1.1.Document Structure

This document describes the core QUIC protocol and is structured as follows:¶

• Streams are the basic service abstraction that QUIC provides.¶

  • Section 2 describes core concepts related to streams,¶
  • Section 3 provides a reference model for stream states, and¶
  • Section 4 outlines the operation of flow control.¶

• Connections are the context in which QUIC endpoints communicate.¶

  • Section 5 describes core concepts related to connections,¶
  • Section 6 describes version negotiation,¶
  • Section 7 details the process for establishing connections,¶
  • Section 8 describes address validation and critical denial ofservice mitigations,¶
  • Section 9 describes how endpoints migrate a connection to a newnetwork path,¶
  • Section 10 lists the options for terminating an open connection, and¶
  • Section 11 provides guidance for stream and connection errorhandling.¶

• Packets and frames are the basic unit used by QUIC to communicate.¶

  • Section 12 describes concepts related to packets and frames,¶
  • Section 13 defines models for the transmission, retransmission, andacknowledgement of data, and¶
  • Section 14 specifies rules for managing the size of datagramscarrying QUIC packets.¶

• Finally, encoding details of QUIC protocol elements are described in:¶

  • Section 15 (Versions),¶
  • Section 16 (Integer Encoding),¶
  • Section 17 (Packet Headers),¶
  • Section 18 (Transport Parameters),¶
  • Section 19 (Frames), and¶
  • Section 20 (Errors).¶

Accompanying documents describe QUIC's loss detection and congestion control[QUIC-RECOVERY], and the use of TLS for key negotiation[QUIC-TLS].¶

This document defines QUIC version 1, which conforms to the protocol invariantsin[QUIC-INVARIANTS].¶

To refer to QUIC version 1, cite this document. References to the limitedset of version-independent properties of QUIC can cite[QUIC-INVARIANTS].¶

1.2.Terms and Definitions

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALLNOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED","MAY", and "OPTIONAL" in this document are to be interpreted asdescribed in BCP 14[RFC2119][RFC8174] when, and only when, theyappear in all capitals, as shown here.¶

Commonly used terms in the document are described below.¶

QUIC:

The transport protocol described by this document. QUIC is a name, not anacronym.¶

Endpoint:

An entity that can participate in a QUIC connection by generating, receiving,and processing QUIC packets. There are only two types of endpoint in QUIC:client and server.¶

Client:

The endpoint that initiates a QUIC connection.¶

Server:

The endpoint that accepts a QUIC connection.¶

QUIC packet:

A complete processable unit of QUIC that can be encapsulated in a UDPdatagram. One or more QUIC packets can be encapsulated in a single UDPdatagram.¶

Ack-eliciting Packet:

A QUIC packet that contains frames other than ACK, PADDING, andCONNECTION_CLOSE. These cause a recipient to send an acknowledgment; seeSection 13.2.1.¶

Frame:

A unit of structured protocol information. There are multiple frame types,each of which carries different information. Frames are contained in QUICpackets.¶

Address:

When used without qualification, the tuple of IP version, IP address, and UDPport number that represents one end of a network path.¶

Connection ID:

An identifier that is used to identify a QUIC connection at an endpoint.Each endpoint selects one or more Connection IDs for its peer to include inpackets sent towards the endpoint. This value is opaque to the peer.¶

Stream:

A unidirectional or bidirectional channel of ordered bytes within a QUICconnection. A QUIC connection can carry multiple simultaneous streams.¶

Application:

An entity that uses QUIC to send and receive data.¶

This document uses the terms "QUIC packets", "UDP datagrams", and "IP packets"to refer to the units of the respective protocols. That is, one or more QUICpackets can be encapsulated in a UDP datagram, which is in turn encapsulated inan IP packet.¶

1.3.Notational Conventions

Packet and frame diagrams in this document use a custom format. The purpose ofthis format is to summarize, not define, protocol elements. Prose defines thecomplete semantics and details of structures.¶

Complex fields are named and then followed by a list of fields surrounded by apair of matching braces. Each field in this list is separated by commas.¶

Individual fields include length information, plus indications about fixedvalue, optionality, or repetitions. Individual fields use the followingnotational conventions, with all lengths in bits:¶

x (A):

Indicates that x is A bits long¶

x (i):

Indicates that x uses the variable-length encoding inSection 16¶

x (A..B):

Indicates that x can be any length from A to B; A can be omitted to indicatea minimum of zero bits and B can be omitted to indicate no set upper limit;values in this format always end on an octet boundary¶

x (?) = C:

Indicates that x has a fixed value of C with the length described by?, as above¶

x (?) = C..D:

Indicates that x has a value in the range from C to D, inclusive,with the length described by ?, as above¶

[x (E)]:

Indicates that x is optional (and has length of E)¶

x (E) ...:

Indicates that x is repeated zero or more times (and that each instance islength E)¶

This document uses network byte order (that is, big endian) values. Fieldsare placed starting from the high-order bits of each byte.¶

By convention, individual fields reference a complex field by using the name ofthe complex field.¶

For example:¶

Example Structure {  One-bit Field (1),  7-bit Field with Fixed Value (7) = 61,  Field with Variable-Length Integer (i),  Arbitrary-Length Field (..),  Variable-Length Field (8..24),  Field With Minimum Length (16..),  Field With Maximum Length (..128),  [Optional Field (64)],  Repeated Field (8) ...,}

When a single-bit field is referenced in prose, the position of that field canbe clarified by using the value of the byte that carries the field with thefield's value set. For example, the value 0x80 could be used to refer to thesingle-bit field in the most significant bit of the byte, such as One-bit FieldinFigure 1.¶

2.1.Stream Types and Identifiers

Streams can be unidirectional or bidirectional. Unidirectional streams carrydata in one direction: from the initiator of the stream to its peer.Bidirectional streams allow for data to be sent in both directions.¶

Streams are identified within a connection by a numeric value, referred to asthe stream ID. A stream ID is a 62-bit integer (0 to 2^62-1) that is unique forall streams on a connection. Stream IDs are encoded as variable-lengthintegers; seeSection 16. A QUIC endpoint MUST NOT reuse a stream IDwithin a connection.¶

The least significant bit (0x1) of the stream ID identifies the initiator of thestream. Client-initiated streams have even-numbered stream IDs (with the bitset to 0), and server-initiated streams have odd-numbered stream IDs (with thebit set to 1).¶

The second least significant bit (0x2) of the stream ID distinguishes betweenbidirectional streams (with the bit set to 0) and unidirectional streams (withthe bit set to 1).¶

The two least significant bits from a stream ID therefore identify a stream asone of four types, as summarized inTable 1.¶

The stream space for each type begins at the minimum value (0x0 through 0x3respectively); successive streams of each type are created with numericallyincreasing stream IDs. A stream ID that is used out of order results in allstreams of that type with lower-numbered stream IDs also being opened.¶

2.2.Sending and Receiving Data

STREAM frames (Section 19.8) encapsulate data sent by an application. Anendpoint uses the Stream ID and Offset fields in STREAM frames to place data inorder.¶

Endpoints MUST be able to deliver stream data to an application as an orderedbyte-stream. Delivering an ordered byte-stream requires that an endpoint bufferany data that is received out of order, up to the advertised flow control limit.¶

QUIC makes no specific allowances for delivery of stream data out oforder. However, implementations MAY choose to offer the ability to deliver dataout of order to a receiving application.¶

An endpoint could receive data for a stream at the same stream offset multipletimes. Data that has already been received can be discarded. The data at agiven offset MUST NOT change if it is sent multiple times; an endpoint MAY treatreceipt of different data at the same offset within a stream as a connectionerror of type PROTOCOL_VIOLATION.¶

Streams are an ordered byte-stream abstraction with no other structure visibleto QUIC. STREAM frame boundaries are not expected to be preserved whendata is transmitted, retransmitted after packet loss, or delivered to theapplication at a receiver.¶

An endpoint MUST NOT send data on any stream without ensuring that it is withinthe flow control limits set by its peer. Flow control is described in detail inSection 4.¶

2.3.Stream Prioritization

Stream multiplexing can have a significant effect on application performance ifresources allocated to streams are correctly prioritized.¶

QUIC does not provide a mechanism for exchanging prioritization information.Instead, it relies on receiving priority information from the application.¶

A QUIC implementation SHOULD provide ways in which an application can indicatethe relative priority of streams. An implementation uses information providedby the application to determine how to allocate resources to active streams.¶

2.4.Operations on Streams

This document does not define an API for QUIC, but instead defines a set offunctions on streams that application protocols can rely upon. An applicationprotocol can assume that a QUIC implementation provides an interface thatincludes the operations described in this section. An implementation designedfor use with a specific application protocol might provide only those operationsthat are used by that protocol.¶

On the sending part of a stream, an application protocol can:¶

• write data, understanding when stream flow control credit(Section 4.1) has successfully been reserved to send the writtendata;¶
• end the stream (clean termination), resulting in a STREAM frame(Section 19.8) with the FIN bit set; and¶
• reset the stream (abrupt termination), resulting in a RESET_STREAM frame(Section 19.4) if the stream was not already in a terminal state.¶

On the receiving part of a stream, an application protocol can:¶

• read data; and¶
• abort reading of the stream and request closure, possibly resulting in aSTOP_SENDING frame (Section 19.5).¶

An application protocol can also request to be informed of state changes onstreams, including when the peer has opened or reset a stream, when a peeraborts reading on a stream, when new data is available, and when data can orcannot be written to the stream due to flow control.¶

3.1.Sending Stream States

Figure 2 shows the states for the part of a stream that sendsdata to a peer.¶

       o       | Create Stream (Sending)       | Peer Creates Bidirectional Stream       v   +-------+   | Ready | Send RESET_STREAM   |       |-----------------------.   +-------+                       |       |                           |       | Send STREAM /             |       |      STREAM_DATA_BLOCKED  |       |                           |       | Peer Creates              |       |      Bidirectional Stream |       v                           |   +-------+                       |   | Send  | Send RESET_STREAM     |   |       |---------------------->|   +-------+                       |       |                           |       | Send STREAM + FIN         |       v                           v   +-------+                   +-------+   | Data  | Send RESET_STREAM | Reset |   | Sent  |------------------>| Sent  |   +-------+                   +-------+       |                           |       | Recv All ACKs             | Recv ACK       v                           v   +-------+                   +-------+   | Data  |                   | Reset |   | Recvd |                   | Recvd |   +-------+                   +-------+

The sending part of a stream that the endpoint initiates (types 0and 2 for clients, 1 and 3 for servers) is opened by the application. The"Ready" state represents a newly created stream that is able to accept data fromthe application. Stream data might be buffered in this state in preparation forsending.¶

Sending the first STREAM or STREAM_DATA_BLOCKED frame causes a sending part of astream to enter the "Send" state. An implementation might choose to deferallocating a stream ID to a stream until it sends the first STREAM frame andenters this state, which can allow for better stream prioritization.¶

The sending part of a bidirectional stream initiated by a peer (type 0 for aserver, type 1 for a client) starts in the "Ready" state when the receiving partis created.¶

In the "Send" state, an endpoint transmits - and retransmits as necessary -stream data in STREAM frames. The endpoint respects the flow control limits setby its peer, and continues to accept and process MAX_STREAM_DATA frames. Anendpoint in the "Send" state generates STREAM_DATA_BLOCKED frames if it isblocked from sending by stream or connection flow control limitsSection 4.1.¶

After the application indicates that all stream data has been sent and a STREAMframe containing the FIN bit is sent, the sending part of the stream enters the"Data Sent" state. From this state, the endpoint only retransmits stream dataas necessary. The endpoint does not need to check flow control limits or sendSTREAM_DATA_BLOCKED frames for a stream in this state. MAX_STREAM_DATA framesmight be received until the peer receives the final stream offset. The endpointcan safely ignore any MAX_STREAM_DATA frames it receives from its peer for astream in this state.¶

Once all stream data has been successfully acknowledged, the sending part of thestream enters the "Data Recvd" state, which is a terminal state.¶

From any of the "Ready", "Send", or "Data Sent" states, an application cansignal that it wishes to abandon transmission of stream data. Alternatively, anendpoint might receive a STOP_SENDING frame from its peer. In either case, theendpoint sends a RESET_STREAM frame, which causes the stream to enter the "ResetSent" state.¶

An endpoint MAY send a RESET_STREAM as the first frame that mentions a stream;this causes the sending part of that stream to open and then immediatelytransition to the "Reset Sent" state.¶

Once a packet containing a RESET_STREAM has been acknowledged, the sending partof the stream enters the "Reset Recvd" state, which is a terminal state.¶

3.2.Receiving Stream States

Figure 3 shows the states for the part of a stream thatreceives data from a peer. The states for a receiving part of a stream mirroronly some of the states of the sending part of the stream at the peer. Thereceiving part of a stream does not track states on the sending part that cannotbe observed, such as the "Ready" state. Instead, the receiving part of a streamtracks the delivery of data to the application, some of which cannot be observedby the sender.¶

       o       | Recv STREAM / STREAM_DATA_BLOCKED / RESET_STREAM       | Create Bidirectional Stream (Sending)       | Recv MAX_STREAM_DATA / STOP_SENDING (Bidirectional)       | Create Higher-Numbered Stream       v   +-------+   | Recv  | Recv RESET_STREAM   |       |-----------------------.   +-------+                       |       |                           |       | Recv STREAM + FIN         |       v                           |   +-------+                       |   | Size  | Recv RESET_STREAM     |   | Known |---------------------->|   +-------+                       |       |                           |       | Recv All Data             |       v                           v   +-------+ Recv RESET_STREAM +-------+   | Data  |--- (optional) --->| Reset |   | Recvd |  Recv All Data    | Recvd |   +-------+<-- (optional) ----+-------+       |                           |       | App Read All Data         | App Read RST       v                           v   +-------+                   +-------+   | Data  |                   | Reset |   | Read  |                   | Read  |   +-------+                   +-------+

The receiving part of a stream initiated by a peer (types 1 and 3 for a client,or 0 and 2 for a server) is created when the first STREAM, STREAM_DATA_BLOCKED,or RESET_STREAM frame is received for that stream. For bidirectional streamsinitiated by a peer, receipt of a MAX_STREAM_DATA or STOP_SENDING frame for thesending part of the stream also creates the receiving part. The initial statefor the receiving part of a stream is "Recv".¶

The receiving part of a stream enters the "Recv" state when the sending part ofa bidirectional stream initiated by the endpoint (type 0 for a client, type 1for a server) enters the "Ready" state.¶

An endpoint opens a bidirectional stream when a MAX_STREAM_DATA or STOP_SENDINGframe is received from the peer for that stream. Receiving a MAX_STREAM_DATAframe for an unopened stream indicates that the remote peer has opened thestream and is providing flow control credit. Receiving a STOP_SENDING frame foran unopened stream indicates that the remote peer no longer wishes to receivedata on this stream. Either frame might arrive before a STREAM orSTREAM_DATA_BLOCKED frame if packets are lost or reordered.¶

Before a stream is created, all streams of the same type with lower-numberedstream IDs MUST be created. This ensures that the creation order for streams isconsistent on both endpoints.¶

In the "Recv" state, the endpoint receives STREAM and STREAM_DATA_BLOCKEDframes. Incoming data is buffered and can be reassembled into the correct orderfor delivery to the application. As data is consumed by the application andbuffer space becomes available, the endpoint sends MAX_STREAM_DATA frames toallow the peer to send more data.¶

When a STREAM frame with a FIN bit is received, the final size of the stream isknown; seeSection 4.5. The receiving part of the stream then enters the"Size Known" state. In this state, the endpoint no longer needs to sendMAX_STREAM_DATA frames, it only receives any retransmissions of stream data.¶

Once all data for the stream has been received, the receiving part enters the"Data Recvd" state. This might happen as a result of receiving the same STREAMframe that causes the transition to "Size Known". After all data has beenreceived, any STREAM or STREAM_DATA_BLOCKED frames for the stream can bediscarded.¶

The "Data Recvd" state persists until stream data has been delivered to theapplication. Once stream data has been delivered, the stream enters the "DataRead" state, which is a terminal state.¶

Receiving a RESET_STREAM frame in the "Recv" or "Size Known" states causes thestream to enter the "Reset Recvd" state. This might cause the delivery ofstream data to the application to be interrupted.¶

It is possible that all stream data has already been received when aRESET_STREAM is received (that is, in the "Data Recvd" state). Similarly, it ispossible for remaining stream data to arrive after receiving a RESET_STREAMframe (the "Reset Recvd" state). An implementation is free to manage thissituation as it chooses.¶

Sending RESET_STREAM means that an endpoint cannot guarantee delivery of streamdata; however there is no requirement that stream data not be delivered if aRESET_STREAM is received. An implementation MAY interrupt delivery of streamdata, discard any data that was not consumed, and signal the receipt of theRESET_STREAM. A RESET_STREAM signal might be suppressed or withheld if streamdata is completely received and is buffered to be read by the application. Ifthe RESET_STREAM is suppressed, the receiving part of the stream remains in"Data Recvd".¶

Once the application receives the signal indicating that the streamwas reset, the receiving part of the stream transitions to the "Reset Read"state, which is a terminal state.¶

3.3.Permitted Frame Types

The sender of a stream sends just three frame types that affect the state of astream at either sender or receiver: STREAM (Section 19.8),STREAM_DATA_BLOCKED (Section 19.13), and RESET_STREAM(Section 19.4).¶

A sender MUST NOT send any of these frames from a terminal state ("Data Recvd"or "Reset Recvd"). A sender MUST NOT send a STREAM or STREAM_DATA_BLOCKED framefor a stream in the "Reset Sent" state or any terminal state, that is, aftersending a RESET_STREAM frame. A receiver could receive any of these threeframes in any state, due to the possibility of delayed delivery of packetscarrying them.¶

The receiver of a stream sends MAX_STREAM_DATA (Section 19.10) andSTOP_SENDING frames (Section 19.5).¶

The receiver only sends MAX_STREAM_DATA in the "Recv" state. A receiver MAYsend STOP_SENDING in any state where it has not received a RESET_STREAM frame;that is states other than "Reset Recvd" or "Reset Read". However there islittle value in sending a STOP_SENDING frame in the "Data Recvd" state, sinceall stream data has been received. A sender could receive either of these twoframes in any state as a result of delayed delivery of packets.¶

3.4.Bidirectional Stream States

A bidirectional stream is composed of sending and receiving parts.Implementations can represent states of the bidirectional stream as compositesof sending and receiving stream states. The simplest model presents the streamas "open" when either sending or receiving parts are in a non-terminal state and"closed" when both sending and receiving streams are in terminal states.¶

Table 2 shows a more complex mapping of bidirectional streamstates that loosely correspond to the stream states in HTTP/2[HTTP2]. This shows that multiple states on sending or receivingparts of streams are mapped to the same composite state. Note that this is justone possibility for such a mapping; this mapping requires that data isacknowledged before the transition to a "closed" or "half-closed" state.¶

Note (*1):

A stream is considered "idle" if it has not yet been created, or if thereceiving part of the stream is in the "Recv" state without yet havingreceived any frames.¶

3.5.Solicited State Transitions

If an application is no longer interested in the data it is receiving on astream, it can abort reading the stream and specify an application error code.¶

If the stream is in the "Recv" or "Size Known" states, the transport SHOULDsignal this by sending a STOP_SENDING frame to prompt closure of the stream inthe opposite direction. This typically indicates that the receiving applicationis no longer reading data it receives from the stream, but it is not a guaranteethat incoming data will be ignored.¶

STREAM frames received after sending a STOP_SENDING frame are still countedtoward connection and stream flow control, even though these frames can bediscarded upon receipt.¶

A STOP_SENDING frame requests that the receiving endpoint send a RESET_STREAMframe. An endpoint that receives a STOP_SENDING frame MUST send a RESET_STREAMframe if the stream is in the Ready or Send state. If the stream is in the"Data Sent" state, the endpoint MAY defer sending the RESET_STREAM frame untilthe packets containing outstanding data are acknowledged or declared lost. Ifany outstanding data is declared lost, the endpoint SHOULD send a RESET_STREAMframe instead of retransmitting the data.¶

An endpoint SHOULD copy the error code from the STOP_SENDING frame to theRESET_STREAM frame it sends, but MAY use any application error code. Anendpoint that sends a STOP_SENDING frame MAY ignore the error code inany RESET_STREAM frames subsequently received for that stream.¶

STOP_SENDING SHOULD only be sent for a stream that has not been reset by thepeer. STOP_SENDING is most useful for streams in the "Recv" or "Size Known"states.¶

An endpoint is expected to send another STOP_SENDING frame if a packetcontaining a previous STOP_SENDING is lost. However, once either all streamdata or a RESET_STREAM frame has been received for the stream - that is, thestream is in any state other than "Recv" or "Size Known" - sending aSTOP_SENDING frame is unnecessary.¶

An endpoint that wishes to terminate both directions of a bidirectional streamcan terminate one direction by sending a RESET_STREAM frame, and it canencourage prompt termination in the opposite direction by sending a STOP_SENDINGframe.¶

4.1.Data Flow Control

QUIC employs a limit-based flow-control scheme where a receiver advertises thelimit of total bytes it is prepared to receive on a given stream or for theentire connection. This leads to two levels of data flow control in QUIC:¶

• Stream flow control, which prevents a single stream from consuming the entirereceive buffer for a connection by limiting the amount of data that can besent on any stream.¶
• Connection flow control, which prevents senders from exceeding a receiver'sbuffer capacity for the connection, by limiting the total bytes of stream datasent in STREAM frames on all streams.¶

Senders MUST NOT send data in excess of either limit.¶

A receiver sets initial limits for all streams through transport parametersduring the handshake (Section 7.4). Subsequently, a receiver sendsMAX_STREAM_DATA (Section 19.10) or MAX_DATA (Section 19.9)frames to the sender to advertise larger limits.¶

A receiver can advertise a larger limit for a stream by sending aMAX_STREAM_DATA frame with the corresponding stream ID. A MAX_STREAM_DATA frameindicates the maximum absolute byte offset of a stream. A receiver coulddetermine the flow control offset to be advertised based on the current offsetof data consumed on that stream.¶

A receiver can advertise a larger limit for a connection by sending a MAX_DATAframe, which indicates the maximum of the sum of the absolute byte offsets ofall streams. A receiver maintains a cumulative sum of bytes received on allstreams, which is used to check for violations of the advertised connection orstream data limits. A receiver could determine the maximum data limit to beadvertised based on the sum of bytes consumed on all streams.¶

Once a receiver advertises a limit for the connection or a stream, it MAYadvertise a smaller limit, but this has no effect.¶

A receiver MUST close the connection with a FLOW_CONTROL_ERROR error(Section 11) if the sender violates the advertised connection or streamdata limits.¶

A sender MUST ignore any MAX_STREAM_DATA or MAX_DATA frames that do not increaseflow control limits.¶

If a sender has sent data up to the limit, it will be unable to send new dataand is considered blocked. A sender SHOULD send a STREAM_DATA_BLOCKED orDATA_BLOCKED frame to indicate to the receiver that it has data to write but isblocked by flow control limits. If a sender is blocked for a period longer thanthe idle timeout (Section 10.1), the receiver might close the connectioneven when the sender has data that is available for transmission. To keep theconnection from closing, a sender that is flow control limited SHOULDperiodically send a STREAM_DATA_BLOCKED or DATA_BLOCKED frame when it has noack-eliciting packets in flight.¶

4.2.Increasing Flow Control Limits

Implementations decide when and how much credit to advertise in MAX_STREAM_DATAand MAX_DATA frames, but this section offers a few considerations.¶

To avoid blocking a sender, a receiver MAY send a MAX_STREAM_DATA or MAX_DATAframe multiple times within a round trip or send it early enough to allow timefor loss of the frame and subsequent recovery.¶

Control frames contribute to connection overhead. Therefore, frequently sendingMAX_STREAM_DATA and MAX_DATA frames with small changes is undesirable. On theother hand, if updates are less frequent, larger increments to limits arenecessary to avoid blocking a sender, requiring larger resource commitments atthe receiver. There is a trade-off between resource commitment and overheadwhen determining how large a limit is advertised.¶

