Summary: The existing PacketDropReason values cover many branches in the code making it impossible to isolate the reason for a PARSE_ERROR, INVALID_PACKET, CONNECTION_NOT_FOUND. This change breaks them down into more values that are each used in a single branch.
Reviewed By: mjoras
Differential Revision: D39149490
fbshipit-source-id: 28cbe1ea6c4a06cf55960058edaa48c28ed4d2ef
Summary:
- continually issuing new connection ids to peer as old connections ids are retired through RETIRE_CONN_ID frames
- add logic to parse and act on receiving RETIRE_CONN_ID frame
Reviewed By: mjoras
Differential Revision: D38443561
fbshipit-source-id: 82fb679f482fd69c7b3a3385693d2e5575e92703
Summary: Returning nullptr indicates that it cannot support making a transport at the moment, so respond with a VN as a terminal signal.
Reviewed By: kvtsoy
Differential Revision: D37014231
fbshipit-source-id: e9905a97709cfcdb75d757b11258711c110077e9
Summary: This prevents the EventBase from being destroyed before the QuicServerWorker
Reviewed By: mjoras
Differential Revision: D36713788
fbshipit-source-id: b91f85de3b0bc5e16c5903c162a2f9640401a0fb
Summary:
Maine change is `MockConnectionCallback` -> `MockConnectionSetupCallback` + `MockConnectionCallbackNew`.
Everything else is changing tests to use the two new classes.
Differential Revision: D33076321
fbshipit-source-id: a938b63ce59f07f549b3e725caad8785348db7ed
Summary:
- Issuing NewTokenFrames to clients, allowing them to verify their address in subsequent connections by including the token.
- add NewTokenFrame struct in the union type QuicSimpleFrame.
- Issued only once when the crypto handshake is complete.
- Testing includes validating token serialization & deserialization and asserting that the NewTokenFrame is only issued once on handshake completeness.
Reviewed By: mjoras
Differential Revision: D31673160
fbshipit-source-id: 9401ab1a4b878d8b4380d55afa531ec768f5f4cd
Summary:
This implements a global (per process) limit on unfinished handshakes from unverified source addresses.
This limits the ability of an attacker to create connection state without also allocating connection state themselves. By default the limit is 1024.
Reviewed By: kvtsoy
Differential Revision: D32772165
fbshipit-source-id: 6c195169377a9f687c54bc9782cc58fe085e1275
Summary:
- Replacing VLOG with ODS counter for token decryption.
- Preparing for rollout of New Tokens
Reviewed By: lnicco
Differential Revision: D32780127
fbshipit-source-id: 6a947875e7f2d6ed88ce1e103a089fee5a295210
Summary: rename test local variables to be self documenting
Reviewed By: mjoras
Differential Revision: D32750782
fbshipit-source-id: 94ff5bbd34dbc804cd0229d8abd0ffd9891a44fc
Summary: - JK boolean flag to set rate limit to 0 for sending retry packets.
Reviewed By: mjoras
Differential Revision: D30496190
fbshipit-source-id: dfb8866922174bfd9f9e2d73420bb658ced8a264
Summary: We should not allow initials from known service ports.
Reviewed By: lnicco
Differential Revision: D30053174
fbshipit-source-id: a102ce694dc8b3c1e38587ab6d861ebbea2e2371
Summary: It is useful to do this with a function instead of just a bool.
Reviewed By: kvtsoy
Differential Revision: D30074756
fbshipit-source-id: 7d8c477efb85179ca9410c47218456be19dd2a3e
Summary: If we receive 0RTT packets before an Initial then we will effectively drop them all on the floor. This is not ideal. Instead, buffer them with an EvictingCacheMap per thread and process them when we do receive an Initial.
Reviewed By: lnicco
Differential Revision: D28853189
fbshipit-source-id: c2272be52d548d48a04dec71dca25c728f7801ca
Summary:
1) Allow calling QuicServer::initialize with evbs that are not yet running
2) Allow calling QuicServer::shutdown from within a worker EVB
Bonus:
Shut down the QuicServerWorker's pacing timer from shutdownAllConnections
Reviewed By: mjoras
Differential Revision: D28696428
fbshipit-source-id: 84b752caad662d2742db6948a6b8e1b8cbefe4e8
Summary: When multiple observers attached and one is removed, removal code can end up calling `observerDetach` on the wrong observer. Simplified and fixed removal logic and added new tests.
Reviewed By: yangchi
Differential Revision: D27033221
fbshipit-source-id: d200fd2243a678890758b2652b61d16887f073dd
Summary:
The util function used to create large packet in
NetworkTestResetLargePacket actually doesn't respect packet len limit
Reviewed By: lnicco
Differential Revision: D28255699
fbshipit-source-id: e4b546625773ec45cd36265ee5c201034e329e67
Summary: This change is needed so that `conn.transportStats` is defined when a new congestion controller is created (so we can update cc_type counters).
