comparison src/event/quic/ngx_event_quic_migration.c @ 8798:077a1e403446 quic
QUIC: additional limit for probing packets.
RFC 9000, 9.3. Responding to Connection Migration:
An endpoint only changes the address to which it sends packets in
response to the highest-numbered non-probing packet.
The patch extends this requirement to probing packets. Although it may
seem excessive, it helps with mitigation of replay attacks (when an off-path
attacker has copied a packet with PATH_CHALLENGE and uses different
addresses to exhaust available connection ids).
author | Vladimir Homutov <vl@nginx.com> |
---|---|
date | Thu, 20 Jan 2022 22:00:25 +0300 |
parents | 1e2f4e9c8195 |
children | da24a78720eb |
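--- a/src/event/quic/ngx_event_quic_migration.c
+++ b/src/event/quic/ngx_event_quic_migration.c
@@ -253,10 +253,11 @@
 {
 off_t len;
 ngx_queue_t *q;
 ngx_quic_path_t *path, *probe;
 ngx_quic_socket_t *qsock;
+ngx_quic_send_ctx_t *ctx;
 ngx_quic_client_id_t *cid;
 ngx_quic_connection_t *qc;
 
 qc = ngx_quic_get_connection(c);
 qsock = ngx_quic_get_socket(c);
@@ -288,10 +289,20 @@
 probe = path;
 }
 }
 
 /* packet from new path, drop current probe, if any */
+
+ctx = ngx_quic_get_send_ctx(qc, pkt->level);
+
+/*
+* only accept highest-numbered packets to prevent connection id
+* exhaustion by excessive probing packets from unknown paths
+*/
+if (pkt->pn != ctx->largest_pn) {
+return NGX_DONE;
+}
 
 if (probe && ngx_quic_free_path(c, probe) != NGX_OK) {
 return NGX_ERROR;
 }
 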
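Review bot: The comment `/* packet from new path, drop current probe, if any */` (new line 293) now sits ten lines away from the `ngx_quic_free_path(c, probe)` call it describes, with the new largest-pn check inserted between them; moving it down to directly above `if (probe && ngx_quic_free_path(c, probe) != NGX_OK) {` keeps the comment next to the code it explains. The check `if (pkt->pn != ctx->largest_pn)` is only meaningful if the caller has already folded this packet's number into `ctx->largest_pn` before the migration handler runs, and that ordering is outside the hunk, so a short comment stating the precondition, e.g. `/* assumes ctx->largest_pn already reflects pkt->pn (updated by the caller) */`, would make the dependency visible to the next reader. It would also help to tie the new comment to its source, e.g. `* RFC 9000, 9.3 requires this for non-probing packets; applied to probing packets too`. The enclosing function starts before line 253 and its body continues past line 308, so how the caller treats the new NGX_DONE return could not be reviewed here.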