A receiver can use an autotuning mechanism to tune the frequency and amount ofadvertised additional credit based on a round-trip time estimate and the rate atwhich the receiving application consumes data, similar to common TCPimplementations. As an optimization, an endpoint could send frames related toflow control only when there are other frames to send, ensuring that flowcontrol does not cause extra packets to be sent.¶

A blocked sender is not required to send STREAM_DATA_BLOCKED or DATA_BLOCKEDframes. Therefore, a receiver MUST NOT wait for a STREAM_DATA_BLOCKED orDATA_BLOCKED frame before sending a MAX_STREAM_DATA or MAX_DATA frame; doing socould result in the sender being blocked for the rest of the connection. Even ifthe sender sends these frames, waiting for them will result in the sender beingblocked for at least an entire round trip.¶

When a sender receives credit after being blocked, it might be able to send alarge amount of data in response, resulting in short-term congestion; seeSection 6.9 in[QUIC-RECOVERY] for a discussion of how a sender can avoid thiscongestion.¶

4.3.Flow Control Performance

If an endpoint cannot ensure that its peer always has available flow controlcredit that is greater than the peer's bandwidth-delay product on thisconnection, its receive throughput will be limited by flow control.¶

Packet loss can cause gaps in the receive buffer, preventing the applicationfrom consuming data and freeing up receive buffer space.¶

Sending timely updates of flow control limits can improve performance.Sending packets only to provide flow control updates can increase networkload and adversely affect performance. Sending flow control updates along withother frames, such as ACK frames, reduces the cost of those updates.¶

4.4.Handling Stream Cancellation

Endpoints need to eventually agree on the amount of flow control credit that hasbeen consumed on every stream, to be able to account for all bytes forconnection-level flow control.¶

On receipt of a RESET_STREAM frame, an endpoint will tear down state for thematching stream and ignore further data arriving on that stream.¶

RESET_STREAM terminates one direction of a stream abruptly. For a bidirectionalstream, RESET_STREAM has no effect on data flow in the opposite direction. Bothendpoints MUST maintain flow control state for the stream in the unterminateddirection until that direction enters a terminal state.¶

4.5.Stream Final Size

The final size is the amount of flow control credit that is consumed by astream. Assuming that every contiguous byte on the stream was sent once, thefinal size is the number of bytes sent. More generally, this is one higherthan the offset of the byte with the largest offset sent on the stream, or zeroif no bytes were sent.¶

A sender always communicates the final size of a stream to the receiverreliably, no matter how the stream is terminated. The final size is the sum ofthe Offset and Length fields of a STREAM frame with a FIN flag, noting thatthese fields might be implicit. Alternatively, the Final Size field of aRESET_STREAM frame carries this value. This guarantees that both endpoints agreeon how much flow control credit was consumed by the sender on that stream.¶

An endpoint will know the final size for a stream when the receiving part of thestream enters the "Size Known" or "Reset Recvd" state (Section 3). Thereceiver MUST use the final size of the stream to account for all bytes sent onthe stream in its connection level flow controller.¶

An endpoint MUST NOT send data on a stream at or beyond the final size.¶

Once a final size for a stream is known, it cannot change. If a RESET_STREAM orSTREAM frame is received indicating a change in the final size for the stream,an endpoint SHOULD respond with a FINAL_SIZE_ERROR error; seeSection 11. A receiver SHOULD treat receipt of data at or beyond thefinal size as a FINAL_SIZE_ERROR error, even after a stream is closed.Generating these errors is not mandatory, because requiring that anendpoint generate these errors also means that the endpoint needs to maintainthe final size state for closed streams, which could mean a significant statecommitment.¶

4.6.Controlling Concurrency

An endpoint limits the cumulative number of incoming streams a peer can open.Only streams with a stream ID less than (max_stream * 4 +initial_stream_id_for_type) can be opened; seeTable 1. Initiallimits are set in the transport parameters; seeSection 18.2. Subsequent limits are advertised usingMAX_STREAMS frames; seeSection 19.11. Separate limits apply tounidirectional and bidirectional streams.¶

If a max_streams transport parameter or a MAX_STREAMS frame is received with avalue greater than 2^60, this would allow a maximum stream ID that cannot beexpressed as a variable-length integer; seeSection 16. If either isreceived, the connection MUST be closed immediately with a connection error oftype TRANSPORT_PARAMETER_ERROR if the offending value was received in atransport parameter or of type FRAME_ENCODING_ERROR if it was received in aframe; seeSection 10.2.¶

Endpoints MUST NOT exceed the limit set by their peer. An endpoint thatreceives a frame with a stream ID exceeding the limit it has sent MUST treatthis as a connection error of type STREAM_LIMIT_ERROR (Section 11).¶

Once a receiver advertises a stream limit using the MAX_STREAMS frame,advertising a smaller limit has no effect. A receiver MUST ignore anyMAX_STREAMS frame that does not increase the stream limit.¶

As with stream and connection flow control, this document leaves implementationsto decide when and how many streams should be advertisedto a peer via MAX_STREAMS. Implementations might choose to increase limits asstreams are closed, to keep the number of streams available to peers roughlyconsistent.¶

An endpoint that is unable to open a new stream due to the peer's limits SHOULDsend a STREAMS_BLOCKED frame (Section 19.14). This signal isconsidered useful for debugging. An endpoint MUST NOT wait to receive thissignal before advertising additional credit, since doing so will mean that thepeer will be blocked for at least an entire round trip, and potentiallyindefinitely if the peer chooses not to send STREAMS_BLOCKED frames.¶

5.1.Connection ID

Each connection possesses a set of connection identifiers, or connection IDs,each of which can identify the connection. Connection IDs are independentlyselected by endpoints; each endpoint selects the connection IDs that its peeruses.¶

The primary function of a connection ID is to ensure that changes in addressingat lower protocol layers (UDP, IP) do not cause packets for a QUICconnection to be delivered to the wrong endpoint. Each endpoint selectsconnection IDs using an implementation-specific (and perhapsdeployment-specific) method that will allow packets with that connection ID tobe routed back to the endpoint and to be identified by the endpoint uponreceipt.¶

Connection IDs MUST NOT contain any information that can be used by an externalobserver (that is, one that does not cooperate with the issuer) to correlatethem with other connection IDs for the same connection. As a trivial example,this means the same connection ID MUST NOT be issued more than once on the sameconnection.¶

Packets with long headers include Source Connection ID and DestinationConnection ID fields. These fields are used to set the connection IDs for newconnections; seeSection 7.2 for details.¶

Packets with short headers (Section 17.3) only include the DestinationConnection ID and omit the explicit length. The length of the DestinationConnection ID field is expected to be known to endpoints. Endpoints using aload balancer that routes based on connection ID could agree with the loadbalancer on a fixed length for connection IDs, or agree on an encoding scheme.A fixed portion could encode an explicit length, which allows the entireconnection ID to vary in length and still be used by the load balancer.¶

A Version Negotiation (Section 17.2.1) packet echoes the connection IDsselected by the client, both to ensure correct routing toward the client and todemonstrate that the packet is in response to a packet sent by the client.¶

A zero-length connection ID can be used when a connection ID is not needed toroute to the correct endpoint. However, multiplexing connections on the samelocal IP address and port while using zero-length connection IDs will causefailures in the presence of peer connection migration, NAT rebinding, and clientport reuse. An endpoint MUST NOT use the same IP address and port for multipleconnections with zero-length connection IDs, unless it is certain that thoseprotocol features are not in use.¶

When an endpoint uses a non-zero-length connection ID, it needs to ensure thatthe peer has a supply of connection IDs from which to choose for packets sent tothe endpoint. These connection IDs are supplied by the endpoint using theNEW_CONNECTION_ID frame (Section 19.15).¶

5.2.Matching Packets to Connections

Incoming packets are classified on receipt. Packets can either be associatedwith an existing connection, or - for servers - potentially create a newconnection.¶

Endpoints try to associate a packet with an existing connection. If the packethas a non-zero-length Destination Connection ID corresponding to an existingconnection, QUIC processes that packet accordingly. Note that more than oneconnection ID can be associated with a connection; seeSection 5.1.¶

If the Destination Connection ID is zero length and the addressing informationin the packet matches the addressing information the endpoint uses to identify aconnection with a zero-length connection ID, QUIC processes the packet as partof that connection. An endpoint can use just destination IP and port or bothsource and destination addresses for identification, though this makesconnections fragile as described inSection 5.1.¶

Endpoints can send a Stateless Reset (Section 10.3) for any packets thatcannot be attributed to an existing connection. A stateless reset allows a peerto more quickly identify when a connection becomes unusable.¶

Packets that are matched to an existing connection are discarded if the packetsare inconsistent with the state of that connection. For example, packets arediscarded if they indicate a different protocol version than that of theconnection, or if the removal of packet protection is unsuccessful once theexpected keys are available.¶

Invalid packets that lack strong integrity protection, such as Initial, Retry,or Version Negotiation, MAY be discarded. An endpoint MUST generate aconnection error if processing the contents of these packets prior todiscovering an error, unless it fully reverts these changes.¶

5.3.Operations on Connections

This document does not define an API for QUIC, but instead defines a set offunctions for QUIC connections that application protocols can rely upon. Anapplication protocol can assume that an implementation of QUIC provides aninterface that includes the operations described in this section. Animplementation designed for use with a specific application protocol mightprovide only those operations that are used by that protocol.¶

When implementing the client role, an application protocol can:¶

• open a connection, which begins the exchange described inSection 7;¶
• enable Early Data when available; and¶
• be informed when Early Data has been accepted or rejected by a server.¶

When implementing the server role, an application protocol can:¶

• listen for incoming connections, which prepares for the exchange described inSection 7;¶
• if Early Data is supported, embed application-controlled data in the TLSresumption ticket sent to the client; and¶
• if Early Data is supported, retrieve application-controlled data from theclient's resumption ticket and accept or reject Early Data based on thatinformation.¶

In either role, an application protocol can:¶

• configure minimum values for the initial number of permitted streams of eachtype, as communicated in the transport parameters (Section 7.4);¶
• control resource allocation for receive buffers by setting flow control limitsboth for streams and for the connection¶
• identify whether the handshake has completed successfully or is still ongoing;¶
• keep a connection from silently closing, either by generating PING frames(Section 19.2) or by requesting that the transport send additional framesbefore the idle timeout expires (Section 10.1); and¶
• immediately close (Section 10.2) the connection.¶

6.1.Sending Version Negotiation Packets

If the version selected by the client is not acceptable to the server, theserver responds with a Version Negotiation packet; seeSection 17.2.1. Thisincludes a list of versions that the server will accept. An endpoint MUST NOTsend a Version Negotiation packet in response to receiving a Version Negotiationpacket.¶

This system allows a server to process packets with unsupported versions withoutretaining state. Though either the Initial packet or the Version Negotiationpacket that is sent in response could be lost, the client will send new packetsuntil it successfully receives a response or it abandons the connection attempt.As a result, the client discards all state for the connection and does not sendany more packets on the connection.¶

A server MAY limit the number of Version Negotiation packets it sends. Forinstance, a server that is able to recognize packets as 0-RTT might choose notto send Version Negotiation packets in response to 0-RTT packets with theexpectation that it will eventually receive an Initial packet.¶

6.2.Handling Version Negotiation Packets

Version Negotiation packets are designed to allow future versions of QUIC tonegotiate the version in use between endpoints. Future versions of QUIC mightchange how implementations that support multiple versions of QUIC react toVersion Negotiation packets when attempting to establish a connection using thisversion.¶

A client that supports only this version of QUIC MUST abandon the currentconnection attempt if it receives a Version Negotiation packet, with thefollowing two exceptions. A client MUST discard any Version Negotiation packetif it has received and successfully processed any other packet, including anearlier Version Negotiation packet. A client MUST discard a Version Negotiationpacket that lists the QUIC version selected by the client.¶

How to perform version negotiation is left as future work defined by futureversions of QUIC. In particular, that future work will ensure robustnessagainst version downgrade attacks; seeSection 21.12.¶

6.3.Using Reserved Versions

For a server to use a new version in the future, clients need to correctlyhandle unsupported versions. Some version numbers (0x?a?a?a?a as defined inSection 15) are reserved for inclusion in fields that contain versionnumbers.¶

Endpoints MAY add reserved versions to any field where unknown or unsupportedversions are ignored to test that a peer correctly ignores the value. Forinstance, an endpoint could include a reserved version in a Version Negotiationpacket; seeSection 17.2.1. Endpoints MAY send packets with a reservedversion to test that a peer correctly discards the packet.¶

7.1.Example Handshake Flows

Details of how TLS is integrated with QUIC are provided in[QUIC-TLS], butsome examples are provided here. An extension of this exchange to supportclient address validation is shown inSection 8.1.2.¶

Once any address validation exchanges are complete, thecryptographic handshake is used to agree on cryptographic keys. Thecryptographic handshake is carried in Initial (Section 17.2.2) and Handshake(Section 17.2.4) packets.¶

Figure 5 provides an overview of the 1-RTT handshake. Each lineshows a QUIC packet with the packet type and packet number shown first, followedby the frames that are typically contained in those packets. So, for instancethe first packet is of type Initial, with packet number 0, and contains a CRYPTOframe carrying the ClientHello.¶

Multiple QUIC packets -- even of different packet types -- can be coalesced intoa single UDP datagram; seeSection 12.2. As a result, this handshakecould consist of as few as 4 UDP datagrams, or any number more (subject tolimits inherent to the protocol, such as congestion control andanti-amplification). For instance, the server's first flight contains Initialpackets, Handshake packets, and "0.5-RTT data" in 1-RTT packets.¶

Client                                                  ServerInitial[0]: CRYPTO[CH] ->                                 Initial[0]: CRYPTO[SH] ACK[0]                       Handshake[0]: CRYPTO[EE, CERT, CV, FIN]                                 <- 1-RTT[0]: STREAM[1, "..."]Initial[1]: ACK[0]Handshake[0]: CRYPTO[FIN], ACK[0]1-RTT[0]: STREAM[0, "..."], ACK[0] ->                                          Handshake[1]: ACK[0]         <- 1-RTT[1]: HANDSHAKE_DONE, STREAM[3, "..."], ACK[0]

Figure 6 shows an example of a connection with a 0-RTT handshakeand a single packet of 0-RTT data. Note that as described inSection 12.3, the server acknowledges 0-RTT data in 1-RTT packets, andthe client sends 1-RTT packets in the same packet number space.¶

Client                                                  ServerInitial[0]: CRYPTO[CH]0-RTT[0]: STREAM[0, "..."] ->                                 Initial[0]: CRYPTO[SH] ACK[0]                                  Handshake[0] CRYPTO[EE, FIN]                          <- 1-RTT[0]: STREAM[1, "..."] ACK[0]Initial[1]: ACK[0]Handshake[0]: CRYPTO[FIN], ACK[0]1-RTT[1]: STREAM[0, "..."] ACK[0] ->                                          Handshake[1]: ACK[0]         <- 1-RTT[1]: HANDSHAKE_DONE, STREAM[3, "..."], ACK[1]

7.2.Negotiating Connection IDs

A connection ID is used to ensure consistent routing of packets, as described inSection 5.1. The long header contains two connection IDs: the DestinationConnection ID is chosen by the recipient of the packet and is used to provideconsistent routing; the Source Connection ID is used to set the DestinationConnection ID used by the peer.¶

During the handshake, packets with the long header (Section 17.2) are usedto establish the connection IDs used by both endpoints. Each endpoint uses theSource Connection ID field to specify the connection ID that is used in theDestination Connection ID field of packets being sent to them. After processingthe first Initial packet, each endpoint sets the Destination Connection IDfield in subsequent packets it sends to the value of the Source Connection IDfield that it received.¶

When an Initial packet is sent by a client that has not previously received anInitial or Retry packet from the server, the client populates the DestinationConnection ID field with an unpredictable value. This Destination Connection IDMUST be at least 8 bytes in length. Until a packet is received from the server,the client MUST use the same Destination Connection ID value on all packets inthis connection.¶

The Destination Connection ID field from the first Initial packet sent by aclient is used to determine packet protection keys for Initial packets. Thesekeys change after receiving a Retry packet; see Section 5.2 of[QUIC-TLS].¶

The client populates the Source Connection ID field with a value of its choosingand sets the Source Connection ID Length field to indicate the length.¶

The first flight of 0-RTT packets use the same Destination Connection ID andSource Connection ID values as the client's first Initial packet.¶

Upon first receiving an Initial or Retry packet from the server, the client usesthe Source Connection ID supplied by the server as the Destination Connection IDfor subsequent packets, including any 0-RTT packets. This means that a clientmight have to change the connection ID it sets in the Destination Connection IDfield twice during connection establishment: once in response to a Retry, andonce in response to an Initial packet from the server. Once a client hasreceived a valid Initial packet from the server, it MUST discard any subsequentpacket it receives with a different Source Connection ID.¶

A client MUST change the Destination Connection ID it uses for sending packetsin response to only the first received Initial or Retry packet. A server MUSTset the Destination Connection ID it uses for sending packets based on the firstreceived Initial packet. Any further changes to the Destination Connection IDare only permitted if the values are taken from NEW_CONNECTION_ID frames; ifsubsequent Initial packets include a different Source Connection ID, they MUSTbe discarded. This avoids unpredictable outcomes that might otherwise resultfrom stateless processing of multiple Initial packets with different SourceConnection IDs.¶

The Destination Connection ID that an endpoint sends can change over thelifetime of a connection, especially in response to connection migration(Section 9); seeSection 5.1.1 for details.¶

7.3.Authenticating Connection IDs

The choice each endpoint makes about connection IDs during the handshake isauthenticated by including all values in transport parameters; seeSection 7.4. This ensures that all connection IDs used for thehandshake are also authenticated by the cryptographic handshake.¶

Each endpoint includes the value of the Source Connection ID field from thefirst Initial packet it sent in the initial_source_connection_id transportparameter; seeSection 18.2. A server includes theDestination Connection ID field from the first Initial packet it received fromthe client in the original_destination_connection_id transport parameter; if theserver sent a Retry packet, this refers to the first Initial packet receivedbefore sending the Retry packet. If it sends a Retry packet, a server alsoincludes the Source Connection ID field from the Retry packet in theretry_source_connection_id transport parameter.¶

The values provided by a peer for these transport parameters MUST match thevalues that an endpoint used in the Destination and Source Connection ID fieldsof Initial packets that it sent. Including connection ID values in transportparameters and verifying them ensures that that an attacker cannot influencethe choice of connection ID for a successful connection by injecting packetscarrying attacker-chosen connection IDs during the handshake.¶

An endpoint MUST treat absence of the initial_source_connection_id transportparameter from either endpoint or absence of theoriginal_destination_connection_id transport parameter from the server as aconnection error of type TRANSPORT_PARAMETER_ERROR.¶

An endpoint MUST treat the following as a connection error of typeTRANSPORT_PARAMETER_ERROR or PROTOCOL_VIOLATION:¶

• absence of the retry_source_connection_id transport parameter from the serverafter receiving a Retry packet,¶
• presence of the retry_source_connection_id transport parameter when no Retrypacket was received, or¶
• a mismatch between values received from a peer in these transport parametersand the value sent in the corresponding Destination or Source Connection IDfields of Initial packets.¶

If a zero-length connection ID is selected, the corresponding transportparameter is included with a zero-length value.¶

Figure 7 shows the connection IDs (with DCID=Destination Connection ID,SCID=Source Connection ID) that are used in a complete handshake. The exchangeof Initial packets is shown, plus the later exchange of 1-RTT packets thatincludes the connection ID established during the handshake.¶

Client                                                  ServerInitial: DCID=S1, SCID=C1 ->                                  <- Initial: DCID=C1, SCID=S3                             ...1-RTT: DCID=S3 ->                                             <- 1-RTT: DCID=C1

Figure 8 shows a similar handshake that includes a Retry packet.¶

Client                                                  ServerInitial: DCID=S1, SCID=C1 ->                                    <- Retry: DCID=C1, SCID=S2Initial: DCID=S2, SCID=C1 ->                                  <- Initial: DCID=C1, SCID=S3                             ...1-RTT: DCID=S3 ->                                             <- 1-RTT: DCID=C1

In both cases (Figure 7 andFigure 8), the client sets thevalue of the initial_source_connection_id transport parameter toC1.¶

When the handshake does not include a Retry (Figure 7), the server setsoriginal_destination_connection_id toS1 and initial_source_connection_id toS3. In this case, the server does not include a retry_source_connection_idtransport parameter.¶

When the handshake includes a Retry (Figure 8), the server setsoriginal_destination_connection_id toS1, retry_source_connection_id toS2,and initial_source_connection_id toS3.¶

7.4.Transport Parameters

During connection establishment, both endpoints make authenticated declarationsof their transport parameters. Endpoints are required to comply with therestrictions that each parameter defines; the description of each parameterincludes rules for its handling.¶

Transport parameters are declarations that are made unilaterally by eachendpoint. Each endpoint can choose values for transport parameters independentof the values chosen by its peer.¶

The encoding of the transport parameters is detailed inSection 18.¶

QUIC includes the encoded transport parameters in the cryptographic handshake.Once the handshake completes, the transport parameters declared by the peer areavailable. Each endpoint validates the values provided by its peer.¶

Definitions for each of the defined transport parameters are included inSection 18.2.¶

An endpoint MUST treat receipt of a transport parameter with an invalid value asa connection error of type TRANSPORT_PARAMETER_ERROR.¶

An endpoint MUST NOT send a parameter more than once in a given transportparameters extension. An endpoint SHOULD treat receipt of duplicate transportparameters as a connection error of type TRANSPORT_PARAMETER_ERROR.¶

Endpoints use transport parameters to authenticate the negotiation ofconnection IDs during the handshake; seeSection 7.3.¶

Application Layer Protocol Negotiation (ALPN; see[ALPN]) allowsclients to offer multiple application protocols during connectionestablishment. The transport parameters that a client includes during thehandshake apply to all application protocols that the client offers. Applicationprotocols can recommend values for transport parameters, such as the initialflow control limits. However, application protocols that set constraints onvalues for transport parameters could make it impossible for a client to offermultiple application protocols if these constraints conflict.¶

7.5.Cryptographic Message Buffering

Implementations need to maintain a buffer of CRYPTO data received out of order.Because there is no flow control of CRYPTO frames, an endpoint couldpotentially force its peer to buffer an unbounded amount of data.¶

Implementations MUST support buffering at least 4096 bytes of data received inout-of-order CRYPTO frames. Endpoints MAY choose to allow more data to bebuffered during the handshake. A larger limit during the handshake could allowfor larger keys or credentials to be exchanged. An endpoint's buffer size doesnot need to remain constant during the life of the connection.¶

Being unable to buffer CRYPTO frames during the handshake can lead to aconnection failure. If an endpoint's buffer is exceeded during the handshake, itcan expand its buffer temporarily to complete the handshake. If an endpointdoes not expand its buffer, it MUST close the connection with aCRYPTO_BUFFER_EXCEEDED error code.¶

Once the handshake completes, if an endpoint is unable to buffer all data in aCRYPTO frame, it MAY discard that CRYPTO frame and all CRYPTO frames received inthe future, or it MAY close the connection with a CRYPTO_BUFFER_EXCEEDED errorcode. Packets containing discarded CRYPTO frames MUST be acknowledged becausethe packet has been received and processed by the transport even though theCRYPTO frame was discarded.¶

8.1.Address Validation During Connection Establishment

Connection establishment implicitly provides address validation for bothendpoints. In particular, receipt of a packet protected with Handshake keysconfirms that the peer successfully processed an Initial packet. Once anendpoint has successfully processed a Handshake packet from the peer, it canconsider the peer address to have been validated.¶

Additionally, an endpoint MAY consider the peer address validated if the peeruses a connection ID chosen by the endpoint and the connection ID contains atleast 64 bits of entropy.¶

For the client, the value of the Destination Connection ID field in its firstInitial packet allows it to validate the server address as a part ofsuccessfully processing any packet. Initial packets from the server areprotected with keys that are derived from this value (see Section 5.2 of[QUIC-TLS]). Alternatively, the value is echoed by the server in VersionNegotiation packets (Section 6) or included in the Integrity Tagin Retry packets (Section 5.8 of[QUIC-TLS]).¶

Prior to validating the client address, servers MUST NOT send more than threetimes as many bytes as the number of bytes they have received. This limits themagnitude of any amplification attack that can be mounted using spoofed sourceaddresses. For the purposes of avoiding amplification prior to addressvalidation, servers MUST count all of the payload bytes received in datagramsthat are uniquely attributed to a single connection. This includes datagramsthat contain packets that are successfully processed and datagrams that containpackets that are all discarded.¶

Clients MUST ensure that UDP datagrams containing Initial packets have UDPpayloads of at least 1200 bytes, adding PADDING frames as necessary.A client that sends padded datagrams allows the server tosend more data prior to completing address validation.¶

Loss of an Initial or Handshake packet from the server can cause a deadlock ifthe client does not send additional Initial or Handshake packets. A deadlockcould occur when the server reaches its anti-amplification limit and the clienthas received acknowledgements for all the data it has sent. In this case, whenthe client has no reason to send additional packets, the server will be unableto send more data because it has not validated the client's address. To preventthis deadlock, clients MUST send a packet on a probe timeout (PTO, see Section6.2 of[QUIC-RECOVERY]). Specifically, the client MUST send an Initial packetin a UDP datagram that contains at least 1200 bytes if it does not haveHandshake keys, and otherwise send a Handshake packet.¶

A server might wish to validate the client address before starting thecryptographic handshake. QUIC uses a token in the Initial packet to provideaddress validation prior to completing the handshake. This token is delivered tothe client during connection establishment with a Retry packet (seeSection 8.1.2) or in a previous connection using the NEW_TOKEN frame (seeSection 8.1.3).¶

In addition to sending limits imposed prior to address validation, servers arealso constrained in what they can send by the limits set by the congestioncontroller. Clients are only constrained by the congestion controller.¶

Client                                                  ServerInitial[0]: CRYPTO[CH] ->                                                <- Retry+TokenInitial+Token[1]: CRYPTO[CH] ->                                 Initial[0]: CRYPTO[SH] ACK[1]                       Handshake[0]: CRYPTO[EE, CERT, CV, FIN]                                 <- 1-RTT[0]: STREAM[1, "..."]

