quic: add support for custom app ticket data config & 0RTT validation#64138
Open
pimterry wants to merge 1 commit into
Open
quic: add support for custom app ticket data config & 0RTT validation#64138pimterry wants to merge 1 commit into
pimterry wants to merge 1 commit into
Conversation
Signed-off-by: Tim Perry <pimterry@gmail.com>
Collaborator
|
Review requested:
|
nodejs-github-bot
added
c++
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
(Extracted from #63995)
When sending data, for any protocol with configuration parameters, you'll need to know the parameters the server is using. With early data that's difficult because in a 0RTT world you have no live information from the server to use at the point when you build your early data message.
To solve this, QUIC servers can include custom app protocol configuration in the session ticket. The client just sends early data with the last config they saw, but also send those configuration params back to the server in the ticket when resuming the session. The server can check that data, and if the current configuration isn't compatible, it can reject the early data completely (so the client falls back to 1RTT, instead of resuming using data linked to now-incompatible params).
This works well perfectly existing HTTP/3 setup (which sets the current SETTINGS in the ticket, and validates any received tickets for resumption match or are stricter than the current value). For other QUIC protocols though currently there is just a default case that returns empty data when creating tickets, and always returns true when validating them - accepting all configurations blindly. This would make it difficult to deploy 0RTT with many QUIC protocols in the real world, or to get anywhere near the existing HTTP/3 behaviour with a custom JS implementation.
This PR adds a
appTicketDataoption as a simple solution: you can configure the server with a fixed value (some serialized version of your protocol configuration) and it will be added to all tickets. All received tickets will be validated against the fixed value, checking for an exact match. If you change your server configuration, tickets will stop matching, and you won't get invalid early data. This also drops thereturn truefallback toreturn falseto fail-closed (1RTT) by default if there's no ticket configuration provided (debatable, but seems safer imo).This first pass is fairly simple, but should be sufficient for most single-protocol servers imo. In future we could expand the option to also accept a callback, where you can use the received ALPN + SNI to generate the appropriate a per-protocol/sni value, and a validation callback for custom validation (e.g. implementing the HTTP/3 validation in JS) but I think we can punt that to later on, and extend this API in that direction only if required.
(Honestly the HTTP/3 split PR doesn't really need to include this one - but it fitted into the "what primitives would you need to be able to implement HTTP/3 in JS on top of our QUIC API". We could punt it entirely, and just drop 0RTT in that case instead if we're not sure how this should work yet).