Running nginx-quic in a real environment
Sergey Kandaurov
pluknet at nginx.com
Thu Sep 29 13:53:52 UTC 2022
> On 28 Sep 2022, at 01:04, Maxim Dounin <mdounin at mdounin.ru> wrote:
>
> Hello!
>
> On Tue, Sep 27, 2022 at 04:05:54PM +0400, Sergey Kandaurov wrote:
>
>>> On 27 Sep 2022, at 14:11, João Sousa Andrade <joao.andrade at protocol.ai> wrote:
>>>
>>> Thank you for the clarification Sergey.
>>>
>>> We have been running http3 in production for the past couple of weeks. There's something we have noticed which I'm not entirely sure as to what is causing it.
>>>
>>> We have been getting lots of errors of the form: "[error] 34#34: *338736 quic no available client ids for new path while handling decrypted packet, client: $IP, server: 0.0.0.0:443". I tried looking through the code to little avail. I'm wondering what's causing these errors. Is it something which could be tweaked through configuration?
>>
>> This happens when QUIC connection continues over a new network path,
>> known as QUIC connection migration, which should by done by switching
>> to a new connection ID, but the client didn't previously supply enough
>> Connection ID to chose from. Normally both peers maintain a set of
>> unused Connection IDs, which may be needed not only for migration,
>> but also due to NAT rebinding. Assuming that peers that initiate
>> connection migration maintain enough connection IDs, a likely reason
>> of the network path change failure as seen in the above error can be
>> due to NAT rebinding with the client implementation that doesn't a notion
>> of connection migration so it didn't sent NEW_CONNECTION_ID frames.
>> In the case of NAT rebinding the server should send probing frames
>> over a new network path using next available client Connection ID,
>> but there were no any, as seen in the above error.
>> Hope that helps.
>
At least Firefox doesn't send NEW_CONNECTION_ID, which normally
happens after handshake completion, and, as additionally received
in another, private report, this leads to such errors behind NAT.
> Shouldn't it be at the "info" level, much like other
> client-related errors?
>
So indeed it may have sense to change logging level.
# HG changeset patch
# User Sergey Kandaurov <pluknet at nginx.com>
# Date 1664459599 -14400
# Thu Sep 29 17:53:19 2022 +0400
# Branch quic
# Node ID 7d78208f141b382a55bea3f7c1e66471b0c53937
# Parent a931e690475ee59387af517de60845b4b4307d28
QUIC: "info" logging level on insufficient client connection ids.
Apparently, this error is reported on NAT rebinding if client didn't
previously send NEW_CONNECTION_ID to supply additional connection ids.
diff --git a/src/event/quic/ngx_event_quic_migration.c b/src/event/quic/ngx_event_quic_migration.c
--- a/src/event/quic/ngx_event_quic_migration.c
+++ b/src/event/quic/ngx_event_quic_migration.c
@@ -309,7 +309,7 @@ ngx_quic_set_path(ngx_connection_t *c, n
/* new path requires new client id */
cid = ngx_quic_next_client_id(c);
if (cid == NULL) {
- ngx_log_error(NGX_LOG_ERR, c->log, 0,
+ ngx_log_error(NGX_LOG_INFO, c->log, 0,
"quic no available client ids for new path");
/* stop processing of this datagram */
return NGX_DONE;
--
Sergey Kandaurov
More information about the nginx
mailing list