
Re: Frame Length Restrictions

From: Martin Thomson <martin.thomson@gmail.com>
Date: Mon, 21 Apr 2014 16:16:21 -0700
Message-ID: <CABkgnnW4DhghiRzKc5RdWodgQpYPoeK2QWSx3qKhqKZzjYEoBA@mail.gmail.com>
To: Jeff Pinner <jpinner@twitter.com>
Cc: Johnny Graettinger <jgraettinger@chromium.org>, Patrick McManus <mcmanus@ducksong.com>, K.Morgan@iaea.org, Mark Nottingham <mnot@mnot.net>, HTTP Working Group <ietf-http-wg@w3.org>
On 21 April 2014 15:57, Jeff Pinner <jpinner@twitter.com> wrote:
> The goals here are:
>
> 1) achieve a desired (to-be-provided) frame length distribution
> 2) achieve this with the minimum amount of padding
> 3) achieve the desired distribution regardless of the input data stream
>
> The intent is not to avoid reframing, it's to avoid a discontinuity in the
> output distribution.

Then those goals can be achieved without changing anything.
Re-packaging frames into smaller chunks allows you to meet those
goals.

I can understand if there are END_SEGMENT flags in place that this
complicates things.  But completely-full frames with END_SEGMENT
should be a pathological case.

> Now, if I operate under the assumption that an adversary can force my server
> to produce full size frames, [...]

This is where we have the disconnect.  If an adversary has that much
control over your code, I don't trust *anything* you are sending me.
What's padding going to do to help then?
Received on Monday, 21 April 2014 23:16:49 UTC
