Are we talking about the "scenarios in the middle" when a request is
processed differently on 0-RTT and 1-RTT, but the 0-RTT processing is
actually meaningful (not 425 or buffering)?  Because if you process the
request the same regardless of whether it's 0-RTT or 1-RTT, you're
consistent.

On Sun, Dec 3, 2017 at 7:57 PM, Martin Thomson <martin.thomson@gmail.com> wrote:
> On Mon, Dec 4, 2017 at 11:53 AM, Victor Vasiliev <vasilvv@google.com> wrote:
> > On Fri, Dec 1, 2017 at 2:47 PM, Willy Tarreau <w@1wt.eu> wrote:
> >>
> >> That's exactly why it's requested that all servers are configured
> >> consistently. As you demonstrated, as long as "all of them" is granted
> >> regardless of the decision, the processing is safe. What is important
> >> is that you can't end up in a situation which starts with "some
> >> servers".
> >>
> >> Willy
> >>
> >
> > That's what I thought.  But Martin's email makes it sound like there is a
> > reason to discard early data when it's received after handshake
> > completion, instead of treating it as replay-secure.
>
> If there is a chance that you would have accepted (and processed)
> those packets prior to handshake completion, you have an exposure.
> This is just another case of the consistency requirement.
>