microsoft
diff --git a/‎docs/CIBIR.md‎
Lines changed: 35 additions & 0 deletions b/‎docs/CIBIR.md‎
Lines changed: 35 additions & 0 deletions
diff --git a/‎docs/QTIP.md‎
Lines changed: 19 additions & 2 deletions b/‎docs/QTIP.md‎
Lines changed: 19 additions & 2 deletions
diff --git a/‎docs/Settings.md‎
Lines changed: 1 addition & 1 deletion b/‎docs/Settings.md‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎docs/XDP.md‎
Lines changed: 130 additions & 0 deletions b/‎docs/XDP.md‎
Lines changed: 130 additions & 0 deletions
diff --git a/‎src/core/binding.c‎
Lines changed: 9 additions & 0 deletions b/‎src/core/binding.c‎
Lines changed: 9 additions & 0 deletions
diff --git a/‎src/core/binding.h‎
Lines changed: 9 additions & 0 deletions b/‎src/core/binding.h‎
Lines changed: 9 additions & 0 deletions
diff --git a/‎src/core/connection.c‎
Lines changed: 6 additions & 3 deletions b/‎src/core/connection.c‎
Lines changed: 6 additions & 3 deletions
diff --git a/‎src/core/library.c‎
Lines changed: 32 additions & 27 deletions b/‎src/core/library.c‎
Lines changed: 32 additions & 27 deletions
@@ -0,0 +1,35 @@
+# CIBIR
+
+## What is it
+
+See the [draft IETF](https://datatracker.ietf.org/doc/html/draft-banks-quic-cibir) for CIBIR.
+
+When CIBIR is used, rather than programming [XDP](./XDP.md) to filter and demux packets based on on address and port number,
+XDP with CIBIR will instead filter and de-mux packets based on address, port number, and QUIC connection ID.
+
+What CIBIR allows for is 2 or more separate server processes to share a single
+port on the same machine, as long as their CIBIR ID is different.
+
+## CIBIR port sharing logic
+- Applications must provide a well-known local port for server sockets when using CIBIR and XDP.
+- **IMPORTANT:** MsQuic will **NOT** reserve an OS port for server sockets when both CIBIR and XDP is enabled and available.
+    - Client sockets can never share ports, so MsQuic will reserve an OS port in that scenario.
+- The responsibility of book-keeping shared ports and ensuring robust protection for those shared ports is delegated to the application.
+
+
+## Port protection recommendations for shared ports
+
+### Option 1: Persistent port reservations (Recommended)
+
+MsQuic strongly recommends applications leverage the Windows [persistent port reservations API](https://learn.microsoft.com/en-us/windows/win32/api/iphlpapi/nf-iphlpapi-createpersistentudpportreservation) to secure shared CIBIR ports prior to serving multi-process CIBIR traffic on a shared port.
+- One time setup by a system admin to create the persistent reservation.
+    - A good option for book-keeping persistent port reservations is via registry keys.
+- Persistent port reservations survive reboots, allowing for robust protection in the event of crashes.
+- Having a persistent reservation makes sure CIBIR ports are taken out of the ephemeral port pool and forbids sockets from binding to it unless it is associated with a persistent reservation token, which can only happen in an elevated process.
+    - This way, an unsuspecting application process won't get accidently assigned an ephemeral port that collides with a CIBIR port.
+
+### Option 2: WFP ALE (Application Layer Enforcement) filters
+
+As an alternative, applications can use the [Windows Filtering Platform (WFP)](https://learn.microsoft.com/en-us/windows/win32/fwp/windows-filtering-platform-start-page) to create ALE filters that block unauthorized bind attempts to CIBIR ports.
+
+ALE filters operate at the [bind and connect authorization layers](https://learn.microsoft.com/en-us/windows/win32/fwp/ale-layers) (`FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V4/V6`, `FWPM_LAYER_ALE_RESOURCE_ASSIGNMENT_V4/V6`). A filter can be configured to block any process from binding to a specific UDP port unless it matches an allowed application path or security descriptor.
@@ -24,7 +24,24 @@ This setting can be overridden per client connection, allowing you to create som
 > [!IMPORTANT]
 > Crucial information necessary for users to succeed.
 
