[PATCH 1 of 6] QUIC: ignore server address while looking up a connection
mdounin at mdounin.ru
Tue Dec 13 17:49:18 UTC 2022
On Fri, Dec 09, 2022 at 09:38:47AM +0000, Roman Arutyunyan wrote:
> # HG changeset patch
> # User Roman Arutyunyan <arut at nginx.com>
> # Date 1670322119 0
> # Tue Dec 06 10:21:59 2022 +0000
> # Branch quic
> # Node ID 1038d7300c29eea02b47eac3f205e293b1e55f5b
> # Parent b87a0dbc1150f415def5bc1e1f00d02b33519026
> QUIC: ignore server address while looking up a connection.
> The server connection check was copied from the common UDP code in c2f5d79cde64.
> In QUIC it does not make much sense though. Technically client is not allowed
> to migrate to a different server address. However, migrating withing a single
> wildcard listening does not seem to affect anything.
Wildcard address might be used for a catch-all listening socket,
"if there are several listen directives with the same port but
different addresses, and one of the listen directives listens on
all addresses for the given port (*:port)"
(http://nginx.org/r/listen). For example, in a configuration like
return 200 secret;
This will create just one listening socket on *:80, but only
clients connecting to 127.0.0.1:80 will be able to see the secret.
Distinction between such connections in case of http happens in
ngx_http_init_connection(), see "if (port->naddrs > 1)". In
stream and mail, similar ifs are in ngx_stream_init_connection()
This distinction is expected to be equivalent to using different
listening sockets as long as socket-specific options are
identical. Distinct sockets can be requested with
listen 127.0.0.1:80 bind;
which is expected to result in exactly equivalent behaviour,
but with distinct listening sockets.
Not sure how this can affect QUIC, but the change essentially
removes distinction between packets sent to different listening
sockets. This might not be a good idea from security point of
As a trivial example, one can block packets to a particular server
address on a firewall (in an attempt to stop an attack), with
something like "block from any to 192.0.2.1", assuming it will
stop traffic to the server in question. Still, with the proposed
change, it will be possible to access resources with a previously
established QUIC connection as long as the attacker knows other IP
addresses used on the same physical server.
More information about the nginx-devel