Mercurial > hg > nginx
comparison src/event/quic/ngx_event_quic_migration.c @ 8797:4715f3e669f1 quic
QUIC: updated specification references.
This includes updating citations and further clarification.
author | Sergey Kandaurov <pluknet@nginx.com> |
---|---|
date | Wed, 16 Jun 2021 11:55:12 +0300 |
parents | 5186ee5a94b9 |
children | ad046179eb91 |
comparison
equal
deleted
inserted
replaced
8796:1fec68e322d0 | 8797:4715f3e669f1 |
---|---|
36 frame.level = ssl_encryption_application; | 36 frame.level = ssl_encryption_application; |
37 frame.type = NGX_QUIC_FT_PATH_RESPONSE; | 37 frame.type = NGX_QUIC_FT_PATH_RESPONSE; |
38 frame.u.path_response = *f; | 38 frame.u.path_response = *f; |
39 | 39 |
40 /* | 40 /* |
41 * RFC 9000, 8.2.2. Path Validation Responses | |
42 * | |
41 * A PATH_RESPONSE frame MUST be sent on the network path where the | 43 * A PATH_RESPONSE frame MUST be sent on the network path where the |
42 * PATH_CHALLENGE was received. | 44 * PATH_CHALLENGE frame was received. |
43 */ | 45 */ |
44 qsock = ngx_quic_get_socket(c); | 46 qsock = ngx_quic_get_socket(c); |
45 path = qsock->path; | 47 path = qsock->path; |
46 | 48 |
47 /* | 49 /* |
48 * An endpoint MUST NOT expand the datagram containing the PATH_RESPONSE | 50 * An endpoint MUST NOT expand the datagram containing the PATH_RESPONSE |
49 * if the resulting data exceeds the anti-amplification limit. | 51 * if the resulting data exceeds the anti-amplification limit. |
50 */ | 52 */ |
51 max = path->received * 3; | 53 max = path->received * 3; |
52 max = (path->sent >= max) ? 0 : max - path->sent; | 54 max = (path->sent >= max) ? 0 : max - path->sent; |
53 pad = ngx_min(1200, max); | 55 pad = ngx_min(1200, max); |
54 | 56 |
59 | 61 |
60 path->sent += sent; | 62 path->sent += sent; |
61 | 63 |
62 if (qsock == qc->socket) { | 64 if (qsock == qc->socket) { |
63 /* | 65 /* |
66 * RFC 9000, 9.3.3. Off-Path Packet Forwarding | |
67 * | |
64 * An endpoint that receives a PATH_CHALLENGE on an active path SHOULD | 68 * An endpoint that receives a PATH_CHALLENGE on an active path SHOULD |
65 * send a non-probing packet in response. | 69 * send a non-probing packet in response. |
66 */ | 70 */ |
67 | 71 |
68 fp = ngx_quic_alloc_frame(c); | 72 fp = ngx_quic_alloc_frame(c); |
89 ngx_quic_connection_t *qc; | 93 ngx_quic_connection_t *qc; |
90 | 94 |
91 qc = ngx_quic_get_connection(c); | 95 qc = ngx_quic_get_connection(c); |
92 | 96 |
93 /* | 97 /* |
98 * RFC 9000, 8.2.3. Successful Path Validation | |
99 * | |
94 * A PATH_RESPONSE frame received on any network path validates the path | 100 * A PATH_RESPONSE frame received on any network path validates the path |
95 * on which the PATH_CHALLENGE was sent. | 101 * on which the PATH_CHALLENGE was sent. |
96 */ | 102 */ |
97 | 103 |
98 for (q = ngx_queue_head(&qc->paths); | 104 for (q = ngx_queue_head(&qc->paths); |
118 return NGX_OK; | 124 return NGX_OK; |
119 | 125 |
120 valid: | 126 valid: |
121 | 127 |
122 /* | 128 /* |
129 * RFC 9000, 9.4. Loss Detection and Congestion Control | |
130 * | |
123 * On confirming a peer's ownership of its new address, | 131 * On confirming a peer's ownership of its new address, |
124 * an endpoint MUST immediately reset the congestion controller | 132 * an endpoint MUST immediately reset the congestion controller |
125 * and round-trip time estimator for the new path | 133 * and round-trip time estimator for the new path to initial values |
126 * to initial values | 134 * unless the only change in the peer's address is its port number. |
127 * ...unless the only change in the peer's address is its port number. | |
128 */ | 135 */ |
129 | 136 |
130 prev = qc->backup->path; | 137 prev = qc->backup->path; |
131 | 138 |
132 if (ngx_cmp_sockaddr(prev->sockaddr, prev->socklen, | 139 if (ngx_cmp_sockaddr(prev->sockaddr, prev->socklen, |
142 qc->congestion.ssthresh = (size_t) -1; | 149 qc->congestion.ssthresh = (size_t) -1; |
143 qc->congestion.recovery_start = ngx_current_msec; | 150 qc->congestion.recovery_start = ngx_current_msec; |
144 } | 151 } |
145 | 152 |
146 /* | 153 /* |
154 * RFC 9000, 9.3. Responding to Connection Migration | |
155 * | |
147 * After verifying a new client address, the server SHOULD | 156 * After verifying a new client address, the server SHOULD |
148 * send new address validation tokens (Section 8) to the client. | 157 * send new address validation tokens (Section 8) to the client. |
