On 3/2/2026 11:34 AM, Marco Munizaga wrote:
- Why is path initiation not symmetric in RFC 9000?

Several reasons. As you noted, that scenario is not a priority for most clients, given NAT and firewalls. Also, allowing the server to create paths would extend the attack surface, in particular for request forgery attacks. The general feeling when finalizing the specifications was that QUIC was complex enough, this scenario would require extra work and had limited applicability, thus let's not try to address it.

- Why is path initiation not symmetric in the Multipath Extension for QUIC?

Because of the general decision to remain aligned with RFC 9000. Also, because allowing path creation by both client and server introduced extra complexity in the management of paths, and a desire to keep the path simple.

- Are there any security concerns about allowing servers to initiate paths?

Yes. Request forgery attacks in particular.

Also note that it is possible to create paths to different server addresses, if the application manages it. The application would have to learn the IP address and port that the server desires, then ask the client to start a new path towards that address.

There is also work going on on P2P QUIC, which defines extensions to address this scenario.

-- Christian Huitema
