- From: Stefan Eissing <stefan.eissing@greenbytes.de>
- Date: Thu, 11 May 2017 13:46:10 +0200
- To: Kazuho Oku <kazuhooku@gmail.com>
- Cc: Willy Tarreau <w@1wt.eu>, Mark Nottingham <mnot@mnot.net>, Erik Nygren <erik@nygren.org>, "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>, "Ponec, Miroslav" <mponec@akamai.com>, "Kaduk, Ben" <bkaduk@akamai.com>
> Am 11.05.2017 um 13:38 schrieb Kazuho Oku <kazuhooku@gmail.com>: > > 2017-05-11 20:37 GMT+09:00 Stefan Eissing <stefan.eissing@greenbytes.de>: >> >>> Am 11.05.2017 um 13:35 schrieb Kazuho Oku <kazuhooku@gmail.com>: >>> >>> 2017-05-11 20:33 GMT+09:00 Stefan Eissing <stefan.eissing@greenbytes.de>: >>>> >>>>> Am 11.05.2017 um 13:31 schrieb Kazuho Oku <kazuhooku@gmail.com>: >>>>> >>>>> 2017-05-11 17:19 GMT+09:00 Stefan Eissing <stefan.eissing@greenbytes.de>: >>>>>> >>>>>>> Am 11.05.2017 um 07:33 schrieb Willy Tarreau <w@1wt.eu>: >>>>>>> >>>>>>> Hi Mark, >>>>>>> >>>>>>> On Thu, May 11, 2017 at 10:23:12AM +1000, Mark Nottingham wrote: >>>>>>>> If an origin doesn't have robust retry/replay protection in place for >>>>>>>> non-idempotent requests, it seems operationally simpler and safer for them to >>>>>>>> disable 0RT, rather than refusing it on a request-by-request basis. That's >>>>>>>> the discussion I think we should have here... >>>>>>> >>>>>>> That's exactly the situation I'm facing for now with haproxy. A few >>>>>>> users have asked us to support 0RTT and by lack of way to 1) decide >>>>>>> which requests are really safe, and 2) tell the client it must replay >>>>>>> them using 1RTT, for now I refused to enable it. The load balancer >>>>>>> and the origin server will have a different view of the acceptability >>>>>>> of 0RTT, and all the chain must be able to accept or reject them, and >>>>>>> let the client retry. >>>>>> >>>>>> Even the "origin server" might not be aware what the application's >>>>>> committal and guarantee here is. >>>>>> >>>>>> My thoughts for an implementation is: >>>>>> >>>>>> - it has to work without the "upper" layer / next hop being aware of it >>>>>> - it has to fail in a defined HTTP way. The HTTP request is tagged as >>>>>> possibly replayed, regardless of the actual transport. The answer >>>>>> needs to also work on that transport. >>>>>> - The negative answer to a 0-RTT request might come early, might come >>>>>> late. For h2, other streams might have been opened, even answered, >>>>>> in the meantime. >>>>>> - The sender selecting 0-RTT should only do so, if it understands the >>>>>> retry answer. (Once that is defined) >>>>>> - The sender may well want to select 0-RTT only if it considers the >>>>>> data to be safe for replays *and* it expects the server to come to >>>>>> the same conclusion. >>>>>> - So, ideally, sender and receiver have the same notion about what HTTP >>>>>> data is acceptable for 0-RTT. >>>>> >>>>> This is an interesting discussion! >>>>> >>>>> I believe that there is no need for us to require a _client_ to resend >>>>> a HTTP request, even in case it sends a HTTP request in 0-RTT and then >>>>> turns out that the application running behind tells the "origin >>>>> server" that it cannot handle 0-RTT request. >>>>> >>>>> IMO what the origin server should do is buffer the 0-RTT request >>>>> (note: in TLS 1.3, a server can cap the size of 0-RTT data), and if >>>>> the application refuses to handle the request due to the fact that it >>>>> has been sent in 0-RTT, wait until the client proves itself to be a >>>>> legitimate client (by sending an 1-RTT data), and then resend the >>>>> buffered request to the application. >>>> >>>> Hmm, how many RTTs will this proof take? >>> >>> 1RTT. The latency will be the same as when the client did not use 0-RTT. >>> OTOH, the obvious benefit of the proposed approach is less use of >>> bandwidth since there is no need for a client to resend the request. >> >> Ok, so when the server sees the first non-0-RTT byte from the client, the >> handshake was accepted and the 0-RTT data can be regarded as genuine. >> >> The PING merely triggers the data transfer in case the client does not >> send anything on its own, I assume. > > Yes. That is what I have been thinking. Thank you for clarifying that. Excellent, very nice thinking, Kazuho! This strategy really solves any interop issues for origin servers. Nice. In case of proxies/intermediates, the case is different, I think. If a proxy receives 0-RTT data, it can only make direct use of it inside upstream 0-RTT data on a new connection. If it sends 0-RTT data on an established connection, the server cannot detect the replay weakness. A proxy, on forwarding 0-RTT data on an established connection, must first verify the client handshake. Does that make sense? >>>> >>>> >>>>> In HTTP/2, the proof can be obtained by sending a PING frame from the >>>>> server after sending ServerFinished message (of TLS 1.3) and waiting >>>>> for the response to the PING frame. >>>>> >>>>> So, while I agree that it is beneficial to have an agreement on how >>>>> the interaction scheme between the origin server and the application >>>>> running behind (possibly as an informational RFC), I do not see a >>>>> strong reason that we need to introduce some kind of profile due the >>>>> introduction of 0-RTT data in TLS 1.3. >>>>> >>>>>> -Stefan >>>>>> >>>>>>> >>>>>>> I tend to think that a 4xx status code would make sense and would be >>>>>>> useful to pass the verdict back to the client. For example we could >>>>>>> return "418 not idempotent". >>>>>>> >>>>>>> Willy >>>>>>> >>>>>> >>>>>> >>>>> >>>>> >>>>> >>>>> -- >>>>> Kazuho Oku >>>> >>> >>> >>> >>> -- >>> Kazuho Oku >> > > > > -- > Kazuho Oku
Received on Thursday, 11 May 2017 11:46:40 UTC