
I read some docs about QUIC and understand that a connection ID is generated for each session, and as the document says:

"Connection IDs MUST NOT contain any information that can be used by an external observer (that is, one that does not cooperate with the issuer) to correlate them with other connection IDs for the same connection."

Source: https://tools.ietf.org/id/draft-ietf-quic-transport-24.html#connection-id

What security concern should I be aware of? Should the connection ID be purely random?

Thanks in advance

1 Answer


The whole concept of having multiple connection IDs for the same connection is to break linkability: observers should not be able to tell whether packets with different connection IDs belong to the same connection or not. That is the security concern you are referring to.

Pure random connection IDs will certainly satisfy this requirement. But you can think of other means, e.g. encryption of a set of properties.

Peter
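One way to realize the "encryption of a set of properties" option from the answer above, as an added example that is not part of the original answer or of any QUIC implementation. The names `MintCID` and `DecodeCID`, the field layout (server ID, sequence number, zero tail) and the all-zero demo key are assumptions made for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
	"fmt"
)

// MintCID encrypts serverID(4) | seq(8) | zero(4) as a single AES block.
// Without the key the 16-byte outputs look unrelated to each other.
// seq must never repeat under one key, or the same ID is issued twice.
func MintCID(block cipher.Block, serverID uint32, seq uint64) []byte {
	pt := make([]byte, aes.BlockSize)
	binary.BigEndian.PutUint32(pt[0:4], serverID)
	binary.BigEndian.PutUint64(pt[4:12], seq)
	cid := make([]byte, aes.BlockSize)
	block.Encrypt(cid, pt)
	return cid
}

// DecodeCID inverts MintCID on the issuer side. The zero tail rejects IDs
// that were not minted with this key (a guess passes with chance 2^-32).
func DecodeCID(block cipher.Block, cid []byte) (uint32, uint64, error) {
	if len(cid) != aes.BlockSize {
		return 0, 0, errors.New("unexpected connection ID length")
	}
	pt := make([]byte, aes.BlockSize)
	block.Decrypt(pt, cid)
	if binary.BigEndian.Uint32(pt[12:]) != 0 {
		return 0, 0, errors.New("connection ID not issued with this key")
	}
	return binary.BigEndian.Uint32(pt[0:4]), binary.BigEndian.Uint64(pt[4:12]), nil
}

func main() {
	block, err := aes.NewCipher(make([]byte, 16)) // constructed all-zero demo key
	if err != nil {
		panic(err)
	}
	a, b := MintCID(block, 7, 0), MintCID(block, 7, 1)
	id, seq, err := DecodeCID(block, b)
	fmt.Printf("%x\n%x\nserver=%d seq=%d err=%v\n", a, b, id, seq, err)
}
```

The two printed IDs share a server ID and differ by one in sequence number, yet only the key holder can recover that relationship. An observer sees two unrelated 16-byte values, which is the unlinkability property the quoted draft text requires.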