
RE: Choosing a header compression algorithm

From: RUELLAN Herve <Herve.Ruellan@crf.canon.fr>
Date: Thu, 28 Mar 2013 17:00:08 +0000
To: Roberto Peon <grmocg@gmail.com>
CC: "agl@google.com" <agl@google.com>, Mark Nottingham <mnot@mnot.net>, "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>
Message-ID: <6C71876BDCCD01488E70A2399529D5E5163F68FE@ADELE.crf.canon.fr>
> -----Original Message-----
> From: Roberto Peon [mailto:grmocg@gmail.com]
> Sent: jeudi 28 mars 2013 01:15
> To: RUELLAN Herve
> Cc: agl@google.com; Mark Nottingham; ietf-http-wg@w3.org Group
> Subject: Re: Choosing a header compression algorithm
> 
> I've checked in some changes to delta2 which expand and document
> various options for delta2 in the README.md.
> 
> After running a number of variations of delta2, the following defaults look
> good for small buffer sizes:
> 
> 
> delta2=max_entries=256, small_index=1
> 
> small_index basically says use a uint8 instead of a uint16 for representing
> indices, and is the kind of thing that could be messaged somewhere (opcode,
> flag, whatever).
> 
> The best headerdiff option which I believe is safe against CRIME in the future
> is:
>   headerdiff=delta_type=false,Huffman

I think that for headerdiff, the best option which is safe against CRIME is:
headerdiff=delta_type='/&= \coma',Huffman

> 
> I removed prefix matching from delta some months ago (~6 I think?) after
> cogitating on it for a while and then speaking with security folks. I just
> couldn't come up with a way I could prove was safe, unlike the
> atom-matching, which one can prove is no worse than a brute-force attack.

The limited prefix matching defined above also needs a brute-force attack to be broken.

Hervé.

> 
> I've appended runs with these values@4k buffer size for delta2 and
> headerdiff below.
> -=R
> 
> 
> 
> 
> * TOTAL: 5949 req messages
>                                                                                                                  size  time | ratio   min   max   std
> http1                                                                                                       3,460,925  0.13 |  1.00  1.00  1.00  0.00
> delta2 (max_byte_size=4096, max_entries=256, small_index=1, hg_adjust=0, implicit_hg_add=0, refcnt_vals=0)    664,683  4.16 |  0.19  0.02  0.83  0.15
> headerdiff (buffer=4096, delta_type=false, huffman)                                                           759,783  2.03 |  0.22  0.01  0.78  0.18
>
> * TOTAL: 5948 res messages
>                                                                                                                  size  time | ratio   min   max   std
> http1                                                                                                       2,186,162  0.12 |  1.00  1.00  1.00  0.00
> delta2 (max_byte_size=4096, max_entries=256, small_index=1, hg_adjust=0, implicit_hg_add=0, refcnt_vals=0)    585,475  5.32 |  0.27  0.02  1.28  0.13
> headerdiff (buffer=4096, delta_type=false, huffman)                                                           543,047  3.29 |  0.25  0.02  0.73  0.14
> 
> 
> 
> 
Received on Thursday, 28 March 2013 17:00:43 UTC
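
An added illustration, not part of the original message and not code from delta2 or headerdiff: a toy size model showing how much the encoded size reveals about a stored header value under atom matching, unrestricted prefix matching, and prefix matching limited to delimiter boundaries. The byte costs, function names, delimiter set and sample values are assumptions made for this example.

```python
# Toy size model (assumption, not the real delta2 or headerdiff wire format):
# a whole-value table hit costs 1 byte, a prefix reference costs 2 bytes
# (index + length), and each literal character costs 1 byte.
# Delimiter set is an assumed reading of the delta_type option quoted above.
DELIMS = "/&= ,"


def common_prefix(a, b):
    n = 0
    while n < min(len(a), len(b)) and a[n] == b[n]:
        n += 1
    return n


def limited_prefix(stored, value):
    """Longest shared prefix that ends immediately after a delimiter."""
    n = common_prefix(stored, value)
    while n > 0 and stored[n - 1] not in DELIMS:
        n -= 1
    return n


def encoded_size(mode, stored, value):
    if value == stored:
        return 1  # every mode may reference an identical stored value
    if mode == "atom":
        shared = 0  # no partial reuse
    elif mode == "prefix":
        shared = common_prefix(stored, value)
    elif mode == "limited":
        shared = limited_prefix(stored, value)
    else:
        raise ValueError(f"unknown mode: {mode}")
    literal = len(value)
    # The encoder takes the prefix reference only when it is not larger.
    return min(literal, 2 + literal - shared) if shared else literal


def size_profile(mode, stored, guesses):
    """Encoded size of each candidate value against one stored value."""
    return [encoded_size(mode, stored, g) for g in guesses]


# Constructed sample: candidates share 0, 4, 6, 11 and all 17 characters.
STORED = "sid=a1b2c3&uid=42"
GUESSES = ["x" * 17, "sid=" + "x" * 13, "sid=a1" + "x" * 11,
           "sid=a1b2c3&" + "x" * 6, STORED]

if __name__ == "__main__":
    for mode in ("atom", "prefix", "limited"):
        print(f"{mode:8}", size_profile(mode, STORED, GUESSES))
```

In this model the atom profile changes only on an exact match, the unrestricted prefix profile shrinks with every additional matching character, and the delimiter-limited profile changes only when a whole delimiter-bounded segment matches.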