Igor, in theory, you are right. In practice, it would be interesting to
test how various servers react to this kind of attacks, racing copies of
packets with different addresses.
-- Christian Huitema
On 9/26/2023 11:39 AM, Lubashev, Igor wrote:
On Tuesday, September 26, att 2023 2:30 PM Christian Huitema wtote:
There was quite a bit of discussion about the usage of CID in the
context of QUIC Multipath, which uses CID to identify paths. The basic
rules for managing incoming packets are:
1) Packet arrives with a new CID:
- if same four tuple as an existing path, treat as CID renewal
- if different four tuple, process as new path
2) Packet arrives with already used CID:
- if same four tuple as an existing path, process on that path.
- if different four tuple, process NAT rebinding as new path
If client would keeps sending packets with the same CID and different IP
addresses, it will cause a lot of "NAT rebinding", causing a lot of
overhead on the server. Servers may well treat that as an attack and
drop the connection.
Does it mean that an on-path observer that is able to race packets to the
server is able to force any connection to close by racing copies of the packets
with random source addresses? I believe in similar cases, we've decided that
servers should not close connections due to unexpected source addresses, but
they can drop packets with unexpected source addresses.
Best,
- Igor
-- Christian Huitema
On 9/26/2023 10:25 AM, Eric Kinnear wrote:
That said, if the server notices that the client is coming from a different
address and using the same destination CID, which would not be allowed if
the client knew that it was using a different network path, it’s nice if it does
change CID. This provides a signal to a client that a NAT rebinding may have
occurred, and the client might choose to take action on that in some way.
Since you’re allowed to change CID at any time on the same path, there’s no
need for additional text that explicitly allows this, but the most
straightforward
implementation that just says “yup, you’re on a different remote address, I’ll
use a different CID” and doesn’t check whether the remote peer rotated CID is
likely the best answer.
Thanks,
Eric
On Sep 25, 2023, at 8:37 PM, Willy Tarreau <[email protected]> wrote:
On Tue, Sep 26, 2023 at 11:04:40AM +0800, "???(Personal)" wrote:
Is it allowed for a server to reuse the current CID when it notices a NAT
rebinding? I wonder if the text ("...., in which case it MAY continue to use
the current connection ID with the new remote address while still sending
from the same local address.") indicates that the server can reuse the
current CID?
If the spec says "MAY", then yes, it's allowed to.
Willy
