Mercurial > hg > nginx
comparison src/event/quic/ngx_event_quic_migration.c @ 8913:40445fc7c403 quic
QUIC: fixed migration during NAT rebinding.
The RFC 9000 allows a packet from known CID arrive from unknown path:
These requirements regarding connection ID reuse apply only to the
sending of packets, as unintentional changes in path without a change
in connection ID are possible. For example, after a period of
network inactivity, NAT rebinding might cause packets to be sent on a
new path when the client resumes sending.
Before the patch, such packets were rejected with an error in the
ngx_quic_check_migration() function. Removing the check makes the
separate function excessive - remaining checks are early migration
check and "disable_active_migration" check. The latter is a transport
parameter sent to client and it should not be used by server.
The server should send "disable_active_migration" "if the endpoint does
not support active connection migration" (18.2). The support status depends
on nginx configuration: to have migration working with multiple workers,
you need bpf helper, available on recent Linux systems. The patch does
not set "disable_active_migration" automatically and leaves it for the
administrator. By default, active migration is enabled.
RFC 900 says that it is ok to migrate if the peer violates
"disable_active_migration" flag requirements:
If the peer violates this requirement,
the endpoint MUST either drop the incoming packets on that path without
generating a Stateless Reset
OR
proceed with path validation and allow the peer to migrate. Generating a
Stateless Reset or closing the connection would allow third parties in the
network to cause connections to close by spoofing or otherwise manipulating
observed traffic.
So, nginx adheres to the second option and proceeds to path validation.
Note:
The ngtcp2 may be used for testing both active migration and NAT rebinding:
ngtcp2/client --change-local-addr=200ms --delay-stream=500ms <ip> <port> <url>
ngtcp2/client --change-local-addr=200ms --delay-stream=500ms --nat-rebinding \
<ip> <port> <url>
author | Vladimir Homutov <vl@nginx.com> |
---|---|
date | Mon, 29 Nov 2021 11:51:14 +0300 |
parents | 50d73bf20e73 |
children | bb1d1d9d76e2 |
comparison
equal
deleted
inserted
replaced
8912:50d73bf20e73 | 8913:40445fc7c403 |
---|---|
277 return NULL; | 277 return NULL; |
278 } | 278 } |
279 | 279 |
280 | 280 |
281 ngx_int_t | 281 ngx_int_t |
282 ngx_quic_check_migration(ngx_connection_t *c, ngx_quic_header_t *pkt) | |
283 { | |
284 ngx_quic_path_t *path; | |
285 ngx_quic_socket_t *qsock; | |
286 ngx_quic_connection_t *qc; | |
287 | |
288 qc = ngx_quic_get_connection(c); | |
289 | |
290 qsock = ngx_quic_get_socket(c); | |
291 | |
292 if (c->udp->dgram == NULL) { | |
293 /* 2nd QUIC packet in first UDP datagram */ | |
294 return NGX_OK; | |
295 } | |
296 | |
297 path = ngx_quic_find_path(c, c->udp->dgram->sockaddr, | |
298 c->udp->dgram->socklen); | |
299 if (path == NULL) { | |
300 /* packet comes from unknown path, possibly migration */ | |
301 | |
302 if (qc->tp.disable_active_migration) { | |
303 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0, | |
304 "quic migration disabled, dropping packet " | |
305 "from unknown path"); | |
306 return NGX_DECLINED; | |
307 } | |
308 | |
309 if (pkt->level != ssl_encryption_application) { | |
310 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0, | |
311 "quic too early migration attempt"); | |
312 return NGX_DECLINED; | |
313 } | |
314 | |
315 return NGX_OK; | |
316 } | |
317 | |
318 /* packet from known path */ | |
319 | |
320 if (qsock->path == NULL) { | |
321 /* client switched to previously unused server id */ | |
322 return NGX_OK; | |
323 } | |
324 | |
325 if (path == qsock->path) { | |
326 /* regular packet to expected path */ | |
327 return NGX_OK; | |
328 } | |
329 | |
330 /* client is trying to use server id already used on other path */ | |
331 | |
332 ngx_log_debug4(NGX_LOG_DEBUG_EVENT, c->log, 0, | |
333 "quic attempt to use socket #%uL:%uL:%uL with path #%uL", | |
334 qsock->sid.seqnum, qsock->cid->seqnum, | |
335 qsock->path->seqnum, path->seqnum); | |
336 | |
337 return NGX_DECLINED; | |
338 } | |
339 | |
340 | |
341 ngx_int_t | |
342 ngx_quic_update_paths(ngx_connection_t *c, ngx_quic_header_t *pkt) | 282 ngx_quic_update_paths(ngx_connection_t *c, ngx_quic_header_t *pkt) |
343 { | 283 { |
344 off_t len; | 284 off_t len; |
345 ngx_quic_path_t *path; | 285 ngx_quic_path_t *path; |
346 ngx_quic_socket_t *qsock; | 286 ngx_quic_socket_t *qsock; |
347 ngx_quic_client_id_t *cid; | 287 ngx_quic_client_id_t *cid; |
348 ngx_quic_connection_t *qc; | 288 ngx_quic_connection_t *qc; |
349 | 289 |
350 qsock = ngx_quic_get_socket(c); | 290 qsock = ngx_quic_get_socket(c); |
351 path = qsock->path; | 291 |
352 | 292 if (c->udp->dgram == NULL && qsock->path) { |
353 if (path) { | 293 /* 1st ever packet in connection, path already exists */ |
294 path = qsock->path; | |
354 goto update; | 295 goto update; |
355 } | 296 } |
356 | 297 |
357 path = ngx_quic_find_path(c, c->udp->dgram->sockaddr, | 298 path = ngx_quic_find_path(c, c->udp->dgram->sockaddr, |
358 c->udp->dgram->socklen); | 299 c->udp->dgram->socklen); |
361 path = ngx_quic_add_path(c, c->udp->dgram->sockaddr, | 302 path = ngx_quic_add_path(c, c->udp->dgram->sockaddr, |
362 c->udp->dgram->socklen); | 303 c->udp->dgram->socklen); |
363 if (path == NULL) { | 304 if (path == NULL) { |
364 return NGX_ERROR; | 305 return NGX_ERROR; |
365 } | 306 } |
307 | |
308 if (qsock->path) { | |
309 /* NAT rebinding case: packet to same CID, but from new address */ | |
310 | |
311 ngx_quic_unref_path(c, qsock->path); | |
312 | |
313 qsock->path = path; | |
314 path->refcnt++; | |
315 | |
316 goto update; | |
317 } | |
318 | |
319 } else if (qsock->path) { | |
320 goto update; | |
366 } | 321 } |
367 | 322 |
368 /* prefer unused client IDs if available */ | 323 /* prefer unused client IDs if available */ |
369 cid = ngx_quic_next_client_id(c); | 324 cid = ngx_quic_next_client_id(c); |
370 if (cid == NULL) { | 325 if (cid == NULL) { |