Mercurial > hg > nginx
comparison src/event/quic/ngx_event_quic_migration.c @ 8797:4715f3e669f1 quic
QUIC: updated specification references.
This includes updating citations and further clarification.
| author | Sergey Kandaurov <pluknet@nginx.com> |
|---|---|
| date | Wed, 16 Jun 2021 11:55:12 +0300 |
| parents | 5186ee5a94b9 |
| children | ad046179eb91 |
comparison
equal
deleted
inserted
replaced
| 8796:1fec68e322d0 | 8797:4715f3e669f1 |
|---|---|
| 36 frame.level = ssl_encryption_application; | 36 frame.level = ssl_encryption_application; |
| 37 frame.type = NGX_QUIC_FT_PATH_RESPONSE; | 37 frame.type = NGX_QUIC_FT_PATH_RESPONSE; |
| 38 frame.u.path_response = *f; | 38 frame.u.path_response = *f; |
| 39 | 39 |
| 40 /* | 40 /* |
| 41 * RFC 9000, 8.2.2. Path Validation Responses | |
| 42 * | |
| 41 * A PATH_RESPONSE frame MUST be sent on the network path where the | 43 * A PATH_RESPONSE frame MUST be sent on the network path where the |
| 42 * PATH_CHALLENGE was received. | 44 * PATH_CHALLENGE frame was received. |
| 43 */ | 45 */ |
| 44 qsock = ngx_quic_get_socket(c); | 46 qsock = ngx_quic_get_socket(c); |
| 45 path = qsock->path; | 47 path = qsock->path; |
| 46 | 48 |
| 47 /* | 49 /* |
| 48 * An endpoint MUST NOT expand the datagram containing the PATH_RESPONSE | 50 * An endpoint MUST NOT expand the datagram containing the PATH_RESPONSE |
| 49 * if the resulting data exceeds the anti-amplification limit. | 51 * if the resulting data exceeds the anti-amplification limit. |
| 50 */ | 52 */ |
| 51 max = path->received * 3; | 53 max = path->received * 3; |
| 52 max = (path->sent >= max) ? 0 : max - path->sent; | 54 max = (path->sent >= max) ? 0 : max - path->sent; |
| 53 pad = ngx_min(1200, max); | 55 pad = ngx_min(1200, max); |
| 54 | 56 |
| 59 | 61 |
| 60 path->sent += sent; | 62 path->sent += sent; |
| 61 | 63 |
| 62 if (qsock == qc->socket) { | 64 if (qsock == qc->socket) { |
| 63 /* | 65 /* |
| 66 * RFC 9000, 9.3.3. Off-Path Packet Forwarding | |
| 67 * | |
| 64 * An endpoint that receives a PATH_CHALLENGE on an active path SHOULD | 68 * An endpoint that receives a PATH_CHALLENGE on an active path SHOULD |
| 65 * send a non-probing packet in response. | 69 * send a non-probing packet in response. |
| 66 */ | 70 */ |
| 67 | 71 |
| 68 fp = ngx_quic_alloc_frame(c); | 72 fp = ngx_quic_alloc_frame(c); |
| 89 ngx_quic_connection_t *qc; | 93 ngx_quic_connection_t *qc; |
| 90 | 94 |
| 91 qc = ngx_quic_get_connection(c); | 95 qc = ngx_quic_get_connection(c); |
| 92 | 96 |
| 93 /* | 97 /* |
| 98 * RFC 9000, 8.2.3. Successful Path Validation | |
| 99 * | |
| 94 * A PATH_RESPONSE frame received on any network path validates the path | 100 * A PATH_RESPONSE frame received on any network path validates the path |
| 95 * on which the PATH_CHALLENGE was sent. | 101 * on which the PATH_CHALLENGE was sent. |
| 96 */ | 102 */ |
| 97 | 103 |
| 98 for (q = ngx_queue_head(&qc->paths); | 104 for (q = ngx_queue_head(&qc->paths); |
| 118 return NGX_OK; | 124 return NGX_OK; |
| 119 | 125 |
| 120 valid: | 126 valid: |
| 121 | 127 |
| 122 /* | 128 /* |
| 129 * RFC 9000, 9.4. Loss Detection and Congestion Control | |
| 130 * | |
| 123 * On confirming a peer's ownership of its new address, | 131 * On confirming a peer's ownership of its new address, |
| 124 * an endpoint MUST immediately reset the congestion controller | 132 * an endpoint MUST immediately reset the congestion controller |
| 125 * and round-trip time estimator for the new path | 133 * and round-trip time estimator for the new path to initial values |
| 126 * to initial values | 134 * unless the only change in the peer's address is its port number. |
| 127 * ...unless the only change in the peer's address is its port number. | |
| 128 */ | 135 */ |
| 129 | 136 |
| 130 prev = qc->backup->path; | 137 prev = qc->backup->path; |
| 131 | 138 |
| 132 if (ngx_cmp_sockaddr(prev->sockaddr, prev->socklen, | 139 if (ngx_cmp_sockaddr(prev->sockaddr, prev->socklen, |
| 142 qc->congestion.ssthresh = (size_t) -1; | 149 qc->congestion.ssthresh = (size_t) -1; |
| 143 qc->congestion.recovery_start = ngx_current_msec; | 150 qc->congestion.recovery_start = ngx_current_msec; |
| 144 } | 151 } |
| 145 | 152 |
| 146 /* | 153 /* |
| 154 * RFC 9000, 9.3. Responding to Connection Migration | |
| 155 * | |
| 147 * After verifying a new client address, the server SHOULD | 156 * After verifying a new client address, the server SHOULD |
| 148 * send new address validation tokens (Section 8) to the client. | 157 * send new address validation tokens (Section 8) to the client. |