-Using QTIP will initialize a TCP socket and attempt to bind to your listener's local address. This is to reserve a TCP port for your listener to ensure
-XDP does not steal any TCP traffic from your other processes later. That also means you need to ensure no other processes are listening on the same TCP port as your listener's local address prior
+Listeners with QTIP enabled will initialize a TCP and UDP socket and attempt to bind to your listener's local address. This is to reserve a TCP/UDP port for your listener to ensure
+XDP does not steal any traffic from other sockets later. That also means you need to ensure no other processes are listening on the same port as your listener's local address prior
 to starting your listener, otherwise the OS will throw a socket access denied / address in use error,
 and your listener will fail to initialize.
+
+**Client connections with different QTIP enablements CAN exist on the same local port.**
+
+MsQuic connections over XDP/UDP creates an OS UDP socket only, and relies on the OS to assign the app an ephemeral UDP port to reserve it. XDP will be configured to intercept UDP packets on that port.
+
+MsQuic connections over XDP/QTIP creates an OS TCP socket only, and relies on the OS to assign the app an ephemeral TCP port to reserve it. XDP will be configured to intercept TCP traffic on that port.
+
+Since apps can create many client connections with different QTIP enablements, sometimes the OS assigns
+the same TCP and UDP port number. If using client connections with and without QTIP enabled simultaneously, the application should not assume 4-tuples uniquely identify a connection and also track the QTIP state.
+
+
+**Listeners with different QTIP enablements shall NOT be able to exist on the same local port.**
+
+A QTIP-enabled listener will reserve both UDP/TCP ports equal to the local port of the listener
+and configure XDP to intercept UDP/TCP packets on that local port. A non-QTIP listener will just reserve a UDP port
+and have XDP intercept UDP packets on that port. To avoid conflicting traffic, we disallow 2 listeners with the same
+local port but different QTIP enablements to exist.
@@ -170,7 +170,7 @@ These parameters are accessed by calling [GetParam](./api/GetParam.md) or [SetPa
 |-------------------------------------------|---------------------------|-----------|-----------------------------------------------------------|
 | `QUIC_PARAM_LISTENER_LOCAL_ADDRESS`<br> 0 | QUIC_ADDR                 | Get-only  | Get the full address tuple the server is listening on.    |
 | `QUIC_PARAM_LISTENER_STATS`<br> 1         | QUIC_LISTENER_STATISTICS  | Get-only  | Get statistics specific to this Listener instance.        |
-| `QUIC_PARAM_LISTENER_CIBIR_ID`<br> 2      | uint8_t[]                 | Both      | The CIBIR well-known idenfitier.                          |
+| `QUIC_PARAM_LISTENER_CIBIR_ID`<br> 2      | uint8_t[]                 | Both      | Sets a [CIBIR](./CIBIR.md) (CID-Based Identification and Routing) well-known identifier. |
 | `QUIC_PARAM_DOS_MODE_EVENTS`<br> 2        | BOOLEAN                   | Both      | The Listener opted in for DoS Mode event.                 |
 
 ## Connection Parameters
 
@@ -0,0 +1,130 @@
+# MsQuic over XDP
+
+To avoid confusion, "XDP" refers to [XDP-for-windows](https://github.com/microsoft/xdp-for-windows).
+MsQuic does not support Linux XDP as a datapath.
+
+## What is XDP
+
+XDP enables received packets to completely bypass the OS networking stack.
+
+Applications can subscribe to XDP ring buffers to post packets to send,
+and process packets that are received through AF_XDP sockets.
+
+Additionally, applications can program XDP to determine the
+logic for which packets to filter for, and what to do with them.
+
+For instance: "drop all packets with a UDP header and destination port
+42."
+
+## Port reservation logic
+
+The type of logic MsQuic programs into XDP looks like:
+ "redirect all packets with a destination port X to an AF_XDP socket."
+
+This runs into the issue of **packet stealing.** If there was an unrelated process
+that binds an OS socket to the same port MsQuic used to program XDP, XDP will steal
+that traffic from underneath it.
+
+Which is why MsQuic will always create an OS UDP socket on the same port as the AF_XDP
+socket to play nice with the rest of the stack.
+
+There are *exceptions* to this port reservation.
+
+- Sometimes, MsQuic may create a TCP OS socket instead, or both TCP and UDP (see [QTIP](./QTIP.md)).
+- Sometimes, MsQuic may NOT create any OS sockets at all (see [CIBIR](./CIBIR.md)).
+
+
+## MsQuic over XDP general architecture:
+
+```mermaid
+flowchart TB
+
+%% =========================
+%% NIC + RSS
+%% =========================
+NIC["NIC interface"]
+
+RSS1["RSS queue"]
+RSS2["RSS queue"]
+
+NIC --> RSS1
+NIC --> RSS2
+
+%% =========================
+%% XDP FILTER ENGINE
+%% =========================
+subgraph XDP_ENGINE["XDP FILTER ENGINE"]
+
+    XDP_PROG1["XDP::XDP program"]
+    XDP_PROG2["XDP::XDP program"]
+
+    XDP_RULES["XDP::XDP RULES"]
+
+    AFXDP1["AF_XDP Socket"]
+    AFXDP2["AF_XDP Socket"]
+
+    RSS1 -->|packet data| XDP_PROG1
+    RSS2 -->|packet data| XDP_PROG2
+
+    XDP_PROG1 --> XDP_RULES
+    XDP_PROG2 --> XDP_RULES
+
+    XDP_RULES --> AFXDP1
+    XDP_RULES --> AFXDP2
+
+end
+
+%% =========================
+%% PACKET DEMUX
+%% =========================
+DEMUX["Packet DE-MUX logic"]
+
+AFXDP1 --> DEMUX
+AFXDP2 --> DEMUX
+
+%% =========================
+%% CXPLAT SOCKET POOL
+%% =========================
+subgraph CXPLAT_POOL["CXPLAT SOCKET POOL HASH TABLE"]
+
+    CX1["CXPLAT Socket"]
+    CX2["CXPLAT Socket"]
+    CX3["CXPLAT Socket"]
+    CX4["CXPLAT Socket"]
+
+end
+
+DEMUX --> CX1
+DEMUX --> CX2
+DEMUX --> CX3
+DEMUX --> CX4
+
+%% =========================
+%% FIND BINDING LOGIC
+%% =========================
+BIND["FIND BINDING LOGIC"]
+
+CX1 --> BIND
+CX2 --> BIND
+CX3 --> BIND
+CX4 --> BIND
+
+%% =========================
+%% MSQUIC OBJECTS
+%% =========================
+subgraph MSQUIC_OBJECTS["MSQUIC OBJECTS"]
+
+    CONN1["Connection"]
+    CONN2["Connection"]
+    CONN3["Connection"]
+    LIST1["Listener"]
+    LIST2["Listener"]
+
+end
+
+BIND --> CONN1
+BIND --> CONN2
+BIND --> CONN3
+BIND --> LIST1
+BIND --> LIST2
+```
@@ -299,6 +299,15 @@ QuicBindingGetRemoteAddress(
 #endif
 }
 