8.2.Path Validation

Path validation is used by both peers during connection migration(seeSection 9) to verify reachability after a change of address.In path validation, endpoints test reachability between a specific localaddress and a specific peer address, where an address is the two-tuple ofIP address and port.¶

Path validation tests that packets sent on a path to a peer arereceived by that peer. Path validation is used to ensure that packets receivedfrom a migrating peer do not carry a spoofed source address.¶

Path validation does not validate that a peer can send in the return direction.Acknowledgments cannot be used for return path validation because they containinsufficient entropy and might be spoofed. Endpoints independently determinereachability on each direction of a path, and therefore return reachability canonly be established by the peer.¶

Path validation can be used at any time by either endpoint. For instance, anendpoint might check that a peer is still in possession of its address after aperiod of quiescence.¶

Path validation is not designed as a NAT traversal mechanism. Though themechanism described here might be effective for the creation of NAT bindingsthat support NAT traversal, the expectation is that one or other peer is able toreceive packets without first having sent a packet on that path. Effective NATtraversal needs additional synchronization mechanisms that are not providedhere.¶

An endpoint MAY include other frames with the PATH_CHALLENGE and PATH_RESPONSEframes used for path validation. In particular, an endpoint can include PADDINGframes with a PATH_CHALLENGE frame for Path Maximum Transmission Unit Discovery(PMTUD; seeSection 14.2.1); it can also include its own PATH_CHALLENGE frame witha PATH_RESPONSE frame.¶

An endpoint uses a new connection ID for probes sent from a new local address;seeSection 9.5. When probing a new path, an endpoint canensure that its peer has an unused connection ID available forresponses. Sending NEW_CONNECTION_ID and PATH_CHALLENGE frames in the samepacket, if the peer's active_connection_id_limit permits, ensures that an unusedconnection ID will be available to the peer when sending a response.¶

An endpoint can choose to simultaneously probe multiple paths. The number ofsimultaneous paths used for probes is limited by the number of extra connectionIDs its peer has previously supplied, since each new local address used for aprobe requires a previously unused connection ID.¶

9.1.Probing a New Path

An endpoint MAY probe for peer reachability from a new local address using pathvalidation (Section 8.2) prior to migrating the connection to the newlocal address. Failure of path validation simply means that the new path is notusable for this connection. Failure to validate a path does not cause theconnection to end unless there are no valid alternative paths available.¶

PATH_CHALLENGE, PATH_RESPONSE, NEW_CONNECTION_ID, and PADDING frames are"probing frames", and all other frames are "non-probing frames". A packetcontaining only probing frames is a "probing packet", and a packet containingany other frame is a "non-probing packet".¶

9.2.Initiating Connection Migration

An endpoint can migrate a connection to a new local address by sending packetscontaining non-probing frames from that address.¶

Each endpoint validates its peer's address during connection establishment.Therefore, a migrating endpoint can send to its peer knowing that the peer iswilling to receive at the peer's current address. Thus an endpoint can migrateto a new local address without first validating the peer's address.¶

To establish reachability on the new path, an endpoint initiates pathvalidation (Section 8.2) on the new path. An endpoint MAY defer pathvalidation until after a peer sends the next non-probing frame to its newaddress.¶

When migrating, the new path might not support the endpoint's current sendingrate. Therefore, the endpoint resets its congestion controller and RTT estimate,as described inSection 9.4.¶

The new path might not have the same ECN capability. Therefore, the endpointvalidates ECN capability as described inSection 13.4.¶

9.3.Responding to Connection Migration

Receiving a packet from a new peer address containing a non-probing frameindicates that the peer has migrated to that address.¶

If the recipient permits the migration, it MUST send subsequent packetsto the new peer address and MUST initiate path validation (Section 8.2)to verify the peer's ownership of the address if validation is not alreadyunderway.¶

An endpoint only changes the address to which it sends packets in response tothe highest-numbered non-probing packet. This ensures that an endpoint does notsend packets to an old peer address in the case that it receives reorderedpackets.¶

An endpoint MAY send data to an unvalidated peer address, but it MUST protectagainst potential attacks as described inSection 9.3.1 andSection 9.3.2. An endpoint MAY skip validation of a peer address if thataddress has been seen recently. In particular, if an endpoint returns to apreviously-validated path after detecting some form of spurious migration,skipping address validation and restoring loss detection and congestion statecan reduce the performance impact of the attack.¶

After changing the address to which it sends non-probing packets, an endpointcan abandon any path validation for other addresses.¶

Receiving a packet from a new peer address could be the result of a NATrebinding at the peer.¶

After verifying a new client address, the server SHOULD send new addressvalidation tokens (Section 8) to the client.¶

9.4.Loss Detection and Congestion Control

The capacity available on the new path might not be the same as the old path.Packets sent on the old path MUST NOT contribute to congestion control or RTTestimation for the new path.¶

On confirming a peer's ownership of its new address, an endpoint MUSTimmediately reset the congestion controller and round-trip time estimator forthe new path to initial values (see Appendices A.3 and B.3 in[QUIC-RECOVERY])unless the only change in the peer's address is its port number. Becauseport-only changes are commonly the result of NAT rebinding or other middleboxactivity, the endpoint MAY instead retain its congestion control state andround-trip estimate in those cases instead of reverting to initial values.In cases where congestion control stateretained from an old path is used on a new path with substantially differentcharacteristics, a sender could transmit too aggressively until the congestioncontroller and the RTT estimator have adapted. Generally, implementations areadvised to be cautious when using previous values on a new path.¶

There could be apparent reordering at the receiver when an endpoint sends dataand probes from/to multiple addresses during the migration period, since the tworesulting paths could have different round-trip times. A receiver of packets onmultiple paths will still send ACK frames covering all received packets.¶

While multiple paths might be used during connection migration, a singlecongestion control context and a single loss recovery context (as described in[QUIC-RECOVERY]) could be adequate. For instance, an endpoint might delayswitching to a new congestion control context until it is confirmed that an oldpath is no longer needed (such as the case inSection 9.3.3).¶

A sender can make exceptions for probe packets so that their loss detection isindependent and does not unduly cause the congestion controller to reduce itssending rate. An endpoint might set a separate timer when a PATH_CHALLENGE issent, which is cancelled if the corresponding PATH_RESPONSE is received. If thetimer fires before the PATH_RESPONSE is received, the endpoint might send a newPATH_CHALLENGE, and restart the timer for a longer period of time. This timerSHOULD be set as described in Section 6.2.1 of[QUIC-RECOVERY] and MUST NOT bemore aggressive.¶

9.5.Privacy Implications of Connection Migration

Using a stable connection ID on multiple network paths would allow a passiveobserver to correlate activity between those paths. An endpoint that movesbetween networks might not wish to have their activity correlated by any entityother than their peer, so different connection IDs are used when sending fromdifferent local addresses, as discussed inSection 5.1. For this to beeffective, endpoints need to ensure that connection IDs they provide cannot belinked by any other entity.¶

At any time, endpoints MAY change the Destination Connection ID they transmitwith to a value that has not been used on another path.¶

An endpoint MUST NOT reuse a connection ID when sending from more than one localaddress, for example when initiating connection migration as described inSection 9.2 or when probing a new network path as described inSection 9.1.¶

Similarly, an endpoint MUST NOT reuse a connection ID when sending to more thanone destination address. Due to network changes outside the control of itspeer, an endpoint might receive packets from a new source address with the samedestination connection ID, in which case it MAY continue to use the currentconnection ID with the new remote address while still sending from the samelocal address.¶

These requirements regarding connection ID reuse apply only to the sending ofpackets, as unintentional changes in path without a change in connection ID arepossible. For example, after a period of network inactivity, NAT rebindingmight cause packets to be sent on a new path when the client resumes sending.An endpoint responds to such an event as described inSection 9.3.¶

Using different connection IDs for packets sent in both directions on each newnetwork path eliminates the use of the connection ID for linking packets fromthe same connection across different network paths. Header protection ensuresthat packet numbers cannot be used to correlate activity. This does not preventother properties of packets, such as timing and size, from being used tocorrelate activity.¶

An endpoint SHOULD NOT initiate migration with a peer that has requested azero-length connection ID, because traffic over the new path might be triviallylinkable to traffic over the old one. If the server is able to associatepackets with a zero-length connection ID to the right connection, it means thatthe server is using other information to demultiplex packets. For example, aserver might provide a unique address to every client, for instance using HTTPalternative services[ALTSVC]. Information that might allow correctrouting of packets across multiple network paths will also allow activity onthose paths to be linked by entities other than the peer.¶

A client might wish to reduce linkability by employing a new connection ID andsource UDP port when sending traffic after a period of inactivity. Changing theUDP port from which it sends packets at the same time might cause the packet toappear as a connection migration. This ensures that the mechanisms that supportmigration are exercised even for clients that do not experience NAT rebindingsor genuine migrations. Changing port number can cause a peer to reset itscongestion state (seeSection 9.4), so the port SHOULD only be changedinfrequently.¶

An endpoint that exhausts available connection IDs cannot probe new paths orinitiate migration, nor can it respond to probes or attempts by its peer tomigrate. To ensure that migration is possible and packets sent on differentpaths cannot be correlated, endpoints SHOULD provide new connection IDs beforepeers migrate; seeSection 5.1.1. If a peer might have exhausted availableconnection IDs, a migrating endpoint could include a NEW_CONNECTION_ID frame inall packets sent on a new network path.¶

9.6.Server's Preferred Address

QUIC allows servers to accept connections on one IP address and attempt totransfer these connections to a more preferred address shortly after thehandshake. This is particularly useful when clients initially connect to anaddress shared by multiple servers but would prefer to use a unicast address toensure connection stability. This section describes the protocol for migrating aconnection to a preferred server address.¶

Migrating a connection to a new server address mid-connection is not supportedby the version of QUIC specified in this document. If a client receives packetsfrom a new server address when the client has not initiated a migration to thataddress, the client SHOULD discard these packets.¶

9.7.Use of IPv6 Flow-Label and Migration

Endpoints that send data using IPv6 SHOULD apply an IPv6 flow labelin compliance with[RFC6437], unless the local API does not allowsetting IPv6 flow labels.¶

The IPv6 flow label SHOULD be a pseudo-random function of the source anddestination addresses, source and destination UDP ports, and the DestinationConnection ID field. The flow label generation MUST be designed to minimize thechances of linkability with a previously used flow label, as this would enablecorrelating activity on multiple paths; seeSection 9.5.¶

A possible implementation is to compute the flow label as a cryptographic hashfunction of the source and destination addresses, source and destinationUDP ports, Destination Connection ID field, and a local secret.¶

10.1.Idle Timeout

If a max_idle_timeout is specified by either peer in its transport parameters(Section 18.2), the connection is silently closedand its state is discarded when it remains idle for longer than the minimum ofboth peers max_idle_timeout values.¶

Each endpoint advertises a max_idle_timeout, but the effective valueat an endpoint is computed as the minimum of the two advertised values. Byannouncing a max_idle_timeout, an endpoint commits to initiating an immediateclose (Section 10.2) if it abandons the connection prior to the effectivevalue.¶

An endpoint restarts its idle timer when a packet from its peer is received andprocessed successfully. An endpoint also restarts its idle timer when sending anack-eliciting packet if no other ack-eliciting packets have been sent since lastreceiving and processing a packet. Restarting this timer when sending a packetensures that connections are not closed after new activity is initiated.¶

To avoid excessively small idle timeout periods, endpoints MUST increase theidle timeout period to be at least three times the current Probe Timeout (PTO).This allows for multiple PTOs to expire, and therefore multiple probes to besent and lost, prior to idle timeout.¶

10.2.Immediate Close

An endpoint sends a CONNECTION_CLOSE frame (Section 19.19) toterminate the connection immediately. A CONNECTION_CLOSE frame causes allstreams to immediately become closed; open streams can be assumed to beimplicitly reset.¶

After sending a CONNECTION_CLOSE frame, an endpoint immediately enters theclosing state; seeSection 10.2.1. After receiving a CONNECTION_CLOSE frame,endpoints enter the draining state; seeSection 10.2.2.¶

Violations of the protocol lead to an immediate close.¶

An immediate close can be used after an application protocol has arranged toclose a connection. This might be after the application protocol negotiates agraceful shutdown. The application protocol can exchange messages that areneeded for both application endpoints to agree that the connection can beclosed, after which the application requests that QUIC close the connection.When QUIC consequently closes the connection, a CONNECTION_CLOSE frame with anapplication-supplied error code will be used to signal closure to the peer.¶

The closing and draining connection states exist to ensure that connectionsclose cleanly and that delayed or reordered packets are properly discarded.These states SHOULD persist for at least three times the current Probe Timeout(PTO) interval as defined in[QUIC-RECOVERY].¶

Disposing of connection state prior to exiting the closing or draining statecould result in an endpoint generating a stateless reset unnecessarily when itreceives a late-arriving packet. Endpoints that have some alternative meansto ensure that late-arriving packets do not induce a response, such as thosethat are able to close the UDP socket, MAY end these states earlier to allowfor faster resource recovery. Servers that retain an open socket for acceptingnew connections SHOULD NOT end the closing or draining states early.¶

Once its closing or draining state ends, an endpoint SHOULD discard allconnection state. The endpoint MAY send a stateless reset in response to anyfurther incoming packets belonging to this connection.¶

10.3.Stateless Reset

A stateless reset is provided as an option of last resort for an endpoint thatdoes not have access to the state of a connection. A crash or outage mightresult in peers continuing to send data to an endpoint that is unable toproperly continue the connection. An endpoint MAY send a stateless reset inresponse to receiving a packet that it cannot associate with an activeconnection.¶

A stateless reset is not appropriate for indicating errors in activeconnections. An endpoint that wishes to communicate a fatal connection errorMUST use a CONNECTION_CLOSE frame if it is able.¶

To support this process, an endpoint issues a stateless reset token, which is a16-byte value that is hard to guess. If the peer subsequently receives astateless reset, which is a UDP datagram that ends in that stateless resettoken, the peer will immediately end the connection.¶

A stateless reset token is specific to a connection ID. An endpoint issues astateless reset token by including the value in the Stateless Reset Token fieldof a NEW_CONNECTION_ID frame. Servers can also issue a stateless_reset_tokentransport parameter during the handshake that applies to the connection ID thatit selected during the handshake. These exchanges are protected by encryption,so only client and server know their value. Note that clients cannot use thestateless_reset_token transport parameter because their transport parameters donot have confidentiality protection.¶

Tokens are invalidated when their associated connection ID is retired via aRETIRE_CONNECTION_ID frame (Section 19.16).¶

An endpoint that receives packets that it cannot process sends a packet in thefollowing layout (seeSection 1.3):¶

Stateless Reset {  Fixed Bits (2) = 1,  Unpredictable Bits (38..),  Stateless Reset Token (128),}

This design ensures that a stateless reset packet is - to the extent possible -indistinguishable from a regular packet with a short header.¶

A stateless reset uses an entire UDP datagram, starting with the first two bitsof the packet header. The remainder of the first byte and an arbitrary numberof bytes following it are set to values that SHOULD be indistinguishablefrom random. The last 16 bytes of the datagram contain a Stateless Reset Token.¶

To entities other than its intended recipient, a stateless reset will appear tobe a packet with a short header. For the stateless reset to appear as a validQUIC packet, the Unpredictable Bits field needs to include at least 38 bits ofdata (or 5 bytes, less the two fixed bits).¶

The resulting minimum size of 21 bytes does not guarantee that a stateless resetis difficult to distinguish from other packets if the recipient requires the useof a connection ID. To achieve that end, the endpoint SHOULD ensure that allpackets it sends are at least 22 bytes longer than the minimum connection IDlength that it requests the peer to include in its packets, adding PADDINGframes as necessary. This ensures that any stateless reset sent by the peeris indistinguishable from a valid packet sent to the endpoint. An endpoint thatsends a stateless reset in response to a packet that is 43 bytes or shorterSHOULD send a stateless reset that is one byte shorter than the packet itresponds to.¶

These values assume that the Stateless Reset Token is the same length as theminimum expansion of the packet protection AEAD. Additional unpredictable bytesare necessary if the endpoint could have negotiated a packet protection schemewith a larger minimum expansion.¶

An endpoint MUST NOT send a stateless reset that is three times or more largerthan the packet it receives to avoid being used for amplification.Section 10.3.3 describes additional limits on stateless reset size.¶

Endpoints MUST discard packets that are too small to be valid QUIC packets. Togive an example, with the set of AEAD functions defined in[QUIC-TLS], shortheader packets that are smaller than 21 bytes are never valid.¶

Endpoints MUST send stateless reset packets formatted as a packet with a shortheader. However, endpoints MUST treat any packet ending in a valid statelessreset token as a stateless reset, as other QUIC versions might allow the use ofa long header.¶

An endpoint MAY send a stateless reset in response to a packet with a longheader. Sending a stateless reset is not effective prior to the stateless resettoken being available to a peer. In this QUIC version, packets with a longheader are only used during connection establishment. Because the statelessreset token is not available until connection establishment is complete or nearcompletion, ignoring an unknown packet with a long header might be as effectiveas sending a stateless reset.¶

An endpoint cannot determine the Source Connection ID from a packet with a shortheader, therefore it cannot set the Destination Connection ID in the statelessreset packet. The Destination Connection ID will therefore differ from thevalue used in previous packets. A random Destination Connection ID makes theconnection ID appear to be the result of moving to a new connection ID that wasprovided using a NEW_CONNECTION_ID frame (Section 19.15).¶

Using a randomized connection ID results in two problems:¶

• The packet might not reach the peer. If the Destination Connection ID iscritical for routing toward the peer, then this packet could be incorrectlyrouted. This might also trigger another Stateless Reset in response; seeSection 10.3.3. A Stateless Reset that is not correctly routed isan ineffective error detection and recovery mechanism. In thiscase, endpoints will need to rely on other methods - such as timers - todetect that the connection has failed.¶
• The randomly generated connection ID can be used by entities other than thepeer to identify this as a potential stateless reset. An endpoint thatoccasionally uses different connection IDs might introduce some uncertaintyabout this.¶

This stateless reset design is specific to QUIC version 1. An endpoint thatsupports multiple versions of QUIC needs to generate a stateless reset that willbe accepted by peers that support any version that the endpoint might support(or might have supported prior to losing state). Designers of new versions ofQUIC need to be aware of this and either reuse this design, or use a portion ofthe packet other than the last 16 bytes for carrying data.¶

11.1.Connection Errors

Errors that result in the connection being unusable, such as an obviousviolation of protocol semantics or corruption of state that affects an entireconnection, MUST be signaled using a CONNECTION_CLOSE frame(Section 19.19).¶

Application-specific protocol errors are signaled using the CONNECTION_CLOSEframe with a frame type of 0x1d. Errors that are specific to the transport,including all those described in this document, are carried in theCONNECTION_CLOSE frame with a frame type of 0x1c.¶

A CONNECTION_CLOSE frame could be sent in a packet that is lost. An endpointSHOULD be prepared to retransmit a packet containing a CONNECTION_CLOSE frame ifit receives more packets on a terminated connection. Limiting the number ofretransmissions and the time over which this final packet is sent limits theeffort expended on terminated connections.¶

An endpoint that chooses not to retransmit packets containing a CONNECTION_CLOSEframe risks a peer missing the first such packet. The only mechanism availableto an endpoint that continues to receive data for a terminated connection is touse the stateless reset process (Section 10.3).¶

As the AEAD on Initial packets does not provide strong authentication, anendpoint MAY discard an invalid Initial packet. Discarding an Initial packet ispermitted even where this specification otherwise mandates a connection error.An endpoint can only discard a packet if it does not process the frames in thepacket or reverts the effects of any processing. Discarding invalid Initialpackets might be used to reduce exposure to denial of service; seeSection 21.2.¶

11.2.Stream Errors

If an application-level error affects a single stream, but otherwise leaves theconnection in a recoverable state, the endpoint can send a RESET_STREAM frame(Section 19.4) with an appropriate error code to terminate just theaffected stream.¶

Resetting a stream without the involvement of the application protocol couldcause the application protocol to enter an unrecoverable state. RESET_STREAMMUST only be instigated by the application protocol that uses QUIC.¶

The semantics of the application error code carried in RESET_STREAM aredefined by the application protocol. Only the application protocol is able tocause a stream to be terminated. A local instance of the application protocoluses a direct API call and a remote instance uses the STOP_SENDING frame, whichtriggers an automatic RESET_STREAM.¶

Application protocols SHOULD define rules for handling streams that areprematurely cancelled by either endpoint.¶

12.1.Protected Packets

QUIC packets have different levels of cryptographic protection based on thetype of packet. Details of packet protection are found in[QUIC-TLS]; thissection includes an overview of the protections that are provided.¶

Version Negotiation packets have no cryptographic protection; see[QUIC-INVARIANTS].¶

Retry packets use an authenticated encryption with associated data function(AEAD;[AEAD]) to protect against accidental modification.¶

Initial packets use an AEAD, the keys for which are derived using a value thatis visible on the wire. Initial packets therefore do not have effectiveconfidentiality protection. Initial protection exists to ensure that the senderof the packet is on the network path. Any entity that receives an Initial packetfrom a client can recover the keys that will allow them to both read thecontents of the packet and generate Initial packets that will be successfullyauthenticated at either endpoint. The AEAD also protects Initial packetsagainst accidental modification.¶

All other packets are protected with keys derived from the cryptographichandshake. The cryptographic handshake ensures that only the communicatingendpoints receive the corresponding keys for Handshake, 0-RTT, and 1-RTTpackets. Packets protected with 0-RTT and 1-RTT keys have strongconfidentiality and integrity protection.¶

The Packet Number field that appears in some packet types has alternativeconfidentiality protection that is applied as part of header protection; seeSection 5.4 of[QUIC-TLS] for details. The underlying packet number increaseswith each packet sent in a given packet number space; seeSection 12.3 fordetails.¶

12.2.Coalescing Packets

Initial (Section 17.2.2), 0-RTT (Section 17.2.3), and Handshake(Section 17.2.4) packets contain a Length field that determines the endof the packet. The length includes both the Packet Number and Payloadfields, both of which are confidentiality protected and initially of unknownlength. The length of the Payload field is learned once header protection isremoved.¶