| 149 */ | 158 */ |
| 150 | 159 |
| 151 if (ngx_quic_send_new_token(c, path) != NGX_OK) { | 160 if (ngx_quic_send_new_token(c, path) != NGX_OK) { |
| 472 } | 481 } |
| 473 | 482 |
| 474 ctx = ngx_quic_get_send_ctx(qc, pkt->level); | 483 ctx = ngx_quic_get_send_ctx(qc, pkt->level); |
| 475 | 484 |
| 476 /* | 485 /* |
| 486 * RFC 9000, 9.3. Responding to Connection Migration | |
| 487 * | |
| 477 * An endpoint only changes the address to which it sends packets in | 488 * An endpoint only changes the address to which it sends packets in |
| 478 * response to the highest-numbered non-probing packet. | 489 * response to the highest-numbered non-probing packet. |
| 479 */ | 490 */ |
| 480 if (pkt->pn != ctx->largest_pn) { | 491 if (pkt->pn != ctx->largest_pn) { |
| 481 return NGX_OK; | 492 return NGX_OK; |
| 484 /* switching connection to new path */ | 495 /* switching connection to new path */ |
| 485 | 496 |
| 486 ngx_quic_set_connection_path(c, next); | 497 ngx_quic_set_connection_path(c, next); |
| 487 | 498 |
| 488 /* | 499 /* |
| 500 * RFC 9000, 9.5. Privacy Implications of Connection Migration | |
| 501 * | |
| 489 * An endpoint MUST NOT reuse a connection ID when sending to | 502 * An endpoint MUST NOT reuse a connection ID when sending to |
| 490 * more than one destination address. | 503 * more than one destination address. |
| 491 */ | 504 */ |
| 492 | 505 |
| 493 /* preserve valid path we are migrating from */ | 506 /* preserve valid path we are migrating from */ |
| 576 frame.type = NGX_QUIC_FT_PATH_CHALLENGE; | 589 frame.type = NGX_QUIC_FT_PATH_CHALLENGE; |
| 577 | 590 |
| 578 ngx_memcpy(frame.u.path_challenge.data, path->challenge1, 8); | 591 ngx_memcpy(frame.u.path_challenge.data, path->challenge1, 8); |
| 579 | 592 |
| 580 /* | 593 /* |
| 594 * RFC 9000, 8.2.1. Initiating Path Validation | |
| 595 * | |
| 581 * An endpoint MUST expand datagrams that contain a PATH_CHALLENGE frame | 596 * An endpoint MUST expand datagrams that contain a PATH_CHALLENGE frame |
| 582 * to at least the smallest allowed maximum datagram size of 1200 bytes, | 597 * to at least the smallest allowed maximum datagram size of 1200 bytes, |
| 583 * unless the anti-amplification limit for the path does not permit | 598 * unless the anti-amplification limit for the path does not permit |
| 584 * sending a datagram of this size. | 599 * sending a datagram of this size. |
| 585 */ | 600 */ |
| 673 /* found expired path */ | 688 /* found expired path */ |
| 674 | 689 |
| 675 path->state = NGX_QUIC_PATH_NEW; | 690 path->state = NGX_QUIC_PATH_NEW; |
| 676 | 691 |
| 677 /* | 692 /* |
| 693 * RFC 9000, 9.4. Loss Detection and Congestion Control | |
| 694 * | |
| 678 * If the timer fires before the PATH_RESPONSE is received, the | 695 * If the timer fires before the PATH_RESPONSE is received, the |
| 679 * endpoint might send a new PATH_CHALLENGE, and restart the timer for | 696 * endpoint might send a new PATH_CHALLENGE and restart the timer for |
| 680 * a longer period of time. This timer SHOULD be set as described in | 697 * a longer period of time. This timer SHOULD be set as described in |
| 681 * Section 6.2.1 of [QUIC-RECOVERY] and MUST NOT be more aggressive. | 698 * Section 6.2.1 of [QUIC-RECOVERY] and MUST NOT be more aggressive. |
| 682 */ | 699 */ |
| 683 | 700 |
| 684 if (qc->socket->path != path) { | 701 if (qc->socket->path != path) { |
| 685 /* the path was not actually used */ | 702 /* the path was not actually used */ |
| 706 ngx_quic_socket_t *qsock; | 723 ngx_quic_socket_t *qsock; |
| 707 ngx_quic_connection_t *qc; | 724 ngx_quic_connection_t *qc; |
| 708 | 725 |
| 709 qc = ngx_quic_get_connection(c); | 726 qc = ngx_quic_get_connection(c); |
| 710 | 727 |
| 711 /* Failure to validate a path does not cause the connection to end */ | 728 /* |
| 712 | 729 * RFC 9000, 9.1. Probing a New Path |
| 713 /* | 730 * |
| 731 * Failure to validate a path does not cause the connection to end | |
| 732 * | |
| 733 * RFC 9000, 9.3.2. On-Path Address Spoofing | |
| 734 * | |
| 714 * To protect the connection from failing due to such a spurious | 735 * To protect the connection from failing due to such a spurious |
| 715 * migration, an endpoint MUST revert to using the last validated | 736 * migration, an endpoint MUST revert to using the last validated |
| 716 * peer address when validation of a new peer address fails. | 737 * peer address when validation of a new peer address fails. |
| 717 */ | 738 */ |
| 718 | 739 |