Re: Choosing a header compression algorithm from Roberto Peon on 2013-03-28 (ietf-http-wg@w3.org from January to March 2013)

From: Roberto Peon <grmocg@gmail.com>
Date: Wed, 27 Mar 2013 17:21:19 -0700
To: RUELLAN Herve <Herve.Ruellan@crf.canon.fr>
Cc: "agl@google.com" <agl@google.com>, Mark Nottingham <mnot@mnot.net>, "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>
Message-ID: <CAP+FsNd8-H2X_DTOn9WDp-DTeGkSg+2Luo5bvEgHaRXx0TNV0Q@mail.gmail.com>

Arg. Sorry, the best provably safe option for HeaderDiff is:

*headerdiff (buffer=4096, delta=false, huffman)*

* TOTAL: 5949 req messages
                                                          size  time |
ratio min   max   std
                                           http1     3,460,925  0.22 | 1.00
 1.00  1.00  0.00
           headerdiff (buffer=4096, delta=false)     1,250,042  0.64 | 0.36
 0.01  0.96  0.22
  headerdiff (buffer=4096, delta=false, huffman)       936,003  2.05 | 0.27
 0.01  0.79  0.16

* TOTAL: 5948 res messages
                                                          size  time |
ratio min   max   std
                                           http1     2,186,162  0.08 | 1.00
 1.00  1.00  0.00
           headerdiff (buffer=4096, delta=false)       768,387  2.16 | 0.35
 0.02  0.92  0.18
  headerdiff (buffer=4096, delta=false, huffman)       581,046  3.22 | 0.27
 0.02  0.73  0.14



On Wed, Mar 27, 2013 at 5:14 PM, Roberto Peon <grmocg@gmail.com> wrote:

> I've checked in some changes to delta2 which expands and documents various
> options for delta2 in the README.md.
>
> After running a number of variations of delta2, The following defaults
> look good for small buffer sizes:
>
> delta2=max_entries=256, small_index=1
>
> small_index basically says use a uint8 instead of a uint16 for
> representing indices, and is the kind of thing that could be messaged
> somewhere (opcode, flag, whatever).
>
> The best headerdiff option which I believe is safe against CRIME in the
> future is:
>   headerdiff=delta_type=false,huffman
>
> I removed prefix matching from delta some months ago (~6 I think?) after
> cogitating on it for a while and then speaking with security folks.. I just
> couldn't come up with a way I could prove was safe, unlike the
> atom-matching, which one can prove is no worse than a brute-force attack.
>
> I've appended runs with these values@4k buffer size for delta2 and
> headerdiff below.
> -=R
>
>
>
> * TOTAL: 5949 req messages
>
>                                             size  time | ratio min   max
> std
>
>                              http1     3,460,925  0.13 | 1.00  1.00  1.00
>  0.00
>   delta2 (max_byte_size=4096, max_entries=256, small_index=1, hg_adjust=0,
> implicit_hg_add=0, refcnt_vals=0)       664,683  4.16 | 0.19  0.02  0.83
>  0.15
>                                                          headerdiff
> (buffer=4096, delta_type=false, huffman)       759,783  2.03 | 0.22  0.01
>  0.78  0.18
>
> * TOTAL: 5948 res messages
>
>                                             size  time | ratio min   max
> std
>
>                              http1     2,186,162  0.12 | 1.00  1.00  1.00
>  0.00
>   delta2 (max_byte_size=4096, max_entries=256, small_index=1, hg_adjust=0,
> implicit_hg_add=0, refcnt_vals=0)       585,475  5.32 | 0.27  0.02  1.28
>  0.13
>                                                          headerdiff
> (buffer=4096, delta_type=false, huffman)       543,047  3.29 | 0.25  0.02
>  0.73  0.14
>
>
>
>

Received on Thursday, 28 March 2013 00:21:46 UTC