W3C home > Mailing lists > Public > ietf-http-wg@w3.org > April to June 2014

Re: Interleaving #481 (was Re: Limiting header block size)

From: Martin Thomson <martin.thomson@gmail.com>
Date: Tue, 3 Jun 2014 10:08:39 -0700
Message-ID: <CABkgnnW0Q4AD1svdgWaiCfB=Y-C_Du3ii12eYan42KY9mo-CNw@mail.gmail.com>
To: Greg Wilkins <gregw@intalio.com>
Cc: Michael Sweet <msweet@apple.com>, HTTP Working Group <ietf-http-wg@w3.org>
On 3 June 2014 01:56, Greg Wilkins <gregw@intalio.com> wrote:
> The DoS vector is also against the server.  Allowing arbitrary large headers
> is an unconstrained memory commitment that each server has to make when
> accepting a new stream.

Well, if you stipulate that servers have to accept the request, then
they have to accept the request and all that it entails.

As I've pointed out before, a limit won't prevent effectively
unbounded commitment.  HPACK can be used to generate a much larger
state commitment than it's wire format requires.

Servers do have the option of rejecting the string and avoiding the
memory commitment.  Market forces notwithstanding.

> I truly do think this
> is a network neutrality issue

In that case, I recommend that you direct your comment to
http://www.fcc.gov/comments

> I also do not think you can so easily dismiss the intermediary issue as
> simple a problem for intermediaries to solve.  It may be very difficult to
> detect a bad actor before a DoS occurs.     Consider a load balancer in
> front of an auction site, which will typically receive a burst of bids just
> before the closing time.  A bad actor can be a perfectly reasonable client
> until a few seconds before the auction closes, at which time they suddenly
> send several incomplete header blocks.

You had me until this point.  An intermediary shouldn't commit
incomplete header blocks to a multiplexed connection.  In most cases,
they can't.  This is part of what I'm talking about when I say that
the intermediary has a responsibility to multiplex properly.

> One solution would be for load balancers to always reject streams with
> continuation frames.  This would work perfectly well for 99.9% of traffic.
> So one may ask why are continuation frames in the spec?

This would be a bad idea.  The existence of continuations is largely
orthogonal to header size.  You might as well reject requests based on
whether the current date when converted to RGB is a colour you don't
like.  Such behaviour leads to the sorts of perversions clients are
forced to do to get HTTP/1.1 requests working today.

> I believe that we should be able to apply a known limit to header sizes so
> that applications can be written in such a way that they know they will pass
> intermediaries and be acceptable to servers.
> An ecosystem where we say that unlimited headers are allowed, but then
> arbitrary undocumented and undiscovereable limits are applied, is a
> difficult space to effectively use meta data in.

I'm inclined to agree with the general principle, but am unable to
effectively turn this into practice without breaking things.  We've
already established (several times over now) that a hard limit is
unacceptable.  It's also been established that a hop-by-hop
negotiation for size doesn't work for something that is essentially
end-to-end.  Thus, we arrive at where we are today.

> But failing that, interleaving data frames from existing streams would at
> least somewhat address the attack I described above.

I think that it would enable it more than it would mitigate it.
Received on Tuesday, 3 June 2014 17:09:08 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 17:14:31 UTC