QUIC-LB connection ID generator config (proto)

This extension has the qualified name envoy.quic.connection_id_generator.quic_lb

Note

This extension is functional but has not had substantial production burn time, use only with this caveat.

This extension has an unknown security posture and should only be used in deployments where both the downstream and upstream are trusted.

Tip

This extension extends and can be used with the following extension category:

• envoy.quic.connection_id_generator

This extension must be configured with one of the following type URLs:

• type.googleapis.com/envoy.extensions.quic.connection_id_generator.quic_lb.v3.Config

extensions.quic.connection_id_generator.quic_lb.v3.Config

[extensions.quic.connection_id_generator.quic_lb.v3.Config proto]

Configuration for a connection ID generator implementation for the QUIC-LB draft RFC for routable connection IDs.

Connection IDs always have the length self encoded, as described in https://datatracker.ietf.org/doc/html/draft-ietf-quic-load-balancers#name-length-self-description.

See https://datatracker.ietf.org/doc/html/draft-ietf-quic-load-balancers for details.

Warning

This is still a work in progress. Performance is expected to be poor. Interoperability testing has not yet been performed.

Warning

This API feature is currently work-in-progress. API features marked as work-in-progress are not considered stable, are not covered by the threat model, are not supported by the security team, and are subject to breaking changes. Do not use this feature without understanding each of the previous points.

{
  "unsafe_unencrypted_testing_mode": ...,
  "server_id": {...},
  "expected_server_id_length": ...,
  "nonce_length_bytes": ...,
  "encryption_parameters": {...}
}

unsafe_unencrypted_testing_mode

(bool) Use the unencrypted mode. This is useful for testing, but allows for linking different CIDs for the same connection, and leaks information about the valid server IDs in use. This should only be used for testing.

server_id

(config.core.v3.DataSource, REQUIRED) Must be at least 1 octet. The length of server_id and nonce_length_bytes must be 18 or less. See https://datatracker.ietf.org/doc/html/draft-ietf-quic-load-balancers#name-server-id-allocation.

expected_server_id_length

(uint32) Optional validation of the expected server ID length. If this is non-zero and the value in server_id does not have a matching length, a configuration error is generated. This can be useful for validating that the server ID is valid.

nonce_length_bytes

(uint32) The nonce length must be at least 4 bytes. The length of server_id and nonce_length_bytes must be 18 bytes or less.

encryption_parameters

(extensions.transport_sockets.tls.v3.SdsSecretConfig, REQUIRED) Configuration to fetch the encryption key and configuration version.

The SDS service is for a GenericSecret. The data should populate secrets:

“encryption_key” must contain the 16 byte encryption key.

“configuration_version” must contain a 1 byte unsigned integer of value less than 7. See https://datatracker.ietf.org/doc/html/draft-ietf-quic-load-balancers#name-config-rotation.