+_IRQL_requires_max_(DISPATCH_LEVEL)
+BOOLEAN
+QuicBindingGetQtipEnabled(
+    _In_ const QUIC_BINDING* Binding
+    )
+{
+    return CxPlatSocketGetQtipEnabled(Binding->Socket);
+}
+
 //
 // Returns TRUE if there are any registered listeners on this binding.
 //
 
@@ -321,6 +321,15 @@ QuicBindingGetRemoteAddress(
     _Out_ QUIC_ADDR* Address
     );
 
+//
+// Queries the QTIP settings of the binding.
+//
+_IRQL_requires_max_(DISPATCH_LEVEL)
+BOOLEAN
+QuicBindingGetQtipEnabled(
+    _In_ const QUIC_BINDING* Binding
+    );
+
 //
 // Looks up the listener based on the ALPN list. Optionally, outputs the
 // first ALPN that matches.
 
@@ -6699,11 +6699,14 @@ QuicConnParamSet(
         memcpy(Connection->CibirId + 1, Buffer, BufferLength);
 
         QuicTraceLogConnInfo(
-            CibirIdSet,
+            CibirIdSetInfo,
             Connection,
-            "CIBIR ID set (len %hhu, offset %hhu)",
+            "CIBIR ID set (len %hhu, offset %hhu, id 0x%llx)",
             Connection->CibirId[0],
-            Connection->CibirId[1]);
+            Connection->CibirId[1],
+            (unsigned long long)QuicCibirIdToUint64(
+                Connection->CibirId + 2,
+                Connection->CibirId[0]));
 
         return QUIC_STATUS_SUCCESS;
     }
 
@@ -2108,13 +2108,13 @@ MsQuicClose(
 _IRQL_requires_max_(DISPATCH_LEVEL)
 QUIC_BINDING*
 QuicLibraryLookupBinding(
-#ifdef QUIC_COMPARTMENT_ID
-    _In_ QUIC_COMPARTMENT_ID CompartmentId,
-#endif
-    _In_ const QUIC_ADDR* LocalAddress,
-    _In_opt_ const QUIC_ADDR* RemoteAddress
+    _In_ const CXPLAT_UDP_CONFIG* UdpConfig
     )
 {
+    const QUIC_ADDR* LocalAddress = UdpConfig->LocalAddress;
+    const QUIC_ADDR* RemoteAddress = UdpConfig->RemoteAddress;
+    BOOLEAN EnableQtip = !!(UdpConfig->Flags & CXPLAT_SOCKET_FLAG_QTIP);
+
     for (CXPLAT_LIST_ENTRY* Link = MsQuicLib.Bindings.Flink;
         Link != &MsQuicLib.Bindings;
         Link = Link->Flink) {
@@ -2123,7 +2123,7 @@ QuicLibraryLookupBinding(
             CXPLAT_CONTAINING_RECORD(Link, QUIC_BINDING, Link);
 
