_MISMATCH error. +VERSION_NEGOTIATION_ERROR error. The server includes a list of versions that it would send in any version negotiation packet ({{packet-version}}) in supported_versions. This value is @@ -1219,9 +1219,9 @@ set even if it did not send a version negotiation packet. The client can validate that the negotiated_version is included in the supported_versions list and - if version negotiation was performed - that it would have selected the negotiated version. A client MUST terminate the -connection with a QUIC_VERSION_NEGOTIATION_MISMATCH error code if the +connection with a VERSION_NEGOTIATION_ERROR error code if the negotiated_version value is not included in the supported_versions list. A -client MUST terminate with a QUIC_VERSION_NEGOTIATION_MISMATCH error code if +client MUST terminate with a VERSION_NEGOTIATION_ERROR error code if version negotiation occurred but it would have selected a different version based on the value of the supported_versions list. @@ -1355,8 +1355,7 @@ protection can be delegated to the cryptographic handshake protocol, avoiding redundant protection. If integrity protection is delegated to the cryptographic handshake, an integrity failure will result in immediate cryptographic handshake failure. If integrity protection is performed by QUIC, QUIC MUST abort the -connection if the integrity check fails with a QUIC_ADDRESS_VALIDATION_FAILURE -error code. +connection if the integrity check fails with a PROTOCOL_VIOLATION error code. ## Connection Migration {#migration} @@ -1900,9 +1899,9 @@ might not increase the largest received offset. The data sent on a stream MUST NOT exceed the largest maximum stream data value advertised by the receiver. An endpoint MUST terminate a connection with a -QUIC_FLOW_CONTROL_RECEIVED_TOO_MUCH_DATA error if it receives more data than the -largest maximum stream data that it has sent for the affected stream, unless -this is a result of a change in the initial limits (see {{zerortt-parameters}}). +FLOW_CONTROL_ERROR error if it receives more data than the largest maximum +stream data that it has sent for the affected stream, unless this is a result of +a change in the initial limits (see {{zerortt-parameters}}). ## MAX_STREAM_ID Frame {#frame-max-stream-id} @@ -1932,9 +1931,9 @@ ignored. A peer MUST NOT initiate a stream with a higher stream ID than the greatest maximum stream ID it has received. An endpoint MUST terminate a connection with -a QUIC_TOO_MANY_OPEN_STREAMS error if a peer initiates a stream with a higher -stream ID than it has sent, unless this is a result of a change in the initial -limits (see {{zerortt-parameters}}). +a STREAM_ID_ERROR error if a peer initiates a stream with a higher stream ID +than it has sent, unless this is a result of a change in the initial limits (see +{{zerortt-parameters}}). ## BLOCKED Frame {#frame-blocked} @@ -2337,7 +2336,7 @@ Stream IDs are usually encoded as a 32-bit integer, though the STREAM frame stream ID are zero. -## Life of a Stream +## Life of a Stream {#stream-states} The semantics of QUIC streams is based on HTTP/2 streams, and the lifecycle of a QUIC stream therefore closely follows that of an HTTP/2 stream {{?RFC7540}}, @@ -2534,9 +2533,8 @@ regardless of whether it is permitted to initiated new streams. Endpoints MUST NOT exceed the limit set by their peer. An endpoint that receives a STREAM frame with an ID greater than the limit it has sent MUST treat -this as a stream error of type QUIC_TOO_MANY_OPEN_STREAMS ({{error-handling}}), -unless this is a result of a change in the initial offsets (see -{{zerortt-parameters}}). +this as a stream error of type STREAM_ID_ERROR ({{error-handling}}), unless this +is a result of a change in the