149 */ | 158 */ |
150 | 159 |
151 if (ngx_quic_send_new_token(c, path) != NGX_OK) { | 160 if (ngx_quic_send_new_token(c, path) != NGX_OK) { |
472 } | 481 } |
473 | 482 |
474 ctx = ngx_quic_get_send_ctx(qc, pkt->level); | 483 ctx = ngx_quic_get_send_ctx(qc, pkt->level); |
475 | 484 |
476 /* | 485 /* |
486 * RFC 9000, 9.3. Responding to Connection Migration | |
487 * | |
477 * An endpoint only changes the address to which it sends packets in | 488 * An endpoint only changes the address to which it sends packets in |
478 * response to the highest-numbered non-probing packet. | 489 * response to the highest-numbered non-probing packet. |
479 */ | 490 */ |
480 if (pkt->pn != ctx->largest_pn) { | 491 if (pkt->pn != ctx->largest_pn) { |
481 return NGX_OK; | 492 return NGX_OK; |
484 /* switching connection to new path */ | 495 /* switching connection to new path */ |
485 | 496 |
486 ngx_quic_set_connection_path(c, next); | 497 ngx_quic_set_connection_path(c, next); |
487 | 498 |
488 /* | 499 /* |
500 * RFC 9000, 9.5. Privacy Implications of Connection Migration | |
501 * | |
489 * An endpoint MUST NOT reuse a connection ID when sending to | 502 * An endpoint MUST NOT reuse a connection ID when sending to |
490 * more than one destination address. | 503 * more than one destination address. |
491 */ | 504 */ |
492 | 505 |
493 /* preserve valid path we are migrating from */ | 506 /* preserve valid path we are migrating from */ |
576 frame.type = NGX_QUIC_FT_PATH_CHALLENGE; | 589 frame.type = NGX_QUIC_FT_PATH_CHALLENGE; |
577 | 590 |
578 ngx_memcpy(frame.u.path_challenge.data, path->challenge1, 8); | 591 ngx_memcpy(frame.u.path_challenge.data, path->challenge1, 8); |
579 | 592 |
580 /* | 593 /* |
594 * RFC 9000, 8.2.1. Initiating Path Validation | |
595 * | |
581 * An endpoint MUST expand datagrams that contain a PATH_CHALLENGE frame | 596 * An endpoint MUST expand datagrams that contain a PATH_CHALLENGE frame |
582 * to at least the smallest allowed maximum datagram size of 1200 bytes, | 597 * to at least the smallest allowed maximum datagram size of 1200 bytes, |
583 * unless the anti-amplification limit for the path does not permit | 598 * unless the anti-amplification limit for the path does not permit |
584 * sending a datagram of this size. | 599 * sending a datagram of this size. |
585 */ | 600 */ |
673 /* found expired path */ | 688 /* found expired path */ |
674 | 689 |
675 path->state = NGX_QUIC_PATH_NEW; | 690 path->state = NGX_QUIC_PATH_NEW; |
676 | 691 |
677 /* | 692 /* |
693 * RFC 9000, 9.4. Loss Detection and Congestion Control | |
694 * | |
678 * If the timer fires before the PATH_RESPONSE is received, the | 695 * If the timer fires before the PATH_RESPONSE is received, the |
679 * endpoint might send a new PATH_CHALLENGE, and restart the timer for | 696 * endpoint might send a new PATH_CHALLENGE and restart the timer for |
680 * a longer period of time. This timer SHOULD be set as described in | 697 * a longer period of time. This timer SHOULD be set as described in |
681 * Section 6.2.1 of [QUIC-RECOVERY] and MUST NOT be more aggressive. | 698 * Section 6.2.1 of [QUIC-RECOVERY] and MUST NOT be more aggressive. |
682 */ | 699 */ |
683 | 700 |
684 if (qc->socket->path != path) { | 701 if (qc->socket->path != path) { |
685 /* the path was not actually used */ | 702 /* the path was not actually used */ |
706 ngx_quic_socket_t *qsock; | 723 ngx_quic_socket_t *qsock; |
707 ngx_quic_connection_t *qc; | 724 ngx_quic_connection_t *qc; |
708 | 725 |
709 qc = ngx_quic_get_connection(c); | 726 qc = ngx_quic_get_connection(c); |
710 | 727 |
711 /* Failure to validate a path does not cause the connection to end */ | 728 /* |
712 | 729 * RFC 9000, 9.1. Probing a New Path |
713 /* | 730 * |
731 * Failure to validate a path does not cause the connection to end | |
732 * | |
733 * RFC 9000, 9.3.2. On-Path Address Spoofing | |
734 * | |
714 * To protect the connection from failing due to such a spurious | 735 * To protect the connection from failing due to such a spurious |
715 * migration, an endpoint MUST revert to using the last validated | 736 * migration, an endpoint MUST revert to using the last validated |
716 * peer address when validation of a new peer address fails. | 737 * peer address when validation of a new peer address fails. |
717 */ | 738 */ |
718 | 739 |