Repositories - haproxy-3.0.git/commit

author	Amaury Denoyelle <adenoyelle@haproxy.com>
	Mon, 6 Nov 2023 10:36:26 +0000 (11:36 +0100)
committer	Amaury Denoyelle <adenoyelle@haproxy.com>
	Thu, 9 Nov 2023 15:23:52 +0000 (16:23 +0100)
commit	278808915b05bab1ff1e08e95fe32be22109719f
tree	44d842f9ea99a3ac136db47c18b7d2b982ad7197	tree \| snapshot
parent	d38bb7f8a7170c8c89d9c02ebd472a2a69e864aa	commit \| diff

MINOR: quic: reduce half open counters scope

Accounting is implemented for half open connections which represent QUIC
connections waiting for handshake completion. When reaching a certain
limit, Retry mechanism is automatically activated prior to instantiate
new connections.

The issue with this behavior is that two notions are mixed : QUIC
connection handshake phase and Retry which is mechanism against
amplification attacks. As such, only peer address validation should be
taken into account to activate Retry protection.

This patch chooses to reduce the scope of half_open_conn. Now only
connection waiting to validate the peer address are now accounted for.
Most notably, connections instantiated with a validated Retry token
check are not accounted.

One impact of this patch is that it should prevent to activate Retry
mechanism too early, in particular in case if multiple handshakes are
too slow. Another limitation should be implemented to protect against
this scenario.

include/haproxy/quic_stats-t.h		diff \| blob \| history
src/quic_conn.c		diff \| blob \| history
src/quic_rx.c		diff \| blob \| history
src/quic_ssl.c		diff \| blob \| history