QUIC: additional limit for probing packets.
RFC 9000, 9.3. Responding to Connection Migration: An endpoint only changes the address to which it sends packets in response to the highest-numbered non-probing packet. The patch extends this requirement to probing packets. Although it may seem excessive, it helps with mitigation of replay attacks (when an off-path attacker has copied a packet carrying PATH_CHALLENGE and resends it from different source addresses to exhaust the available connection ids).
parent
006a271f72
commit
9ff3d71a97
1 changed files with 11 additions and 0 deletions
@ -255,6 +255,7 @@ ngx_quic_set_path(ngx_connection_t *c, ngx_quic_header_t *pkt)
|
||||||
ngx_queue_t *q;
|
ngx_queue_t *q;
|
||||||
ngx_quic_path_t *path, *probe;
|
ngx_quic_path_t *path, *probe;
|
||||||
ngx_quic_socket_t *qsock;
|
ngx_quic_socket_t *qsock;
|
||||||
|
ngx_quic_send_ctx_t *ctx;
|
||||||
ngx_quic_client_id_t *cid;
|
ngx_quic_client_id_t *cid;
|
||||||
ngx_quic_connection_t *qc;
|
ngx_quic_connection_t *qc;
|
||||||
|
|
||||||
|
@ -291,6 +292,16 @@ ngx_quic_set_path(ngx_connection_t *c, ngx_quic_header_t *pkt)
|
||||||
|
|
||||||
/* packet from new path, drop current probe, if any */
|
/* packet from new path, drop current probe, if any */
|
||||||
|
|
||||||
|
ctx = ngx_quic_get_send_ctx(qc, pkt->level);
|
||||||
|
|
||||||
|
/*
|
||||||
|
* only accept highest-numbered packets to prevent connection id
|
||||||
|
* exhaustion by excessive probing packets from unknown paths
|
||||||
|
*/
|
||||||
|
if (pkt->pn != ctx->largest_pn) {
|
||||||
|
return NGX_DONE;
|
||||||
|
}
|
||||||
|
|
||||||
if (probe && ngx_quic_free_path(c, probe) != NGX_OK) {
|
if (probe && ngx_quic_free_path(c, probe) != NGX_OK) {
|
||||||
return NGX_ERROR;
|
return NGX_ERROR;
|
||||||
}
|
}
|
||||||
|
|
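Review bot: The guard `if (pkt->pn != ctx->largest_pn)` rejects packets numbered below the current largest but still admits a duplicate of the highest-numbered packet itself, so an off-path attacker who replays the client's latest packet from several source addresses before the client sends anything newer is not stopped by this check unless duplicate packet numbers are already dropped earlier in the receive path, which the hunk does not show. The check also presumes `ctx->largest_pn` has already been advanced for the packet being processed by the time ngx_quic_set_path runs; if that update happens after this call, the newest packet would compare unequal and be discarded, so the caller ordering is worth confirming and stating in the comment, e.g. `* (relies on ctx->largest_pn already including pkt->pn)`. The early `return NGX_DONE;` is silent; a debug line such as `ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0, "quic ignore non-highest packet from new path");` before it would make dropped probes visible when diagnosing migration problems. Callers must also treat NGX_DONE distinctly from NGX_ERROR, which is outside this hunk. ngx_quic_set_path starts before and ends after the hunk.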