RE: #466 segment compression from K.Morgan@iaea.org on 2014-04-29 (ietf-http-wg@w3.org from April to June 2014)

From: <K.Morgan@iaea.org>
Date: Tue, 29 Apr 2014 08:41:59 +0000
To: <matthew@kerwin.net.au>, <ietf-http-wg@w3.org>
CC: <martin.thomson@gmail.com>
Message-ID: <0356EBBE092D394F9291DA01E8D28EC20112984BB2@sem001pd.sg.iaea.org>

I think the simplest idea is to require the origin to separate attacker-controlled data and private/confidential data by segments.  All of the rest of the intermediary problems go away since an intermediary already can’t re-frame across segment boundaries, plus it allows an intermediary to do whatever it wants within a segment (compress/uncompress/concatenate/de-compress+re-compress).

The thing I like about Martin’s idea to switch to one compression context per segment is that it provides greater compatibility between HTTP/1.x T-E and HTTP/2 transfer codings.  Per-frame compression as we have it now is compatible with T-E when going from 2 -> 1.x, but it’s not compatible from 1.x -> 2.  The added complexity and the “vast increase in DoS surface area” [1] is a big deal though.

[1] https://github.com/http2/http2-spec/issues/466#issuecomment-41361711




--
Keith S. Morgan
Remote Monitoring Unit
Safeguards, International Atomic Energy Agency (IAEA)
Vienna, Austria
Office: +43 1 2600 26672
Handy: +43 699 165 26672

From: phluid61@gmail.com [mailto:phluid61@gmail.com] On Behalf Of matthew@kerwin.net.au
Sent: Tuesday,29 April 2014 08:53
To: ietf-http-wg@w3.org
Cc: Martin Thomson
Subject: Re: #466 segment compression

Sorry for replying to myself.

On 29 April 2014 16:26, Matthew Kerwin <matthew@kerwin.net.au<mailto:matthew@kerwin.net.au>> wrote:
All three operations (determining frame length, compressing frames, and padding) are hop-by-hop operations, and any intermediary can second-guess or obstinately undo the previous hop's choices if it wants.


I just noticed the bit in 10.6 that says that intermediaries can't add compression. Is that the delineation to which you referred in #466 Martin?  That text introduces complexity I hadn't imagined when proposing per-frame compression. I'll think about it some more.


--
  Matthew Kerwin
  http://matthew.kerwin.net.au/


This email message is intended only for the use of the named recipient. Information contained in this email message and its attachments may be privileged, confidential and protected from disclosure. If you are not the intended recipient, please do not read, copy, use or disclose this communication to others. Also please notify the sender by replying to this message and then delete it from your system.

Received on Tuesday, 29 April 2014 08:42:38 UTC