comparison src/event/quic/ngx_event_quic.h @ 8686:dffb66fb783b quic
QUIC: stateless retry.
Previously, quic connection object was created when Retry packet was sent.
This is neither necessary nor convenient, and contradicts the idea of retry:
protecting from bad clients and saving server resources.
Now, the connection is not created; the token is verified cryptographically
instead of being held in the connection.
author | Vladimir Homutov <vl@nginx.com> |
date | Fri, 29 Jan 2021 15:53:47 +0300 |
parents | 046c951e393a |
children | cef042935003 |
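--- a/src/event/quic/ngx_event_quic.h
+++ b/src/event/quic/ngx_event_quic.h
@@ -27,16 +27,16 @@
 
 #define NGX_QUIC_DEFAULT_ACK_DELAY_EXPONENT 3
 #define NGX_QUIC_DEFAULT_MAX_ACK_DELAY 25
 #define NGX_QUIC_DEFAULT_SRT_KEY_LEN 32
 
-#define NGX_QUIC_RETRY_TIMEOUT 3000
-#define NGX_QUIC_RETRY_LIFETIME 30000
-#define NGX_QUIC_RETRY_BUFFER_SIZE 128
-/* 1 flags + 4 version + 3 x (1 + 20) s/o/dcid + itag + token(44) */
-#define NGX_QUIC_MAX_TOKEN_SIZE 32
-/* sizeof(struct in6_addr) + sizeof(ngx_msec_t) up to AES-256 block size */
+#define NGX_QUIC_RETRY_LIFETIME 3 /* seconds */
+#define NGX_QUIC_NEW_TOKEN_LIFETIME 600 /* seconds */
+#define NGX_QUIC_RETRY_BUFFER_SIZE 256
+/* 1 flags + 4 version + 3 x (1 + 20) s/o/dcid + itag + token(64) */
+#define NGX_QUIC_MAX_TOKEN_SIZE 64
+/* SHA-1(addr)=20 + sizeof(time_t) + retry(1) + odcid.len(1) + odcid */
 
 /* quic-recovery, section 6.2.2, kInitialRtt */
 #define NGX_QUIC_INITIAL_RTT 333 /* ms */
 
 /* quic-recovery, section 6.1.1, Packet Threshold */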
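Review bot: The new comment under NGX_QUIC_MAX_TOKEN_SIZE does not add up to the 64 it documents: SHA-1(addr)=20 + sizeof(time_t) (at most 8) + retry(1) + odcid.len(1) + odcid (at most 20 for a QUIC connection ID) is 50, so a reader cannot tell what the remaining bytes are reserved for. The old comment at least named the cipher block size as the rounding reason; if the extra room is for the token's encryption overhead (IV, tag or block padding), state it, e.g. `/* SHA-1(addr)=20 + sizeof(time_t) + retry(1) + odcid.len(1) + odcid(<=20), rounded up for cipher IV/tag overhead */`, and the sizing of NGX_QUIC_RETRY_BUFFER_SIZE above, which repeats the figure as token(64), should then reference this macro rather than a literal. Separately, NGX_QUIC_RETRY_LIFETIME keeps its name but changes from a millisecond value (30000) to a seconds value (3); any user of the macro outside this header that still treats it as ngx_msec_t would be off by a factor of 1000, which is not verifiable from this file section alone, so a unit suffix in the name (e.g. `NGX_QUIC_RETRY_LIFETIME_SEC`) or a grep across callers is worth confirming.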