Re: Working Group Last Call for Using Early Data in HTTP from Victor Vasiliev on 2017-12-04 (ietf-http-wg@w3.org from October to December 2017)

From: Victor Vasiliev <vasilvv@google.com>
Date: Sun, 3 Dec 2017 20:07:32 -0500
To: Martin Thomson <martin.thomson@gmail.com>
Cc: Willy Tarreau <w@1wt.eu>, Patrick McManus <mcmanus@ducksong.com>, HTTP Working Group <ietf-http-wg@w3.org>, mnot <mnot@mnot.net>
Message-ID: <CAAZdMafC_2TdxqYA-zUuc24aybUdSWE7Upp9ZpM6bQ7v7Y7Bzw@mail.gmail.com>

Are we talking about the "scenarios in the middle" when a request is
processed
differently on 0-RTT and 1-RTT, but the 0-RTT processing is actually
meaningful
(not 425 or buffering)?  Because if you process request same regardless of
whether it's 0-RTT or 1-RTT, you're consistent.


On Sun, Dec 3, 2017 at 7:57 PM, Martin Thomson <martin.thomson@gmail.com>
wrote:

> On Mon, Dec 4, 2017 at 11:53 AM, Victor Vasiliev <vasilvv@google.com>
> wrote:
> > On Fri, Dec 1, 2017 at 2:47 PM, Willy Tarreau <w@1wt.eu> wrote:
> >>
> >> That's exactly why it's requested that all servers are configured
> >> consistently. As you demonstrated, as long as "all of them" is granted
> >> regardless of the decision, the processing is safe. What is important
> >> is that you can't end up in a situation whose starts with "some
> servers".
> >>
> >> Willy
> >>
> >
> > That's what I thought.  But Martin's email makes it sound like there is a
> > reason to discard early data when it's received after handshake
> completion,
> > instead of treating it as replay-secure.
>
> If there is a chance that you would have accepted (and processed)
> those packets prior to handshake completion, you have an exposure.
> This is just a another case of the consistency requirement.
>

Received on Monday, 4 December 2017 01:07:56 UTC