bagder/http3-explained

Unclear sentence in "Criticism"

philippgille opened this issue · 1 comment

In a "Criticism" section there's this part of a sentence:

a server must not send more than three times the size of the request in response without receiving a packet from the client in response.

I don't understand this. It sounds like if a client sends an initial request of size x, then the server may send a response up to size 3*x. And there's an exception where the server may send a bigger response, which is when the client sends a packet in response to the response? How is the security mechanism supposed to know whether there will be a response by the client in order to allow a larger response by the server?

Maybe the part of the sentence can be rephrased or expanded on to make it easier to understand.

In section 8 of RFC 9000 the following is stated:

The primary defense against amplification attacks is verifying that a
peer is able to receive packets at the transport address that it
claims. Therefore, after receiving packets from an address that is
not yet validated, an endpoint MUST limit the amount of data it sends
to the unvalidated address to three times the amount of data received
from that address. This limit on the size of responses is known as
the anti-amplification limit.

So I think "without receiving a packet from the client in response" means before the client address is validated.

Also, in section 8.1:

Prior to validating the client address, servers MUST NOT send more
than three times as many bytes as the number of bytes they have
received. This limits the magnitude of any amplification attack that
can be mounted using spoofed source addresses.

So the cited sentence could be slightly changed as:

a server must not send more than three times the size of the request in response before having validated the client address (i.e. completed connection establishment).
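To make the accounting behind the quoted RFC 9000 text concrete, here is an added example (not code from http3-explained, from the RFC, or from either commenter) of how a server can enforce the anti-amplification limit: it tracks bytes received and bytes sent per unvalidated client address, refuses any send that would exceed three times what that address has sent, raises the budget whenever another datagram arrives from that address, and lifts the limit once the address is validated. The `AntiAmplificationGuard` class, its method names and the 1200-byte sample datagram are all assumptions made for this example; the 3x factor is the one stated in RFC 9000 section 8.1.

```python
from dataclasses import dataclass

# RFC 9000 section 8.1: before address validation, a server must not send
# more than three times the number of bytes it has received from the peer.
AMPLIFICATION_FACTOR = 3


@dataclass
class PeerState:
    bytes_received: int = 0
    bytes_sent: int = 0
    validated: bool = False

    @property
    def send_budget(self):
        """Bytes that may still be sent; None means unlimited (validated)."""
        if self.validated:
            return None
        return AMPLIFICATION_FACTOR * self.bytes_received - self.bytes_sent


class AntiAmplificationGuard:
    """Per-address send accounting for unvalidated QUIC peers (example only)."""

    def __init__(self):
        self._peers = {}  # keyed by (ip, port), both assumed for this example

    def _peer(self, addr):
        return self._peers.setdefault(addr, PeerState())

    def on_datagram_received(self, addr, nbytes):
        # Every byte received from an address raises its budget by 3x.
        self._peer(addr).bytes_received += nbytes

    def address_validated(self, addr):
        # Called once the handshake (or a path challenge) proves the address.
        self._peer(addr).validated = True

    def send_budget(self, addr):
        return self._peer(addr).send_budget

    def try_send(self, addr, nbytes):
        """Account the bytes and return True if the send is allowed, else False."""
        peer = self._peer(addr)
        if not peer.validated and nbytes > peer.send_budget:
            return False
        peer.bytes_sent += nbytes
        return True


def demo():
    """Walk through the limit with a constructed 1200-byte client datagram."""
    guard = AntiAmplificationGuard()
    client = ("198.51.100.7", 4433)  # constructed sample address (documentation range)
    guard.on_datagram_received(client, 1200)  # budget is now 3600 bytes
    results = []
    results.append(guard.try_send(client, 1200))  # allowed, 2400 left
    results.append(guard.try_send(client, 1200))  # allowed, 1200 left
    results.append(guard.try_send(client, 1200))  # allowed, 0 left
    results.append(guard.try_send(client, 1))     # refused: budget exhausted
    guard.on_datagram_received(client, 1200)      # client answered: budget 3600 again
    results.append(guard.try_send(client, 3600))  # allowed
    guard.address_validated(client)               # handshake completed
    results.append(guard.try_send(client, 100000))  # no limit once validated
    return results


if __name__ == "__main__":
    print(demo())
```

The refusal in the fourth step is the point of the cited sentence: with a spoofed source address the attacker never sees the server's packets, so it can never reply, and the server's output toward the victim stays capped at three times the attacker's input. A real implementation would hold back or pad packets rather than simply returning False, but the budget arithmetic is the same.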