
Re: Security Consideration of initial SETTINGS_MAX_CONCURRENT_STREAMS

From: Shigeki Ohtsu <ohtsu@iij.ad.jp>
Date: Thu, 16 Jan 2014 10:08:08 +0900
Message-ID: <52D730F8.4030007@iij.ad.jp>
To: ietf-http-wg@w3.org

(2014/01/16 2:51), Roberto Peon wrote:
> We've actually discussed this in the past, IIRC.
> Yes, we've seen this limit exceeded in the first roundtrip at least once.
>
> This is precisely one of the cases for ENHANCE_YOUR_CALM.
> If the server doesn't like a large number of streams and does want to serve, it can RST them.
> The basic issue here being that we prefer to avoid HOL blocking until it is explicitly signaled that it is needed.

I've just submitted an issue to add a description of this DoS case
in the security section as

https://github.com/http2/http2-spec/issues/343

Regards,
Received on Thursday, 16 January 2014 01:08:39 UTC
