- From: Poul-Henning Kamp <phk@phk.freebsd.dk>
- Date: Fri, 26 Apr 2013 06:51:19 +0000
- To: James M Snell <jasnell@gmail.com>
- cc: Martin Thomson <martin.thomson@gmail.com>, "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
In message <CABP7Rbc49-VPGggp3auHCRDKCc6BYfTwO2pZzg68Kfgi_VQdCg@mail.gmail.com>, James M Snell writes:

> For instance, if the intermediary allows the client to open 10 concurrent streams, and the client opens and half-closes those streams at too high of a rate without giving the server time to properly respond, the intermediary can hold new streams for a period of time or reject the new streams until the server catches up.

It worries me to no end that nobody here has even mentioned "DoS" with a single word.

Denial-Of-Service mitigation has to be built into HTTP/2.0 from the bottom up.

The default rule should be that any frame which fails any validation should cause instant and silent session termination.

And we might as well write that into the standard, because that's what any high-performance implementation will be forced to implement anyway.

--
Poul-Henning Kamp | UNIX since Zilog Zeus 3.20
phk@FreeBSD.ORG | TCP/IP since RFC 956
FreeBSD committer | BSD since 4.3-tahoe
Never attribute to malice what can adequately be explained by incompetence.
Received on Friday, 26 April 2013 06:52:07 UTC
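As an added illustration, not code from this message or from the working group: a fail-closed HTTP/2 frame-header validator in Python, in the spirit of the "any frame that fails validation terminates the session" rule argued for above. It uses the 9-octet header layout that the later RFC 7540 standardised; the frame-type constants, the 16384-octet default frame size, the concurrent-stream limit of 10 taken from the quoted scenario, and the policy of dropping the connection without sending GOAWAY are assumptions made for the demonstration.

```python
import struct

# Header layout of the later RFC 7540, section 4.1: 24-bit length, 8-bit type, 8-bit flags, 1 reserved bit + 31-bit stream id.
DATA, HEADERS, RST_STREAM, SETTINGS, PING, GOAWAY = 0x0, 0x1, 0x3, 0x4, 0x6, 0x7
KNOWN_TYPES = range(0x0, 0xA)  # types 0x0..0x9 are defined; others are ignored


def frame_header(length, ftype, flags, stream_id) -> bytes:
    """Build a 9-octet header (constructed demo input; payload omitted)."""
    return length.to_bytes(3, "big") + bytes([ftype, flags]) + struct.pack("!I", stream_id)


def parse_frame_header(buf: bytes):
    """Return (length, type, flags, stream_id); the reserved bit is masked off."""
    if len(buf) < 9:
        raise ValueError("short header")
    stream_id = struct.unpack("!I", buf[5:9])[0] & 0x7FFFFFFF
    return int.from_bytes(buf[0:3], "big"), buf[3], buf[4], stream_id


class Connection:
    """Fail-closed receiver: any frame that fails validation ends the session."""
    def __init__(self, max_frame_size=16384, max_concurrent_streams=10):
        self.max_frame_size = max_frame_size            # SETTINGS_MAX_FRAME_SIZE
        self.max_concurrent_streams = max_concurrent_streams
        self.open_streams = set()                       # streams the peer opened
        self.alive = True

    def validate(self, length, ftype, stream_id):
        if length > self.max_frame_size:
            raise ValueError("frame exceeds SETTINGS_MAX_FRAME_SIZE")
        if ftype in (DATA, HEADERS, RST_STREAM) and stream_id == 0:
            raise ValueError("stream-level frame sent on stream 0")
        if ftype in (SETTINGS, PING, GOAWAY) and stream_id != 0:
            raise ValueError("connection-level frame sent on a stream")
        if ftype == HEADERS and stream_id not in self.open_streams:
            if len(self.open_streams) >= self.max_concurrent_streams:
                raise ValueError("SETTINGS_MAX_CONCURRENT_STREAMS exceeded")
            self.open_streams.add(stream_id)
        if ftype == RST_STREAM:
            self.open_streams.discard(stream_id)

    def feed(self, frame: bytes) -> str:
        """Return 'ok', 'ignored' (unknown type) or 'terminated'."""
        try:
            length, ftype, _flags, stream_id = parse_frame_header(frame)
            if ftype not in KNOWN_TYPES:
                return "ignored"   # unknown frame types are discarded, not fatal
            self.validate(length, ftype, stream_id)
        except ValueError:
            self.alive = False     # silent close: no GOAWAY, no error code sent
            return "terminated"
        return "ok"
```

Stream closing via END_STREAM is deliberately not modelled; only RST_STREAM releases a slot, which keeps the concurrent-stream bookkeeping short enough to read at a glance.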