- From: Johnny Graettinger <jgraettinger@chromium.org>
- Date: Mon, 7 Jul 2014 18:21:53 -0400
- To: Poul-Henning Kamp <phk@phk.freebsd.dk>
- Cc: Mike Bishop <Michael.Bishop@microsoft.com>, Mark Nottingham <mnot@mnot.net>, HTTP Working Group <ietf-http-wg@w3.org>
- Message-ID: <CAEn92TqRUkns8FLC_cLZ1xbh1iNpVexixZtawR1M7A5Eg8n-8g@mail.gmail.com>
> I thought about server visibility along these lines:
>
> In the case where the server is producing the basis for subsequent
> requests (i.e. links on a web page), it is reasonable to expect the
> web designer to either theoretically or through tests confirm that
> the links pass muster.

This is a tall order :) Consider even a mildly dysfunctional organization with multiple teams owning siloed services operating over a shared cookie space. Throw in some AJAX requests with metadata made across those service boundaries for extra fun.

> In the other case, for instance where the client composes requests
> based on some written API manual, I think the risk of huge HEADERS
> is much more likely, but here again it doesn't matter who produces the
> 413, the right person still receives it.

How do I (as an API provider) discover that users are trying to use my service in a way I'm not currently supporting? Perhaps they're attempting a use case I'd actually like to support. Realistically, I need to have metrics on this.

> > So, having a maximum header size setting isn't useful to the client [...]
>
> Not in all cases, but it does for instance tell the client that
> they can get their Kerberos tickets through.
>
> And it does help in shaving DoS attacks.

How? Advertising the allowable length makes it easy for an attacker to craft the most damaging payload possible. If I tighten my limit in response to a DoS, I also certainly don't want to advertise it, as that makes it easy for the attacker to follow along. I therefore need a mitigation on the server side capable of rejecting over-limit requests, and since I must have this anyway, what is the setting buying me?

> A server can advertise a SETTINGS which is narrowly tuned to allow
> all legitimate requests.

In my experience, "narrow tuning to allow all legitimate requests" is an oxymoron :)

> Any client disrespecting this with intent to DoS will declare its
> intention in the first four bytes of the HEADERS frame and the
> server will instantly know, without opening the time/space window
> from the valid sizes to the current draft's "unlimited" to abuse.

If I have intent to DoS, I'll send you exactly as much payload as you allow and no more. I'm not going to make it easy for you.
Received on Monday, 7 July 2014 22:22:20 UTC
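The server-side mitigation and metrics Johnny says he needs regardless of any advertised setting, combined with PHK's point that a HEADERS frame declares its length in its first bytes, as an added example that is not code from this thread: a hypothetical `HeaderLimiter` fed raw HTTP/2 frame headers with an assumed 8000-byte cap. It goes one step past the discussion by also accounting for CONTINUATION frames, which let a header block grow beyond what the first frame's length field announced.

```go
package main

import "fmt"

// HTTP/2 HEADERS and CONTINUATION frame types, and the END_HEADERS flag that closes a block.
const frameHeaders, frameContinuation, flagEndHeaders = 0x1, 0x9, 0x4

// HeaderLimiter caps the wire size of one stream's header block (HEADERS plus CONTINUATION
// frames, checked before HPACK decoding) and counts rejections so the operator has metrics.
type HeaderLimiter struct {
	MaxHeaderBlock uint32
	Rejected       int
	pending        map[uint32]uint32 // bytes accumulated per unfinished header block
}

// Observe is handed the 9-octet frame header (length(24) type(8) flags(8) R(1)+stream(31))
// of each frame in arrival order, before its payload, and reports whether it is accepted.
// The running total is checked at every frame, so an oversize block is refused at the
// first frame that crosses the cap instead of after the whole block has been buffered.
func (l *HeaderLimiter) Observe(raw []byte) (bool, error) {
	if len(raw) < 9 {
		return false, fmt.Errorf("short frame header: %d bytes", len(raw))
	}
	length := uint32(raw[0])<<16 | uint32(raw[1])<<8 | uint32(raw[2])
	typ, flags := raw[3], raw[4]
	stream := (uint32(raw[5])<<24 | uint32(raw[6])<<16 | uint32(raw[7])<<8 | uint32(raw[8])) & 0x7fffffff
	if typ != frameHeaders && typ != frameContinuation {
		return true, nil
	}
	if l.pending == nil {
		l.pending = map[uint32]uint32{}
	}
	total := l.pending[stream] + length
	if total > l.MaxHeaderBlock {
		delete(l.pending, stream) // caller then resets the stream or answers 413
		l.Rejected++
		return false, nil
	}
	if flags&flagEndHeaders != 0 {
		delete(l.pending, stream)
	} else {
		l.pending[stream] = total
	}
	return true, nil
}

func main() {
	l := &HeaderLimiter{MaxHeaderBlock: 8000} // constructed sample: 4096-byte HEADERS without END_HEADERS, then 4096-byte CONTINUATION
	ok1, _ := l.Observe([]byte{0, 0x10, 0, frameHeaders, 0, 0, 0, 0, 1})
	ok2, _ := l.Observe([]byte{0, 0x10, 0, frameContinuation, flagEndHeaders, 0, 0, 0, 1})
	fmt.Println(ok1, ok2, l.Rejected) // true false 1
}
```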