s2n-quic icon indicating copy to clipboard operation
s2n-quic copied to clipboard

Published 20 hours ago verified publisher icon aws

Support CID for Address Validation

Open rday opened this issue 4 years ago • 1 comments

Problem Draft 30 introduced the option for servers to use the connection ID to validate clients if the CID contains enough entropy.

This change PR is here.

Possible Solution

  • Add a field to the token provider and format that allows validation by CID, something like allow_cid_validation: bool which defaults to false.
  • Verify our default Connection ID provider has at least 64 bits of entropy.
  • If allow_cid_validation is set, mark the path as verified conforming to the QUIC draft update.
  • Document the option to let customers know about the 64 bit requirement.

Cons Customers have the ability to write their own Connection ID provider. If customers write their own provider, they must make sure their CIDs have enough entropy if allow_cid_validation is enabled.

rday avatar Oct 07 '20 15:10 rday

Additionally, a server MAY consider the client address validated if the client uses a connection ID chosen by the server and the connection ID contains at least 64 bits of entropy.

WesleyRosenblum avatar Oct 19 '23 17:10 WesleyRosenblum