> On Tuesday, September 26, 2023 at 2:30 PM Christian Huitema wrote:
>
> There was quite a bit of discussion about the usage of CID in the
> context of QUIC Multipath, which uses CID to identify paths. The basic
> rules for managing incoming packets are:
>
> 1) Packet arrives with a new CID:
>    - if same four tuple as an existing path, treat as CID renewal
>    - if different four tuple, process as new path
> 2) Packet arrives with already used CID:
>    - if same four tuple as an existing path, process on that path.
>    - if different four tuple, process NAT rebinding as new path
>
> If a client keeps sending packets with the same CID and different IP
> addresses, it will cause a lot of "NAT rebinding", causing a lot of
> overhead on the server. Servers may well treat that as an attack and
> drop the connection.
Does it mean that an on-path observer that is able to race packets to the
server is able to force any connection to close by racing copies of the
packets with random source addresses? I believe in similar cases, we've
decided that servers should not close connections due to unexpected source
addresses, but they can drop packets with unexpected source addresses.

Best,
- Igor

> --
> Christian Huitema
>
> On 9/26/2023 10:25 AM, Eric Kinnear wrote:
> > That said, if the server notices that the client is coming from a different
> > address and using the same destination CID, which would not be allowed if
> > the client knew that it was using a different network path, it’s nice if it
> > does change CID. This provides a signal to a client that a NAT rebinding may
> > have occurred, and the client might choose to take action on that in some way.
> >
> > Since you’re allowed to change CID at any time on the same path, there’s no
> > need for additional text that explicitly allows this, but the most
> > straightforward implementation that just says “yup, you’re on a different
> > remote address, I’ll use a different CID” and doesn’t check whether the
> > remote peer rotated CID is likely the best answer.
> >
> > Thanks,
> > Eric
> >
> >> On Sep 25, 2023, at 8:37 PM, Willy Tarreau <w...@1wt.eu> wrote:
> >>
> >> On Tue, Sep 26, 2023 at 11:04:40AM +0800, "???(Personal)" wrote:
> >>> Is it allowed for a server to reuse the current CID when it notices a NAT
> >>> rebinding? I wonder if the text ("...., in which case it MAY continue to
> >>> use the current connection ID with the new remote address while still
> >>> sending from the same local address.") indicates that the server can reuse
> >>> the current CID?
> >>
> >> If the spec says "MAY", then yes, it's allowed to.
> >>
> >> Willy
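Added example, not part of the thread and not taken from any QUIC implementation: a toy model of the server-side rules 1 and 2 quoted above, combined with the handling Igor describes for unexpected source addresses. Packets carrying an already-used CID from a new four-tuple become a bounded number of unvalidated candidate paths (here an assumed budget of 3) that are dropped beyond that budget and expired if nobody answers the PATH_CHALLENGE; the connection itself is never closed on that basis. The addresses, CIDs, the `ServerConnection` class and the scenario functions are all constructed for the example; the genuine NAT-rebinding case keeps the CID, as the MAY text quoted at the bottom of the thread permits, and is accepted once its challenge is answered.

```python
# Toy model of the server-side rules quoted above (hypothetical code, not from
# any QUIC stack). Rules 1/2 classify packets by (CID, four-tuple); an
# unexpected source can only create a bounded, unvalidated candidate path or
# be dropped, never close the connection. Validation = PATH_CHALLENGE reply.
from collections import Counter
from dataclasses import dataclass
import random
import secrets

@dataclass
class Path:
    cid: bytes
    validated: bool = False
    challenge: bytes = b""      # pending PATH_CHALLENGE data, empty once validated

@dataclass(frozen=True)
class Packet:
    src: tuple          # (ip, port) the packet claims to come from
    dst: tuple          # server (ip, port)
    dcid: bytes         # destination CID: one of the server's own CIDs

class ServerConnection:
    MAX_UNVALIDATED_PATHS = 3   # assumed budget, not a number from the spec

    def __init__(self, local, remote, cid):
        self.issued_cids = {cid}    # handed to the peer via NEW_CONNECTION_ID
        self.used_cids = {cid}      # already seen on some path
        self.paths = {(remote, local): Path(cid, validated=True)}
        self.closed = False         # stays False: no rule below ever closes
        self.outcomes = Counter()

    def issue_cid(self):
        cid = secrets.token_bytes(8)
        self.issued_cids.add(cid)
        return cid

    def receive(self, pkt):
        if pkt.dcid not in self.issued_cids:
            return self._note("drop: unknown cid")
        ft = (pkt.src, pkt.dst)
        path = self.paths.get(ft)
        if pkt.dcid not in self.used_cids:                  # rule 1: new CID
            self.used_cids.add(pkt.dcid)
            if path is not None:                            # 1a: same four-tuple
                path.cid = pkt.dcid
                return self._note("cid renewal")
            return self._candidate(ft, pkt.dcid, "new path")            # 1b
        if path is not None:                                # rule 2a
            return self._note("existing path")
        return self._candidate(ft, pkt.dcid, "nat rebinding candidate")  # 2b

    def _candidate(self, ft, cid, label):
        # An unexpected source only ever yields a candidate path or a drop.
        unvalidated = sum(not p.validated for p in self.paths.values())
        if unvalidated >= self.MAX_UNVALIDATED_PATHS:
            return self._note("drop: unvalidated path budget exhausted")
        self.paths[ft] = Path(cid, challenge=secrets.token_bytes(8))
        return self._note(label)    # a real server sends PATH_CHALLENGE here

    def path_response(self, ft, data):
        path = self.paths.get(ft)
        if path is None or path.validated or data != path.challenge:
            return False
        path.validated, path.challenge = True, b""
        return True

    def expire_unvalidated(self):
        # Validation timer: forget candidates nobody answered for.
        for ft in [ft for ft, p in self.paths.items() if not p.validated]:
            del self.paths[ft]

    def _note(self, outcome):
        self.outcomes[outcome] += 1
        return outcome

CLIENT, SERVER, CID0 = ("198.51.100.10", 4433), ("203.0.113.1", 443), b"\x01" * 8

def spoof_flood_scenario(copies=1000):
    """On-path copies of a client packet with random sources (constructed)."""
    conn = ServerConnection(SERVER, CLIENT, CID0)
    rng = random.Random(1)
    for _ in range(copies):
        spoofed = ("192.0.2.%d" % rng.randrange(1, 255), rng.randrange(1024, 65535))
        conn.receive(Packet(spoofed, SERVER, CID0))
    conn.expire_unvalidated()
    return not conn.closed, conn.receive(Packet(CLIENT, SERVER, CID0)), dict(conn.outcomes)

def nat_rebinding_scenario():
    """Real client whose NAT port changed; it keeps the CID and answers the challenge."""
    conn = ServerConnection(SERVER, CLIENT, CID0)
    rebound = (CLIENT[0], 50000)
    first = conn.receive(Packet(rebound, SERVER, CID0))
    answered = conn.path_response((rebound, SERVER), conn.paths[(rebound, SERVER)].challenge)
    conn.expire_unvalidated()
    return first, answered, conn.paths[(rebound, SERVER)].validated

def multipath_scenario():
    """Rule 1 cases: renewal on the same tuple, then a fresh CID from a new address."""
    conn = ServerConnection(SERVER, CLIENT, CID0)
    cid1, cid2, second_addr = conn.issue_cid(), conn.issue_cid(), ("198.51.100.77", 4000)
    return [conn.receive(Packet(CLIENT, SERVER, cid1)),
            conn.receive(Packet(second_addr, SERVER, cid2)),
            conn.receive(Packet(second_addr, SERVER, cid2)),
            conn.receive(Packet(CLIENT, SERVER, b"\xff" * 8))]
```

The budget and the expiry timer are what keep the spoofed copies cheap for the server: after the first few candidates, every further unexpected-source packet is a constant-time drop, the genuine path keeps working throughout, and a real rebinding still completes because only the real peer can answer the challenge sent to the new address.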