alibaba / xquic

XQUIC Library released by Alibaba is a cross-platform implementation of QUIC and HTTP/3 protocol.
Apache License 2.0

[Bug]: Address validation token is too easy. #266

Open Luffbee opened 1 year ago

Luffbee commented 1 year ago

What happened?

8.1.4. Address Validation Token Integrity

An address validation token MUST be difficult to guess. Including a random value with at least 128 bits of entropy in the token would be sufficient, but this depends on the server remembering the value it sends to clients.

Xquic uses the IP address + expire time as the token.

Steps To Reproduce

Read the code.

Relevant log output

No response
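
One way to meet the quoted requirement without server-side state, as an added example (not XQUIC's code or its planned fix): keep the IP address and expiry binding, but cover them with a truncated HMAC under a key only the server holds. The token layout, `SERVER_KEY` and the function names are assumptions made for this illustration.

```python
import hashlib
import hmac
import ipaddress
import os
import time

TAG_LEN = 16                 # 128-bit tag, truncated HMAC-SHA256
SERVER_KEY = os.urandom(32)  # assumption: server-only secret, rotated out of band


def token_tag(key, ip_bytes, expiry):
    # Length-prefix the address so IPv4 and IPv6 inputs cannot collide.
    msg = bytes([len(ip_bytes)]) + ip_bytes + expiry.to_bytes(8, "big")
    return hmac.new(key, msg, hashlib.sha256).digest()[:TAG_LEN]


def make_token(client_ip, lifetime_s, key=SERVER_KEY, now=None):
    """Return expiry (8 bytes, big-endian) || tag; the address is bound via the tag."""
    now = time.time() if now is None else now
    expiry = int(now) + lifetime_s
    ip_bytes = ipaddress.ip_address(client_ip).packed
    return expiry.to_bytes(8, "big") + token_tag(key, ip_bytes, expiry)


def validate_token(token, client_ip, key=SERVER_KEY, now=None):
    """Accept only an unexpired token whose tag matches this client address."""
    now = time.time() if now is None else now
    if len(token) != 8 + TAG_LEN:
        return False
    expiry = int.from_bytes(token[:8], "big")
    ip_bytes = ipaddress.ip_address(client_ip).packed
    # Verify the tag in constant time before trusting the expiry field.
    if not hmac.compare_digest(token[8:], token_tag(key, ip_bytes, expiry)):
        return False
    return now < expiry
```

A token that carries only an address and an expiry, with no tag, fails the length and tag checks here, so knowing a client's IP and picking a future timestamp is no longer enough to produce an accepted value.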

Ya-Pasha-364shy commented 5 months ago

Hello, I'm working on it.