- From: Meiling Chen <chenmeiling@chinamobile.com>
- Date: Mon, 15 Feb 2021 15:55:09 +0800
- To: "Martin Thomson" <mt@lowentropy.net>, ietf-http-wg <ietf-http-wg@w3.org>
- Message-ID: <2021021515550785103815@chinamobile.com>
Hi Martin,

Sorry for the late reply because of the holiday.

The attack in CVE-2019-9511 consists of two actions: manipulating the window size and the stream priority to force the server to queue data in 1-byte blocks. A 1-byte block at a time is not mandatory in our use case; we talk about a range of smaller values. We consider the addition of a small window and the few adjusted windows to be an unusual attack. This attack looks similar to CVE-2019-9511; you can see in the use case, section 3, that we did an analysis: normally, it's almost impossible to have simultaneous small cases for Window and Window_update.

Best Wishes,
Meiling Chen

From: Martin Thomson
Date: 2021-02-09 17:56
To: ietf-http-wg
Subject: Re: new draft for the minimum value setting mechanism of HTTP2.0 Window and Window_update

Hi,

Thanks for sharing this. I think that I understand the problem you describe, but I'm not sure that I can see how this differs from CVE-2019-9511 "Data Dribble" [1]. Can you explain how this is different? Is the number 128 somehow special? The CVE talks about 1-byte increases; is this just that the problem exists for a range of smaller values?

[1] https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md

On Tue, Feb 9, 2021, at 19:44, Meiling Chen wrote:
> Hello all,
>
> We found a problem when using the http2.0 protocol, actually happening in our network: in the course of the interaction, when the window_size_increment in the window update frame is less than 128 bytes and the increased window size is also less than 128 bytes, the network connection comes to an error. We describe it in detail in the draft draft-chen-httpbis-window-size-use-case-00 (https://datatracker.ietf.org/doc/draft-chen-httpbis-window-size-use-case/).
>
> Meanwhile, we proposed a solution to the problem, by defining a minimum value setting mechanism for the HTTP2.0 Window and Window_update, and a Window_update frame sending mechanism. We describe the interactive process in detail in the draft draft-chen-httpbis-window-size-00 (https://datatracker.ietf.org/doc/draft-chen-httpbis-window-size/).
>
> Comments are welcome.
>
> Best Wishes
>
> (Chen Meiling)
>
> --------------------------------------------------------------------------------------
>
> Research Institute of China Mobile Communications Co. Ltd
> Institute of Safety Technology
> Email address: chenmeiling@chinamobile.com
> Phone: 13810149515
> Telephone: 15801696688-34283
> Address: No. 32, Xuanwumen West Street, Xicheng District, Beijing (Mobile Innovation Building)
Received on Monday, 15 February 2021 07:55:51 UTC
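The condition the thread debates (a WINDOW_UPDATE increment below 128 bytes that also leaves the stream's window below 128 bytes) can be checked on the data-sending side, which is where "Data Dribble" hurts. The following is an added example, not code from the thread, the draft or any HTTP/2 implementation: it parses raw HTTP/2 frames per RFC 7540, tracks each stream's remaining send window, and flags updates that match that pattern so a server can log or rate-limit them. The `FlowControlMonitor` name and the fixed 128-byte threshold as a per-stream policy are assumptions.

```python
import struct
from dataclasses import dataclass, field

WINDOW_UPDATE = 0x8     # frame type, RFC 7540 section 6.9
MIN_INCREMENT = 128     # minimum value discussed in the draft (assumed policy threshold)

@dataclass
class FlowControlMonitor:
    """Tracks per-stream send windows and flags dribble-style WINDOW_UPDATE frames."""
    initial_window: int = 65535          # RFC 7540 default initial window
    min_increment: int = MIN_INCREMENT
    windows: dict = field(default_factory=dict)   # stream_id -> remaining window
    small_updates: int = 0

    def consume(self, stream_id: int, n: int) -> None:
        """Record n octets of DATA sent on a stream (shrinks its window)."""
        self.windows[stream_id] = self.windows.get(stream_id, self.initial_window) - n

    @staticmethod
    def parse_frame(data: bytes):
        """Split one HTTP/2 frame (RFC 7540 section 4.1) into type, stream id and payload."""
        if len(data) < 9:
            raise ValueError("short frame header")
        length = int.from_bytes(data[0:3], "big")
        ftype = data[3]
        stream_id = struct.unpack("!I", data[5:9])[0] & 0x7FFFFFFF   # drop reserved bit
        return ftype, stream_id, data[9:9 + length]

    def on_window_update(self, stream_id: int, payload: bytes) -> str:
        if len(payload) != 4:
            return "FRAME_SIZE_ERROR"     # payload must be exactly 4 octets
        increment = struct.unpack("!I", payload)[0] & 0x7FFFFFFF
        if increment == 0:
            return "PROTOCOL_ERROR"       # zero increment is an error per RFC 7540
        window = self.windows.get(stream_id, self.initial_window) + increment
        self.windows[stream_id] = window
        # The condition from the thread: small increment AND small resulting window.
        if increment < self.min_increment and window < self.min_increment:
            self.small_updates += 1
            return "SUSPICIOUS_SMALL_WINDOW"
        return "OK"

    def feed(self, data: bytes) -> str:
        ftype, stream_id, payload = self.parse_frame(data)
        if ftype != WINDOW_UPDATE:
            return "IGNORED"
        return self.on_window_update(stream_id, payload)

def window_update_frame(stream_id: int, increment: int) -> bytes:
    """Build a WINDOW_UPDATE frame (constructed sample input, not captured traffic)."""
    return bytes([0, 0, 4, WINDOW_UPDATE, 0]) + struct.pack("!I", stream_id) + struct.pack("!I", increment)
```

A 1-byte update on a stream whose window is still large is reported as `OK`, matching the thread's point that only the simultaneous small-window and small-increment case is unusual.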