Using the Length field, a sender can coalesce multiple QUIC packets into one UDPdatagram. This can reduce the number of UDP datagrams needed to complete thecryptographic handshake and start sending data. This can also be used toconstruct PMTU probes; seeSection 14.4.1. Receivers MUST be able toprocess coalesced packets.¶

Coalescing packets in order of increasing encryption levels (Initial, 0-RTT,Handshake, 1-RTT; see Section 4.1.4 of[QUIC-TLS]) makes it more likely thereceiver will be able to process all the packets in a single pass. A packetwith a short header does not include a length, so it can only be the lastpacket included in a UDP datagram. An endpoint SHOULD include multiple framesin a single packet if they are to be sent at the same encryption level, insteadof coalescing multiple packets at the same encryption level.¶

Receivers MAY route based on the information in the first packet contained in aUDP datagram. Senders MUST NOT coalesce QUIC packets with different connectionIDs into a single UDP datagram. Receivers SHOULD ignore any subsequent packetswith a different Destination Connection ID than the first packet in thedatagram.¶

Every QUIC packet that is coalesced into a single UDP datagram is separate andcomplete. The receiver of coalesced QUIC packets MUST individually process eachQUIC packet and separately acknowledge them, as if they were received as thepayload of different UDP datagrams. For example, if decryption fails (becausethe keys are not available or any other reason), the receiver MAY either discardor buffer the packet for later processing and MUST attempt to process theremaining packets.¶

Retry packets (Section 17.2.5), Version Negotiation packets(Section 17.2.1), and packets with a short header (Section 17.3) do notcontain a Length field and so cannot be followed by other packets in the sameUDP datagram. Note also that there is no situation where a Retry or VersionNegotiation packet is coalesced with another packet.¶

12.3.Packet Numbers

The packet number is an integer in the range 0 to 2^62-1. This number is usedin determining the cryptographic nonce for packet protection. Each endpointmaintains a separate packet number for sending and receiving.¶

Packet numbers are limited to this range because they need to be representablein whole in the Largest Acknowledged field of an ACK frame (Section 19.3).When present in a long or short header however, packet numbers are reduced andencoded in 1 to 4 bytes; seeSection 17.1.¶

Version Negotiation (Section 17.2.1) and Retry (Section 17.2.5) packetsdo not include a packet number.¶

Packet numbers are divided into 3 spaces in QUIC:¶

• Initial space: All Initial packets (Section 17.2.2) are in this space.¶
• Handshake space: All Handshake packets (Section 17.2.4) are in thisspace.¶
• Application data space: All 0-RTT (Section 17.2.3) and 1-RTT(Section 17.3.1) encrypted packets are in this space.¶

As described in[QUIC-TLS], each packet type uses different protection keys.¶

Conceptually, a packet number space is the context in which a packet can beprocessed and acknowledged. Initial packets can only be sent with Initialpacket protection keys and acknowledged in packets that are also Initialpackets. Similarly, Handshake packets are sent at the Handshake encryptionlevel and can only be acknowledged in Handshake packets.¶

This enforces cryptographic separation between the data sent in the differentpacket number spaces. Packet numbers in each space start at packet number 0.Subsequent packets sent in the same packet number space MUST increase the packetnumber by at least one.¶

0-RTT and 1-RTT data exist in the same packet number space to make loss recoveryalgorithms easier to implement between the two packet types.¶

A QUIC endpoint MUST NOT reuse a packet number within the same packet numberspace in one connection. If the packet number for sending reaches 2^62 - 1, thesender MUST close the connection without sending a CONNECTION_CLOSE frame or anyfurther packets; an endpoint MAY send a Stateless Reset (Section 10.3) inresponse to further packets that it receives.¶

A receiver MUST discard a newly unprotected packet unless it is certain that ithas not processed another packet with the same packet number from the samepacket number space. Duplicate suppression MUST happen after removing packetprotection for the reasons described in Section 9.5 of[QUIC-TLS].¶

Endpoints that track all individual packets for the purposes of detectingduplicates are at risk of accumulating excessive state. The data required fordetecting duplicates can be limited by maintaining a minimum packet number belowwhich all packets are immediately dropped. Any minimum needs to account forlarge variations in round trip time, which includes the possibility that a peermight probe network paths with much larger round trip times; seeSection 9.¶

Packet number encoding at a sender and decoding at a receiver are described inSection 17.1.¶

12.4.Frames and Frame Types

The payload of QUIC packets, after removing packet protection, consists of asequence of complete frames, as shown inFigure 11. VersionNegotiation, Stateless Reset, and Retry packets do not contain frames.¶

Packet Payload {  Frame (8..) ...,}

The payload of a packet that contains frames MUST contain at least one frame,and MAY contain multiple frames and multiple frame types. An endpoint MUSTtreat receipt of a packet containing no frames as a connection error of typePROTOCOL_VIOLATION. Frames always fit within a single QUIC packet and cannotspan multiple packets.¶

Each frame begins with a Frame Type, indicating its type, followed byadditional type-dependent fields:¶

Frame {  Frame Type (i),  Type-Dependent Fields (..),}

Table 3 lists and summarizes information about each frame type that isdefined in this specification. A description of this summary is included afterthe table.¶

The format and semantics of each frame type are explained in more detail inSection 19. The remainder of this section provides a summary ofimportant and general information.¶

The Frame Type in ACK, STREAM, MAX_STREAMS, STREAMS_BLOCKED, andCONNECTION_CLOSE frames is used to carry other frame-specific flags. For allother frames, the Frame Type field simply identifies the frame.¶

The "Pkts" column inTable 3 lists the types of packets that each frametype could appear in, indicated by the following characters:¶

I:

Initial (Section 17.2.2)¶

H:

Handshake (Section 17.2.4)¶

0:

0-RTT (Section 17.2.3)¶

1:

1-RTT (Section 17.3.1)¶

ih:

Only a CONNECTION_CLOSE frame of type 0x1c can appear in Initial or Handshakepackets.¶

For more detail about these restrictions, seeSection 12.5. Notethat all frames can appear in 1-RTT packets. An endpoint MUST treat receipt ofa frame in a packet type that is not permitted as a connection error of typePROTOCOL_VIOLATION.¶

The "Spec" column inTable 3 summarizes any special rules governing theprocessing or generation of the frame type, as indicated by the followingcharacters:¶

N:

Packets containing only frames with this marking are not ack-eliciting; seeSection 13.2.¶

C:

Packets containing only frames with this marking do not count toward bytesin flight for congestion control purposes; see[QUIC-RECOVERY].¶

P:

Packets containing only frames with this marking can be used to probe newnetwork paths during connection migration; seeSection 9.1.¶

F:

The content of frames with this marking are flow controlled; seeSection 4.¶

The "Pkts" and "Spec" columns inTable 3 do not form part of the IANAregistry; seeSection 22.4.¶

An endpoint MUST treat the receipt of a frame of unknown type as a connectionerror of type FRAME_ENCODING_ERROR.¶

All frames are idempotent in this version of QUIC. That is, a valid frame doesnot cause undesirable side effects or errors when received more than once.¶

The Frame Type field uses a variable-length integer encoding (seeSection 16) with one exception. To ensure simple and efficientimplementations of frame parsing, a frame type MUST use the shortest possibleencoding. For frame types defined in this document, this means a single-byteencoding, even though it is possible to encode these values as a two-, four-or eight-byte variable-length integer. For instance, though 0x4001 isa legitimate two-byte encoding for a variable-length integer with a valueof 1, PING frames are always encoded as a single byte with the value 0x01.This rule applies to all current and future QUIC frame types. An endpointMAY treat the receipt of a frame type that uses a longer encoding thannecessary as a connection error of type PROTOCOL_VIOLATION.¶

12.5.Frames and Number Spaces

Some frames are prohibited in different packet number spaces. The rules heregeneralize those of TLS, in that frames associated with establishing theconnection can usually appear in packets in any packet number space, whereasthose associated with transferring data can only appear in the applicationdata packet number space:¶

• PADDING, PING, and CRYPTO frames MAY appear in any packet number space.¶
• CONNECTION_CLOSE frames signaling errors at the QUIC layer (type 0x1c) MAYappear in any packet number space. CONNECTION_CLOSE frames signalingapplication errors (type 0x1d) MUST only appear in the application data packetnumber space.¶
• ACK frames MAY appear in any packet number space, but can only acknowledgepackets that appeared in that packet number space. However, as noted below,0-RTT packets cannot contain ACK frames.¶
• All other frame types MUST only be sent in the application data packet numberspace.¶

Note that it is not possible to send the following frames in 0-RTT packets forvarious reasons: ACK, CRYPTO, HANDSHAKE_DONE, NEW_TOKEN, PATH_RESPONSE, andRETIRE_CONNECTION_ID. A server MAY treat receipt of these frames in 0-RTTpackets as a connection error of type PROTOCOL_VIOLATION.¶

13.1.Packet Processing

A packet MUST NOT be acknowledged until packet protection has been successfullyremoved and all frames contained in the packet have been processed. For STREAMframes, this means the data has been enqueued in preparation to be received bythe application protocol, but it does not require that data is delivered andconsumed.¶

Once the packet has been fully processed, a receiver acknowledges receipt bysending one or more ACK frames containing the packet number of the receivedpacket.¶

An endpoint SHOULD treat receipt of an acknowledgment for a packet it did notsend as a connection error of type PROTOCOL_VIOLATION, if it is able to detectthe condition.¶

13.2.Generating Acknowledgements

Endpoints acknowledge all packets they receive and process. However, onlyack-eliciting packets cause an ACK frame to be sent within the maximum ackdelay. Packets that are not ack-eliciting are only acknowledged when an ACKframe is sent for other reasons.¶

When sending a packet for any reason, an endpoint SHOULD attempt to include anACK frame if one has not been sent recently. Doing so helps with timely lossdetection at the peer.¶

In general, frequent feedback from a receiver improves loss and congestionresponse, but this has to be balanced against excessive load generated by areceiver that sends an ACK frame in response to every ack-eliciting packet. Theguidance offered below seeks to strike this balance.¶

13.3.Retransmission of Information

QUIC packets that are determined to be lost are not retransmitted whole. Thesame applies to the frames that are contained within lost packets. Instead, theinformation that might be carried in frames is sent again in new frames asneeded.¶

New frames and packets are used to carry information that is determined to havebeen lost. In general, information is sent again when a packet containing thatinformation is determined to be lost and sending ceases when a packetcontaining that information is acknowledged.¶

• Data sent in CRYPTO frames is retransmitted according to the rules in[QUIC-RECOVERY], until all data has been acknowledged. Data in CRYPTOframes for Initial and Handshake packets is discarded when keys for thecorresponding packet number space are discarded.¶
• Application data sent in STREAM frames is retransmitted in new STREAM framesunless the endpoint has sent a RESET_STREAM for that stream. Once an endpointsends a RESET_STREAM frame, no further STREAM frames are needed.¶
• ACK frames carry the most recent set of acknowledgements and theacknowledgement delay from the largest acknowledged packet, as described inSection 13.2.1. Delaying the transmission of packets containingACK frames or resending old ACK frames can cause the peer to generate aninflated RTT sample or unnecessarily disable ECN.¶
• Cancellation of stream transmission, as carried in a RESET_STREAM frame, issent until acknowledged or until all stream data is acknowledged by the peer(that is, either the "Reset Recvd" or "Data Recvd" state is reached on thesending part of the stream). The content of a RESET_STREAM frame MUST NOTchange when it is sent again.¶
• Similarly, a request to cancel stream transmission, as encoded in aSTOP_SENDING frame, is sent until the receiving part of the stream enterseither a "Data Recvd" or "Reset Recvd" state; seeSection 3.5.¶
• Connection close signals, including packets that contain CONNECTION_CLOSEframes, are not sent again when packet loss is detected, but as described inSection 10.¶
• The current connection maximum data is sent in MAX_DATA frames. An updatedvalue is sent in a MAX_DATA frame if the packet containing the most recentlysent MAX_DATA frame is declared lost, or when the endpoint decides to updatethe limit. Care is necessary to avoid sending this frame too often as thelimit can increase frequently and cause an unnecessarily large number ofMAX_DATA frames to be sent; seeSection 4.2.¶
• The current maximum stream data offset is sent in MAX_STREAM_DATA frames.Like MAX_DATA, an updated value is sent when the packet containing the mostrecent MAX_STREAM_DATA frame for a stream is lost or when the limit isupdated, with care taken to prevent the frame from being sent too often. Anendpoint SHOULD stop sending MAX_STREAM_DATA frames when the receiving part ofthe stream enters a "Size Known" state.¶
• The limit on streams of a given type is sent in MAX_STREAMS frames. LikeMAX_DATA, an updated value is sent when a packet containing the most recentMAX_STREAMS for a stream type frame is declared lost or when the limit isupdated, with care taken to prevent the frame from being sent too often.¶
• Blocked signals are carried in DATA_BLOCKED, STREAM_DATA_BLOCKED, andSTREAMS_BLOCKED frames. DATA_BLOCKED frames have connection scope,STREAM_DATA_BLOCKED frames have stream scope, and STREAMS_BLOCKED frames arescoped to a specific stream type. New frames are sent if packets containingthe most recent frame for a scope is lost, but only while the endpoint isblocked on the corresponding limit. These frames always include the limit thatis causing blocking at the time that they are transmitted.¶
• A liveness or path validation check using PATH_CHALLENGE frames is sentperiodically until a matching PATH_RESPONSE frame is received or until thereis no remaining need for liveness or path validation checking. PATH_CHALLENGEframes include a different payload each time they are sent.¶
• Responses to path validation using PATH_RESPONSE frames are sent just once.The peer is expected to send more PATH_CHALLENGE frames as necessary to evokeadditional PATH_RESPONSE frames.¶
• New connection IDs are sent in NEW_CONNECTION_ID frames and retransmitted ifthe packet containing them is lost. Retransmissions of this frame carry thesame sequence number value. Likewise, retired connection IDs are sent inRETIRE_CONNECTION_ID frames and retransmitted if the packet containing them islost.¶
• NEW_TOKEN frames are retransmitted if the packet containing them is lost. Nospecial support is made for detecting reordered and duplicated NEW_TOKENframes other than a direct comparison of the frame contents.¶
• PING and PADDING frames contain no information, so lost PING or PADDING framesdo not require repair.¶
• The HANDSHAKE_DONE frame MUST be retransmitted until it is acknowledged.¶

Endpoints SHOULD prioritize retransmission of data over sending new data, unlesspriorities specified by the application indicate otherwise; seeSection 2.3.¶

Even though a sender is encouraged to assemble frames containing up-to-dateinformation every time it sends a packet, it is not forbidden to retransmitcopies of frames from lost packets. A sender that retransmits copies of framesneeds to handle decreases in available payload size due to change in packetnumber length, connection ID length, and path MTU. A receiver MUST acceptpackets containing an outdated frame, such as a MAX_DATA frame carrying asmaller maximum data than one found in an older packet.¶

A sender SHOULD avoid retransmitting information from packets once they areacknowledged. This includes packets that are acknowledged after being declaredlost, which can happen in the presence of network reordering. Doing so requiressenders to retain information about packets after they are declared lost. Asender can discard this information after a period of time elapses thatadequately allows for reordering, such as a PTO (Section 6.2 of[QUIC-RECOVERY]), or on other events, such as reaching a memory limit.¶

Upon detecting losses, a sender MUST take appropriate congestion control action.The details of loss detection and congestion control are described in[QUIC-RECOVERY].¶

13.4.Explicit Congestion Notification

QUIC endpoints can use Explicit Congestion Notification (ECN)[RFC3168] todetect and respond to network congestion. ECN allows an endpoint to set an ECTcodepoint in the ECN field of an IP packet. A network node can then indicatecongestion by setting the CE codepoint in the ECN field instead of dropping thepacket[RFC8087]. Endpoints react to reported congestion by reducing theirsending rate in response, as described in[QUIC-RECOVERY].¶

To enable ECN, a sending QUIC endpoint first determines whether a path supportsECN marking and whether the peer reports the ECN values in received IP headers;seeSection 13.4.2.¶

14.1.Initial Datagram Size

A client MUST expand the payload of all UDP datagrams carrying Initial packetsto at least the smallest allowed maximum datagram size of 1200 bytes by addingPADDING frames to the Initial packet or by coalescing the Initial packet; seeSection 12.2. Similarly, a server MUST expand the payload of all UDPdatagrams carrying ack-eliciting Initial packets to at least the smallestallowed maximum datagram size of 1200 bytes. Sending UDP datagrams of this sizeensures that the network path supports a reasonable Path Maximum TransmissionUnit (PMTU), in both directions. Additionally, a client that expands Initialpackets helps reduce the amplitude of amplification attacks caused by serverresponses toward an unverified client address; seeSection 8.¶

Datagrams containing Initial packets MAY exceed 1200 bytes if the senderbelieves that the network path and peer both support the size that it chooses.¶

A server MUST discard an Initial packet that is carried in a UDP datagram with apayload that is smaller than the smallest allowed maximum datagram size of 1200bytes. A server MAY also immediately close the connection by sending aCONNECTION_CLOSE frame with an error code of PROTOCOL_VIOLATION; seeSection 10.2.3.¶

The server MUST also limit the number of bytes it sends before validating theaddress of the client; seeSection 8.¶

14.2.Path Maximum Transmission Unit

The Path Maximum Transmission Unit (PMTU) is the maximum size of the entire IPpacket including the IP header, UDP header, and UDP payload. The UDP payloadincludes one or more QUIC packet headers and protected payloads. The PMTU candepend on path characteristics, and can therefore change over time. The largestUDP payload an endpoint sends at any given time is referred to as the endpoint'smaximum datagram size.¶

An endpoint SHOULD use DPLPMTUD (Section 14.3) or PMTUD (Section 14.2.1) to determinewhether the path to a destination will support a desired maximum datagram sizewithout fragmentation. In the absence of these mechanisms, QUIC endpointsSHOULD NOT send datagrams larger than the smallest allowed maximum datagramsize.¶

Both DPLPMTUD and PMTUD send datagrams that are larger than the current maximumdatagram size, referred to as PMTU probes. All QUIC packets that are not sentin a PMTU probe SHOULD be sized to fit within the maximum datagram size to avoidthe datagram being fragmented or dropped ([RFC8085]).¶

If a QUIC endpoint determines that the PMTU between any pair of local and remoteIP addresses has fallen below the smallest allowed maximum datagram size of 1200bytes, it MUST immediately cease sending QUIC packets, except for those in PMTUprobes or those containing CONNECTION_CLOSE frames, on the affected path. Anendpoint MAY terminate the connection if an alternative path cannot be found.¶

Each pair of local and remote addresses could have a different PMTU. QUICimplementations that implement any kind of PMTU discovery therefore SHOULDmaintain a maximum datagram size for each combination of local and remote IPaddresses.¶

A QUIC implementation MAY be more conservative in computing the maximum datagramsize to allow for unknown tunnel overheads or IP header options/extensions.¶

14.3.Datagram Packetization Layer PMTU Discovery

Datagram Packetization Layer PMTU Discovery (DPLPMTUD;[DPLPMTUD])relies on tracking loss or acknowledgment of QUIC packets that are carried inPMTU probes. PMTU probes for DPLPMTUD that use the PADDING frame implement"Probing using padding data", as defined in Section 4.1 of[DPLPMTUD].¶

Endpoints SHOULD set the initial value of BASE_PLPMTU (Section 5.1 of[DPLPMTUD]) to be consistent with QUIC's smallest allowed maximum datagramsize. The MIN_PLPMTU is the same as the BASE_PLPMTU.¶

QUIC endpoints implementing DPLPMTUD maintain a DPLPMTUD Maximum Packet Size(MPS, Section 4.4 of[DPLPMTUD]) for each combination of local and remote IPaddresses. This corresponds to the maximum datagram size.¶

14.4.Sending QUIC PMTU Probes

PMTU probes are ack-eliciting packets.¶

Endpoints could limit the content of PMTU probes to PING and PADDING frames,since packets that are larger than the current maximum datagram size are morelikely to be dropped by the network. Loss of a QUIC packet that is carried in aPMTU probe is therefore not a reliable indication of congestion and SHOULD NOTtrigger a congestion control reaction; see Section 3, Bullet 7 of[DPLPMTUD].However, PMTU probes consume congestion window, which could delay subsequenttransmission by an application.¶

17.1.Packet Number Encoding and Decoding

Packet numbers are integers in the range 0 to 2^62-1 (Section 12.3). Whenpresent in long or short packet headers, they are encoded in 1 to 4 bytes. Thenumber of bits required to represent the packet number is reduced by includingonly the least significant bits of the packet number.¶

The encoded packet number is protected as described in Section 5.4 of[QUIC-TLS].¶

Prior to receiving an acknowledgement for a packet number space, the full packetnumber MUST be included; it is not to be truncated as described below.¶

After an acknowledgement is received for a packet number space, the sender MUSTuse a packet number size able to represent more than twice as large a range thanthe difference between the largest acknowledged packet and packet number beingsent. A peer receiving the packet will then correctly decode the packet number,unless the packet is delayed in transit such that it arrives after manyhigher-numbered packets have been received. An endpoint SHOULD use a largeenough packet number encoding to allow the packet number to be recovered even ifthe packet arrives after packets that are sent afterwards.¶

As a result, the size of the packet number encoding is at least one bit morethan the base-2 logarithm of the number of contiguous unacknowledged packetnumbers, including the new packet. Pseudocode and examples for packet numberencoding can be found inAppendix A.2.¶

At a receiver, protection of the packet number is removed prior to recoveringthe full packet number. The full packet number is then reconstructed based onthe number of significant bits present, the value of those bits, and the largestpacket number received on a successfully authenticated packet. Recovering thefull packet number is necessary to successfully remove packet protection.¶

Once header protection is removed, the packet number is decoded by finding thepacket number value that is closest to the next expected packet. The nextexpected packet is the highest received packet number plus one. Pseudocode andan example for packet number decoding can be found inAppendix A.3.¶

17.2.Long Header Packets

Long Header Packet {  Header Form (1) = 1,  Fixed Bit (1) = 1,  Long Packet Type (2),  Type-Specific Bits (4),  Version (32),  Destination Connection ID Length (8),  Destination Connection ID (0..160),  Source Connection ID Length (8),  Source Connection ID (0..160),  Type-Specific Payload (..),}

Long headers are used for packets that are sent prior to the establishmentof 1-RTT keys. Once 1-RTT keys are available,a sender switches to sending packets using the short header(Section 17.3). The long form allows for special packets - such as theVersion Negotiation packet - to be represented in this uniform fixed-lengthpacket format. Packets that use the long header contain the following fields:¶

Header Form:

The most significant bit (0x80) of byte 0 (the first byte) is set to 1 forlong headers.¶

Fixed Bit:

The next bit (0x40) of byte 0 is set to 1. Packets containing a zero valuefor this bit are not valid packets in this version and MUST be discarded.¶

Long Packet Type:

The next two bits (those with a mask of 0x30) of byte 0 contain a packet type.Packet types are listed inTable 5.¶

Type-Specific Bits:

The lower four bits (those with a mask of 0x0f) of byte 0 are type-specific.¶

Version:

The QUIC Version is a 32-bit field that follows the first byte. This fieldindicates the version of QUIC that is in use and determines how the rest ofthe protocol fields are interpreted.¶

Destination Connection ID Length:

The byte following the version contains the length in bytes of the DestinationConnection ID field that follows it. This length is encoded as an 8-bitunsigned integer. In QUIC version 1, this value MUST NOT exceed 20.Endpoints that receive a version 1 long header with a value larger than 20MUST drop the packet. In order to properly form a Version Negotiation packet,servers SHOULD be able to read longer connection IDs from other QUIC versions.¶

Destination Connection ID:

The Destination Connection ID field follows the Destination Connection IDLength field, which indicates the length of this field.Section 7.2 describes the use of this field in more detail.¶

Source Connection ID Length:

The byte following the Destination Connection ID contains the length in bytesof the Source Connection ID field that follows it. This length is encoded asa 8-bit unsigned integer. In QUIC version 1, this value MUST NOT exceed 20bytes. Endpoints that receive a version 1 long header with a value largerthan 20 MUST drop the packet. In order to properly form a Version Negotiationpacket, servers SHOULD be able to read longer connection IDs from other QUICversions.¶

