The proxy MUST reply to each REGISTER_CLIENT_CID capsule with either
an ACK_CLIENT_CID or CLOSE_CLIENT_CID capsule containing the
Connection ID that was in the registration capsule.

Similarly, the proxy MUST reply to each REGISTER_TARGET_CID capsule with
either an ACK_TARGET_CID or CLOSE_TARGET_CID capsule containing the
Connection ID that was in the registration capsule.

The proxy then determines the proxy-to-target 4-tuple to associate with the
client's request. This will generally involve performing a DNS lookup for
the target hostname in the CONNECT request, or finding an existing proxy-to-target
4-tuple to the authority. The proxy-to-target 4-tuple might already be open due to a
previous request from this client, or another. If the 4-tuple is not already
created, the proxy creates a new one. Proxies can choose to reuse proxy-to-target
4-tuples across multiple UDP proxying requests, or have a unique proxy-to-target 4-tuple
for every UDP proxying request.

If a proxy reuses proxy-to-target 4-tuples, it SHOULD store which authorities
(which could be a domain name or IP address literal) are being accessed over a
particular proxy-to-target 4-tuple so it can avoid performing a new DNS query and
potentially choosing a different target server IP address which could map to a
different target server.

Proxy-to-target 4-tuples MUST NOT be reused across QUIC and non-QUIC UDP proxy
requests, since it might not be possible to correctly demultiplex or direct
the traffic. Any packets received on a proxy-to-target 4-tuple used for proxying
QUIC that do not correspond to a known CID MUST be dropped.

When the proxy receives a REGISTER_CLIENT_CID capsule, it is receiving a
request to be able to route traffic matching the client CID back to
the client using. If the pair of this client CID and the selected
proxy-to-target 4-tuple does not create a conflict, the proxy creates the mapping
and responds with an ACK_CLIENT_CID capsule. If forwarded mode is enabled, the
capsule contains a proxy-chosen client VCID. If forwarded mode
is enabled, and after receiving an ACK_CLIENT_VCID capsule from the client, any
packets received by the proxy from the proxy-to-target 4-tuple that match the
client CID can be sent to the client after the proxy has replaced
the CID with the client VCID. If forwarded mode is
not supported, the proxy MUST NOT send a client VCID, which it indicates by
setting the length to zero. The proxy MUST use tunnelled mode (HTTP Datagram frames) for
any long header packets. The proxy SHOULD forward directly to the client for any
matching short header packets if forwarding is supported by the client, but the
proxy MAY tunnel these packets in HTTP Datagram frames instead. If the mapping
would create a conflict, the proxy responds with a CLOSE_CLIENT_CID capsule.

When the proxy receives a REGISTER_TARGET_CID capsule, it is receiving a
request to allow the client to forward packets to the target. The proxy
generates a target VCID for the client to use when sending
packets in forwarded mode. If forwarded mode is not supported, the proxy MUST
NOT send a target VCID, which it indicates by setting the length to zero. If
forwarded mode is supported, the proxy MUST use a target VCID
that does not introduce a conflict with any other Connection ID on the
client-to-proxy 4-tuple. The proxy creates the mapping and responds with an
ACK_TARGET_CID capsule. Once the successful response is sent, the proxy will
forward any short header packets received on the client-to-proxy 4-tuple that use
the target VCID using the correct proxy-to-target 4-tuple after
first rewriting the target VCID to be the correct target CID.

Proxies MUST choose unpredictable client and target VCIDs to
avoid forwarding loop attacks.

The proxy MUST only forward non-tunnelled packets from the client that are QUIC
short header packets (based on the Header Form bit) and have mapped target VCIDs.
Packets sent by the client that are forwarded SHOULD be
considered as activity for restarting QUIC's Idle Timeout [QUIC].

In order to permit the client to change client-to-target connection IDs, the proxy
SHOULD send MAX_CONNECTION_IDS capsules allowing the client additional connection ID
registrations.

For any registration capsule for which the proxy has sent an acknowledgement, any
mappings last until either endpoint sends a close capsule or either side of the
HTTP stream closes.

A client that no longer wants a given Connection ID to be forwarded by the
proxy sends a CLOSE_CLIENT_CID or CLOSE_TARGET_CID capsule.

If a client's connection to the proxy is terminated for any reason, all
mappings associated with all requests are removed.

A proxy can close its proxy-to-target 4-tuple once all UDP proxying requests mapped to
that 4-tuple have been removed.
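
The registration, forwarding and drop rules above can be sketched as a proxy-side mapping table. This is an added illustration, not code from this document or from any implementation of it. The class and method names, the fixed 8-byte VCID length and the exact-match conflict test are assumptions, and forwarded mode is assumed to be enabled with ACK_CLIENT_VCID already received.

```python
import secrets
from collections import defaultdict

VCID_LEN = 8  # assumption: the proxy chooses fixed-length VCIDs

class CidTable:  # hypothetical name; illustrative proxy state only
    def __init__(self):
        self.client_cids = {}   # (target_tuple, client CID) -> (client_tuple, client VCID)
        self.target_vcids = {}  # (client_tuple, target VCID) -> (target_tuple, target CID)
        self.in_use = defaultdict(set)  # client_tuple -> VCIDs on that 4-tuple

    def _new_vcid(self, client_tuple):
        while True:  # CSPRNG output: unpredictable, retried until conflict-free
            vcid = secrets.token_bytes(VCID_LEN)
            if vcid not in self.in_use[client_tuple]:
                self.in_use[client_tuple].add(vcid)
                return vcid

    def register_client_cid(self, client_tuple, target_tuple, cid):
        if (target_tuple, cid) in self.client_cids:  # conflict (exact match assumed)
            return ("CLOSE_CLIENT_CID", cid, b"")
        vcid = self._new_vcid(client_tuple)
        self.client_cids[(target_tuple, cid)] = (client_tuple, vcid)
        return ("ACK_CLIENT_CID", cid, vcid)

    def register_target_cid(self, client_tuple, target_tuple, cid):
        vcid = self._new_vcid(client_tuple)
        self.target_vcids[(client_tuple, vcid)] = (target_tuple, cid)
        return ("ACK_TARGET_CID", cid, vcid)

    def close_client_cid(self, target_tuple, cid):
        client_tuple, vcid = self.client_cids.pop((target_tuple, cid))
        self.in_use[client_tuple].discard(vcid)

    def from_target(self, target_tuple, packet):
        # Returns (client_tuple, mode, packet), or None when the packet is dropped.
        long_hdr = bool(packet[0] & 0x80)  # Header Form bit
        off = 6 if long_hdr else 1  # DCID offset per the QUIC invariants
        for (tup, cid), (client_tuple, vcid) in self.client_cids.items():
            if (tup == target_tuple and packet[off:off + len(cid)] == cid
                    and (not long_hdr or packet[5] == len(cid))):
                if long_hdr:  # long header packets are always tunnelled
                    return (client_tuple, "tunnel", packet)
                return (client_tuple, "forward", packet[:1] + vcid + packet[off + len(cid):])
        return None  # no known CID on this 4-tuple

    def from_client(self, client_tuple, packet):
        # Forward only short header packets that carry a mapped target VCID.
        hit = self.target_vcids.get((client_tuple, packet[1:1 + VCID_LEN]))
        if packet[0] & 0x80 or hit is None:
            return None
        return (hit[0], packet[:1] + hit[1] + packet[1 + VCID_LEN:])
```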