initial offsets (see {{zerortt-parameters}}). A receiver MUST NOT renege on an advertisement; that is, once a receiver advertises a stream ID via a MAX_STREAM_ID frame, it MUST NOT subsequently @@ -2637,9 +2635,9 @@ smaller offset. A sender could receive MAX_DATA or MAX_STREAM_DATA frames out of order; a sender MUST therefore ignore any flow control offset that does not move the window forward. -A receiver MUST close the connection with a -QUIC_FLOW_CONTROL_RECEIVED_TOO_MUCH_DATA error ({{error-handling}}) if the -peer violates the advertised connection or stream data limits. +A receiver MUST close the connection with a FLOW_CONTROL_ERROR error +({{error-handling}}) if the peer violates the advertised connection or stream +data limits. A sender MUST send BLOCKED frames to indicate it has data to write but is blocked by lack of connection or stream flow control credit. BLOCKED frames are @@ -2764,13 +2762,12 @@ An endpoint MUST NOT send data on a stream at or beyond the final offset. Once a final offset for a stream is known, it cannot change. If a RST_STREAM or STREAM frame causes the final offset to change for a stream, an endpoint SHOULD -respond with a QUIC_STREAM_DATA_AFTER_TERMINATION error (see -{{error-handling}}). A receiver SHOULD treat receipt of data at or beyond the -final offset as a QUIC_STREAM_DATA_AFTER_TERMINATION error, even after a stream -is closed. Generating these errors is not mandatory, but only because -requiring that an endpoint generate these errors also means that the endpoint -needs to maintain the final offset state for closed streams, which could mean a -significant state commitment. +respond with a FINAL_OFFSET_ERROR error (see {{error-handling}}). A receiver +SHOULD treat receipt of data at or beyond the final offset as a +FINAL_OFFSET_ERROR error, even after a stream is closed. Generating these +errors is not mandatory, but only because requiring that an endpoint generate +these errors also means that the endpoint needs to maintain the final offset +state for closed streams, which could mean a significant state commitment. # Error Handling @@ -2807,6 +2804,9 @@ risks a peer missing the first such packet. The only mechanism available to an endpoint that continues to receive data for a terminated connection is to send a Public Reset packet. +An endpoint that receives an invalid CONNECTION_CLOSE frame MUST NOT signal the +existence of the error to its peer. + ## Stream Errors @@ -2817,7 +2817,7 @@ affected stream. Stream 0 is critical to the functioning of the entire connection. If stream 0 is closed with either a RST_STREAM or STREAM frame bearing the FIN flag, an -endpoint MUST generate a connection error of type QUIC_CLOSED_CRITICAL_STREAM. +endpoint MUST generate a connection error of type PROTOCOL_VIOLATION. Some application protocols make other streams critical to that protocol. An application protocol does not need to inform the transport that a stream is @@ -2853,173 +2853,77 @@ CONNECTION_CLOSE or RST_STREAM frame. Error codes share a common code space. Some error codes apply only to either streams or the entire connection and have no defined semantics in the other context. -QUIC_INTERNAL_ERROR (0x80000001): -: Connection has reached an invalid state. - -QUIC_STREAM_DATA_AFTER_TERMINATION (0x80000002): -: There were data frames after the a fin or reset. - -QUIC_INVALID_PACKET_HEADER (0x80000003): -: Control frame is malformed. - -QUIC_INVALID_FRAME_DATA (0x80000004): -: Frame data is malformed. - -QUIC_MULTIPLE_TERMINATION_OFFSETS (0x80000005): -: Multiple final offset values were received on the same stream - -QUIC_STREAM_CANCELLED (0x80000006): -: The stream was cancelled - -QUIC_CLOSED_CRITICAL_STREAM (0x80000007): -: A