Source Connection ID:

The Source Connection ID field follows the Source Connection ID Length field,which indicates the length of this field.Section 7.2describes the use of this field in more detail.¶

Type-Specific Payload:

The remainder of the packet, if any, is type-specific.¶

In this version of QUIC, the following packet types with the long header aredefined:¶

The header form bit, Destination and Source Connection ID lengths, Destinationand Source Connection ID fields, and Version fields of a long header packet areversion-independent. The other fields in the first byte are version-specific.See[QUIC-INVARIANTS] for details on how packets from different versions ofQUIC are interpreted.¶

The interpretation of the fields and the payload are specific to a version andpacket type. While type-specific semantics for this version are described inthe following sections, several long-header packets in this version of QUICcontain these additional fields:¶

Reserved Bits:

Two bits (those with a mask of 0x0c) of byte 0 are reserved across multiplepacket types. These bits are protected using header protection; see Section5.4 of[QUIC-TLS]. The value included prior to protection MUST be set to 0.An endpoint MUST treat receipt of a packet that has a non-zero value for thesebits after removing both packet and header protection as a connection errorof type PROTOCOL_VIOLATION. Discarding such a packet after only removingheader protection can expose the endpoint to attacks; see Section 9.5 of[QUIC-TLS].¶

Packet Number Length:

In packet types that contain a Packet Number field, the least significant twobits (those with a mask of 0x03) of byte 0 contain the length of the packetnumber, encoded as an unsigned, two-bit integer that is one less than thelength of the packet number field in bytes. That is, the length of the packetnumber field is the value of this field, plus one. These bits are protectedusing header protection; see Section 5.4 of[QUIC-TLS].¶

Length:

The length of the remainder of the packet (that is, the Packet Number andPayload fields) in bytes, encoded as a variable-length integer(Section 16).¶

Packet Number:

The packet number field is 1 to 4 bytes long. The packet number is protectedusing header protection; see Section 5.4 of[QUIC-TLS]. The length of thepacket number field is encoded in the Packet Number Length bits of byte 0; seeabove.¶

Version Negotiation Packet {  Header Form (1) = 1,  Unused (7),  Version (32) = 0,  Destination Connection ID Length (8),  Destination Connection ID (0..2040),  Source Connection ID Length (8),  Source Connection ID (0..2040),  Supported Version (32) ...,}

Initial Packet {  Header Form (1) = 1,  Fixed Bit (1) = 1,  Long Packet Type (2) = 0,  Reserved Bits (2),  Packet Number Length (2),  Version (32),  Destination Connection ID Length (8),  Destination Connection ID (0..160),  Source Connection ID Length (8),  Source Connection ID (0..160),  Token Length (i),  Token (..),  Length (i),  Packet Number (8..32),  Packet Payload (8..),}

0-RTT Packet {  Header Form (1) = 1,  Fixed Bit (1) = 1,  Long Packet Type (2) = 1,  Reserved Bits (2),  Packet Number Length (2),  Version (32),  Destination Connection ID Length (8),  Destination Connection ID (0..160),  Source Connection ID Length (8),  Source Connection ID (0..160),  Length (i),  Packet Number (8..32),  Packet Payload (8..),}

Handshake Packet {  Header Form (1) = 1,  Fixed Bit (1) = 1,  Long Packet Type (2) = 2,  Reserved Bits (2),  Packet Number Length (2),  Version (32),  Destination Connection ID Length (8),  Destination Connection ID (0..160),  Source Connection ID Length (8),  Source Connection ID (0..160),  Length (i),  Packet Number (8..32),  Packet Payload (8..),}

Retry Packet {  Header Form (1) = 1,  Fixed Bit (1) = 1,  Long Packet Type (2) = 3,  Unused (4),  Version (32),  Destination Connection ID Length (8),  Destination Connection ID (0..160),  Source Connection ID Length (8),  Source Connection ID (0..160),  Retry Token (..),  Retry Integrity Tag (128),}

17.3.Short Header Packets

This version of QUIC defines a single packet type that uses the short packetheader.¶

1-RTT Packet {  Header Form (1) = 0,  Fixed Bit (1) = 1,  Spin Bit (1),  Reserved Bits (2),  Key Phase (1),  Packet Number Length (2),  Destination Connection ID (0..160),  Packet Number (8..32),  Packet Payload (8..),}

17.4.Latency Spin Bit

The latency spin bit, which is defined for 1-RTT packets (Section 17.3.1),enables passive latency monitoring from observation points on the network paththroughout the duration of a connection. The server reflects the spin valuereceived, while the client 'spins' it after one RTT. On-path observers canmeasure the time between two spin bit toggle events to estimate the end-to-endRTT of a connection.¶

The spin bit is only present in 1-RTT packets, since it is possible to measurethe initial RTT of a connection by observing the handshake. Therefore, the spinbit is available after version negotiation and connection establishment arecompleted. On-path measurement and use of the latency spin bit is furtherdiscussed in[QUIC-MANAGEABILITY].¶

The spin bit is an OPTIONAL feature of this version of QUIC. A QUIC stack thatchooses to support the spin bit MUST implement it as specified in this section.¶

Each endpoint unilaterally decides if the spin bit is enabled or disabled for aconnection. Implementations MUST allow administrators of clients and serversto disable the spin bit either globally or on a per-connection basis. Even whenthe spin bit is not disabled by the administrator, endpoints MUST disable theiruse of the spin bit for a random selection of at least one in every 16 networkpaths, or for one in every 16 connection IDs. As each endpoint disables thespin bit independently, this ensures that the spin bit signal is disabled onapproximately one in eight network paths.¶

When the spin bit is disabled, endpoints MAY set the spin bit to any value, andMUST ignore any incoming value. It is RECOMMENDED that endpoints set the spinbit to a random value either chosen independently for each packet or chosenindependently for each connection ID.¶

If the spin bit is enabled for the connection, the endpoint maintains a spinvalue for each network path and sets the spin bit in the packet header to thecurrently stored value when a 1-RTT packet is sent on that path. The spin valueis initialized to 0 in the endpoint for each network path. Each endpoint alsoremembers the highest packet number seen from its peer on each path.¶

When a server receives a 1-RTT packet that increases the highest packet numberseen by the server from the client on a given network path, it sets the spinvalue for that path to be equal to the spin bit in the received packet.¶

When a client receives a 1-RTT packet that increases the highest packet numberseen by the client from the server on a given network path, it sets the spinvalue for that path to the inverse of the spin bit in the received packet.¶

An endpoint resets the spin value for a network path to zero when changing theconnection ID being used on that network path.¶

18.1.Reserved Transport Parameters

Transport parameters with an identifier of the form31 * N + 27 for integervalues of N are reserved to exercise the requirement that unknown transportparameters be ignored. These transport parameters have no semantics, and cancarry arbitrary values.¶

18.2.Transport Parameter Definitions

This section details the transport parameters defined in this document.¶

Many transport parameters listed here have integer values. Those transportparameters that are identified as integers use a variable-length integerencoding; seeSection 16. Transport parameters have a default valueof 0 if the transport parameter is absent unless otherwise stated.¶

The following transport parameters are defined:¶

original_destination_connection_id (0x00):

The value of the Destination Connection ID field from the first Initial packetsent by the client; seeSection 7.3. This transport parameter is only sentby a server.¶

max_idle_timeout (0x01):

The max idle timeout is a value in milliseconds that is encoded as an integer;see (Section 10.1). Idle timeout is disabled when both endpoints omitthis transport parameter or specify a value of 0.¶

stateless_reset_token (0x02):

A stateless reset token is used in verifying a stateless reset; seeSection 10.3. This parameter is a sequence of 16 bytes. Thistransport parameter MUST NOT be sent by a client, but MAY be sent by a server.A server that does not send this transport parameter cannot use statelessreset (Section 10.3) for the connection ID negotiated during thehandshake.¶

max_udp_payload_size (0x03):

The maximum UDP payload size parameter is an integer value that limits thesize of UDP payloads that the endpoint is willing to receive. UDP datagramswith payloads larger than this limit are not likely to be processed by thereceiver.¶

The default for this parameter is the maximum permitted UDP payload of 65527.Values below 1200 are invalid.¶

This limit does act as an additional constraint on datagram size in the sameway as the path MTU, but it is a property of the endpoint and not the path;seeSection 14. It is expected that this is the space an endpointdedicates to holding incoming packets.¶

initial_max_data (0x04):

The initial maximum data parameter is an integer value that contains theinitial value for the maximum amount of data that can be sent on theconnection. This is equivalent to sending a MAX_DATA (Section 19.9) forthe connection immediately after completing the handshake.¶

initial_max_stream_data_bidi_local (0x05):

This parameter is an integer value specifying the initial flow control limitfor locally-initiated bidirectional streams. This limit applies to newlycreated bidirectional streams opened by the endpoint that sends the transportparameter. In client transport parameters, this applies to streams with anidentifier with the least significant two bits set to 0x0; in server transportparameters, this applies to streams with the least significant two bits set to0x1.¶

initial_max_stream_data_bidi_remote (0x06):

This parameter is an integer value specifying the initial flow control limitfor peer-initiated bidirectional streams. This limit applies to newly createdbidirectional streams opened by the endpoint that receives the transportparameter. In client transport parameters, this applies to streams with anidentifier with the least significant two bits set to 0x1; in server transportparameters, this applies to streams with the least significant two bits set to0x0.¶

initial_max_stream_data_uni (0x07):

This parameter is an integer value specifying the initial flow control limitfor unidirectional streams. This limit applies to newly createdunidirectional streams opened by the endpoint that receives the transportparameter. In client transport parameters, this applies to streams with anidentifier with the least significant two bits set to 0x3; in server transportparameters, this applies to streams with the least significant two bits set to0x2.¶

initial_max_streams_bidi (0x08):

The initial maximum bidirectional streams parameter is an integer value thatcontains the initial maximum number of bidirectional streams the peer ispermitted to initiate. If this parameter is absent or zero, the peer cannotopen bidirectional streams until a MAX_STREAMS frame is sent. Setting thisparameter is equivalent to sending a MAX_STREAMS (Section 19.11) ofthe corresponding type with the same value.¶

initial_max_streams_uni (0x09):

The initial maximum unidirectional streams parameter is an integer value thatcontains the initial maximum number of unidirectional streams the peer ispermitted to initiate. If this parameter is absent or zero, the peer cannotopen unidirectional streams until a MAX_STREAMS frame is sent. Setting thisparameter is equivalent to sending a MAX_STREAMS (Section 19.11) ofthe corresponding type with the same value.¶

ack_delay_exponent (0x0a):

The acknowledgement delay exponent is an integer value indicating an exponentused to decode the ACK Delay field in the ACK frame (Section 19.3). If thisvalue is absent, a default value of 3 is assumed (indicating a multiplier of8). Values above 20 are invalid.¶

max_ack_delay (0x0b):

The maximum acknowledgement delay is an integer value indicating the maximumamount of time in milliseconds by which the endpoint will delay sendingacknowledgments. This value SHOULD include the receiver's expected delays inalarms firing. For example, if a receiver sets a timer for 5ms and alarmscommonly fire up to 1ms late, then it should send a max_ack_delay of 6ms. Ifthis value is absent, a default of 25 milliseconds is assumed. Values of 2^14or greater are invalid.¶

disable_active_migration (0x0c):

The disable active migration transport parameter is included if the endpointdoes not support active connection migration (Section 9) on the addressbeing used during the handshake. When a peer sets this transport parameter,an endpoint MUST NOT use a new local address when sending to the address thatthe peer used during the handshake. This transport parameter does notprohibit connection migration after a client has acted on a preferred_addresstransport parameter. This parameter is a zero-length value.¶

preferred_address (0x0d):

The server's preferred address is used to effect a change in server address atthe end of the handshake, as described inSection 9.6. Thistransport parameter is only sent by a server. Servers MAY choose to only senda preferred address of one address family by sending an all-zero address andport (0.0.0.0:0 or ::.0) for the other family. IP addresses are encoded innetwork byte order.¶

The preferred_address transport parameter contains an address and port forboth IP version 4 and 6. The four-byte IPv4 Address field is followed by theassociated two-byte IPv4 Port field. This is followed by a 16-byte IPv6Address field and two-byte IPv6 Port field. After address and port pairs,a Connection ID Length field describes the length of the following ConnectionID field. Finally, a 16-byte Stateless Reset Token field includes thestateless reset token associated with the connection ID. The format of thistransport parameter is shown inFigure 22.¶

The Connection ID field and the Stateless Reset Token field contain analternative connection ID that has a sequence number of 1; seeSection 5.1.1.Having these values sent alongside the preferred address ensures that therewill be at least one unused active connection ID when the client initiatesmigration to the preferred address.¶

The Connection ID and Stateless Reset Token fields of a preferred address areidentical in syntax and semantics to the corresponding fields of aNEW_CONNECTION_ID frame (Section 19.15). A server that choosesa zero-length connection ID MUST NOT provide a preferred address. Similarly,a server MUST NOT include a zero-length connection ID in this transportparameter. A client MUST treat violation of these requirements as aconnection error of type TRANSPORT_PARAMETER_ERROR.¶

Preferred Address {  IPv4 Address (32),  IPv4 Port (16),  IPv6 Address (128),  IPv6 Port (16),  Connection ID Length (8),  Connection ID (..),  Stateless Reset Token (128),}

active_connection_id_limit (0x0e):

The active connection ID limit is an integer value specifying themaximum number of connection IDs from the peer that an endpoint is willingto store. This value includes the connection ID received during the handshake,that received in the preferred_address transport parameter, and those receivedin NEW_CONNECTION_ID frames.The value of the active_connection_id_limit parameter MUST be at least 2.An endpoint that receives a value less than 2 MUST close the connectionwith an error of type TRANSPORT_PARAMETER_ERROR.If this transport parameter is absent, a default of 2 is assumed. If anendpoint issues a zero-length connection ID, it will never send aNEW_CONNECTION_ID frame and therefore ignores the active_connection_id_limitvalue received from its peer.¶

initial_source_connection_id (0x0f):

The value that the endpoint included in the Source Connection ID field of thefirst Initial packet it sends for the connection; seeSection 7.3.¶

retry_source_connection_id (0x10):

The value that the server included in the Source Connection ID field of aRetry packet; seeSection 7.3. This transport parameter is only sent by aserver.¶

If present, transport parameters that set initial flow control limits(initial_max_stream_data_bidi_local, initial_max_stream_data_bidi_remote, andinitial_max_stream_data_uni) are equivalent to sending a MAX_STREAM_DATA frame(Section 19.10) on every stream of the corresponding typeimmediately after opening. If the transport parameter is absent, streams ofthat type start with a flow control limit of 0.¶

A client MUST NOT include any server-only transport parameter:original_destination_connection_id, preferred_address,retry_source_connection_id, or stateless_reset_token. A server MUST treatreceipt of any of these transport parameters as a connection error of typeTRANSPORT_PARAMETER_ERROR.¶

19.1.PADDING Frames

A PADDING frame (type=0x00) has no semantic value. PADDING frames can be usedto increase the size of a packet. Padding can be used to increase an initialclient packet to the minimum required size, or to provide protection againsttraffic analysis for protected packets.¶

PADDING frames are formatted as shown inFigure 23, which shows thatPADDING frames have no content. That is, a PADDING frame consists of the singlebyte that identifies the frame as a PADDING frame.¶

PADDING Frame {  Type (i) = 0x00,}

19.2.PING Frames

Endpoints can use PING frames (type=0x01) to verify that their peers are stillalive or to check reachability to the peer.¶

PING frames are formatted as shown inFigure 24, which shows that PINGframes have no content.¶

PING Frame {  Type (i) = 0x01,}

The receiver of a PING frame simply needs to acknowledge the packet containingthis frame.¶

The PING frame can be used to keep a connection alive when an application orapplication protocol wishes to prevent the connection from timing out; seeSection 10.1.2.¶

19.3.ACK Frames

Receivers send ACK frames (types 0x02 and 0x03) to inform senders of packetsthey have received and processed. The ACK frame contains one or more ACK Ranges.ACK Ranges identify acknowledged packets. If the frame type is 0x03, ACK framesalso contain the sum of QUIC packets with associated ECN marks received on theconnection up until this point. QUIC implementations MUST properly handle bothtypes and, if they have enabled ECN for packets they send, they SHOULD use theinformation in the ECN section to manage their congestion state.¶

QUIC acknowledgements are irrevocable. Once acknowledged, a packet remainsacknowledged, even if it does not appear in a future ACK frame. This is unlikereneging for TCP SACKs ([RFC2018]).¶

Packets from different packet number spaces can be identified using the samenumeric value. An acknowledgment for a packet needs to indicate both a packetnumber and a packet number space. This is accomplished by having each ACK frameonly acknowledge packet numbers in the same space as the packet in which theACK frame is contained.¶

Version Negotiation and Retry packets cannot be acknowledged because they do notcontain a packet number. Rather than relying on ACK frames, these packets areimplicitly acknowledged by the next Initial packet sent by the client.¶

ACK frames are formatted as shown inFigure 25.¶

ACK Frame {  Type (i) = 0x02..0x03,  Largest Acknowledged (i),  ACK Delay (i),  ACK Range Count (i),  First ACK Range (i),  ACK Range (..) ...,  [ECN Counts (..)],}

ACK frames contain the following fields:¶

Largest Acknowledged:

A variable-length integer representing the largest packet number the peer isacknowledging; this is usually the largest packet number that the peer hasreceived prior to generating the ACK frame. Unlike the packet number in theQUIC long or short header, the value in an ACK frame is not truncated.¶

ACK Delay:

A variable-length integer encoding the acknowledgement delay inmicroseconds; seeSection 13.2.5. It is decoded by multiplying thevalue in the field by 2 to the power of the ack_delay_exponent transportparameter sent by the sender of the ACK frame; seeSection 18.2. Compared to simply expressingthe delay as an integer, this encoding allows for a larger range ofvalues within the same number of bytes, at the cost of lower resolution.¶

ACK Range Count:

A variable-length integer specifying the number of Gap and ACK Range fields inthe frame.¶

First ACK Range:

A variable-length integer indicating the number of contiguous packetspreceding the Largest Acknowledged that are being acknowledged. The First ACKRange is encoded as an ACK Range; seeSection 19.3.1 starting from theLargest Acknowledged. That is, the smallest packet acknowledged in therange is determined by subtracting the First ACK Range value from the LargestAcknowledged.¶

ACK Ranges:

Contains additional ranges of packets that are alternately notacknowledged (Gap) and acknowledged (ACK Range); seeSection 19.3.1.¶

ECN Counts:

The three ECN Counts; seeSection 19.3.2.¶

ACK Range {  Gap (i),  ACK Range Length (i),}

   smallest = largest - ack_range

   largest = previous_smallest - gap - 2

ECN Counts {  ECT0 Count (i),  ECT1 Count (i),  ECN-CE Count (i),}

19.4.RESET_STREAM Frames

An endpoint uses a RESET_STREAM frame (type=0x04) to abruptly terminate thesending part of a stream.¶

After sending a RESET_STREAM, an endpoint ceases transmission and retransmissionof STREAM frames on the identified stream. A receiver of RESET_STREAM candiscard any data that it already received on that stream.¶

An endpoint that receives a RESET_STREAM frame for a send-only stream MUSTterminate the connection with error STREAM_STATE_ERROR.¶

RESET_STREAM frames are formatted as shown inFigure 28.¶

RESET_STREAM Frame {  Type (i) = 0x04,  Stream ID (i),  Application Protocol Error Code (i),  Final Size (i),}

RESET_STREAM frames contain the following fields:¶

Stream ID:

A variable-length integer encoding of the Stream ID of the stream beingterminated.¶

Application Protocol Error Code:

A variable-length integer containing the application protocol errorcode (seeSection 20.2) that indicates why the stream is beingclosed.¶

Final Size:

A variable-length integer indicating the final size of the stream by theRESET_STREAM sender, in unit of bytes; seeSection 4.5.¶

19.5.STOP_SENDING Frames

An endpoint uses a STOP_SENDING frame (type=0x05) to communicate that incomingdata is being discarded on receipt at application request. STOP_SENDINGrequests that a peer cease transmission on a stream.¶

A STOP_SENDING frame can be sent for streams in the Recv or Size Known states;seeSection 3.1. Receiving a STOP_SENDING frame for alocally-initiated stream that has not yet been created MUST be treated as aconnection error of type STREAM_STATE_ERROR. An endpoint that receives aSTOP_SENDING frame for a receive-only stream MUST terminate the connection witherror STREAM_STATE_ERROR.¶

STOP_SENDING frames are formatted as shown inFigure 29.¶

STOP_SENDING Frame {  Type (i) = 0x05,  Stream ID (i),  Application Protocol Error Code (i),}

STOP_SENDING frames contain the following fields:¶

Stream ID:

A variable-length integer carrying the Stream ID of the stream being ignored.¶

Application Protocol Error Code:

A variable-length integer containing the application-specified reason thesender is ignoring the stream; seeSection 20.2.¶

19.6.CRYPTO Frames

A CRYPTO frame (type=0x06) is used to transmit cryptographic handshake messages.It can be sent in all packet types except 0-RTT. The CRYPTO frame offers thecryptographic protocol an in-order stream of bytes. CRYPTO frames arefunctionally identical to STREAM frames, except that they do not bear a streamidentifier; they are not flow controlled; and they do not carry markers foroptional offset, optional length, and the end of the stream.¶

CRYPTO frames are formatted as shown inFigure 30.¶

CRYPTO Frame {  Type (i) = 0x06,  Offset (i),  Length (i),  Crypto Data (..),}

CRYPTO frames contain the following fields:¶

Offset:

A variable-length integer specifying the byte offset in the stream for thedata in this CRYPTO frame.¶

Length:

A variable-length integer specifying the length of the Crypto Data field inthis CRYPTO frame.¶

Crypto Data:

The cryptographic message data.¶

There is a separate flow of cryptographic handshake data in each encryptionlevel, each of which starts at an offset of 0. This implies that each encryptionlevel is treated as a separate CRYPTO stream of data.¶

The largest offset delivered on a stream - the sum of the offset and datalength - cannot exceed 2^62-1. Receipt of a frame that exceeds this limit MUSTbe treated as a connection error of type FRAME_ENCODING_ERROR orCRYPTO_BUFFER_EXCEEDED.¶

Unlike STREAM frames, which include a Stream ID indicating to which stream thedata belongs, the CRYPTO frame carries data for a single stream per encryptionlevel. The stream does not have an explicit end, so CRYPTO frames do not have aFIN bit.¶

19.7.NEW_TOKEN Frames

A server sends a NEW_TOKEN frame (type=0x07) to provide the client with a tokento send in the header of an Initial packet for a future connection.¶

NEW_TOKEN frames are formatted as shown inFigure 31.¶

NEW_TOKEN Frame {  Type (i) = 0x07,  Token Length (i),  Token (..),}

NEW_TOKEN frames contain the following fields:¶

Token Length:

A variable-length integer specifying the length of the token in bytes.¶

Token:

An opaque blob that the client can use with a future Initial packet. The tokenMUST NOT be empty. A client MUST treat receipt of a NEW_TOKEN frame withan empty Token field as a connection error of type FRAME_ENCODING_ERROR.¶

A client might receive multiple NEW_TOKEN frames that contain the same tokenvalue if packets containing the frame are incorrectly determined to be lost.Clients are responsible for discarding duplicate values, which might be usedto link connection attempts; seeSection 8.1.3.¶

Clients MUST NOT send NEW_TOKEN frames. A server MUST treat receipt of aNEW_TOKEN frame as a connection error of type PROTOCOL_VIOLATION.¶

19.8.STREAM Frames

STREAM frames implicitly create a stream and carry stream data. The STREAMframe Type field takes the form 0b00001XXX (or the set of values from 0x08 to0x0f). The three low-order bits of the frame type determine the fields thatare present in the frame:¶

