W3C home > Mailing lists > Public > ietf-http-wg@w3.org > April to June 2013

Re: Design Issue: Max Concurrent Streams Limit and Unidirectional Streams

From: Poul-Henning Kamp <phk@phk.freebsd.dk>
Date: Fri, 26 Apr 2013 06:51:19 +0000
To: James M Snell <jasnell@gmail.com>
cc: Martin Thomson <martin.thomson@gmail.com>, "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
Message-ID: <2858.1366959079@critter.freebsd.dk>
In message <CABP7Rbc49-VPGggp3auHCRDKCc6BYfTwO2pZzg68Kfgi_VQdCg@mail.gmail.com>
, James M Snell writes:

>For instance, if the intermediary allows the
>client to open 10 concurrent streams, and the client opens and
>half-closes those streams at too high of a rate without giving the
>server time to properly respond, the intermediary can hold new streams
>for a period of time or reject the new streams until the server
>catches up.

It worries me to no end, that nobody here has even mentioned "DoS" with
a single word.

Denial-Of-Service mitigation has to be built into HTTP/2.0 from the
bottom up.

The default rule should be that any frame which fails any validation
should cause instant and silent session termination.

And we might as well write that into the standard, because that's what
any high-performance implementation will be forced to implement anyway.

Poul-Henning Kamp       | UNIX since Zilog Zeus 3.20
phk@FreeBSD.ORG         | TCP/IP since RFC 956
FreeBSD committer       | BSD since 4.3-tahoe    
Never attribute to malice what can adequately be explained by incompetence.
Received on Friday, 26 April 2013 06:52:07 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 17:14:10 UTC