 #ifdef QUIC_COMPARTMENT_ID
-        if (CompartmentId != Binding->CompartmentId) {
+        if (UdpConfig->CompartmentId != Binding->CompartmentId) {
             continue;
         }
 #endif
@@ -2134,21 +2134,25 @@ QuicLibraryLookupBinding(
         if (Binding->Connected) {
             //
             // For client/connected bindings we need to match on both local and
-            // remote addresses/ports.
+            // remote addresses/ports, along with transport type (QTIP). We need to match on the 5-tuple,
+            // because client connections cannot share the binding if the underlying transport does not match.
             //
             if (RemoteAddress &&
                 QuicAddrCompare(LocalAddress, &BindingLocalAddr)) {
                 QUIC_ADDR BindingRemoteAddr;
                 QuicBindingGetRemoteAddress(Binding, &BindingRemoteAddr);
-                if (QuicAddrCompare(RemoteAddress, &BindingRemoteAddr)) {
+                if (QuicAddrCompare(RemoteAddress, &BindingRemoteAddr) &&
+                    QuicBindingGetQtipEnabled(Binding) == EnableQtip) {
                     return Binding;
                 }
             }
 
         } else {
             //
             // For server (unconnected/listening) bindings we always use wildcard
-            // addresses, so we simply need to match on local port.
+            // addresses, so we simply need to match on the local port. We need not consider the
+            // binding QTIP settings because we always disallow listeners with different QTIP settings to
+            // share a binding. This is enforced by the caller.
             //
             if (QuicAddrGetPort(&BindingLocalAddr) == QuicAddrGetPort(LocalAddress)) {
                 //
@@ -2179,6 +2183,8 @@ QuicLibraryGetBinding(
         UdpConfig->LocalAddress == NULL || QuicAddrGetPort(UdpConfig->LocalAddress) == 0;
     const BOOLEAN ShareBinding = !!(UdpConfig->Flags & CXPLAT_SOCKET_FLAG_SHARE);
     const BOOLEAN ServerOwned = !!(UdpConfig->Flags & CXPLAT_SOCKET_SERVER_OWNED);
+    const BOOLEAN EnableQtip = !!(UdpConfig->Flags & CXPLAT_SOCKET_FLAG_QTIP);
+
 
 #ifdef QUIC_SHARED_EPHEMERAL_WORKAROUND
     //
@@ -2209,17 +2215,12 @@ QuicLibraryGetBinding(
 
     Status = QUIC_STATUS_NOT_FOUND;
     CxPlatDispatchLockAcquire(&MsQuicLib.DatapathLock);
-
     Binding =
-        QuicLibraryLookupBinding(
-#ifdef QUIC_COMPARTMENT_ID
-            UdpConfig->CompartmentId,
-#endif
-            UdpConfig->LocalAddress,
-            UdpConfig->RemoteAddress);
+        QuicLibraryLookupBinding(UdpConfig);
     if (Binding != NULL) {
         if (!ShareBinding || Binding->Exclusive ||
-            (ServerOwned != Binding->ServerOwned)) {
+            (ServerOwned != Binding->ServerOwned) ||
+            (!Binding->Connected && QuicBindingGetQtipEnabled(Binding) != EnableQtip)) {
             //
             // The binding does already exist, but cannot be shared with the
             // requested configuration.
@@ -2291,26 +2292,30 @@ QuicLibraryGetBinding(
         // tuple, so we need to do collision detection based on the whole
         // 4-tuple.
         //
-        Binding =
-            QuicLibraryLookupBinding(
+        CXPLAT_UDP_CONFIG Config = {0};
 #ifdef QUIC_COMPARTMENT_ID
-                UdpConfig->CompartmentId,
+        Config.CompartmentId = UdpConfig->CompartmentId;
 #endif
-                &NewLocalAddress,
-                UdpConfig->RemoteAddress);
+        Config.LocalAddress = &NewLocalAddress;
+        Config.RemoteAddress = UdpConfig->RemoteAddress;
+        Config.Flags = UdpConfig->Flags;
+        Binding =
+            QuicLibraryLookupBinding(&Config);
     } else {
         //
         // The datapath does not supports multiple connected sockets on the same
         // local tuple, so we just do collision detection based on the local
         // tuple.
         //
-        Binding =
-            QuicLibraryLookupBinding(
+        CXPLAT_UDP_CONFIG Config = {0};
 #ifdef QUIC_COMPARTMENT_ID
-                UdpConfig->CompartmentId,
+        Config.CompartmentId = UdpConfig->CompartmentId;
 #endif
-                &NewLocalAddress,
-                NULL);
+        Config.LocalAddress = &NewLocalAddress;
+        Config.RemoteAddress = NULL;
+        Config.Flags = UdpConfig->Flags;
+        Binding =
+            QuicLibraryLookupBinding(&Config);
     }
 
     if (Binding != NULL) {