• The OFF bit (0x04) in the frame type is set to indicate that there is anOffset field present. When set to 1, the Offset field is present. When setto 0, the Offset field is absent and the Stream Data starts at an offset of 0(that is, the frame contains the first bytes of the stream, or the end of astream that includes no data).¶
• The LEN bit (0x02) in the frame type is set to indicate that there is a Lengthfield present. If this bit is set to 0, the Length field is absent and theStream Data field extends to the end of the packet. If this bit is set to 1,the Length field is present.¶
• The FIN bit (0x01) indicates that the frame marks the end of the stream. Thefinal size of the stream is the sum of the offset and the length of thisframe.¶

An endpoint MUST terminate the connection with error STREAM_STATE_ERROR if itreceives a STREAM frame for a locally-initiated stream that has not yet beencreated, or for a send-only stream.¶

STREAM frames are formatted as shown inFigure 32.¶

STREAM Frame {  Type (i) = 0x08..0x0f,  Stream ID (i),  [Offset (i)],  [Length (i)],  Stream Data (..),}

STREAM frames contain the following fields:¶

Stream ID:

A variable-length integer indicating the stream ID of the stream; seeSection 2.1.¶

Offset:

A variable-length integer specifying the byte offset in the stream for thedata in this STREAM frame. This field is present when the OFF bit is set to1. When the Offset field is absent, the offset is 0.¶

Length:

A variable-length integer specifying the length of the Stream Data field inthis STREAM frame. This field is present when the LEN bit is set to 1. Whenthe LEN bit is set to 0, the Stream Data field consumes all the remainingbytes in the packet.¶

Stream Data:

The bytes from the designated stream to be delivered.¶

When a Stream Data field has a length of 0, the offset in the STREAM frame isthe offset of the next byte that would be sent.¶

The first byte in the stream has an offset of 0. The largest offset deliveredon a stream - the sum of the offset and data length - cannot exceed 2^62-1, asit is not possible to provide flow control credit for that data. Receipt of aframe that exceeds this limit MUST be treated as a connection error of typeFRAME_ENCODING_ERROR or FLOW_CONTROL_ERROR.¶

19.9.MAX_DATA Frames

A MAX_DATA frame (type=0x10) is used in flow control to inform the peer of themaximum amount of data that can be sent on the connection as a whole.¶

MAX_DATA frames are formatted as shown inFigure 33.¶

MAX_DATA Frame {  Type (i) = 0x10,  Maximum Data (i),}

MAX_DATA frames contain the following field:¶

Maximum Data:

A variable-length integer indicating the maximum amount of data that can besent on the entire connection, in units of bytes.¶

All data sent in STREAM frames counts toward this limit. The sum of the finalsizes on all streams - including streams in terminal states - MUST NOT exceedthe value advertised by a receiver. An endpoint MUST terminate a connectionwith a FLOW_CONTROL_ERROR error if it receives more data than the maximum datavalue that it has sent. This includes violations of remembered limits in EarlyData; seeSection 7.4.1.¶

19.10.MAX_STREAM_DATA Frames

A MAX_STREAM_DATA frame (type=0x11) is used in flow control to inform a peerof the maximum amount of data that can be sent on a stream.¶

A MAX_STREAM_DATA frame can be sent for streams in the Recv state; seeSection 3.1. Receiving a MAX_STREAM_DATA frame for alocally-initiated stream that has not yet been created MUST be treated as aconnection error of type STREAM_STATE_ERROR. An endpoint that receives aMAX_STREAM_DATA frame for a receive-only stream MUST terminate the connectionwith error STREAM_STATE_ERROR.¶

MAX_STREAM_DATA frames are formatted as shown inFigure 34.¶

MAX_STREAM_DATA Frame {  Type (i) = 0x11,  Stream ID (i),  Maximum Stream Data (i),}

MAX_STREAM_DATA frames contain the following fields:¶

Stream ID:

The stream ID of the stream that is affected encoded as a variable-lengthinteger.¶

Maximum Stream Data:

A variable-length integer indicating the maximum amount of data that can besent on the identified stream, in units of bytes.¶

When counting data toward this limit, an endpoint accounts for the largestreceived offset of data that is sent or received on the stream. Loss orreordering can mean that the largest received offset on a stream can be greaterthan the total size of data received on that stream. Receiving STREAM framesmight not increase the largest received offset.¶

The data sent on a stream MUST NOT exceed the largest maximum stream data valueadvertised by the receiver. An endpoint MUST terminate a connection with aFLOW_CONTROL_ERROR error if it receives more data than the largest maximumstream data that it has sent for the affected stream. This includes violationsof remembered limits in Early Data; seeSection 7.4.1.¶

19.11.MAX_STREAMS Frames

A MAX_STREAMS frame (type=0x12 or 0x13) inform the peer of the cumulativenumber of streams of a given type it is permitted to open. A MAX_STREAMS framewith a type of 0x12 applies to bidirectional streams, and a MAX_STREAMS framewith a type of 0x13 applies to unidirectional streams.¶

MAX_STREAMS frames are formatted as shown inFigure 35;¶

MAX_STREAMS Frame {  Type (i) = 0x12..0x13,  Maximum Streams (i),}

MAX_STREAMS frames contain the following field:¶

Maximum Streams:

A count of the cumulative number of streams of the corresponding type thatcan be opened over the lifetime of the connection. This value cannot exceed2^60, as it is not possible to encode stream IDs larger than 2^62-1.Receipt of a frame that permits opening of a stream larger than this limitMUST be treated as a FRAME_ENCODING_ERROR.¶

Loss or reordering can cause a MAX_STREAMS frame to be received that state alower stream limit than an endpoint has previously received. MAX_STREAMS framesthat do not increase the stream limit MUST be ignored.¶

An endpoint MUST NOT open more streams than permitted by the current streamlimit set by its peer. For instance, a server that receives a unidirectionalstream limit of 3 is permitted to open stream 3, 7, and 11, but not stream 15.An endpoint MUST terminate a connection with a STREAM_LIMIT_ERROR error if apeer opens more streams than was permitted. This includes violations ofremembered limits in Early Data; seeSection 7.4.1.¶

Note that these frames (and the corresponding transport parameters) do notdescribe the number of streams that can be opened concurrently. The limitincludes streams that have been closed as well as those that are open.¶

19.12.DATA_BLOCKED Frames

A sender SHOULD send a DATA_BLOCKED frame (type=0x14) when it wishes to senddata, but is unable to do so due to connection-level flow control; seeSection 4. DATA_BLOCKED frames can be used as input to tuning of flowcontrol algorithms; seeSection 4.2.¶

DATA_BLOCKED frames are formatted as shown inFigure 36.¶

DATA_BLOCKED Frame {  Type (i) = 0x14,  Maximum Data (i),}

DATA_BLOCKED frames contain the following field:¶

Maximum Data:

A variable-length integer indicating the connection-level limit at whichblocking occurred.¶

19.13.STREAM_DATA_BLOCKED Frames

A sender SHOULD send a STREAM_DATA_BLOCKED frame (type=0x15) when it wishes tosend data, but is unable to do so due to stream-level flow control. This frameis analogous to DATA_BLOCKED (Section 19.12).¶

An endpoint that receives a STREAM_DATA_BLOCKED frame for a send-only streamMUST terminate the connection with error STREAM_STATE_ERROR.¶

STREAM_DATA_BLOCKED frames are formatted as shown inFigure 37.¶

STREAM_DATA_BLOCKED Frame {  Type (i) = 0x15,  Stream ID (i),  Maximum Stream Data (i),}

STREAM_DATA_BLOCKED frames contain the following fields:¶

Stream ID:

A variable-length integer indicating the stream that is blocked due to flowcontrol.¶

Maximum Stream Data:

A variable-length integer indicating the offset of the stream at which theblocking occurred.¶

19.14.STREAMS_BLOCKED Frames

A sender SHOULD send a STREAMS_BLOCKED frame (type=0x16 or 0x17) when it wishesto open a stream, but is unable to due to the maximum stream limit set by itspeer; seeSection 19.11. A STREAMS_BLOCKED frame of type 0x16 is usedto indicate reaching the bidirectional stream limit, and a STREAMS_BLOCKED frameof type 0x17 is used to indicate reaching the unidirectional stream limit.¶

A STREAMS_BLOCKED frame does not open the stream, but informs the peer that anew stream was needed and the stream limit prevented the creation of the stream.¶

STREAMS_BLOCKED frames are formatted as shown inFigure 38.¶

STREAMS_BLOCKED Frame {  Type (i) = 0x16..0x17,  Maximum Streams (i),}

STREAMS_BLOCKED frames contain the following field:¶

Maximum Streams:

A variable-length integer indicating the maximum number of streams allowedat the time the frame was sent. This value cannot exceed 2^60, as it isnot possible to encode stream IDs larger than 2^62-1. Receipt of a framethat encodes a larger stream ID MUST be treated as a STREAM_LIMIT_ERROR or aFRAME_ENCODING_ERROR.¶

19.15.NEW_CONNECTION_ID Frames

An endpoint sends a NEW_CONNECTION_ID frame (type=0x18) to provide its peer withalternative connection IDs that can be used to break linkability when migratingconnections; seeSection 9.5.¶

NEW_CONNECTION_ID frames are formatted as shown inFigure 39.¶

NEW_CONNECTION_ID Frame {  Type (i) = 0x18,  Sequence Number (i),  Retire Prior To (i),  Length (8),  Connection ID (8..160),  Stateless Reset Token (128),}

NEW_CONNECTION_ID frames contain the following fields:¶

Sequence Number:

The sequence number assigned to the connection ID by the sender, encoded as avariable-length integer; seeSection 5.1.1.¶

Retire Prior To:

A variable-length integer indicating which connection IDs should be retired;seeSection 5.1.2.¶

Length:

An 8-bit unsigned integer containing the length of the connection ID. Valuesless than 1 and greater than 20 are invalid and MUST be treated as aconnection error of type FRAME_ENCODING_ERROR.¶

Connection ID:

A connection ID of the specified length.¶

Stateless Reset Token:

A 128-bit value that will be used for a stateless reset when the associatedconnection ID is used; seeSection 10.3.¶

An endpoint MUST NOT send this frame if it currently requires that its peer sendpackets with a zero-length Destination Connection ID. Changing the length of aconnection ID to or from zero-length makes it difficult to identify when thevalue of the connection ID changed. An endpoint that is sending packets with azero-length Destination Connection ID MUST treat receipt of a NEW_CONNECTION_IDframe as a connection error of type PROTOCOL_VIOLATION.¶

Transmission errors, timeouts and retransmissions might cause the sameNEW_CONNECTION_ID frame to be received multiple times. Receipt of the sameframe multiple times MUST NOT be treated as a connection error. A receiver canuse the sequence number supplied in the NEW_CONNECTION_ID frame to handlereceiving the same NEW_CONNECTION_ID frame multiple times.¶

If an endpoint receives a NEW_CONNECTION_ID frame that repeats a previouslyissued connection ID with a different Stateless Reset Token or a differentsequence number, or if a sequence number is used for different connectionIDs, the endpoint MAY treat that receipt as a connection error of typePROTOCOL_VIOLATION.¶

The Retire Prior To field applies to connection IDs established duringconnection setup and the preferred_address transport parameter; seeSection 5.1.2. The Retire Prior To field MUST be less than or equal to theSequence Number field. Receiving a value greater than the Sequence Number MUSTbe treated as a connection error of type FRAME_ENCODING_ERROR.¶

Once a sender indicates a Retire Prior To value, smaller values sent insubsequent NEW_CONNECTION_ID frames have no effect. A receiver MUST ignore anyRetire Prior To fields that do not increase the largest received Retire Prior Tovalue.¶

An endpoint that receives a NEW_CONNECTION_ID frame with a sequence numbersmaller than the Retire Prior To field of a previously receivedNEW_CONNECTION_ID frame MUST send a corresponding RETIRE_CONNECTION_ID framethat retires the newly received connection ID, unless it has already done sofor that sequence number.¶

19.16.RETIRE_CONNECTION_ID Frames

An endpoint sends a RETIRE_CONNECTION_ID frame (type=0x19) to indicate that itwill no longer use a connection ID that was issued by its peer. This includesthe connection ID provided during the handshake. Sending a RETIRE_CONNECTION_IDframe also serves as a request to the peer to send additional connection IDs forfuture use; seeSection 5.1. New connection IDs can be delivered to apeer using the NEW_CONNECTION_ID frame (Section 19.15).¶

Retiring a connection ID invalidates the stateless reset token associated withthat connection ID.¶

RETIRE_CONNECTION_ID frames are formatted as shown inFigure 40.¶

RETIRE_CONNECTION_ID Frame {  Type (i) = 0x19,  Sequence Number (i),}

RETIRE_CONNECTION_ID frames contain the following field:¶

Sequence Number:

The sequence number of the connection ID being retired; seeSection 5.1.2.¶

Receipt of a RETIRE_CONNECTION_ID frame containing a sequence number greaterthan any previously sent to the peer MUST be treated as a connection error oftype PROTOCOL_VIOLATION.¶

The sequence number specified in a RETIRE_CONNECTION_ID frame MUST NOT referto the Destination Connection ID field of the packet in which the frame iscontained. The peer MAY treat this as a connection error of typePROTOCOL_VIOLATION.¶

An endpoint cannot send this frame if it was provided with a zero-lengthconnection ID by its peer. An endpoint that provides a zero-length connectionID MUST treat receipt of a RETIRE_CONNECTION_ID frame as a connection error oftype PROTOCOL_VIOLATION.¶

19.17.PATH_CHALLENGE Frames

Endpoints can use PATH_CHALLENGE frames (type=0x1a) to check reachability to thepeer and for path validation during connection migration.¶

PATH_CHALLENGE frames are formatted as shown inFigure 41.¶

PATH_CHALLENGE Frame {  Type (i) = 0x1a,  Data (64),}

PATH_CHALLENGE frames contain the following field:¶

Data:

This 8-byte field contains arbitrary data.¶

Including 64 bits of entropy in a PATH_CHALLENGE frame ensures that it is easierto receive the packet than it is to guess the value correctly.¶

The recipient of this frame MUST generate a PATH_RESPONSE frame(Section 19.18) containing the same Data.¶

19.18.PATH_RESPONSE Frames

A PATH_RESPONSE frame (type=0x1b) is sent in response to a PATH_CHALLENGE frame.¶

PATH_RESPONSE frames are formatted as shown inFigure 42, which isidentical to the PATH_CHALLENGE frame (Section 19.17).¶

PATH_RESPONSE Frame {  Type (i) = 0x1b,  Data (64),}

If the content of a PATH_RESPONSE frame does not match the content of aPATH_CHALLENGE frame previously sent by the endpoint, the endpoint MAY generatea connection error of type PROTOCOL_VIOLATION.¶

19.19.CONNECTION_CLOSE Frames

An endpoint sends a CONNECTION_CLOSE frame (type=0x1c or 0x1d) to notify itspeer that the connection is being closed. The CONNECTION_CLOSE with a frametype of 0x1c is used to signal errors at only the QUIC layer, or the absence oferrors (with the NO_ERROR code). The CONNECTION_CLOSE frame with a type of 0x1dis used to signal an error with the application that uses QUIC.¶

If there are open streams that have not been explicitly closed, they areimplicitly closed when the connection is closed.¶

CONNECTION_CLOSE frames are formatted as shown inFigure 43.¶

CONNECTION_CLOSE Frame {  Type (i) = 0x1c..0x1d,  Error Code (i),  [Frame Type (i)],  Reason Phrase Length (i),  Reason Phrase (..),}

CONNECTION_CLOSE frames contain the following fields:¶

Error Code:

A variable-length integer error code that indicates the reason forclosing this connection. A CONNECTION_CLOSE frame of type 0x1c uses codesfrom the space defined inSection 20.1. A CONNECTION_CLOSE frameof type 0x1d uses codes from the application protocol error code space; seeSection 20.2.¶

Frame Type:

A variable-length integer encoding the type of frame that triggered the error.A value of 0 (equivalent to the mention of the PADDING frame) is used when theframe type is unknown. The application-specific variant of CONNECTION_CLOSE(type 0x1d) does not include this field.¶

Reason Phrase Length:

A variable-length integer specifying the length of the reason phrase in bytes.Because a CONNECTION_CLOSE frame cannot be split between packets, any limitson packet size will also limit the space available for a reason phrase.¶

Reason Phrase:

A human-readable explanation for why the connection was closed. This can bezero length if the sender chooses not to give details beyond the Error Code.This SHOULD be a UTF-8 encoded string[RFC3629].¶

The application-specific variant of CONNECTION_CLOSE (type 0x1d) can only besent using 0-RTT or 1-RTT packets; seeSection 12.5. When anapplication wishes to abandon a connection during the handshake, an endpointcan send a CONNECTION_CLOSE frame (type 0x1c) with an error code ofAPPLICATION_ERROR in an Initial or a Handshake packet.¶

19.20.HANDSHAKE_DONE Frames

The server uses a HANDSHAKE_DONE frame (type=0x1e) to signal confirmation ofthe handshake to the client.¶

HANDSHAKE_DONE frames are formatted as shown inFigure 44, whichshows that HANDSHAKE_DONE frames have no content.¶

HANDSHAKE_DONE Frame {  Type (i) = 0x1e,}

A HANDSHAKE_DONE frame can only be sent by the server. Servers MUST NOT send aHANDSHAKE_DONE frame before completing the handshake. A server MUST treatreceipt of a HANDSHAKE_DONE frame as a connection error of typePROTOCOL_VIOLATION.¶

19.21.Extension Frames

QUIC frames do not use a self-describing encoding. An endpoint therefore needsto understand the syntax of all frames before it can successfully process apacket. This allows for efficient encoding of frames, but it means that anendpoint cannot send a frame of a type that is unknown to its peer.¶

An extension to QUIC that wishes to use a new type of frame MUST first ensurethat a peer is able to understand the frame. An endpoint can use a transportparameter to signal its willingness to receive extension frame types. Onetransport parameter can indicate support for one or more extension frame types.¶

Extensions that modify or replace core protocol functionality (including frametypes) will be difficult to combine with other extensions that modify orreplace the same functionality unless the behavior of the combination isexplicitly defined. Such extensions SHOULD define their interaction withpreviously-defined extensions modifying the same protocol components.¶

Extension frames MUST be congestion controlled and MUST cause an ACK frame tobe sent. The exception is extension frames that replace or supplement the ACKframe. Extension frames are not included in flow control unless specifiedin the extension.¶

An IANA registry is used to manage the assignment of frame types; seeSection 22.4.¶

20.1.Transport Error Codes

This section lists the defined QUIC transport error codes that can be used in aCONNECTION_CLOSE frame with a type of 0x1c. These errors apply to the entireconnection.¶

NO_ERROR (0x0):

An endpoint uses this with CONNECTION_CLOSE to signal that the connection isbeing closed abruptly in the absence of any error.¶

INTERNAL_ERROR (0x1):

The endpoint encountered an internal error and cannot continue with theconnection.¶

CONNECTION_REFUSED (0x2):

The server refused to accept a new connection.¶

FLOW_CONTROL_ERROR (0x3):

An endpoint received more data than it permitted in its advertised datalimits; seeSection 4.¶

STREAM_LIMIT_ERROR (0x4):

An endpoint received a frame for a stream identifier that exceeded itsadvertised stream limit for the corresponding stream type.¶

STREAM_STATE_ERROR (0x5):

An endpoint received a frame for a stream that was not in a state thatpermitted that frame; seeSection 3.¶

FINAL_SIZE_ERROR (0x6):

An endpoint received a STREAM frame containing data that exceeded thepreviously established final size. Or an endpoint received a STREAM frame ora RESET_STREAM frame containing a final size that was lower than the size ofstream data that was already received. Or an endpoint received a STREAM frameor a RESET_STREAM frame containing a different final size to the one alreadyestablished.¶

FRAME_ENCODING_ERROR (0x7):

An endpoint received a frame that was badly formatted. For instance, a frameof an unknown type, or an ACK frame that has more acknowledgment ranges thanthe remainder of the packet could carry.¶

TRANSPORT_PARAMETER_ERROR (0x8):

An endpoint received transport parameters that were badly formatted, includedan invalid value, was absent even though it is mandatory, was present thoughit is forbidden, or is otherwise in error.¶

CONNECTION_ID_LIMIT_ERROR (0x9):

The number of connection IDs provided by the peer exceeds the advertisedactive_connection_id_limit.¶

PROTOCOL_VIOLATION (0xa):

An endpoint detected an error with protocol compliance that was not covered bymore specific error codes.¶

INVALID_TOKEN (0xb):

A server received a client Initial that contained an invalid Token field.¶

APPLICATION_ERROR (0xc):

The application or application protocol caused the connection to be closed.¶

CRYPTO_BUFFER_EXCEEDED (0xd):

An endpoint has received more data in CRYPTO frames than it can buffer.¶

KEY_UPDATE_ERROR (0xe):

An endpoint detected errors in performing key updates; see Section 6 of[QUIC-TLS].¶

AEAD_LIMIT_REACHED (0xf):

An endpoint has reached the confidentiality or integrity limit for the AEADalgorithm used by the given connection.¶

NO_VIABLE_PATH (0x10):

An endpoint has determined that the network path is incapable of supportingQUIC. An endpoint is unlikely to receive CONNECTION_CLOSE carrying this codeexcept when the path does not support a large enough MTU.¶

CRYPTO_ERROR (0x1XX):

The cryptographic handshake failed. A range of 256 values is reserved forcarrying error codes specific to the cryptographic handshake that is used.Codes for errors occurring when TLS is used for the crypto handshake aredescribed in Section 4.8 of[QUIC-TLS].¶

SeeSection 22.5 for details of registering new error codes.¶

In defining these error codes, several principles are applied. Error conditionsthat might require specific action on the part of a recipient are given uniquecodes. Errors that represent common conditions are given specific codes.Absent either of these conditions, error codes are used to identify a generalfunction of the stack, like flow control or transport parameter handling.Finally, generic errors are provided for conditions where implementations areunable or unwilling to use more specific codes.¶

20.2.Application Protocol Error Codes

The management of application error codes is left to application protocols.Application protocol error codes are used for the RESET_STREAM frame(Section 19.4), the STOP_SENDING frame (Section 19.5), andthe CONNECTION_CLOSE frame with a type of 0x1d (Section 19.19).¶

21.1.Overview of Security Properties

A complete security analysis of QUIC is outside the scope of this document.This section provides an informal description of the desired security propertiesas an aid to implementors and to help guide protocol analysis.¶

QUIC assumes the threat model described in[SEC-CONS] and providesprotections against many of the attacks that arise from that model.¶

For this purpose, attacks are divided into passive and active attacks. Passiveattackers have the capability to read packets from the network, while activeattackers also have the capability to write packets into the network. However,a passive attack could involve an attacker with the ability to cause a routingchange or other modification in the path taken by packets that comprise aconnection.¶

Attackers are additionally categorized as either on-path attackers or off-pathattackers; see Section 3.5 of[SEC-CONS]. An on-path attacker can read,modify, or remove any packet it observes such that it no longer reaches itsdestination, while an off-path attacker observes the packets, but cannot preventthe original packet from reaching its intended destination. Both types ofattackers can also transmit arbitrary packets.¶

Properties of the handshake, protected packets, and connection migration areconsidered separately.¶

21.2.Handshake Denial of Service

As an encrypted and authenticated transport QUIC provides a range of protectionsagainst denial of service. Once the cryptographic handshake is complete, QUICendpoints discard most packets that are not authenticated, greatly limiting theability of an attacker to interfere with existing connections.¶

Once a connection is established QUIC endpoints might accept someunauthenticated ICMP packets (seeSection 14.2.1), but the use of these packetsis extremely limited. The only other type of packet that an endpoint mightaccept is a stateless reset (Section 10.3), which relies on the tokenbeing kept secret until it is used.¶

During the creation of a connection, QUIC only provides protection againstattack from off the network path. All QUIC packets contain proof that therecipient saw a preceding packet from its peer.¶

Addresses cannot change during the handshake, so endpoints can discard packetsthat are received on a different network path.¶

The Source and Destination Connection ID fields are the primary means ofprotection against off-path attack during the handshake. These are required tomatch those set by a peer. Except for an Initial and stateless reset packets,an endpoint only accepts packets that include a Destination Connection ID fieldthat matches a value the endpoint previously chose. This is the only protectionoffered for Version Negotiation packets.¶

