diff --git a/draft-ietf-ppm-dap.html b/draft-ietf-ppm-dap.html index 2dbe1b57..2599ccbb 100644 --- a/draft-ietf-ppm-dap.html +++ b/draft-ietf-ppm-dap.html @@ -3344,6 +3344,10 @@
the report ID for replay protection.

(Note: Since VDAF preparation completes in a constant number of rounds, it will never be the case that some reports are completed and others are not.)

+

If the Leader fails to process the response from the Helper, for example because +of a transient failure such as a network connection failure or process crash, +the Leader SHOULD re-send the original request unmodified in order to attempt +recovery (see Section 4.6.2.4).

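Review bot: the new paragraph in Leader Initialization tells the Leader to re-send the original request unmodified and points to Section 4.6.2.4, which is not shown in this diff; the only recovery behaviour visible in the patch (Helper Continuation) is keyed on the continuation step of an AggregationJobContinueReq, and an initialization request has no step to compare, so confirm that 4.6.2.4 also states how a Helper treats a duplicate initialization request (respond as it did before, or abort), or say so here. Re-sending "unmodified" after a process crash also implies the Leader must have durably stored the request before the first attempt; one sentence naming that storage requirement would help implementers.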
@@ -3746,6 +3750,10 @@

When the Leader stores the out_share, it MUST also store the report ID for replay protection.

+

If the Leader fails to process the response from the Helper, for example because +of a transient failure such as a network connection failure or process crash, +the Leader SHOULD re-send the original request unmodified in order to attempt +recovery (see Section 4.6.2.4).

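Review bot: this paragraph is a verbatim copy of the one added to Leader Initialization in the previous hunk; two copies will drift, so consider stating the retry rule once (Section 4.6.2.4, which both copies already cite) and referencing it from both places. The sentence just above requires the Leader to store out_share and the report ID when processing the response; it would also help to say whether a retry is appropriate after a crash that happened once that storage completed, so that the replay-protection record and the retry do not conflict.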
@@ -3781,15 +3789,16 @@
(Note that a report may be missing, in which case the Helper should assume the Leader rejected it.)

Next, the Helper checks if the continuation step indicated by the request is -correct. (For the first AggregationJobContinueReq the value should be 1; -for the second the value should be 2; and so on.) If the Leader is one step -behind (e.g., the Leader has resent the previous HTTP request), then the Helper -MAY attempt to recover by sending the same response as it did for the previous +correct. (For the first AggregationJobContinueReq the value should be 1; for +the second the value should be 2; and so on.) If the Leader is one step behind +(e.g., the Leader has resent the previous HTTP request), then the Helper MAY +attempt to recover by sending the same response as it did for the previous AggregationJobContinueReq, without performing any additional work on the aggregation job. In this case it SHOULD verify that the contents of the AggregationJobContinueReq are identical to the previous message (see -Section 4.6.2.4). Otherwise, if the step is incorrect, the -Helper MUST abort with error stepMismatch.

+Section 4.6.2.4). Otherwise, if the step is incorrect or if +the Helper does not wish to attempt recovery, the Helper MUST abort with error +stepMismatch.

Let inbound denote the payload of the prep step. For each report, the Helper computes the following:

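Review bot: the added clause "or if the Helper does not wish to attempt recovery" closes the gap left by the discretionary MAY, but the preceding sentence still only says the Helper SHOULD verify that the resent AggregationJobContinueReq is identical to the previous message, without saying what happens when that verification fails; add that a content mismatch also results in an abort (stepMismatch or a dedicated error), otherwise the verification has no defined consequence. Minor: most of this hunk is a line reflow; separating the wording change from the reflow would make the substantive diff easier to review.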
diff --git a/draft-ietf-ppm-dap.txt b/draft-ietf-ppm-dap.txt index 493b4e45..7a946990 100644 --- a/draft-ietf-ppm-dap.txt +++ b/draft-ietf-ppm-dap.txt @@ -1766,6 +1766,12 @@ Table of Contents rounds, it will never be the case that some reports are completed and others are not.) + If the Leader fails to process the response from the Helper, for + example because of a transient failure such as a network connection + failure or process crash, the Leader SHOULD re-send the original + request unmodified in order to attempt recovery (see + Section 4.6.2.4). + 4.6.1.2. Helper Initialization The Helper begins an aggregation job when it receives an @@ -2142,6 +2148,12 @@ Table of Contents When the Leader stores the out_share, it MUST also store the report ID for replay protection. + If the Leader fails to process the response from the Helper, for + example because of a transient failure such as a network connection + failure or process crash, the Leader SHOULD re-send the original + request unmodified in order to attempt recovery (see + Section 4.6.2.4). + 4.6.2.2. Helper Continuation The Helper begins each step of continuation with a sequence of state @@ -2182,8 +2194,9 @@ Table of Contents AggregationJobContinueReq, without performing any additional work on the aggregation job. In this case it SHOULD verify that the contents of the AggregationJobContinueReq are identical to the previous - message (see Section 4.6.2.4). Otherwise, if the step is incorrect, - the Helper MUST abort with error stepMismatch. + message (see Section 4.6.2.4). Otherwise, if the step is incorrect + or if the Helper does not wish to attempt recovery, the Helper MUST + abort with error stepMismatch. Let inbound denote the payload of the prep step. For each report, the Helper computes the following:
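Review bot: the three draft-ietf-ppm-dap.txt hunks are the rendered text of the same three changes made to draft-ietf-ppm-dap.html, so the comments on those hunks apply here as well: the paragraph inserted at @@ -1766 (before 4.6.1.2 Helper Initialization) and the one at @@ -2142 (before 4.6.2.2 Helper Continuation) are identical, both cite Section 4.6.2.4 without that section being in the diff, and the @@ -2182 hunk adds the "does not wish to attempt recovery" abort condition while leaving the outcome of a failed identical-contents check unstated.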