quinn-rs / quinn

Async-friendly QUIC implementation in Rust
Apache License 2.0

CIDs must not be reused without rotating the stateless reset key #329

Open Ralith opened 5 years ago

Ralith commented 5 years ago

Quinn presently uses randomized connection IDs and a stateless reset key set at startup. Stateless reset tokens are no longer secret once used, so if an on-path attacker is able to observe two connections that reuse the same ID, they might be able to interrupt the second connection.

To prevent this, Quinn should remember previously issued CIDs, and generate a new stateless reset key for use with future connections whenever the set of previously issued CIDs grows large enough that storage or duplicate-avoidance becomes unreasonably expensive.

The odds of a CID ever being reused are low--astronomically low, if CIDs use the default 8-byte length rather than the minimum--so the threat is limited, even for long-running servers.

Demi-Marie commented 4 years ago

Can we just use 8-byte monotonically increasing counters? Those won’t overflow in any reasonable amount of time.

It is worth noting that some code might rely on connection IDs never being reused.

Ralith commented 4 years ago

An encrypted counter, so the information is not leaked to every observer, is a possibility. Just rotating the stateless reset key every N connections shouldn't be unreasonably difficult, though.
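
An added Rust sketch of the scheme discussed in this thread (remember issued CIDs, skip duplicates, rotate the stateless reset key once the remembered set grows too large); it is not Quinn's code. `CidIssuer`, `max_tracked`, the 64-bit CIDs and keys, and the `DefaultHasher`-based token are assumptions for illustration, with the hasher standing in for a real MAC and the `rng` closure standing in for a CSPRNG.

```rust
use std::collections::hash_map::DefaultHasher;
use std::collections::HashSet;
use std::hash::{Hash, Hasher};
/// Hypothetical CID issuer, not Quinn's API. `rng` stands in for a CSPRNG.
pub struct CidIssuer<R: FnMut() -> u64> {
    rng: R,
    reset_key: u64,       // stand-in for the stateless reset key
    epoch: u32,           // how many times the key has been rotated
    issued: HashSet<u64>, // CIDs issued under the current key
    max_tracked: usize,   // rotate once this many CIDs are remembered
}

impl<R: FnMut() -> u64> CidIssuer<R> {
    pub fn new(mut rng: R, max_tracked: usize) -> Self {
        let reset_key = rng();
        Self { rng, reset_key, epoch: 0, issued: HashSet::new(), max_tracked }
    }

    /// Returns (cid, reset_token, key_epoch). A CID never repeats within one epoch.
    pub fn issue(&mut self) -> (u64, u64, u32) {
        if self.issued.len() >= self.max_tracked {
            // Set too large to keep: fresh key for future CIDs, forget the old set.
            self.reset_key = (self.rng)();
            self.epoch += 1;
            self.issued.clear();
        }
        loop {
            let cid = (self.rng)();
            if self.issued.insert(cid) {
                return (cid, self.token(cid), self.epoch);
            }
            // Duplicate under the current key: draw another CID.
        }
    }

    /// Toy keyed hash for illustration; a real endpoint would use a MAC here.
    fn token(&self, cid: u64) -> u64 {
        let mut h = DefaultHasher::new();
        (self.reset_key, cid).hash(&mut h);
        h.finish()
    }
}

fn main() {
    // Constructed sequence: key 100, CIDs 7, 7 (duplicate), 9, then key 200, CID 7.
    let mut seq = vec![100u64, 7, 7, 9, 200, 7].into_iter();
    let mut issuer = CidIssuer::new(move || seq.next().unwrap(), 2);
    for _ in 0..3 { println!("{:?}", issuer.issue()); }
}
```

The sketch keeps only the current key; an endpoint that still has connections using CIDs issued before a rotation would also need the key those CIDs were issued under, which is not modelled here.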