The Destination Connection ID field in an Initial packet is selected by a clientto be unpredictable, which serves an additional purpose. The packets that carrythe cryptographic handshake are protected with a key that is derived from thisconnection ID and salt specific to the QUIC version. This allows endpoints touse the same process for authenticating packets that they receive as they useafter the cryptographic handshake completes. Packets that cannot beauthenticated are discarded. Protecting packets in this fashion provides astrong assurance that the sender of the packet saw the Initial packet andunderstood it.¶

These protections are not intended to be effective against an attacker that isable to receive QUIC packets prior to the connection being established. Such anattacker can potentially send packets that will be accepted by QUIC endpoints.This version of QUIC attempts to detect this sort of attack, but it expects thatendpoints will fail to establish a connection rather than recovering. For themost part, the cryptographic handshake protocol[QUIC-TLS] is responsible fordetecting tampering during the handshake.¶

Endpoints are permitted to use other methods to detect and attempt to recoverfrom interference with the handshake. Invalid packets can be identified anddiscarded using other methods, but no specific method is mandated in thisdocument.¶

21.3.Amplification Attack

An attacker might be able to receive an address validation token(Section 8) from a server and then release the IP address it usedto acquire that token. At a later time, the attacker can initiate a 0-RTTconnection with a server by spoofing this same address, which might now addressa different (victim) endpoint. The attacker can thus potentially cause theserver to send an initial congestion window's worth of data towards the victim.¶

Servers SHOULD provide mitigations for this attack by limiting the usage andlifetime of address validation tokens; seeSection 8.1.3.¶

21.4.Optimistic ACK Attack

An endpoint that acknowledges packets it has not received might cause acongestion controller to permit sending at rates beyond what the networksupports. An endpoint MAY skip packet numbers when sending packets to detectthis behavior. An endpoint can then immediately close the connection with aconnection error of type PROTOCOL_VIOLATION; seeSection 10.2.¶

21.5.Request Forgery Attacks

A request forgery attack occurs where an endpoint causes its peer to issue arequest towards a victim, with the request controlled by the endpoint. Requestforgery attacks aim to provide an attacker with access to capabilities of itspeer that might otherwise be unavailable to the attacker. For a networkingprotocol, a request forgery attack is often used to exploit any implicitauthorization conferred on the peer by the victim due to the peer's location inthe network.¶

For request forgery to be effective, an attacker needs to be able to influencewhat packets the peer sends and where these packets are sent. If an attackercan target a vulnerable service with a controlled payload, that service mightperform actions that are attributed to the attacker's peer, but decided by theattacker.¶

For example, cross-site request forgery[CSRF]exploits on the Web cause a client to issue requests that include authorizationcookies[COOKIE], allowing one site access to information andactions that are intended to be restricted to a different site.¶

As QUIC runs over UDP, the primary attack modality of concern is one where anattacker can select the address to which its peer sends UDP datagrams and cancontrol some of the unprotected content of those packets. As much of the datasent by QUIC endpoints is protected, this includes control over ciphertext. Anattack is successful if an attacker can cause a peer to send a UDP datagram toa host that will perform some action based on content in the datagram.¶

This section discusses ways in which QUIC might be used for request forgeryattacks.¶

This section also describes limited countermeasures that can be implemented byQUIC endpoints. These mitigations can be employed unilaterally by a QUICimplementation or deployment, without potential targets for request forgeryattacks taking action. However these countermeasures could be insufficient ifUDP-based services do not properly authorize requests.¶

Because the migration attack described inSection 21.5.4 is quite powerful and does not haveadequate countermeasures, QUIC server implementations should assume thatattackers can cause them to generate arbitrary UDP payloads to arbitrarydestinations. QUIC servers SHOULD NOT be deployed in networks that also haveinadequately secured UDP endpoints.¶

Although it is not generally possible to ensure that clients are not co-locatedwith vulnerable endpoints, this version of QUIC does not allow servers tomigrate, thus preventing spoofed migration attacks on clients. Any futureextension which allows server migration MUST also define countermeasures forforgery attacks.¶

21.6.Slowloris Attacks

The attacks commonly known as Slowloris ([SLOWLORIS]) try to keep manyconnections to the target endpoint open and hold them open as long as possible.These attacks can be executed against a QUIC endpoint by generating the minimumamount of activity necessary to avoid being closed for inactivity. This mightinvolve sending small amounts of data, gradually opening flow control windows inorder to control the sender rate, or manufacturing ACK frames that simulate ahigh loss rate.¶

QUIC deployments SHOULD provide mitigations for the Slowloris attacks, such asincreasing the maximum number of clients the server will allow, limiting thenumber of connections a single IP address is allowed to make, imposingrestrictions on the minimum transfer speed a connection is allowed to have, andrestricting the length of time an endpoint is allowed to stay connected.¶

21.7.Stream Fragmentation and Reassembly Attacks

An adversarial sender might intentionally not send portions of the stream data,causing the receiver to commit resources for the unsent data. This couldcause a disproportionate receive buffer memory commitment and/or the creation ofa large and inefficient data structure at the receiver.¶

An adversarial receiver might intentionally not acknowledge packets containingstream data in an attempt to force the sender to store the unacknowledged streamdata for retransmission.¶

The attack on receivers is mitigated if flow control windows correspond toavailable memory. However, some receivers will over-commit memory andadvertise flow control offsets in the aggregate that exceed actual availablememory. The over-commitment strategy can lead to better performance whenendpoints are well behaved, but renders endpoints vulnerable to the streamfragmentation attack.¶

QUIC deployments SHOULD provide mitigations against stream fragmentationattacks. Mitigations could consist of avoiding over-committing memory,limiting the size of tracking data structures, delaying reassemblyof STREAM frames, implementing heuristics based on the age andduration of reassembly holes, or some combination.¶

21.8.Stream Commitment Attack

An adversarial endpoint can open a large number of streams, exhausting state onan endpoint. The adversarial endpoint could repeat the process on a largenumber of connections, in a manner similar to SYN flooding attacks in TCP.¶

Normally, clients will open streams sequentially, as explained inSection 2.1.However, when several streams are initiated at short intervals, loss orreordering can cause STREAM frames that open streams to be received out ofsequence. On receiving a higher-numbered stream ID, a receiver is required toopen all intervening streams of the same type; seeSection 3.2.Thus, on a new connection, opening stream 4000000 opens 1 million and 1client-initiated bidirectional streams.¶

The number of active streams is limited by the initial_max_streams_bidi andinitial_max_streams_uni transport parameters, as explained inSection 4.6. If chosen judiciously, these limits mitigate theeffect of the stream commitment attack. However, setting the limit too lowcould affect performance when applications expect to open large number ofstreams.¶

21.9.Peer Denial of Service

QUIC and TLS both contain frames or messages that have legitimate uses in somecontexts, but that can be abused to cause a peer to expend processing resourceswithout having any observable impact on the state of the connection.¶

Messages can also be used to change and revert state in small or inconsequentialways, such as by sending small increments to flow control limits.¶

If processing costs are disproportionately large in comparison to bandwidthconsumption or effect on state, then this could allow a malicious peer toexhaust processing capacity.¶

While there are legitimate uses for all messages, implementations SHOULD trackcost of processing relative to progress and treat excessive quantities of anynon-productive packets as indicative of an attack. Endpoints MAY respond tothis condition with a connection error, or by dropping packets.¶

21.10.Explicit Congestion Notification Attacks

An on-path attacker could manipulate the value of ECN fields in the IP headerto influence the sender's rate.[RFC3168] discusses manipulations and theireffects in more detail.¶

An on-the-side attacker can duplicate and send packets with modified ECN fieldsto affect the sender's rate. If duplicate packets are discarded by a receiver,an off-path attacker will need to race the duplicate packet against theoriginal to be successful in this attack. Therefore, QUIC endpoints ignore theECN field on an IP packet unless at least one QUIC packet in that IP packet issuccessfully processed; seeSection 13.4.¶

21.11.Stateless Reset Oracle

Stateless resets create a possible denial of service attack analogous to a TCPreset injection. This attack is possible if an attacker is able to cause astateless reset token to be generated for a connection with a selectedconnection ID. An attacker that can cause this token to be generated can resetan active connection with the same connection ID.¶

If a packet can be routed to different instances that share a static key, forexample by changing an IP address or port, then an attacker can cause the serverto send a stateless reset. To defend against this style of denial of service,endpoints that share a static key for stateless reset (seeSection 10.3.2) MUSTbe arranged so that packets with a given connection ID always arrive at aninstance that has connection state, unless that connection is no longer active.¶

More generally, servers MUST NOT generate a stateless reset if a connection withthe corresponding connection ID could be active on any endpoint using the samestatic key.¶

In the case of a cluster that uses dynamic load balancing, it is possible that achange in load balancer configuration could occur while an active instanceretains connection state. Even if an instance retains connection state, thechange in routing and resulting stateless reset will result in the connectionbeing terminated. If there is no chance of the packet being routed to thecorrect instance, it is better to send a stateless reset than wait for theconnection to time out. However, this is acceptable only if the routing cannotbe influenced by an attacker.¶

21.12.Version Downgrade

This document defines QUIC Version Negotiation packets inSection 6 that can be used to negotiate the QUIC version usedbetween two endpoints. However, this document does not specify how thisnegotiation will be performed between this version and subsequent futureversions. In particular, Version Negotiation packets do not contain anymechanism to prevent version downgrade attacks. Future versions of QUIC thatuse Version Negotiation packets MUST define a mechanism that is robust againstversion downgrade attacks.¶

21.13.Targeted Attacks by Routing

Deployments should limit the ability of an attacker to target a new connectionto a particular server instance. This means that client-controlled fields, suchas the initial Destination Connection ID used on Initial and 0-RTT packetsSHOULD NOT be used by themselves to make routing decisions. Ideally, routingdecisions are made independently of client-selected values; a Source ConnectionID can be selected to route later packets to the same server.¶

21.14.Traffic Analysis

The length of QUIC packets can reveal information about the length of thecontent of those packets. The PADDING frame is provided so that endpoints havesome ability to obscure the length of packet content; seeSection 19.1.¶

Note however that defeating traffic analysis is challenging and the subject ofactive research. Length is not the only way that information might leak.Endpoints might also reveal sensitive information through other side channels,such as the timing of packets.¶

22.1.Registration Policies for QUIC Registries

All QUIC registries allow for both provisional and permanent registration ofcodepoints. This section documents policies that are common to theseregistries.¶

22.2.QUIC Versions Registry

IANA [SHALL add/has added] a registry for "QUIC Versions" under a "QUIC"heading.¶

The "QUIC Versions" registry governs a 32-bit space; seeSection 15. Thisregistry follows the registration policy fromSection 22.1. Permanentregistrations in this registry are assigned using the Specification Requiredpolicy ([RFC8126]).¶

The codepoint of 0x00000001 to the protocol is assigned with permanent statusto the protocol defined in this document. The codepoint of 0x00000000 ispermanently reserved; the note for this codepoint [shall] indicate[s] thatthis version is reserved for Version Negotiation.¶

All codepoints that follow the pattern 0x?a?a?a?a are reserved and MUST NOT beassigned by IANA and MUST NOT appear in the listing of assigned values.¶

[[RFC editor: please remove the following note before publication.]]¶

IANA note:

Several pre-standardization versions will likely be in use at the time ofpublication. There is no need to document these in an RFC, but recordinginformation about these version will ensure that the information in theregistry is accurate. The document editors or working group chairs canfacilitate getting the necessary information.¶

22.3.QUIC Transport Parameter Registry

IANA [SHALL add/has added] a registry for "QUIC Transport Parameters" under a"QUIC" heading.¶

The "QUIC Transport Parameters" registry governs a 62-bit space. This registryfollows the registration policy fromSection 22.1. Permanent registrationsin this registry are assigned using the Specification Required policy([RFC8126]).¶

In addition to the fields inSection 22.1.1, permanent registrations inthis registry MUST include the following field:¶

Parameter Name:

A short mnemonic for the parameter.¶

The initial contents of this registry are shown inTable 6.¶

Each value of the format31 * N + 27 for integer values of N (that is, 27, 58,89, ...) are reserved; these values MUST NOT be assigned by IANA and MUST NOTappear in the listing of assigned values.¶

22.4.QUIC Frame Types Registry

IANA [SHALL add/has added] a registry for "QUIC Frame Types" under a"QUIC" heading.¶

The "QUIC Frame Types" registry governs a 62-bit space. This registry followsthe registration policy fromSection 22.1. Permanent registrations in thisregistry are assigned using the Specification Required policy ([RFC8126]),except for values between 0x00 and 0x3f (in hexadecimal; inclusive), which areassigned using Standards Action or IESG Approval as defined in Section 4.9 and4.10 of[RFC8126].¶

In addition to the fields inSection 22.1.1, permanent registrations inthis registry MUST include the following field:¶

Frame Name:

A short mnemonic for the frame type.¶

In addition to the advice inSection 22.1, specifications for new permanentregistrations SHOULD describe the means by which an endpoint might determinethat it can send the identified type of frame. An accompanying transportparameter registration is expected for most registrations; seeSection 22.3. Specifications for permanent registrations alsoneed to describe the format and assigned semantics of any fields in the frame.¶

The initial contents of this registry are tabulated inTable 3. Notethat the registry does not include the "Pkts" and "Spec" columns fromTable 3.¶

22.5.QUIC Transport Error Codes Registry

IANA [SHALL add/has added] a registry for "QUIC Transport Error Codes" under a"QUIC" heading.¶

The "QUIC Transport Error Codes" registry governs a 62-bit space. This space issplit into three regions that are governed by different policies. Permanentregistrations in this registry are assigned using the Specification Requiredpolicy ([RFC8126]), except for values between 0x00 and 0x3f (in hexadecimal;inclusive), which are assigned using Standards Action or IESG Approval asdefined in Section 4.9 and 4.10 of[RFC8126].¶

In addition to the fields inSection 22.1.1, permanent registrations inthis registry MUST include the following fields:¶

Code:

A short mnemonic for the parameter.¶

Description:

A brief description of the error code semantics, which MAY be a summary if aspecification reference is provided.¶

The initial contents of this registry are shown inTable 7.¶

A.1.Sample Variable-Length Integer Decoding

The pseudocode inFigure 45 shows how a variable-length integer can beread from a stream of bytes. The function ReadVarint takes a single argument, asequence of bytes which can be read in network byte order.¶

ReadVarint(data):  // The length of variable-length integers is encoded in the  // first two bits of the first byte.  v = data.next_byte()  prefix = v >> 6  length = 1 << prefix  // Once the length is known, remove these bits and read any  // remaining bytes.  v = v & 0x3f  repeat length-1 times:    v = (v << 8) + data.next_byte()  return v

For example, the eight-byte sequence 0xc2197c5eff14e88c decodes to the decimalvalue 151,288,809,941,952,652; the four-byte sequence 0x9d7f3e7d decodes to494,878,333; the two-byte sequence 0x7bbd decodes to 15,293; and the single byte0x25 decodes to 37 (as does the two-byte sequence 0x4025).¶

A.2.Sample Packet Number Encoding Algorithm

The pseudocode inFigure 46 shows how an implementation can selectan appropriate size for packet number encodings.¶

The EncodePacketNumber function takes two arguments:¶

• full_pn is the full packet number of the packet being sent.¶
• largest_acked is the largest packet number which has been acknowledged by thepeer in the current packet number space, if any.¶

EncodePacketNumber(full_pn, largest_acked):  // The number of bits must be at least one more  // than the base-2 logarithm of the number of contiguous  // unacknowledged packet numbers, including the new packet.  if largest_acked is None:    num_unacked = full_pn + 1  else:    num_unacked = full_pn - largest_acked  min_bits = log(num_unacked, 2) + 1  num_bytes = ceil(min_bits / 8)  // Encode the integer value and truncate to  // the num_bytes least-significant bytes.  return encode(full_pn, num_bytes)

For example, if an endpoint has received an acknowledgment for packet 0xabe8bcand is sending a packet with a number of 0xac5c02, there are 29,519 (0x734f)outstanding packets. In order to represent at least twice this range (59,038packets, or 0xe69e), 16 bits are required.¶

In the same state, sending a packet with a number of 0xace8fe uses the 24-bitencoding, because at least 18 bits are required to represent twice the range(131,182 packets, or 0x2006e).¶

A.3.Sample Packet Number Decoding Algorithm

The pseudocode inFigure 47 includes an example algorithm for decodingpacket numbers after header protection has been removed.¶

The DecodePacketNumber function takes three arguments:¶

• largest_pn is the largest packet number that has been successfullyprocessed in the current packet number space.¶
• truncated_pn is the value of the Packet Number field.¶
• pn_nbits is the number of bits in the Packet Number field (8, 16, 24, or 32).¶

DecodePacketNumber(largest_pn, truncated_pn, pn_nbits):   expected_pn  = largest_pn + 1   pn_win       = 1 << pn_nbits   pn_hwin      = pn_win / 2   pn_mask      = pn_win - 1   // The incoming packet number should be greater than   // expected_pn - pn_hwin and less than or equal to   // expected_pn + pn_hwin   //   // This means we cannot just strip the trailing bits from   // expected_pn and add the truncated_pn because that might   // yield a value outside the window.   //   // The following code calculates a candidate value and   // makes sure it's within the packet number window.   // Note the extra checks to prevent overflow and underflow.   candidate_pn = (expected_pn & ~pn_mask) | truncated_pn   if candidate_pn <= expected_pn - pn_hwin and      candidate_pn < (1 << 62) - pn_win:      return candidate_pn + pn_win   if candidate_pn > expected_pn + pn_hwin and      candidate_pn >= pn_win:      return candidate_pn - pn_win   return candidate_pn

For example, if the highest successfully authenticated packet had a packetnumber of 0xa82f30ea, then a packet containing a 16-bit value of 0x9b32 will bedecoded as 0xa82f9b32.¶

A.4.Sample ECN Validation Algorithm

Each time an endpoint commences sending on a new network path, it determineswhether the path supports ECN; seeSection 13.4. If the path supports ECN, the goalis to use ECN. Endpoints might also periodically reassess a path that wasdetermined to not support ECN.¶

This section describes one method for testing new paths. This algorithm isintended to show how a path might be tested for ECN support. Endpoints canimplement different methods.¶

The path is assigned an ECN state that is one of "testing", "unknown", "failed",or "capable". On paths with a "testing" or "capable" state the endpoint sendspackets with an ECT marking, by default ECT(0); otherwise, the endpoint sendsunmarked packets.¶

To start testing a path, the ECN state is set to "testing" and existing ECNcounts are remembered as a baseline.¶

The testing period runs for a number of packets or a limited time, asdetermined by the endpoint. The goal is not to limit the duration of thetesting period, but to ensure that enough marked packets are sent for receivedECN counts to provide a clear indication of how the path treats marked packets.Section 13.4.2 suggests limiting this to 10 packets or 3 times the probetimeout.¶

After the testing period ends, the ECN state for the path becomes "unknown".From the "unknown" state, successful validation of the ECN counts an ACK frame(seeSection 13.4.2.1) causes the ECN state for the path to become "capable", unlessno marked packet has been acknowledged.¶

If validation of ECN counts fails at any time, the ECN state for the affectedpath becomes "failed". An endpoint can also mark the ECN state for a path as"failed" if marked packets are all declared lost or if they are all CE marked.¶

Following this algorithm ensures that ECN is rarely disabled for paths thatproperly support ECN. Any path that incorrectly modifies markings will causeECN to be disabled. For those rare cases where marked packets are discarded bythe path, the short duration of the testing period limits the number of lossesincurred.¶

B.1.Since draft-ietf-quic-transport-32

• Endpoints are required to limit the total data they send in response to anapparent connection migration to three times what was received (#4257, #4264)¶
• Added an error code for path validation failures (#4257, #4331)¶
• Defined DoS protections for clients during the handshake (#4259, #4330)¶
• Prohibited connection errors when datagrams are not the required size (#4273,#4342)¶

• A number of improvements to IANA considerations:¶

  • Added a registry for versions (#4345, #4280)¶
  • Clarified rules for first reserved value (#4378, #4389)¶
  • Reserved values are not added to the registry (#4372, #4428)¶
• Added final version numbers (#4430)¶

B.2.Since draft-ietf-quic-transport-31

• Require expansion of datagrams to ensure that a path supports at least 1200bytes in both directions:¶

  • During the handshake ack-eliciting Initial packets from the server need tobe expanded (#4183, #4188)¶
  • Path validation now requires packets containing PATH_CHALLENGE andPATH_RESPONSE to be expanded and PATH_RESPONSE is sent on the same networkpath (#4216, #4226)¶
• Though senders need to expand datagrams in some cases, receivers cannotenforce this requirement (#4253, #4254)¶
• Split contact into contact and change controller for IANA registrations(#4230, #4239)¶

B.3.Since draft-ietf-quic-transport-30

• Use TRANSPORT_PARAMETER_ERROR for an invalid transport parameter (#4099,#4100)¶
• Add a new error code for AEAD_LIMIT_REACHED code to avoid conflict (#4087,#4088)¶
• Allow use of address validation token when server address changes (#4076,#4089)¶

B.4.Since draft-ietf-quic-transport-29

• Require the same connection ID on coalesced packets (#3800, #3930)¶
• Allow caching of packets that can't be decrypted, by allowing the reportedacknowledgment delay to exceed max_ack_delay prior to confirming thehandshake (#3821, #3980, #4035, #3874)¶
• Allow connection ID to be used for address validation (#3834, #3924)¶
• Required protocol operations are no longer directed at implementations, butare features provided to application protocols (#3838, #3935)¶
• Narrow requirements for reset of congestion state on path change (#3842,#3945)¶
• Add a three times amplification limit for sending of CONNECTION_CLOSE withreduced state (#3845, #3864)¶
• Change error code for invalid RETIRE_CONNECTION_ID frames (#3860, #3861)¶
• Recommend retention of state for lost packets to allow for late arrival andavoid unnecessary retransmission (#3956, #3957)¶
• Allow a server to reject connections if a client reuses packet numbers afterRetry (#3989, #3990)¶
• Limit recommendation for immediate acknowledgment to when ack-elicitingpackets are reordered (#4001, #4000)¶

B.5.Since draft-ietf-quic-transport-28

• Made SERVER_BUSY error (0x2) more generic, now CONNECTION_REFUSED (#3709,#3690, #3694)¶
• Allow TRANSPORT_PARAMETER_ERROR when validating connection IDs (#3703, #3691)¶
• Integrate QUIC-specific language from draft-ietf-tsvwg-datagram-plpmtud(#3695, #3702)¶
• disable_active_migration does not apply to the addresses offered inserver_preferred_address (#3608, #3670)¶

B.6.Since draft-ietf-quic-transport-27

• Allowed CONNECTION_CLOSE in any packet number space, with a requirement touse a new transport-level error for application-specific errors in Initialand Handshake packets (#3430, #3435, #3440)¶
• Clearer requirements for address validation (#2125, #3327)¶
• Security analysis of handshake and migration (#2143, #2387, #2925)¶
• The entire payload of a datagram is used when counting bytes formitigating amplification attacks (#3333, #3470)¶
• Connection IDs can be used at any time, including in the handshake (#3348,#3560, #3438, #3565)¶
• Only one ACK should be sent for each instance of reordering (#3357, #3361)¶
• Remove text allowing a server to proceed with a bad Retry token (#3396,#3398)¶
• Ignore active_connection_id_limit with a zero-length connection ID (#3427,#3426)¶
• Require active_connection_id_limit be remembered for 0-RTT (#3423, #3425)¶
• Require ack_delay not be remembered for 0-RTT (#3433, #3545)¶
• Redefined max_packet_size to max_udp_datagram_size (#3471, #3473)¶
• Guidance on limiting outstanding attempts to retire connection IDs (#3489,#3509, #3557, #3547)¶
• Restored text on dropping bogus Version Negotiation packets (#3532, #3533)¶
• Clarified that largest acknowledged needs to be saved, but not necessarilysignaled in all cases (#3541, #3581)¶
• Addressed linkability risk with the use of preferred_address (#3559, #3563)¶
• Added authentication of handshake connection IDs (#3439, #3499)¶
• Opening a stream in the wrong direction is an error (#3527)¶