Reviewed By: lnicco
Differential Revision: D27156542
fbshipit-source-id: 8dd7613c4ea1f0e70aefc4a135a8c7f1d102fee2
Summary:
If QUIC rate-limiting is configured, do the following:
1) Check if the packet has a retry token. If it doesn't, send a retry packet back to the client
2) If the packet has a retry token, then validate that the packet is valid by comparing the client IP stored in the retry token with the packet's client IP
Reviewed By: mjoras
Differential Revision: D25095743
fbshipit-source-id: 51b67bf3f942f77b7f73c21d23cdda0014792183
Summary: It's useful to be able to use the v4-mapped addresses sometimes.
Reviewed By: avasylev
Differential Revision: D24371807
fbshipit-source-id: 74fe13fa4bef9c77cc51a18137559facda9bdbeb
Summary:
Summary of changes:
- In an earlier version of the draft, retry packets would contain the client's original destination connection id in the header. This is no longer the case. Therefore, we can remove it.
- Made modifications to the calculation of the header size in `encodeLongHeaderHelper` so that it's correct.
Reviewed By: mjoras
Differential Revision: D21465107
fbshipit-source-id: 662d2df42924d77c917f35566d0b1167fda53917
Summary:
We shouldn't send a VN on receiving a VN, as this can cause VN ping pong.
Also, we need to check earlier whether a packet meets the minimum Initial size.
Reviewed By: yangchi
Differential Revision: D24196884
fbshipit-source-id: 222f38b6f341702e7d2dbaa9030557cef6438ee6
Summary:
Adding setter for QuicServer to pass down connection ID version.
Also updating hostId setter to uint32 from uint16, I've udpated ServerConnectionIdParams to uint32 earlier, but not server setters.
Reviewed By: udippant
Differential Revision: D23917110
fbshipit-source-id: e3bef08c91b52fccc3ef4b2f3cc6aa67e24c089d
Summary:
Adds `quic::AcceptObserver`, an observer that is notified when a connection is accepted.
- Can be used by instrumentation that ties its lifetime to that of the transport; the observer can be used to initialize instrumentation and install additional observers on accept.
- `wangle::Acceptor` has a matching interface being added (D21652470), so instrumentation can follow the same paradigm for both QUIC and TCP.
- In the future, will extend to also be triggered when a transport becomes ready (e.g., TLS handshake complete), similar to what we have for `wangle::Acceptor`.
Reviewed By: mjoras
Differential Revision: D21656740
fbshipit-source-id: 46f30379551087e4f22b06d4493cf0263530639f
Summary: This diff creates a new `ServerCongestionControllerFactory` that will be used to create cc instances on the server only and thus can have different dependencies. At the moment this mirrors `DefaultCongestionControllerFactory`, but later in the stack when CCP is added, only the server cc factory will depend on (and be able to create) CCP instances, but the default one will not. This prevents any client builds from depending on CCP.
Reviewed By: yangchi
Differential Revision: D22139289
fbshipit-source-id: 2987f0234bc54ea6101ca0030b319b460571adeb
Summary: It is useful to know at what frequency we are receiving each version.
Reviewed By: yangchi
Differential Revision: D22071299
fbshipit-source-id: 1e6f909d2b3a65cf54decc35f7e2e321d0ff8f24
Summary:
(1) Only read out the token if the parsing host is a client and the
token matches client's token
(2) More fallbacks to Stateless reset when parsing short header packet. The
only exception would be when we don't have 1-rtt cipher.
Reviewed By: mjoras
Differential Revision: D21868631
fbshipit-source-id: 159edf7ab21061ddd5a5ef17f6b18209c3de24e7
Summary:
This introduces a rate limit to new connections created by a worker.
Right now it will simply send a VN, but eventually this will only issue a RETRY for unverified initials.
Reviewed By: udippant
Differential Revision: D21614905
fbshipit-source-id: 1832fbdad525c53fb1cb810aa9d7bae868c267d6
Summary: safety check, in case someone passes in a bad config
Reviewed By: mjoras
Differential Revision: D21383830
fbshipit-source-id: 60ab9e9e350855d6013c39590fb5c0d4a8e4f1ef
Summary:
Becuase when we clone an existing packet, the logic inside the current
writetStreamFrameHeader is no longer correct.
Reviewed By: mjoras
Differential Revision: D21383828
fbshipit-source-id: 8e6bbb048eefd97ca7cf17b89edc2f395f274a73
Summary:
Currently the packet builder contructor will encode the packet
builder. This is fine when the builder creates its own output buffer. If later
on we decides not to use this builder, or it fails to build packet, the buffer
will be thrown away. But once the builder uses a buffer provided by caller, and
will be reused, we can no longer just throw it away if we decide not to use
this builder. So we have to delay the header encoding until we know we will use
the builder.
This is still not enough to solve the case where we want to use this builder,
it builds, then it fails . For that, we will need to retreat the tail position
of the IOBuf.
Reviewed By: mjoras
Differential Revision: D21000658
fbshipit-source-id: 4d758b3e260463b17c870618ba68bd4b898a7d4c
