On Fri, Sep 11, 2020, at 08:11, Eric Rescorla wrote:
> OK, this can't happen in DTLS because the CID management works differently.

Right.

> While it's not clear to me that QUIC explicitly prohibits this (it
> would be prohibited if CRYPTO frames were STREAM frames because of
> draft-ietf-tls-quic-transport S 2.2), it seems like it's quite bad
> practice because the result will be that the losing server has a
> pending handshake which it continues to retransmit on until the client
> times out.

QUIC does prohibit this.

This looks like another case of a client that sent an Initial and went away: a situation that servers have to deal with. In any case, the server cannot retransmit indefinitely because it is bound by the anti-amplification limit. I believe that QUIC works if the server doesn't arm a timer at this point, if it comes to that.