Skip to content

Comments

quic: gate connections before handshake#3283

Merged
sukunrt merged 12 commits intomasterfrom
push-qlvuzllukwpw
Jun 4, 2025
Merged

quic: gate connections before handshake#3283
sukunrt merged 12 commits intomasterfrom
push-qlvuzllukwpw

Conversation

@sukunrt
Copy link
Member

@sukunrt sukunrt commented May 5, 2025

We can only set a single ConnContext per quic-go Transport. So we cannot set a different ConnContext for listeners on the same address. To keep the API simple, theConnContext option on quicreuse.ConnManager is not configurable per listener.

Depends on quic-go/quic-go#5122 & #3279

@sukunrt sukunrt mentioned this pull request May 5, 2025
Merged
@sukunrt sukunrt force-pushed the push-qlvuzllukwpw branch from d715149 to 2559c5e Compare May 5, 2025 14:09
@marten-seemann
Copy link
Contributor

marten-seemann commented May 5, 2025

We can only set a single ConnContext per quic-go Transport. So we cannot set a different ConnContext for listeners on the same address.

There's only one listener per Transport.

@sukunrt sukunrt force-pushed the push-qlvuzllukwpw branch 5 times, most recently from 8e5ae86 to 8db6131 Compare May 5, 2025 15:49
@sukunrt sukunrt force-pushed the push-vqqpzlmlwvry branch from b437e0b to ce994ca Compare May 15, 2025 09:03
@sukunrt
quic: gate connections before handshake
ff6533b 
We can only set a single `ConnContext` per quic-go Transport. So we
cannot set a different `ConnContext` for listeners on the same address.
To keep the API simple, the`ConnContext` option on quicreuse.ConnManager
is not configurable per listener.
@sukunrt sukunrt force-pushed the push-qlvuzllukwpw branch from 8db6131 to ff6533b Compare May 15, 2025 09:13
MarcoPolo
MarcoPolo reviewed May 16, 2025
View reviewed changes
MarcoPolo
MarcoPolo reviewed May 20, 2025
View reviewed changes
p2p/test/transport/transport_test.go Outdated
return nil, fmt.Errorf("connections blocked")
})
if strings.HasPrefix(tc.Name, "QUIC") || strings.HasPrefix(tc.Name, "WebTransport") {
// QUIC and WebTransport may can OpenConnection multiple times depending on when the
Copy link
Collaborator

@MarcoPolo MarcoPolo May 20, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why isn't this a leak? Do all the times have a matching .Done?

Copy link
Member Author

@sukunrt sukunrt May 22, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We would have a matching Done.
We setup context.AfterFunc to close the scope when context completes. Having said that, I should debug this again to confirm that this is what's exactly happening. I've removed this change.

Copy link
Member Author

@sukunrt sukunrt Jun 4, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is correct.
We need to do this multiple times because quic-go will call OpenConnection multiple times if the TLS ClientHello is split into two and we reject the new connection in the first OpenConnection call.
Specifically in tests, it was happening because of this experimental keyshare extension that was increasing the size of the ClientHello:
golang/go@4b7f7cd
X25519Kyber768Draft00

sukunrt added 7 commits May 22, 2025 21:32
@sukunrt
update quic-go
bc0307c
@sukunrt
add source address verification
9fc9099
@sukunrt
move rate limiter to /x
e4601e0
@sukunrt
rcmgr: add rate limiting for connections
bd748ea
@sukunrt
add source address verification to rate limiting
ef6be44 
This uses source address verification to ensure that an attacker
cannot completely block connections from specific IPs by sending
tls ClientHellos with spoofed IP addresses.
@sukunrt
review comments
e432ee9
@sukunrt
merge master
dd4c1d7
@sukunrt sukunrt force-pushed the push-qlvuzllukwpw branch from 91bd5e7 to dd4c1d7 Compare May 22, 2025 16:11
@sukunrt sukunrt force-pushed the push-qlvuzllukwpw branch 2 times, most recently from e25f8d9 to b9b1ed8 Compare May 22, 2025 16:36
@sukunrt sukunrt changed the base branch from push-vqqpzlmlwvry to master May 22, 2025 16:39
@sukunrt sukunrt marked this pull request as ready for review May 22, 2025 16:39
@sukunrt sukunrt force-pushed the push-qlvuzllukwpw branch 4 times, most recently from d087327 to 7c3d452 Compare May 27, 2025 16:52
MarcoPolo
MarcoPolo approved these changes May 29, 2025
View reviewed changes
Copy link
Collaborator

@MarcoPolo MarcoPolo left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We've talked about setting up address verification in QUIC forever. Thanks for tackling this!

marten-seemann
marten-seemann reviewed May 30, 2025
View reviewed changes
@sukunrt sukunrt force-pushed the push-qlvuzllukwpw branch from 7c3d452 to 6f93fec Compare June 4, 2025 14:24
@sukunrt sukunrt force-pushed the push-qlvuzllukwpw branch from 6f93fec to 12b15ce Compare June 4, 2025 17:49
@sukunrt sukunrt force-pushed the push-qlvuzllukwpw branch from fe27edf to 162e665 Compare June 4, 2025 18:14
@sukunrt sukunrt merged commit b82a39c into master Jun 4, 2025
34 of 35 checks passed
@BrewTestBot BrewTestBot mentioned this pull request Jul 14, 2025
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@MarcoPolo MarcoPolo MarcoPolo approved these changes

@marten-seemann marten-seemann marten-seemann left review comments

@guillaumemichel guillaumemichel Awaiting requested review from guillaumemichel

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@sukunrt @marten-seemann @MarcoPolo