Skip to content

Comments

quic: gate connections before handshake#3283

Merged
sukunrt merged 12 commits intomasterfrom
push-qlvuzllukwpw
Jun 4, 2025
Merged

quic: gate connections before handshake#3283
sukunrt merged 12 commits intomasterfrom
push-qlvuzllukwpw

Conversation

@sukunrt
Copy link
Member

@sukunrt sukunrt commented May 5, 2025

We can only set a single ConnContext per quic-go Transport. So we cannot set a different ConnContext for listeners on the same address. To keep the API simple, theConnContext option on quicreuse.ConnManager is not configurable per listener.

Depends on quic-go/quic-go#5122 & #3279

@marten-seemann
Copy link
Contributor

We can only set a single ConnContext per quic-go Transport. So we cannot set a different ConnContext for listeners on the same address.

There's only one listener per Transport.

@sukunrt sukunrt force-pushed the push-qlvuzllukwpw branch 5 times, most recently from 8e5ae86 to 8db6131 Compare May 5, 2025 15:49
@sukunrt sukunrt force-pushed the push-vqqpzlmlwvry branch from b437e0b to ce994ca Compare May 15, 2025 09:03
We can only set a single `ConnContext` per quic-go Transport. So we
cannot set a different `ConnContext` for listeners on the same address.
To keep the API simple, the`ConnContext` option on quicreuse.ConnManager
is not configurable per listener.
@sukunrt sukunrt force-pushed the push-qlvuzllukwpw branch from 8db6131 to ff6533b Compare May 15, 2025 09:13
return nil, fmt.Errorf("connections blocked")
})
if strings.HasPrefix(tc.Name, "QUIC") || strings.HasPrefix(tc.Name, "WebTransport") {
// QUIC and WebTransport may can OpenConnection multiple times depending on when the
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why isn't this a leak? Do all the times have a matching .Done?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We would have a matching Done.
We setup context.AfterFunc to close the scope when context completes. Having said that, I should debug this again to confirm that this is what's exactly happening. I've removed this change.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is correct.
We need to do this multiple times because quic-go will call OpenConnection multiple times if the TLS ClientHello is split into two and we reject the new connection in the first OpenConnection call.
Specifically in tests, it was happening because of this experimental keyshare extension that was increasing the size of the ClientHello:
golang/go@4b7f7cd
X25519Kyber768Draft00

sukunrt added 7 commits May 22, 2025 21:32
This uses source address verification to ensure that an attacker
cannot completely block connections from specific IPs by sending
tls ClientHellos with spoofed IP addresses.
@sukunrt sukunrt force-pushed the push-qlvuzllukwpw branch from 91bd5e7 to dd4c1d7 Compare May 22, 2025 16:11
@sukunrt sukunrt force-pushed the push-qlvuzllukwpw branch 2 times, most recently from e25f8d9 to b9b1ed8 Compare May 22, 2025 16:36
@sukunrt sukunrt changed the base branch from push-vqqpzlmlwvry to master May 22, 2025 16:39
@sukunrt sukunrt marked this pull request as ready for review May 22, 2025 16:39
@sukunrt sukunrt force-pushed the push-qlvuzllukwpw branch 4 times, most recently from d087327 to 7c3d452 Compare May 27, 2025 16:52
Copy link
Collaborator

@MarcoPolo MarcoPolo left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We've talked about setting up address verification in QUIC forever. Thanks for tackling this!

@sukunrt sukunrt force-pushed the push-qlvuzllukwpw branch from 7c3d452 to 6f93fec Compare June 4, 2025 14:24
@sukunrt sukunrt force-pushed the push-qlvuzllukwpw branch from 6f93fec to 12b15ce Compare June 4, 2025 17:49
@sukunrt sukunrt force-pushed the push-qlvuzllukwpw branch from fe27edf to 162e665 Compare June 4, 2025 18:14
@sukunrt sukunrt merged commit b82a39c into master Jun 4, 2025
34 of 35 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants