Respond to migration probes with an unlinkable remote connection ID

[Ralith]

When we respond to a probing packet off the active path

quinn/quinn-proto/src/connection/mod.rs

Line 842 in 434c358

if let Some((token, remote)) = self.path_responses.pop_off_path(self.path.remote) {

we reuse the prepared packet builder, which was created with the active path's remote connection ID:

quinn/quinn-proto/src/connection/mod.rs

Lines 759 to 768 in 434c358

	let builder = builder_storage.insert(PacketBuilder::new(
	now,
	space_id,
	self.rem_cids.active(),
	buf,
	buf_capacity,
	datagram_start,
	ack_eliciting,
	self,
	)?);

This allows an external observer to correlate the response with the active connection, and might help the observer correlate future migrated traffic despite the eventual use of a fresh connection ID for non-probing traffic.

For better security, we should check for and potentially send such a response before preparing a builder for the active path, making one-time use of a fresh connection ID. This may be a little tricky because CidQueue currently assumes strictly in-order consumption of CIDs, but discarding the active CID would undermine the goal of avoiding linkability.

[djc]

@straight-flush your comments don't seem to be on-topic for this issue. Please stop?

[djc]

I don't know what you're talking about, it doesn't seem to be related to migration probes and connection IDs. If you have a meta comment to make about the state of this work, your comments so far have not been recognizable as such.

[flub]

I was looking at this because of our multipath branch. I think I can do a fairly easy and clear patch for this based on #2168 and #2195 without too much work. In with those PRs the Option<PacketBuilder> is gone so it's easy to track when the packet builder is created.