Re: new draft for the minimum value setting mechanism of HTTP2.0 Window and Window_update

Hi,

Thanks for sharing this.  I think that I understand the problem you describe, but I'm not sure that I can see how this differs from CVE-2019-9511 “Data Dribble”[1].  Can you explain how this is different?  Is the number 128 somehow special?  The CVE talks about 1-byte increases; is this just that the problem exists for a range of smaller values?

[1] https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md

On Tue, Feb 9, 2021, at 19:44, Meiling Chen wrote:
> Hello all, 
> We find a problem when using the http2.0 protocol, actually happening in 
> our network: in the course of the interaction, when 
> window_size_increment in the window update frame is less
> than 128 bytes and the increased window size is also less than 128 bytes, 
> the network connection will come to an error.  We describe it in 
> detail in the draft 
> draft-chen-httpbis-window-size-use-case-00 (https://datatracker.ietf.org/doc/draft-chen-httpbis-window-size-use-case/).
> Meanwhile, we proposed a solution to the problem, by defining the 
> minimum value setting mechanism of HTTP2.0 Window and Window_update, 
> and a Window_update frame sending
> mechanism. We describe the interactive process in detail in the draft 
> draft-chen-httpbis-window-size-00 
> (https://datatracker.ietf.org/doc/draft-chen-httpbis-window-size/).
> 
> Comments are welcome.
> 
> Best Wishes
> 
> (Chen Meiling)
> 
> --------------------------------------------------------------------------------------
> 
> Research Institute of China Mobile Communications Co. Ltd
> 
> Institute of Safety Technology
> 
> Email address: chenmeiling@chinamobile.com
> 
> Phone: 13810149515
> 
> Telephone: 15801696688-34283
> 
> Address: No. 32, Xuanwumen West Street, Xicheng District, Beijing 
> (Mobile Innovation Building)
>

Received on Tuesday, 9 February 2021 09:56:38 UTC
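
Added example, not part of the original thread or of either draft: a small Python parser that walks a raw HTTP/2 frame stream and counts, per stream, how many WINDOW_UPDATE frames carry an increment below 128 bytes, the condition both messages discuss. The frame layout follows RFC 7540; the 128-byte threshold is taken from the thread, and the function names and the sample bytes are constructed for illustration. It assumes decrypted frames starting after the connection preface.

```python
import struct

WINDOW_UPDATE = 0x8      # frame type, RFC 7540 section 6.9
SMALL_INCREMENT = 128    # threshold from the thread; an assumption, not a standard value

def frame(ftype, stream_id, payload, flags=0):
    """Build one HTTP/2 frame (only used to construct the sample input)."""
    header = struct.pack(">I", len(payload))[1:] + bytes([ftype, flags])
    return header + struct.pack(">I", stream_id & 0x7FFFFFFF) + payload

def window_updates(buf):
    """Yield (stream_id, increment) for every WINDOW_UPDATE frame in buf."""
    pos = 0
    while pos + 9 <= len(buf):
        length = int.from_bytes(buf[pos:pos + 3], "big")   # 24-bit payload length
        ftype = buf[pos + 3]
        # The top bit of the stream identifier is reserved and must be masked off.
        stream_id = int.from_bytes(buf[pos + 5:pos + 9], "big") & 0x7FFFFFFF
        payload = buf[pos + 9:pos + 9 + length]
        if len(payload) < length:
            break                                          # truncated capture
        if ftype == WINDOW_UPDATE:
            if length != 4:
                raise ValueError("WINDOW_UPDATE payload must be 4 octets")
            # Reserved bit plus 31-bit Window Size Increment.
            yield stream_id, int.from_bytes(payload, "big") & 0x7FFFFFFF
        pos += 9 + length

def small_update_report(buf, threshold=SMALL_INCREMENT):
    """Map stream_id -> (total WINDOW_UPDATEs, those with increment < threshold)."""
    report = {}
    for stream_id, increment in window_updates(buf):
        total, small = report.get(stream_id, (0, 0))
        report[stream_id] = (total + 1, small + int(increment < threshold))
    return report

# Constructed sample: one normal connection-level update, one DATA frame,
# then four updates on stream 1, three of them below the threshold.
SAMPLE = (
    frame(WINDOW_UPDATE, 0, (65535).to_bytes(4, "big"))
    + frame(0x0, 1, b"x" * 10)
    + b"".join(frame(WINDOW_UPDATE, 1, n.to_bytes(4, "big")) for n in (1, 1, 127, 128))
)

if __name__ == "__main__":
    for sid, (total, small) in sorted(small_update_report(SAMPLE).items()):
        print(f"stream {sid}: {small}/{total} WINDOW_UPDATE frames under {SMALL_INCREMENT} bytes")
```

A high share of small increments on a stream that is still requesting large responses is the pattern worth alerting on; a single small update on its own is normal flow-control behaviour.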