B.7.Since draft-ietf-quic-transport-26

• Change format of transport parameters to use varints (#3294, #3169)¶

B.8.Since draft-ietf-quic-transport-25

• Define the use of CONNECTION_CLOSE prior to establishing connection state(#3269, #3297, #3292)¶
• Allow use of address validation tokens after client address changes (#3307,#3308)¶
• Define the timer for address validation (#2910, #3339)¶

B.9.Since draft-ietf-quic-transport-24

• Added HANDSHAKE_DONE to signal handshake confirmation (#2863, #3142, #3145)¶
• Add integrity check to Retry packets (#3014, #3274, #3120)¶
• Specify handling of reordered NEW_CONNECTION_ID frames (#3194, #3202)¶
• Require checking of sequence numbers in RETIRE_CONNECTION_ID (#3037, #3036)¶
• active_connection_id_limit is enforced (#3193, #3197, #3200, #3201)¶
• Correct overflow in packet number decode algorithm (#3187, #3188)¶
• Allow use of CRYPTO_BUFFER_EXCEEDED for CRYPTO frame errors (#3258, #3186)¶
• Define applicability and scope of NEW_TOKEN (#3150, #3152, #3155, #3156)¶
• Tokens from Retry and NEW_TOKEN must be differentiated (#3127, #3128)¶
• Allow CONNECTION_CLOSE in response to invalid token (#3168, #3107)¶
• Treat an invalid CONNECTION_CLOSE as an invalid frame (#2475, #3230, #3231)¶
• Throttle when sending CONNECTION_CLOSE after discarding state (#3095, #3157)¶
• Application-variant of CONNECTION_CLOSE can only be sent in 0-RTT or 1-RTTpackets (#3158, #3164)¶
• Advise sending while blocked to avoid idle timeout (#2744, #3266)¶
• Define error codes for invalid frames (#3027, #3042)¶
• Idle timeout is symmetric (#2602, #3099)¶
• Prohibit IP fragmentation (#3243, #3280)¶
• Define the use of provisional registration for all registries (#3109, #3020,#3102, #3170)¶
• Packets on one path must not adjust values for a different path (#2909,#3139)¶

B.10.Since draft-ietf-quic-transport-23

• Allow ClientHello to span multiple packets (#2928, #3045)¶
• Client Initial size constraints apply to UDP datagram payload (#3053, #3051)¶

• Stateless reset changes (#2152, #2993)¶

  • tokens need to be compared in constant time¶
  • detection uses UDP datagrams, not packets¶
  • tokens cannot be reused (#2785, #2968)¶
• Clearer rules for sharing of UDP ports and use of connection IDs when doing so(#2844, #2851)¶
• A new connection ID is necessary when responding to migration (#2778, #2969)¶
• Stronger requirements for connection ID retirement (#3046, #3096)¶
• NEW_TOKEN cannot be empty (#2978, #2977)¶
• PING can be sent at any encryption level (#3034, #3035)¶
• CONNECTION_CLOSE is not ack-eliciting (#3097, #3098)¶
• Frame encoding error conditions updated (#3027, #3042)¶
• Non-ack-eliciting packets cannot be sent in response to non-ack-elicitingpackets (#3100, #3104)¶
• Servers have to change connection IDs in Retry (#2837, #3147)¶

B.11.Since draft-ietf-quic-transport-22

• Rules for preventing correlation by connection ID tightened (#2084, #2929)¶
• Clarified use of CONNECTION_CLOSE in Handshake packets (#2151, #2541, #2688)¶
• Discourage regressions of largest acknowledged in ACK (#2205, #2752)¶
• Improved robustness of validation process for ECN counts (#2534, #2752)¶
• Require endpoints to ignore spurious migration attempts (#2342, #2893)¶
• Transport parameter for disabling migration clarified to allow NAT rebinding(#2389, #2893)¶
• Document principles for defining new error codes (#2388, #2880)¶
• Reserve transport parameters for greasing (#2550, #2873)¶
• A maximum ACK delay of 0 is used for handshake packet number spaces (#2646,#2638)¶
• Improved rules for use of congestion control state on new paths (#2685, #2918)¶
• Removed recommendation to coordinate spin for multiple connections that sharea path (#2763, #2882)¶
• Allow smaller stateless resets and recommend a smaller minimum on packetsthat might trigger a stateless reset (#2770, #2869, #2927, #3007).¶
• Provide guidance around the interface to QUIC as used by application protocols(#2805, #2857)¶
• Frames other than STREAM can cause STREAM_LIMIT_ERROR (#2825, #2826)¶
• Tighter rules about processing of rejected 0-RTT packets (#2829, #2840, #2841)¶
• Explanation of the effect of Retry on 0-RTT packets (#2842, #2852)¶
• Cryptographic handshake needs to provide server transport parameter encryption(#2920, #2921)¶
• Moved ACK generation guidance from recovery draft to transport draft (#1860,#2916).¶

B.12.Since draft-ietf-quic-transport-21

• Connection ID lengths are now one octet, but limited in version 1 to 20 octetsof length (#2736, #2749)¶

B.13.Since draft-ietf-quic-transport-20

• Error codes are encoded as variable-length integers (#2672, #2680)¶
• NEW_CONNECTION_ID includes a request to retire old connection IDs (#2645,#2769)¶
• Tighter rules for generating and explicitly eliciting ACK frames (#2546,#2794)¶
• Recommend having only one packet per encryption level in a datagram (#2308,#2747)¶
• More normative language about use of stateless reset (#2471, #2574)¶
• Allow reuse of stateless reset tokens (#2732, #2733)¶
• Allow, but not require, enforcing non-duplicate transport parameters (#2689,#2691)¶
• Added an active_connection_id_limit transport parameter (#1994, #1998)¶
• max_ack_delay transport parameter defaults to 0 (#2638, #2646)¶
• When sending 0-RTT, only remembered transport parameters apply (#2458, #2360,#2466, #2461)¶
• Define handshake completion and confirmation; define clearer rules when itencryption keys should be discarded (#2214, #2267, #2673)¶
• Prohibit path migration prior to handshake confirmation (#2309, #2370)¶
• PATH_RESPONSE no longer needs to be received on the validated path (#2582,#2580, #2579, #2637)¶
• PATH_RESPONSE frames are not stored and retransmitted (#2724, #2729)¶
• Document hack for enabling routing of ICMP when doing PMTU probing (#1243,#2402)¶

B.14.Since draft-ietf-quic-transport-19

• Refine discussion of 0-RTT transport parameters (#2467, #2464)¶
• Fewer transport parameters need to be remembered for 0-RTT (#2624, #2467)¶
• Spin bit text incorporated (#2564)¶
• Close the connection when maximum stream ID in MAX_STREAMS exceeds 2^62 - 1(#2499, #2487)¶
• New connection ID required for intentional migration (#2414, #2413)¶
• Connection ID issuance can be rate-limited (#2436, #2428)¶
• The "QUIC bit" is ignored in Version Negotiation (#2400, #2561)¶
• Initial packets from clients need to be padded to 1200 unless a Handshakepacket is sent as well (#2522, #2523)¶
• CRYPTO frames can be discarded if too much data is buffered (#1834, #2524)¶
• Stateless reset uses a short header packet (#2599, #2600)¶

B.15.Since draft-ietf-quic-transport-18

• Removed version negotiation; version negotiation, including authentication ofthe result, will be addressed in the next version of QUIC (#1773, #2313)¶
• Added discussion of the use of IPv6 flow labels (#2348, #2399)¶
• A connection ID can't be retired in a packet that uses that connection ID(#2101, #2420)¶
• Idle timeout transport parameter is in milliseconds (from seconds) (#2453,#2454)¶
• Endpoints are required to use new connection IDs when they use new networkpaths (#2413, #2414)¶
• Increased the set of permissible frames in 0-RTT (#2344, #2355)¶

B.16.Since draft-ietf-quic-transport-17

• Stream-related errors now use STREAM_STATE_ERROR (#2305)¶
• Endpoints discard initial keys as soon as handshake keys are available (#1951,#2045)¶
• Expanded conditions for ignoring ICMP packet too big messages (#2108, #2161)¶
• Remove rate control from PATH_CHALLENGE/PATH_RESPONSE (#2129, #2241)¶
• Endpoints are permitted to discard malformed initial packets (#2141)¶
• Clarified ECN implementation and usage requirements (#2156, #2201)¶
• Disable ECN count verification for packets that arrive out of order (#2198,#2215)¶
• Use Probe Timeout (PTO) instead of RTO (#2206, #2238)¶
• Loosen constraints on retransmission of ACK ranges (#2199, #2245)¶
• Limit Retry and Version Negotiation to once per datagram (#2259, #2303)¶
• Set a maximum value for max_ack_delay transport parameter (#2282, #2301)¶
• Allow server preferred address for both IPv4 and IPv6 (#2122, #2296)¶
• Corrected requirements for migration to a preferred address (#2146, #2349)¶
• ACK of non-existent packet is illegal (#2298, #2302)¶

B.17.Since draft-ietf-quic-transport-16

• Stream limits are defined as counts, not maximums (#1850, #1906)¶
• Require amplification attack defense after closing (#1905, #1911)¶
• Remove reservation of application error code 0 for STOPPING (#1804, #1922)¶
• Renumbered frames (#1945)¶
• Renumbered transport parameters (#1946)¶
• Numeric transport parameters are expressed as varints (#1608, #1947, #1955)¶
• Reorder the NEW_CONNECTION_ID frame (#1952, #1963)¶

• Rework the first byte (#2006)¶

  • Fix the 0x40 bit¶
  • Change type values for long header¶
  • Add spin bit to short header (#631, #1988)¶
  • Encrypt the remainder of the first byte (#1322)¶
  • Move packet number length to first byte¶
  • Move ODCIL to first byte of retry packets¶
  • Simplify packet number protection (#1575)¶
• Allow STOP_SENDING to open a remote bidirectional stream (#1797, #2013)¶
• Added mitigation for off-path migration attacks (#1278, #1749, #2033)¶
• Don't let the PMTU to drop below 1280 (#2063, #2069)¶
• Require peers to replace retired connection IDs (#2085)¶
• Servers are required to ignore Version Negotiation packets (#2088)¶
• Tokens are repeated in all Initial packets (#2089)¶
• Clarified how PING frames are sent after loss (#2094)¶
• Initial keys are discarded once Handshake are available (#1951, #2045)¶
• ICMP PTB validation clarifications (#2161, #2109, #2108)¶

B.18.Since draft-ietf-quic-transport-15

Substantial editorial reorganization; no technical changes.¶

B.19.Since draft-ietf-quic-transport-14

• Merge ACK and ACK_ECN (#1778, #1801)¶
• Explicitly communicate max_ack_delay (#981, #1781)¶
• Validate original connection ID after Retry packets (#1710, #1486, #1793)¶
• Idle timeout is optional and has no specified maximum (#1765)¶
• Update connection ID handling; add RETIRE_CONNECTION_ID type (#1464, #1468,#1483, #1484, #1486, #1495, #1729, #1742, #1799, #1821)¶
• Include a Token in all Initial packets (#1649, #1794)¶
• Prevent handshake deadlock (#1764, #1824)¶

B.20.Since draft-ietf-quic-transport-13

• Streams open when higher-numbered streams of the same type open (#1342, #1549)¶
• Split initial stream flow control limit into 3 transport parameters (#1016,#1542)¶
• All flow control transport parameters are optional (#1610)¶
• Removed UNSOLICITED_PATH_RESPONSE error code (#1265, #1539)¶
• Permit stateless reset in response to any packet (#1348, #1553)¶
• Recommended defense against stateless reset spoofing (#1386, #1554)¶
• Prevent infinite stateless reset exchanges (#1443, #1627)¶
• Forbid processing of the same packet number twice (#1405, #1624)¶
• Added a packet number decoding example (#1493)¶
• More precisely define idle timeout (#1429, #1614, #1652)¶
• Corrected format of Retry packet and prevented looping (#1492, #1451, #1448,#1498)¶
• Permit 0-RTT after receiving Version Negotiation or Retry (#1507, #1514,#1621)¶
• Permit Retry in response to 0-RTT (#1547, #1552)¶
• Looser verification of ECN counters to account for ACK loss (#1555, #1481,#1565)¶
• Remove frame type field from APPLICATION_CLOSE (#1508, #1528)¶

B.21.Since draft-ietf-quic-transport-12

• Changes to integration of the TLS handshake (#829, #1018, #1094, #1165, #1190,#1233, #1242, #1252, #1450, #1458)¶

  • The cryptographic handshake uses CRYPTO frames, not stream 0¶
  • QUIC packet protection is used in place of TLS record protection¶
  • Separate QUIC packet number spaces are used for the handshake¶
  • Changed Retry to be independent of the cryptographic handshake¶
  • Added NEW_TOKEN frame and Token fields to Initial packet¶
  • Limit the use of HelloRetryRequest to address TLS needs (like key shares)¶
• Enable server to transition connections to a preferred address (#560, #1251,#1373)¶
• Added ECN feedback mechanisms and handling; new ACK_ECN frame (#804, #805,#1372)¶
• Changed rules and recommendations for use of new connection IDs (#1258, #1264,#1276, #1280, #1419, #1452, #1453, #1465)¶
• Added a transport parameter to disable intentional connection migration(#1271, #1447)¶
• Packets from different connection ID can't be coalesced (#1287, #1423)¶
• Fixed sampling method for packet number encryption; the length field in longheaders includes the packet number field in addition to the packet payload(#1387, #1389)¶
• Stateless Reset is now symmetric and subject to size constraints (#466, #1346)¶
• Added frame type extension mechanism (#58, #1473)¶

B.22.Since draft-ietf-quic-transport-11

• Enable server to transition connections to a preferred address (#560, #1251)¶
• Packet numbers are encrypted (#1174, #1043, #1048, #1034, #850, #990, #734,#1317, #1267, #1079)¶
• Packet numbers use a variable-length encoding (#989, #1334)¶
• STREAM frames can now be empty (#1350)¶

B.23.Since draft-ietf-quic-transport-10

• Swap payload length and packed number fields in long header (#1294)¶
• Clarified that CONNECTION_CLOSE is allowed in Handshake packet (#1274)¶
• Spin bit reserved (#1283)¶
• Coalescing multiple QUIC packets in a UDP datagram (#1262, #1285)¶
• A more complete connection migration (#1249)¶
• Refine opportunistic ACK defense text (#305, #1030, #1185)¶
• A Stateless Reset Token isn't mandatory (#818, #1191)¶
• Removed implicit stream opening (#896, #1193)¶
• An empty STREAM frame can be used to open a stream without sending data (#901,#1194)¶
• Define stream counts in transport parameters rather than a maximum stream ID(#1023, #1065)¶
• STOP_SENDING is now prohibited before streams are used (#1050)¶
• Recommend including ACK in Retry packets and allow PADDING (#1067, #882)¶
• Endpoints now become closing after an idle timeout (#1178, #1179)¶
• Remove implication that Version Negotiation is sent when a packet of the wrongversion is received (#1197)¶

B.24.Since draft-ietf-quic-transport-09

• Added PATH_CHALLENGE and PATH_RESPONSE frames to replace PING with Data andPONG frame. Changed ACK frame type from 0x0e to 0x0d. (#1091, #725, #1086)¶
• A server can now only send 3 packets without validating the client address(#38, #1090)¶
• Delivery order of stream data is no longer strongly specified (#252, #1070)¶
• Rework of packet handling and version negotiation (#1038)¶
• Stream 0 is now exempt from flow control until the handshake completes (#1074,#725, #825, #1082)¶
• Improved retransmission rules for all frame types: information isretransmitted, not packets or frames (#463, #765, #1095, #1053)¶
• Added an error code for server busy signals (#1137)¶
• Endpoints now set the connection ID that their peer uses. Connection IDs arevariable length. Removed the omit_connection_id transport parameter and thecorresponding short header flag. (#1089, #1052, #1146, #821, #745, #821,#1166, #1151)¶

B.25.Since draft-ietf-quic-transport-08

• Clarified requirements for BLOCKED usage (#65, #924)¶
• BLOCKED frame now includes reason for blocking (#452, #924, #927, #928)¶
• GAP limitation in ACK Frame (#613)¶
• Improved PMTUD description (#614, #1036)¶
• Clarified stream state machine (#634, #662, #743, #894)¶
• Reserved versions don't need to be generated deterministically (#831, #931)¶
• You don't always need the draining period (#871)¶
• Stateless reset clarified as version-specific (#930, #986)¶
• initial_max_stream_id_x transport parameters are optional (#970, #971)¶
• ACK delay assumes a default value during the handshake (#1007, #1009)¶
• Removed transport parameters from NewSessionTicket (#1015)¶

B.26.Since draft-ietf-quic-transport-07

• The long header now has version before packet number (#926, #939)¶
• Rename and consolidate packet types (#846, #822, #847)¶
• Packet types are assigned new codepoints and the Connection ID Flag isinverted (#426, #956)¶
• Removed type for Version Negotiation and use Version 0 (#963, #968)¶

• Streams are split into unidirectional and bidirectional (#643, #656, #720,#872, #175, #885)¶

  • Stream limits now have separate uni- and bi-directional transport parameters(#909, #958)¶
  • Stream limit transport parameters are now optional and default to 0 (#970,#971)¶
• The stream state machine has been split into read and write (#634, #894)¶
• Employ variable-length integer encodings throughout (#595)¶

• Improvements to connection close¶

  • Added distinct closing and draining states (#899, #871)¶
  • Draining period can terminate early (#869, #870)¶
  • Clarifications about stateless reset (#889, #890)¶
• Address validation for connection migration (#161, #732, #878)¶
• Clearly defined retransmission rules for BLOCKED (#452, #65, #924)¶
• negotiated_version is sent in server transport parameters (#710, #959)¶
• Increased the range over which packet numbers are randomized (#864, #850,#964)¶

B.27.Since draft-ietf-quic-transport-06

• Replaced FNV-1a with AES-GCM for all "Cleartext" packets (#554)¶
• Split error code space between application and transport (#485)¶
• Stateless reset token moved to end (#820)¶
• 1-RTT-protected long header types removed (#848)¶
• No acknowledgments during draining period (#852)¶
• Remove "application close" as a separate close type (#854)¶
• Remove timestamps from the ACK frame (#841)¶
• Require transport parameters to only appear once (#792)¶

B.28.Since draft-ietf-quic-transport-05

• Stateless token is server-only (#726)¶
• Refactor section on connection termination (#733, #748, #328, #177)¶
• Limit size of Version Negotiation packet (#585)¶
• Clarify when and what to ack (#736)¶
• Renamed STREAM_ID_NEEDED to STREAM_ID_BLOCKED¶
• Clarify Keep-alive requirements (#729)¶

B.29.Since draft-ietf-quic-transport-04

• Introduce STOP_SENDING frame, RESET_STREAM only resets in one direction (#165)¶
• Removed GOAWAY; application protocols are responsible for graceful shutdown(#696)¶
• Reduced the number of error codes (#96, #177, #184, #211)¶
• Version validation fields can't move or change (#121)¶
• Removed versions from the transport parameters in a NewSessionTicket message(#547)¶
• Clarify the meaning of "bytes in flight" (#550)¶
• Public reset is now stateless reset and not visible to the path (#215)¶
• Reordered bits and fields in STREAM frame (#620)¶
• Clarifications to the stream state machine (#572, #571)¶
• Increased the maximum length of the Largest Acknowledged field in ACK framesto 64 bits (#629)¶
• truncate_connection_id is renamed to omit_connection_id (#659)¶
• CONNECTION_CLOSE terminates the connection like TCP RST (#330, #328)¶
• Update labels used in HKDF-Expand-Label to match TLS 1.3 (#642)¶

B.30.Since draft-ietf-quic-transport-03

• Change STREAM and RESET_STREAM layout¶
• Add MAX_STREAM_ID settings¶

B.31.Since draft-ietf-quic-transport-02

• The size of the initial packet payload has a fixed minimum (#267, #472)¶
• Define when Version Negotiation packets are ignored (#284, #294, #241, #143,#474)¶
• The 64-bit FNV-1a algorithm is used for integrity protection of unprotectedpackets (#167, #480, #481, #517)¶
• Rework initial packet types to change how the connection ID is chosen (#482,#442, #493)¶
• No timestamps are forbidden in unprotected packets (#542, #429)¶
• Cryptographic handshake is now on stream 0 (#456)¶
• Remove congestion control exemption for cryptographic handshake (#248, #476)¶
• Version 1 of QUIC uses TLS; a new version is needed to use a differenthandshake protocol (#516)¶
• STREAM frames have a reduced number of offset lengths (#543, #430)¶

• Split some frames into separate connection- and stream- level frames(#443)¶

  • WINDOW_UPDATE split into MAX_DATA and MAX_STREAM_DATA (#450)¶
  • BLOCKED split to match WINDOW_UPDATE split (#454)¶
  • Define STREAM_ID_NEEDED frame (#455)¶
• A NEW_CONNECTION_ID frame supports connection migration without linkability(#232, #491, #496)¶

• Transport parameters for 0-RTT are retained from a previous connection (#405,#513, #512)¶

  • A client in 0-RTT no longer required to reset excess streams (#425, #479)¶
• Expanded security considerations (#440, #444, #445, #448)¶

B.32.Since draft-ietf-quic-transport-01

• Defined short and long packet headers (#40, #148, #361)¶
• Defined a versioning scheme and stable fields (#51, #361)¶
• Define reserved version values for "greasing" negotiation (#112, #278)¶
• The initial packet number is randomized (#35, #283)¶
• Narrow the packet number encoding range requirement (#67, #286, #299, #323,#356)¶
• Defined client address validation (#52, #118, #120, #275)¶
• Define transport parameters as a TLS extension (#49, #122)¶
• SCUP and COPT parameters are no longer valid (#116, #117)¶
• Transport parameters for 0-RTT are either remembered from before, or assumedefault values (#126)¶
• The server chooses connection IDs in its final flight (#119, #349, #361)¶
• The server echoes the Connection ID and packet number fields when sending aVersion Negotiation packet (#133, #295, #244)¶
• Defined a minimum packet size for the initial handshake packet from the client(#69, #136, #139, #164)¶
• Path MTU Discovery (#64, #106)¶
• The initial handshake packet from the client needs to fit in a single packet(#338)¶
• Forbid acknowledgment of packets containing only ACK and PADDING (#291)¶
• Require that frames are processed when packets are acknowledged (#381, #341)¶
• Removed the STOP_WAITING frame (#66)¶
• Don't require retransmission of old timestamps for lost ACK frames (#308)¶
• Clarified that frames are not retransmitted, but the information in them canbe (#157, #298)¶
• Error handling definitions (#335)¶
• Split error codes into four sections (#74)¶
• Forbid the use of Public Reset where CONNECTION_CLOSE is possible (#289)¶
• Define packet protection rules (#336)¶
• Require that stream be entirely delivered or reset, including acknowledgmentof all STREAM frames or the RESET_STREAM, before it closes (#381)¶
• Remove stream reservation from state machine (#174, #280)¶
• Only stream 1 does not contribute to connection-level flow control (#204)¶
• Stream 1 counts towards the maximum concurrent stream limit (#201, #282)¶
• Remove connection-level flow control exclusion for some streams (except 1)(#246)¶
• RESET_STREAM affects connection-level flow control (#162, #163)¶
• Flow control accounting uses the maximum data offset on each stream, ratherthan bytes received (#378)¶
• Moved length-determining fields to the start of STREAM and ACK (#168, #277)¶
• Added the ability to pad between frames (#158, #276)¶
• Remove error code and reason phrase from GOAWAY (#352, #355)¶
• GOAWAY includes a final stream number for both directions (#347)¶
• Error codes for RESET_STREAM and CONNECTION_CLOSE are now at a consistentoffset (#249)¶
• Defined priority as the responsibility of the application protocol (#104,#303)¶

B.33.Since draft-ietf-quic-transport-00

• Replaced DIVERSIFICATION_NONCE flag with KEY_PHASE flag¶
• Defined versioning¶
• Reworked description of packet and frame layout¶
• Error code space is divided into regions for each component¶
• Use big endian for all numeric values¶

B.34.Since draft-hamilton-quic-transport-protocol-01

• Adopted as base for draft-ietf-quic-tls¶
• Updated authors/editors list¶
• Added IANA Considerations section¶
• Moved Contributors and Acknowledgments to appendices¶