Allow packets with impossible CIDs to be ignored rather than reset

quinn-rs · Apr 6, 2024 · 0b81fe1 · 0b81fe1
1 parent 7e8e0ad
commit 0b81fe1
Show file tree

Hide file tree

Showing 4 changed files with 27 additions and 2 deletions.
diff --git a/quinn-proto/src/cid_generator.rs b/quinn-proto/src/cid_generator.rs
@@ -14,6 +14,14 @@ pub trait ConnectionIdGenerator: Send {
     /// issuer) to correlate them with other connection IDs for the same
     /// connection.
     fn generate_cid(&mut self) -> ConnectionId;
+
+    /// Quickly determine whether `cid` could have been generated by this generator
+    ///
+    /// False positives are permitted, but increase the cost of handling invalid packets.
+    fn validate(&self, _cid: &ConnectionId) -> Result<(), InvalidCid> {
+        Ok(())
+    }
+
     /// Returns the length of a CID for connections created by this generator
     fn cid_len(&self) -> usize;
     /// Returns the lifetime of generated Connection IDs
@@ -22,6 +30,10 @@ pub trait ConnectionIdGenerator: Send {
     fn cid_lifetime(&self) -> Option<Duration>;
 }
 
+/// The connection ID was not recognized by the [`ConnectionIdGenerator`]
+#[derive(Debug, Copy, Clone)]
+pub struct InvalidCid;
+
 /// Generates purely random connection IDs of a certain length
 #[derive(Debug, Clone, Copy)]
 pub struct RandomConnectionIdGenerator {

diff --git a/quinn-proto/src/config.rs b/quinn-proto/src/config.rs
@@ -706,7 +706,9 @@ impl EndpointConfig {
     ///
     /// Defaults to 20ms. Limits the impact of attacks which flood an endpoint with garbage packets,
     /// e.g. [ISAKMP/IKE amplification]. Larger values provide a stronger defense, but may delay
-    /// detection of some error conditions by clients.
+    /// detection of some error conditions by clients. Using a [`ConnectionIdGenerator`] with a low
+    /// rate of false positives in [`validate`](ConnectionIdGenerator::validate) reduces the risk
+    /// incurred by a small minimum reset interval.
     ///
     /// [ISAKMP/IKE
     /// amplification]: https://bughunters.google.com/blog/5960150648750080/preventing-cross-service-udp-loops-in-quic#isakmp-ike-amplification-vs-quic

diff --git a/quinn-proto/src/endpoint.rs b/quinn-proto/src/endpoint.rs
@@ -271,6 +271,17 @@ impl Endpoint {
         // If we got this far, we're a server receiving a seemingly valid packet for an unknown
         // connection. Send a stateless reset if possible.
         //
+
+        if !first_decode.is_initial()
+            && self
+                .local_cid_generator
+                .validate(first_decode.dst_cid())
+                .is_err()
+        {
+            debug!("dropping packet with invalid CID");
+            return None;
+        }
+
         if !dst_cid.is_empty() {
             return self
                 .stateless_reset(now, datagram_len, addresses, dst_cid, buf)

diff --git a/quinn-proto/src/lib.rs b/quinn-proto/src/lib.rs
@@ -74,7 +74,7 @@ pub use crate::transport_error::{Code as TransportErrorCode, Error as TransportE
 pub mod congestion;
 
 mod cid_generator;
-pub use crate::cid_generator::{ConnectionIdGenerator, RandomConnectionIdGenerator};
+pub use crate::cid_generator::{ConnectionIdGenerator, InvalidCid, RandomConnectionIdGenerator};
 
 mod token;
 use token::{ResetToken, RetryToken};