stream that is critical to the protocol was closed. - -QUIC_MISSING_PAYLOAD (0x80000030): -: The packet contained no payload. - -QUIC_INVALID_STREAM_DATA (0x8000002E): -: STREAM frame data is malformed. - -QUIC_UNENCRYPTED_STREAM_DATA (0x8000003D): -: Received STREAM frame data is not encrypted. - -QUIC_MAYBE_CORRUPTED_MEMORY (0x80000059): -: Received a frame which is likely the result of memory corruption. - -QUIC_INVALID_RST_STREAM_DATA (0x80000006): -: RST_STREAM frame data is malformed. - -QUIC_INVALID_CONNECTION_CLOSE_DATA (0x80000007): -: CONNECTION_CLOSE frame data is malformed. - -QUIC_INVALID_GOAWAY_DATA (0x80000008): -: GOAWAY frame data is malformed. - -QUIC_INVALID_WINDOW_UPDATE_DATA (0x80000039): -: WINDOW_UPDATE frame data is malformed. - -QUIC_INVALID_BLOCKED_DATA (0x8000003A): -: BLOCKED frame data is malformed. - -QUIC_INVALID_PATH_CLOSE_DATA (0x8000004E): -: PATH_CLOSE frame data is malformed. - -QUIC_INVALID_ACK_DATA (0x80000009): -: ACK frame data is malformed. - -QUIC_INVALID_VERSION_NEGOTIATION_PACKET (0x8000000A): -: Version negotiation packet is malformed. - -QUIC_INVALID_PUBLIC_RST_PACKET (0x8000000b): -: Public RST packet is malformed. - -QUIC_DECRYPTION_FAILURE (0x8000000c): -: There was an error decrypting. - -QUIC_ENCRYPTION_FAILURE (0x8000000d): -: There was an error encrypting. - -QUIC_PACKET_TOO_LARGE (0x8000000e): -: The packet exceeded kMaxPacketSize. - -QUIC_PEER_GOING_AWAY (0x80000010): -: The peer is going away. May be a client or server. - -QUIC_INVALID_STREAM_ID (0x80000011): -: A stream ID was invalid. - -QUIC_INVALID_PRIORITY (0x80000031): -: A priority was invalid. - -QUIC_TOO_MANY_OPEN_STREAMS (0x80000012): -: Too many streams already open. - -QUIC_TOO_MANY_AVAILABLE_STREAMS (0x8000004c): -: The peer created too many available streams. - -QUIC_PUBLIC_RESET (0x80000013): -: Received public reset for this connection. - -QUIC_INVALID_VERSION (0x80000014): -: Invalid protocol version. - -QUIC_INVALID_HEADER_ID (0x80000016): -: The Header ID for a stream was too far from the previous. - -QUIC_INVALID_NEGOTIATED_VALUE (0x80000017): -: Negotiable parameter received during handshake had invalid value. +NO_ERROR (0x80000000): -QUIC_DECOMPRESSION_FAILURE (0x80000018): -: There was an error decompressing data. +: An endpoint uses this with CONNECTION_CLOSE to signal that the connection is + being closed abruptly in the absence of any error. An endpoint uses this with + RST_STREAM to signal that the stream is no longer wanted or in response to the + receipt of a RST_STREAM for that stream. -QUIC_NETWORK_IDLE_TIMEOUT (0x80000019): -: The connection timed out due to no network activity. +INTERNAL_ERROR (0x80000001): -QUIC_HANDSHAKE_TIMEOUT (0x80000043): -: The connection timed out waiting for the handshake to complete. +: The endpoint encountered an internal error and cannot continue with the + connection. -QUIC_ERROR_MIGRATING_ADDRESS (0x8000001a): -: There was an error encountered migrating addresses. +CANCELLED (0x80000002): -QUIC_ERROR_MIGRATING_PORT (0x80000056): -: There was an error encountered migrating port only. +: An endpoint sends this with RST_STREAM to indicate that the stream is not + wanted and that no application action was taken for the stream. This error + code is not valid for use with CONNECTION_CLOSE. -QUIC_EMPTY_STREAM_FRAME_NO_FIN (0x80000032): -: We received a STREAM_FRAME with no data and no fin flag set. +FLOW_CONTROL_ERROR (0x80000003): -QUIC_FLOW_CONTROL_RECEIVED_TOO_MUCH_DATA (0x8000003b): -: The peer received too much data, violating flow control. +: An endpoint received more data than it permitted in its advertised data limits + (see {{flow-control}}). -QUIC_FLOW_CONTROL_SENT_TOO_MUCH_DATA (0x8000003f): -: