[PATCH 1 of 6] QUIC: ignore server address while looking up a connection
arut at nginx.com
Mon Jan 16 12:37:34 UTC 2023
On Tue, Dec 13, 2022 at 08:49:18PM +0300, Maxim Dounin wrote:
> On Fri, Dec 09, 2022 at 09:38:47AM +0000, Roman Arutyunyan wrote:
> > # HG changeset patch
> > # User Roman Arutyunyan <arut at nginx.com>
> > # Date 1670322119 0
> > # Tue Dec 06 10:21:59 2022 +0000
> > # Branch quic
> > # Node ID 1038d7300c29eea02b47eac3f205e293b1e55f5b
> > # Parent b87a0dbc1150f415def5bc1e1f00d02b33519026
> > QUIC: ignore server address while looking up a connection.
> > The server connection check was copied from the common UDP code in c2f5d79cde64.
> > In QUIC it does not make much sense though. Technically client is not allowed
> > to migrate to a different server address. However, migrating withing a single
> > wildcard listening does not seem to affect anything.
> As a trivial example, one can block packets to a particular server
> address on a firewall (in an attempt to stop an attack), with
> something like "block from any to 192.0.2.1", assuming it will
> stop traffic to the server in question. Still, with the proposed
> change, it will be possible to access resources with a previously
> established QUIC connection as long as the attacker knows other IP
> addresses used on the same physical server.
This indeed makes sense. I will remove this patch from the series.
More information about the nginx-devel