Perhaps inevitably, now that QUIC-LB provides a framework for coordination with trusted middleboxes, other middlebox functions may want to use it.
In New York there was talk of anti-DDoS boxes that would send RETRY on behalf of servers. To make this work, I believe we'd need to standardize the encoding of the original DCID in the token, so that the server can extract it and put it in its TPs.
Anyway, consider this a thread to discuss this possibility and a possible reference for a PR. I will not hold up the spec for this extension.
DDoS boxes have a fixed, authenticated retry token format. When activated, they generate Retry tokens in this format and authenticate incoming Initials. -- note: we should clarify what happens to Initial ACKs with tokens.
QUIC-LB config will indicate if a DDoS box is present. Servers MUST NOT generate their own RETRYs. When a token comes in, they can use the fixed format to extract the odcid.
The patch will probably need a way to distinguish Retry tokens vs. resumption tokens.
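A sketch of the kind of shared token format discussed in this thread, added here as an example and not taken from the QUIC-LB draft or from any participant's code. The layout (type byte, ODCID length, ODCID, timestamp, truncated HMAC), the type values, the key distribution and the function names are all assumptions; the type byte is one way to separate Retry tokens from resumption tokens.

```python
import hashlib
import hmac
import struct
import time

TOKEN_RESUMPTION = 0x00  # hypothetical: the server's own NEW_TOKEN tokens
TOKEN_RETRY = 0x01       # hypothetical: minted by the anti-DDoS Retry service
TAG_LEN = 16             # truncated HMAC-SHA256 tag
MAX_CID_LEN = 20         # QUIC v1 connection ID limit

def _tag(key, client_ip, body):
    # Length-prefix the address so IPv4 and IPv6 inputs cannot be confused.
    msg = bytes([len(client_ip)]) + client_ip + body
    return hmac.new(key, msg, hashlib.sha256).digest()[:TAG_LEN]

def mint_retry_token(key, client_ip, odcid, now=None):
    """Middlebox side: bind the ODCID to the client address and issue time."""
    if len(odcid) > MAX_CID_LEN:
        raise ValueError("connection ID too long")
    issued = int(time.time() if now is None else now)
    body = bytes([TOKEN_RETRY, len(odcid)]) + odcid + struct.pack("!Q", issued)
    return body + _tag(key, client_ip, body)

def extract_odcid(key, client_ip, token, max_age=10, now=None):
    """Server side: return the ODCID of a valid Retry token, else None."""
    if len(token) < 2 + 8 + TAG_LEN or token[0] != TOKEN_RETRY:
        return None  # resumption token or junk: not from the Retry service
    body, tag = token[:-TAG_LEN], token[-TAG_LEN:]
    # Authenticate before trusting any length field inside the body.
    if not hmac.compare_digest(tag, _tag(key, client_ip, body)):
        return None  # forged, altered, or presented from another address
    cid_len = body[1]
    if cid_len > MAX_CID_LEN or len(body) != 2 + cid_len + 8:
        return None
    (issued,) = struct.unpack("!Q", body[2 + cid_len:])
    current = int(time.time() if now is None else now)
    if not 0 <= current - issued <= max_age:
        return None  # expired, or timestamp in the future
    return body[2:2 + cid_len]  # value for original_destination_connection_id
```
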