Mercurial > hg > nginx

diff src/event/quic/ngx_event_quic.h @ 8686:dffb66fb783b quic

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
QUIC: stateless retry. Previously, quic connection object was created when Retry packet was sent. This is neither necessary nor convenient, and contradicts the idea of retry: protecting from bad clients and saving server resources. Now, the connection is not created, token is verified cryptographically instead of holding it in connection.
author Vladimir Homutov <vl@nginx.com>
date Fri, 29 Jan 2021 15:53:47 +0300
parents 046c951e393a
children cef042935003
line wrap: on
line diff
--- a/src/event/quic/ngx_event_quic.h
+++ b/src/event/quic/ngx_event_quic.h
@@ -29,12 +29,12 @@
 #define NGX_QUIC_DEFAULT_MAX_ACK_DELAY       25
 #define NGX_QUIC_DEFAULT_SRT_KEY_LEN         32
 
-#define NGX_QUIC_RETRY_TIMEOUT               3000
-#define NGX_QUIC_RETRY_LIFETIME              30000
-#define NGX_QUIC_RETRY_BUFFER_SIZE           128
-    /* 1 flags + 4 version + 3 x (1 + 20) s/o/dcid + itag + token(44) */
-#define NGX_QUIC_MAX_TOKEN_SIZE              32
-    /* sizeof(struct in6_addr) + sizeof(ngx_msec_t) up to AES-256 block size */
+#define NGX_QUIC_RETRY_LIFETIME              3   /* seconds */
+#define NGX_QUIC_NEW_TOKEN_LIFETIME          600 /* seconds */
+#define NGX_QUIC_RETRY_BUFFER_SIZE           256
+    /* 1 flags + 4 version + 3 x (1 + 20) s/o/dcid + itag + token(64) */
+#define NGX_QUIC_MAX_TOKEN_SIZE              64
+    /* SHA-1(addr)=20 + sizeof(time_t) + retry(1) + odcid.len(1) + odcid */
 
 /* quic-recovery, section 6.2.2, kInitialRtt */
 #define NGX_QUIC_INITIAL_RTT                 333 /* ms */