Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

If the peer does not reply with a path_abandon frame, state can never be removed #471

Open
mirjak opened this issue Nov 28, 2024 · 8 comments · May be fixed by #475
Open

If the peer does not reply with a path_abandon frame, state can never be removed #471

mirjak opened this issue Nov 28, 2024 · 8 comments · May be fixed by #475
Labels

Comments

@mirjak
Copy link
Collaborator

mirjak commented Nov 28, 2024

Currently the draft only says:

"knowledge of the connection identifiers received from the peer and of the state of the number space associated to the path SHOULD be retained while packets from the peer might still be in transit, i.e., for a delay of 3 PTO after the PATH_ABANDON frame has been received from the peer"

Therefore state removal is triggered by reception of the path abandon frame. There is MUST in the text that my peer must send me a path_abandon frame if it has received mine. What if it doesn't send a path_abandon frame ever?

The sentence above is only a SHOULD, so I guess you could remove state any reasonable time after sending the path_abandon frame, however, maybe we should say more explicitly that it makes sense to also start a timer after the ACK for the path_abandon frame was received, or stop retransmitting the path_abandon frame after X tries and then just remove state?

@huitema
Copy link
Contributor

huitema commented Nov 29, 2024

If a peer misbehaves, as in "doesn't send a path_abandon frame ever", you should treat that as an attack. Very much a variant of the Slow loris attack described in the security section of RFC 9000. Closing the connection would be appropriate.

@mirjak
Copy link
Collaborator Author

mirjak commented Dec 3, 2024

It's a bit hard to enforce as the PATH_ABANDON frame can get lost and need to be retransmitted. So you basically would need to start a timer after sending the PATH_ABANDON frame and the close the connection after N x 3 PTOs where N is the number of expected retransmission approaches. That seems a bit to radical for me. However, I think we either need to specify this or re-define when state can be finally removed.

@qdeconinck
Copy link
Contributor

While a peer may indeed misbehave, there may be specific pattern losses making the PATH_ABANDON frame never reach the peer. While the reception of the PATH_ABANDON frame will lead to removal of path state after some delay, it would make sense to me to apply this 3 PTO delay when the PATH_ABANDON is sent. At some point, the peer that has sent the PATH_ABANDON will abandon the path anyway, and dropping state related to the path will just, in the case the PATH_ABANDON does not reach the peer, make the host ignore all incoming packets mapping to that path, such that the peer would interpret this as a completely lossy path that it can eventually abandon. Note that if a PATH_ABANDON is deemed lost, the sender should always resend it, even if the related path state is no more present.

@mirjak
Copy link
Collaborator Author

mirjak commented Dec 6, 2024

You have start a start a timer after sending the PATH_ABANDON frame anyway because you may have to retransmit it. I think what we need is to also start a timer after the ACK for the PATH_ABANDON has been received and also specify that the PATH_ABANDON should not be retransmitted more than X time and when you stop retransmitting you also remove all path state.

I guess we could also say that you can remove most path state after the first PTO and then only keep information about the PATH_ABANDON in order to retransmit it. But not sure if that makes a big difference.

@huitema
Copy link
Contributor

huitema commented Dec 8, 2024

I think that we should point out the issue and leave the implementers a choice.

As discussed in the WG, we do not have a lot of experience with deployment. This is kind of a research area, and we are exhausting ourselves trying to provide operational guidance or implementation guidance. There are indeed multiple choices:

  1. Start a timer after sending the first path Abandon, then close the connection with an error code if the path abandon from the peer is not received in time. Of course, all solutions based on timers introduce some fragility, so the timer will have to be large.

  2. Same, but start the timer after the Path Abandon frame is acknowledged. More complicated than 1 because you need to track ACKs, and same fragility.

  3. Do nothing. After all, the only effect of having a path lingering in limbo is to reduce the number of path-id available for path creation. If you don't need to create a new path, there is no real issue. This is the option with the least side effects.

  4. Put the path in some explicit limbo state after the Abandon is acked or after a short timer. In that state, drop all incoming packets, never ack them. Kinda like doing nothing, but with fewer resource allocated locally.

@michael-eriksson
Copy link

FWIW, I think choice number 3 is the correct one. An endpoint should however be allowed to ignore any incoming packets after some (unspecified) time.

Setting a timer to abort the connection is needlessly complex and brutal, and can easily have false positives if the peer's PATH_ABANDON frame is retransmitted.

@mirjak
Copy link
Collaborator Author

mirjak commented Dec 11, 2024

@michael-eriksson if you say the endpoint should be allow to ignore incoming packets that is option 4.

Anyway, I think we agree that we want to note the issue but don't specify anything normatively. So I created PR #475. Please have a look!

@michael-eriksson
Copy link

@michael-eriksson if you say the endpoint should be allow to ignore incoming packets that is option 4.

My view is that the endpoint MAY do option 4, but shouldn't have to.

Anyway, I think we agree that we want to note the issue but don't specify anything normatively. So I created PR #475. Please have a look!

Looks good to me!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
None yet
Development

Successfully merging a pull request may close this issue.

4 participants