W3C home > Mailing lists > Public > ietf-http-wg@w3.org > April to June 2012

Re: multiplexing -- don't do it

From: Mike Belshe <mike@belshe.com>
Date: Mon, 2 Apr 2012 14:11:26 -0700
Message-ID: <CABaLYCv4nTi-=DQd1f-A8MUV-VP+XpSKrrqO38ncx+bVtVbXNA@mail.gmail.com>
To: "Adrien W. de Croy" <adrien@qbik.com>
Cc: Amos Jeffries <squid3@treenet.co.nz>, "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
On Mon, Apr 2, 2012 at 2:08 PM, Adrien W. de Croy <adrien@qbik.com> wrote:

>
> ------ Original Message ------
> From: "Mike Belshe" <mike@belshe.com>
> To: "Adrien W. de Croy" <adrien@qbik.com>
> Cc: "Amos Jeffries" <squid3@treenet.co.nz>;"ietf-http-wg@w3.org" <
> ietf-http-wg@w3.org>
> Sent: 3/04/2012 8:52:22 a.m.
> Subject: Re: multiplexing -- don't do it
>
>
>
> On Mon, Apr 2, 2012 at 1:43 PM, Adrien W. de Croy < <adrien@qbik.com>
> adrien@qbik.com> wrote:
>
>>
>> ------ Original Message ------
>> From: "Mike Belshe" <mike@belshe.com>mike@belshe.com
>>
>>
>>
>> On Mon, Apr 2, 2012 at 6:57 AM, Amos Jeffries < <squid3@treenet.co.nz><squid3@treenet.co.nz>
>> squid3@treenet.co.nz> wrote:
>>
>>> On 1/04/2012 5:17 a.m., Adam Barth wrote:
>>>
>>> On Sat, Mar 31, 2012 at 4:54 AM, Mark Nottingham wrote:
>>>>
>>>>> On 31/03/2012, at 1:11 PM, Mike Belshe wrote:
>>>>>
>>>>> For the record - nobody wants to avoid using port 80 for new
>>>>>> protocols.  I'd love to!  There is no religious reason that we don't - its
>>>>>> just that we know, for a fact, that we can't do it without subjecting a
>>>>>> non-trivial number of users to hangs, data corruption, and other errors.
>>>>>>  You might think its ok for someone else's browser to throw reliability out
>>>>>> the window, but nobody at Microsoft, Google, or Mozilla has been willing to
>>>>>> do thatů
>>>>>>
>>>>> Mike -
>>>>>
>>>>> I don't disagree on any specific point (as I think you know), but I
>>>>> would observe that the errors you're talking about can themselves be viewed
>>>>> as transient. I.e., just because they occur in experiments now, doesn't
>>>>> necessarily mean that they won't be fixed in the infrastructure in the
>>>>> future -- especially if they generate a lot of support calls, because they
>>>>> break a lot MORE things than they do now.
>>>>>
>>>>> Yes, there will be a period of pain, but I just wanted to highlight
>>>>> one of the potential differences between deploying a standard and a
>>>>> single-vendor effort.  It's true that we can't go too far here; if we
>>>>> specify a protocol that breaks horribly 50% of the time, it won't get
>>>>> traction. However, if we have a good base population and perhaps a good
>>>>> fallback story, we *can* change things.
>>>>>
>>>> That's not our experience as browser vendors.  If browsers offer an
>>>> HTTP/2.0 that has a bad user experience for 10% of users, then major
>>>> sites (e.g., Twitter) won't adopt it.  They don't want to punish their
>>>> users any more than we do.
>>>>
>>>> Worse, if they do adopt the new protocol, users who have trouble will
>>>> try another browser (e.g., one that doesn't support HTTP/2.0 such as
>>>> IE 9), observe that it works, and blame the first browser for being
>>>> buggy.  The net result is that we lose a user and no pressure is
>>>> exerted on the intermediaries who are causing the problem in the first
>>>> place.
>>>>
>>>> These are powerful market force that can't really be ignored.
>>>>
>>>
>>> So the takeway there is pay attention to the intermediary people when
>>> they say something cant be implemented (or won't scale reasonably).
>>>
>>
>> I agree we should pay attention to scalability - and we have.
>>
>> Please don't disregard that Google servers switched to SPDY with zero
>> additional hardware (the google servers are fully conformant http/1.1
>> proxies with a lot more DoS logic than the average site).  I know, some
>> people think Google is some magical place where scalability defies physics
>> and is not relevant, but this isn't true.  Google is just like every other
