Skip to content

feat: accept connection ID validation in amplificationlimit test #442

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
larseggert wants to merge 2 commits into
base: master
Choose a base branch
from
Open

feat: accept connection ID validation in amplificationlimit test #442

Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
3d176eb
feat: accept connection ID validation in amplificationlimit test
larseggert Nov 2, 2025
1deadb8
black
larseggert Nov 2, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
30 changes: 30 additions & 0 deletions testcases_quic.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -555,6 +555,22 @@ def check(self) -> TestResult:
"Server sent %d bytes in Handshake CRYPTO frames.", max_handshake_offset
)

# Track server-chosen connection IDs with at least 64 bits of entropy (8 bytes).
# Per RFC 9000 Section 8.1, the server can consider the address validated
# when the client uses such a connection ID.
server_cids = set()
for p in self._server_trace().get_initial(Direction.FROM_SERVER):
if hasattr(p, "scid"):
# Connection IDs are hex strings with colons (e.g., "01:02:03:04:05:06:07:08").
# Remove colons and check if at least 8 bytes (16 hex chars).
cid = p.scid.replace(":", "")
if len(cid) >= 16: # 8 bytes = 16 hex characters
server_cids.add(p.scid)
logging.debug(
"Server offered connection ID with sufficient entropy: %s",
p.scid,
)

# Check that the server didn't send more than 3-4x what the client sent.
allowed = 0
allowed_with_tolerance = 0
Expand All @@ -576,6 +592,20 @@ def check(self) -> TestResult:
res = TestResult.SUCCEEDED
break
if packet_type is PacketType.INITIAL:
# Check if client is using a server-chosen connection ID.
# Per RFC 9000 Section 8.1: "an endpoint MAY consider the peer address
# validated if the peer uses a connection ID chosen by the endpoint and
# the connection ID contains at least 64 bits of entropy."
if hasattr(p.quic, "dcid"):
client_dcid = p.quic.dcid
if client_dcid in server_cids:
logging.debug(
"Client used server-chosen connection ID %s with sufficient entropy. Address validated.",
client_dcid,
)
res = TestResult.SUCCEEDED
break

client_sent += packet_size
allowed += 3 * packet_size
allowed_with_tolerance += 4 * packet_size
Expand Down