
DO NOT MERGE! DIVERGENCE FROM STANDARD FOR DITTO USAGE ONLY#1

Draft
Pierre Avital (p-avital) wants to merge 1 commit into main from pa/non-standard/disable-ip-src-checks

Conversation

@p-avital

How to handle this commit?

  • This commit is intended to be used by Ditto as its quinn-proto vendored dependency.
  • This commit SHOULD NOT be merged in main, but stay in a separate branch, which should be rebased on main@upstream regularly.

Why does this commit exist?

The QUIC standard imposes that packets originating from an unvalidated path be discarded (unless they are specifically probing packets in response to a PATH_CHALLENGE, which can only be started once the handshake is completed).

This conflicts heavily with our usage in Ditto, where we perform "implicit server address migration" as a way for peers to discover each other's link-local address for unicast links.

This implicit migration is performed by allowing the client to address the server through an arbitrary "jumpstart" address; the server then responds, continuing the handshake, using its actual link-local IPv6 as the src_ip for its datagrams. From that point onwards, packets from the client will target this newly learnt IP.

This is no less secure than discarding packets based on source IP, as spoofing that IP is trivial; the security being instead provided by cryptography that doesn't take IP headers into account.

Note that this implicit migration is not implemented here, but is enabled by this commit.

The implicit migration is performed by keeping track of a packet's source IP, and setting it as the peer's new IP from the moment the packet has been validated cryptographically; typically by observing that quinn-proto raised an event pertaining to it.
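The gating order the PR description relies on (authenticate first, adopt the source address only afterwards) is easy to get wrong, so here is an added, stand-alone illustration of that pattern. This is example code written for this page; it is not Ditto's implementation and does not use the quinn-proto API. Two things are assumptions of the example: `toy_tag` is a keyed FNV-style checksum standing in for QUIC's real AEAD packet protection (it has no cryptographic strength, it only mimics the property that the tag covers the packet and not the IP/UDP headers), and a `seen_pns` set stands in for QUIC's guarantee that a packet number is accepted at most once, so that a replayed authentic packet from a forged source cannot move the path. The addresses and packets in `run_scenario` are constructed, not captured.

```rust
use std::collections::HashSet;
use std::net::SocketAddr;

/// Toy stand-in for QUIC packet protection (an assumption of this example, not the
/// real AEAD): a keyed tag over the packet number and payload only. Like the real
/// thing, it deliberately does not cover the IP/UDP headers.
fn toy_tag(key: &[u8; 16], pn: u64, payload: &[u8]) -> u64 {
    let mut h: u64 = 0xcbf2_9ce4_8422_2325;
    for b in key.iter().chain(pn.to_be_bytes().iter()).chain(payload.iter()) {
        h ^= u64::from(*b);
        h = h.wrapping_mul(0x0100_0000_01b3);
    }
    h
}

/// A received datagram as the endpoint sees it: its source plus the protected packet.
#[derive(Clone)]
struct Datagram {
    src: SocketAddr,
    pn: u64,
    payload: Vec<u8>,
    tag: u64,
}

impl Datagram {
    fn seal(key: &[u8; 16], src: SocketAddr, pn: u64, payload: &[u8]) -> Self {
        Datagram { src, pn, payload: payload.to_vec(), tag: toy_tag(key, pn, payload) }
    }
}

#[derive(Debug, PartialEq)]
enum Outcome {
    /// Packet authenticated and the peer address was updated to its source.
    Migrated(SocketAddr),
    /// Packet authenticated; its source already matches the known peer address.
    Accepted,
    /// Packet dropped before it could influence the path.
    Rejected(&'static str),
}

/// Per-peer state on the side that learns the other endpoint's real address.
struct PeerState {
    key: [u8; 16],
    /// Address we currently send to; starts as the arbitrary "jumpstart" address.
    remote: SocketAddr,
    /// Packet numbers already accepted, so a replayed packet cannot move the path.
    seen_pns: HashSet<u64>,
}

impl PeerState {
    fn new(key: [u8; 16], jumpstart: SocketAddr) -> Self {
        PeerState { key, remote: jumpstart, seen_pns: HashSet::new() }
    }

    fn receive(&mut self, d: &Datagram) -> Outcome {
        // 1. Cryptographic validation first; the source address plays no role here.
        if toy_tag(&self.key, d.pn, &d.payload) != d.tag {
            return Outcome::Rejected("authentication failed");
        }
        // 2. Anti-replay: an authentic packet replayed from another address must not count.
        if !self.seen_pns.insert(d.pn) {
            return Outcome::Rejected("duplicate packet number");
        }
        // 3. Only a freshly authenticated packet may teach us a new peer address.
        if d.src != self.remote {
            self.remote = d.src;
            return Outcome::Migrated(d.src);
        }
        Outcome::Accepted
    }

    fn remote(&self) -> SocketAddr {
        self.remote
    }
}

/// Constructed scenario (not captured traffic): the client addresses the server via a
/// jumpstart address, the server answers from its link-local address, and a third
/// party tries a forged packet and a replayed one from yet another address.
fn run_scenario() -> (SocketAddr, Vec<Outcome>) {
    let key = [0x42u8; 16];
    let jumpstart: SocketAddr = "[2001:db8::1]:4433".parse().unwrap();
    let server_ll: SocketAddr = "[fe80::1]:4433".parse().unwrap();
    let third_party: SocketAddr = "[fe80::bad]:4433".parse().unwrap();

    let mut client = PeerState::new(key, jumpstart);
    let mut outcomes = Vec::new();

    // Server's handshake reply arrives from its real link-local address: migrate.
    let reply = Datagram::seal(&key, server_ll, 1, b"ServerHello");
    outcomes.push(client.receive(&reply));
    // Forged packet without the key: spoofed source, wrong tag.
    let forged = Datagram { src: third_party, pn: 2, payload: b"evil".to_vec(), tag: 0 };
    outcomes.push(client.receive(&forged));
    // The authentic reply replayed from the third party's address.
    let replayed = Datagram { src: third_party, ..reply.clone() };
    outcomes.push(client.receive(&replayed));
    // Subsequent server packet on the learnt path: nothing to migrate.
    let next = Datagram::seal(&key, server_ll, 2, b"data");
    outcomes.push(client.receive(&next));

    (client.remote(), outcomes)
}

fn main() {
    let (remote, outcomes) = run_scenario();
    println!("final peer address: {remote}");
    for o in &outcomes {
        println!("{o:?}");
    }
}
```

The ordering in `receive` is the whole point: the source address is read only after the packet has passed authentication and replay checks, which is the moment the PR description describes as "validated cryptographically". Dropping the source-address check in quinn-proto is safe only if the surrounding code preserves that ordering; adopting the address before the decryption event, or on a rejected packet, would let any host on the link redirect the connection.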

