Change connection ID with Transport Parameters #1041
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -639,7 +639,7 @@ A Handshake packet uses long headers with a type value of 0x7D. It is | |
| used to carry acknowledgments and cryptographic handshake messages from the | ||
| server and client. | ||
|
|
||
| The connection ID field in a Handshake packet may contain a connection ID | ||
| that is chosen by the server (see {{connection-id}}). | ||
|
|
||
| The first Handshake packet sent by a server contains a randomized packet number. | ||
|
|
@@ -690,14 +690,16 @@ The client MUST choose a random connection ID and use it in Initial packets | |
| ({{packet-initial}}) and 0-RTT packets ({{packet-protected}}). | ||
|
|
||
| When the server receives a Initial packet and decides to proceed with the | ||
| handshake, it may chooses a new value for the connection ID and sends that in | ||
| the server_connection_id transport parameter ({{transport-parameter-definitions}}) | ||
| of the Handshake packet ({{packet-handshake}}). | ||
|
There was a problem hiding this comment. A transport parameter can't be "of the Handshake packet". You can drop from "of" onward. |
||
|
|
||
| If the client receives a new connection ID that the server has chosen, it MUST | ||
|
There was a problem hiding this comment. Transport parameters are only really available once the handshake completes. For one, they are in TLS EncryptedExtensions, which isn't necessarily right up front. More importantly, though we could release them before the handshake completes, it makes it harder to reason about their authenticity. Given that transport parameters are used for client address validation, that's problematic. There was a problem hiding this comment. Aren't they available at the server side when a CHLO is received? And shouldn't they be available in the stateless retry? |
||
| use it for all subsequent Handshake ({{packet-handshake}}) and 1-RTT | ||
| ({{packet-protected}}) packets but not for 0-RTT packets ({{packet-protected}}). | ||
|
|
||
| The server MUST NOT switch to the new connection ID until has received a | ||
| packet containing the connection ID from the client. In particular, the | ||
|
There was a problem hiding this comment. I think that it is easier to make the switch with the change to 1-RTT protected packets. Creating another mini-protocol here complicates things considerably. Outside of cases with packet loss (where you can't rely on the client being able to recover the transport parameters), the only real difference is that you are changing the connection ID sent with the client's second flight (it's set of Handshake packets). Now, I agree that there is potentially some value in having the right markings on the client Handshake packets, but maybe the right answer here is to use NEW_CONNECTION_ID. There was a problem hiding this comment. One of the goals of this change is to allow connection ID changes to occur before switching to 1RTT, so only allowing the switch with 1RTT packets defeats half the point. NEW_CONNECTION_ID wouldn't change the encryption level issues. And we'd have to allow it during the handshake, which we don't today. It seems more complex than this approach, but it's probably doable. There was a problem hiding this comment. I agree with @ianswett, that the client should be the one that starts using the new connection ID first. Otherwise, you are back to one of the original problems of multiple clients on the same 4-tuple and it is impossible to determine which of them to deliver the newly received packet to. |
||
| Server's Version Negotiation ({{packet-version}}) and Retry ({{packet-retry}}) | ||
| packets MUST use connection ID selected by the client. | ||
|
|
||
|
|
@@ -1078,6 +1080,7 @@ language from Section 3 of {{!I-D.ietf-tls-tls13}}. | |
| stateless_reset_token(6), | ||
| ack_delay_exponent(7), | ||
| initial_max_stream_id_uni(8), | ||
| server_connection_id(9), | ||
| (65535) | ||
| } TransportParameterId; | ||
|
|
||
|
|
@@ -1215,6 +1218,11 @@ ack_delay_exponent (0x0007): | |
| value is also used for ACK frames that are sent in Initial, Handshake, and | ||
| Retry packets. Values above 20 are invalid. | ||
|
|
||
| server_connection_id (0x0009): | ||
| : An 8 byte value to be used by the client on all future packets sent to the | ||
| server. The server will switch to sending this connection ID once it | ||
| receives a packet using the connection ID from the client. | ||
|
|
||
|
|
||
| ### Values of Transport Parameters for 0-RTT {#zerortt-parameters} | ||
|
|
||
|
|
@@ -3776,6 +3784,7 @@ The initial contents of this registry are shown in {{iana-tp-table}}. | |
| | 0x0006 | stateless_reset_token | {{transport-parameter-definitions}} | | ||
| | 0x0007 | ack_delay_exponent | {{transport-parameter-definitions}} | | ||
| | 0x0008 | initial_max_stream_id_uni | {{transport-parameter-definitions}} | | ||
| | 0x0009 | server_connection_id | {{transport-parameter-definitions}} | | ||
| {: #iana-tp-table title="Initial QUIC Transport Parameters Entries"} | ||
|
|
||
|
|
||
|
|
||
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
MAY choose I think