The peer sent too much data, violating flow control. +STREAM_ID_ERROR (0x80000004): -QUIC_FLOW_CONTROL_INVALID_WINDOW (0x80000040): -: The peer received an invalid flow control window. +: An endpoint received a frame for a stream identifier that exceeded its + advertised maximum stream ID. -QUIC_CONNECTION_IP_POOLED (0x8000003e): -: The connection has been IP pooled into an existing connection. +STREAM_STATE_ERROR (0x80000005): -QUIC_TOO_MANY_OUTSTANDING_SENT_PACKETS (0x80000044): -: The connection has too many outstanding sent packets. +: An endpoint received a frame for a stream that was not in a state that + permitted that frame (see {{stream-states}}). -QUIC_TOO_MANY_OUTSTANDING_RECEIVED_PACKETS (0x80000045): -: The connection has too many outstanding received packets. +FINAL_OFFSET_ERROR (0x80000006): -QUIC_CONNECTION_CANCELLED (0x80000046): -: The QUIC connection has been cancelled. +: An endpoint received a STREAM frame containing data that exceeded the + previously established final offset. Or an endpoint received a RST_STREAM + frame containing a final offset that was lower than the maximum offset of data + that was already received. Or an endpoint received a RST_STREAM frame + containing a different final offset to the one already established. -QUIC_BAD_PACKET_LOSS_RATE (0x80000047): -: Disabled QUIC because of high packet loss rate. +FRAME_FORMAT_ERROR (0x80000007): -QUIC_PUBLIC_RESETS_POST_HANDSHAKE (0x80000049): -: Disabled QUIC because of too many PUBLIC_RESETs post handshake. +: An endpoint received a frame that was badly formatted. For instance, an empty + STREAM frame that omitted the FIN flag, or an ACK frame that has more + acknowledgment ranges than the remainder of the packet could carry. This is a + generic error code; an endpoint SHOULD use the more specific frame format + error codes (0x800001XX) if possible. -QUIC_TIMEOUTS_WITH_OPEN_STREAMS (0x8000004a): -: Disabled QUIC because of too many timeouts with streams open. +TRANSPORT_PARAMETER_ERROR (0x80000008): -QUIC_TOO_MANY_RTOS (0x80000055): -: QUIC timed out after too many RTOs. +: An endpoint received transport parameters that were badly formatted, included + an invalid value, was absent even though it is mandatory, was present though + it is forbidden, or is otherwise in error. -QUIC_ENCRYPTION_LEVEL_INCORRECT (0x8000002c): -: A packet was received with the wrong encryption level (i.e. it should - have been encrypted but was not.) +VERSION_NEGOTIATION_ERROR (0x80000009): -QUIC_VERSION_NEGOTIATION_MISMATCH (0x80000037): -: This connection involved a version negotiation which appears to have been - tampered with. +: An endpoint received transport parameters that contained version negotiation + parameters that disagreed with the version negotiation that it performed. + This error code indicates a potential version downgrade attack. -QUIC_IP_ADDRESS_CHANGED (0x80000050): -: IP address changed causing connection close. +PROTOCOL_VIOLATION (0x8000000A): -QUIC_ADDRESS_VALIDATION_FAILURE (0x80000051): -: Client address validation failed. +: An endpoint detected an error with protocol compliance that was not covered by + more specific error codes. -QUIC_TOO_MANY_FRAME_GAPS (0x8000005d): -: Stream frames arrived too discontiguously so that stream sequencer buffer - maintains too many gaps. +FRAME_ERROR (0x800001XX): -QUIC_TOO_MANY_SESSIONS_ON_SERVER (0x80000060): -: Connection closed because server hit max number of sessions allowed. +: An endpoint detected an error in a specific frame type. The frame type is + included as the last octet of the error code. For example, an error in a + MAX_STREAM_ID frame would be indicated with the code (0x80000106). # Security and Privacy Considerations