>> site, except much much bigger.   If we had a 10% increase in server load
>> with SPDY, Google never could have shipped it.  Seriously, who would roll
>> out thousands of new machines for an experimental protocol?  Nobody.  How
>> would we have convinced the executive team "this will be faster", if they
>> were faced with some huge cap-ex bill?  Doesn't sound very convincing, does
>> it?  In my mind, we have already proven clearly that SPDY scales just fine.
>>
>> But I'm open to other data.  So if you have a SPDY implementation and
>> want to comment on the effects on your server, lets hear it!   And I'm not
>> saying SPDY is free.  But, when you weigh costs (like compression and
>> framing) against benefits (like 6x fewer connections),  there is no
>> problem.  And could we make improvements still?  Of course.  But don't
>> pretend that these are the critical parts of SPDY.  These are the mice nuts.
>>
>>
>> For a forward proxy, there are several main reasons to even exist:
>>
>> a) implement and enforce access control policy
>> b) audit usage
>> c) cache
>>
>> you block any of these by bypassing everything with TLS, you have a
>> non-starter for corporate environments.  Even if currently admins kinda
>> turn a blind eye (because they have to) and allow port 443 through, as more
>> and more traffic moves over to 443, more pressure will come down from
>> management to control it.
>>
>> Best we don't get left with the only option being MITM.
>>
>
> In my talk at the IETF, I proposed a solution to this.
>
> Browsers need to implement SSL to trusted proxies, which can do all of the
> a/b/c that you suggested above.  This solution is better because the proxy
> becomes explicit rather than implicit.  This means that the user knows of
> it, and it IT guys knows of it.  If there are problems, it can be
> configured out of the system.  Implicit proxies are only known the the IT
> guy (maybe), and can't be configured out from a client.  The browser can be
> made to honor HSTS so that end-to-end encryption is always enforced
> appropriately.
>
> Further, proxies today already need this solution, even without SPDY.
>  Traffic is moving to SSL already, albeit slowly, and corporate firewalls
> can't see it today.  Corporate firewall admins are forced to do things like
> block facebook entirely to prevent data leakage.  But, with this solution,
> they could allow facebook access and still protect their IP.  (Or they
> could block it if they wanted to, of course).
>
> Anyway, I do agree with you that we need better solutions so that we don't
> incur more SSL MITM.  Many corporations are already looking for expensive
> SSL MITM solutions (very complex to rollout due to key management) because
> of the reasons I mention above, and its a technically inferior solution.
>
> So lets do it!
>
>
> I basically agree with all the above, however there is the ISP
> intercepting proxy to think about.
>
> Many ISPs here in NZ have them, it's just a fact of life when you're 150ms
> from the US and restricted bandwidth.  Pretty much all the big ISPs have
> intercepting caching proxies.
>
> There's just no way to make these work... period...
>
> unless the ISP is to
>
> a) try and support all their customers to use an explicit proxy, or
> b) get all their customers to install a root cert so they can do MITM.
>


> Maybe we need a better way to force a client to use a proxy, and take the
> pain out of it for administration.  And do it securely (just remembering
> why 305 was deprecated).
>

Do proxy pacs or dhcp work for this?

Note that we also need the browsers to honor HSTS end-to-end, even if we
turn on "GET https://".
Mike




> Adrien
>
>
>
>
>
>
>
> Mike
>
>
>
>
>>
>> Adrien
>>
>>
>>
>>
>> Mike
>>
>>
>>
>>> With plenty of bias, I agree.
>>>
>>> AYJ
>>>
>>>
>>
>
Received on Monday, 2 April 2012 21:11:55 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Friday, 27 April 2012 06:51:59 GMT