Re: Re: new draft for the minimum value setting mechanism of HTTP2.0 Window and Window_update

Hi Martin,
Sorry for the late reply because of the holiday.
The attack in CVE-2019-9511 consists of two actions: manipulate the window size and stream priority to force the server to queue data in 1-byte blocks.
A 1-byte block at a time is not mandatory in our use case; we talk about a range of smaller values. We consider the addition of a small window and the few adjusted windows to be an unusual attack. This attack looks similar to CVE-2019-9511. You can see in the use case, section 3, that we did an analysis; normally, it's almost impossible to have simultaneous small cases for Window and Window_update.

Best Wishes,
Meiling Chen
From: Martin Thomson
Date: 2021-02-09 17:56
To: ietf-http-wg
Subject: Re: new draft for the minimum value setting mechanism of HTTP2.0 Window and Window_update
Hi,
 
Thanks for sharing this.  I think that I understand the problem you describe, but I'm not sure that I can see how this differs from CVE-2019-9511 “Data Dribble”[1].  Can you explain how this is different?  Is the number 128 somehow special?  The CVE talks about 1-byte increases; is this just that the problem exists for a range of smaller values?
 
[1] https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md

 
On Tue, Feb 9, 2021, at 19:44, Meiling Chen wrote:
> Hello all, 
> We found a problem when using the HTTP2.0 protocol, actually happening in 
> our network: in the course of the interaction, when 
> window_size_increment in the window update frame is less
> than 128 bytes and the increased window size is also less than 128 bytes, 
> then the network connection will come to an error.  We describe it in 
> detail in the draft 
> draft-chen-httpbis-window-size-use-case-00 (https://datatracker.ietf.org/doc/draft-chen-httpbis-window-size-use-case/).
> Meanwhile, we proposed a solution to the problem, by defining the 
> minimum value setting mechanism of HTTP2.0 Window and Window_update, 
> and a Window_update frame sending
> mechanism. We describe the interactive process in detail in the draft 
> draft-chen-httpbis-window-size-00 
> (https://datatracker.ietf.org/doc/draft-chen-httpbis-window-size/).
> 
> Comments are welcome.
> 
> Best Wishes
> 
> (Chen Meiling)
> 
> --------------------------------------------------------------------------------------
> 
> Research Institute of China Mobile Communications Co. Ltd
> 
> Institute of Safety Technology
> 
> Email address: chenmeiling@chinamobile.com
> 
> Phone: 13810149515
> 
> Telephone: 15801696688-34283
> 
> Address: No. 32, Xuanwumen West Street, Xicheng District, Beijing 
> (Mobile Innovation Building)
>
 
 
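The condition discussed in this thread (a WINDOW_UPDATE increment below 128 octets that leaves the flow-control window itself below 128 octets, the pattern Martin compares to the "Data Dribble" CVE) can be checked on the receiving side of the connection. The following is an added Python example, not code from the draft, from either correspondent, or from any HTTP/2 implementation. It parses WINDOW_UPDATE frames as laid out in RFC 7540, applies the two checks the RFC already mandates (zero increment is PROTOCOL_ERROR, exceeding 2^31-1 is FLOW_CONTROL_ERROR), and then counts "dribble" updates, meaning increment and resulting window both under the 128-octet threshold from the original post. The class name `WindowPolicy`, the `small_budget` tunable and the `SMALL_UPDATE_LIMIT` verdict are assumptions for illustration; the draft does not specify a budget or a response, and a real server would typically answer by closing the connection with a GOAWAY.

```python
from dataclasses import dataclass, field

WINDOW_UPDATE_TYPE = 0x8      # frame type code for WINDOW_UPDATE (RFC 7540 6.9)
MAX_WINDOW = 2**31 - 1        # largest flow-control window the RFC permits
INITIAL_WINDOW = 65535        # default initial window size per stream/connection


@dataclass
class WindowUpdate:
    stream_id: int            # 0 = connection-level window, otherwise a stream
    increment: int            # 31-bit window size increment


def build_window_update(stream_id: int, increment: int) -> bytes:
    """Serialise one WINDOW_UPDATE frame: 9-octet header + 4-octet payload."""
    header = (4).to_bytes(3, "big")                       # 24-bit payload length
    header += bytes([WINDOW_UPDATE_TYPE, 0])              # type, flags (none defined)
    header += (stream_id & 0x7FFFFFFF).to_bytes(4, "big")  # R bit + 31-bit stream id
    return header + (increment & 0x7FFFFFFF).to_bytes(4, "big")


def parse_window_update(buf: bytes) -> WindowUpdate:
    """Parse a single WINDOW_UPDATE frame from raw bytes, rejecting malformed ones."""
    if len(buf) < 9:
        raise ValueError("truncated frame header")
    length = int.from_bytes(buf[0:3], "big")
    frame_type = buf[3]
    if frame_type != WINDOW_UPDATE_TYPE:
        raise ValueError(f"expected WINDOW_UPDATE, got type {frame_type:#x}")
    if length != 4 or len(buf) < 13:
        # anything but a 4-octet payload is a FRAME_SIZE_ERROR in the RFC
        raise ValueError("WINDOW_UPDATE payload must be exactly 4 octets")
    stream_id = int.from_bytes(buf[5:9], "big") & 0x7FFFFFFF
    increment = int.from_bytes(buf[9:13], "big") & 0x7FFFFFFF  # top bit reserved
    return WindowUpdate(stream_id, increment)


@dataclass
class WindowPolicy:
    """Per-connection flow-control bookkeeping on the data-sending side.

    min_increment is the 128-octet threshold from the original post; small_budget
    (how many dribble updates to tolerate before flagging) is an assumed tunable.
    """
    min_increment: int = 128
    small_budget: int = 8
    windows: dict = field(default_factory=dict)   # stream_id -> current window
    dribble_updates: int = 0                       # counter of suspicious updates

    def consume(self, stream_id: int, octets: int) -> bool:
        """Account for DATA we send; refuse to exceed the peer's window."""
        current = self.windows.get(stream_id, INITIAL_WINDOW)
        if octets > current:
            return False
        self.windows[stream_id] = current - octets
        return True

    def apply(self, upd: WindowUpdate) -> str:
        """Apply a WINDOW_UPDATE and return a verdict string."""
        if upd.increment == 0:
            return "PROTOCOL_ERROR"               # RFC 7540 6.9: zero increment
        current = self.windows.get(upd.stream_id, INITIAL_WINDOW)
        new_window = current + upd.increment
        if new_window > MAX_WINDOW:
            return "FLOW_CONTROL_ERROR"           # RFC 7540 6.9.1: window overflow
        self.windows[upd.stream_id] = new_window
        # The pattern from the thread: tiny increment AND the window stays tiny,
        # which forces the sender to emit data in very small blocks.
        if upd.increment < self.min_increment and new_window < self.min_increment:
            self.dribble_updates += 1
            if self.dribble_updates > self.small_budget:
                return "SMALL_UPDATE_LIMIT"       # caller would send GOAWAY here
        return "OK"


def process_frames(frames: list, policy: WindowPolicy) -> list:
    """Run a constructed sequence of raw frames through the policy."""
    return [policy.apply(parse_window_update(f)) for f in frames]


if __name__ == "__main__":
    # Constructed sample: a peer lets the window drain, then tops it up 1 octet at a time.
    policy = WindowPolicy()
    policy.consume(1, INITIAL_WINDOW)
    sample = [build_window_update(1, 1) for _ in range(10)]
    print(process_frames(sample, policy))
```

Running the block prints eight `OK` verdicts followed by `SMALL_UPDATE_LIMIT` for the ninth and tenth frames; a legitimately small increment on a stream whose window is still large is not counted, which is what keeps the check from firing on ordinary end-of-window refills.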

Received on Monday, 15 February 2021 07:55:51 UTC