- From: Martin Thomson <mt@lowentropy.net>
- Date: Tue, 16 Feb 2021 09:30:42 +1100
- To: ietf-http-wg@w3.org
On Mon, Feb 15, 2021, at 18:55, Meiling Chen wrote: > * 1 byte block at a time is not mandatory in our use case we talk > about a range of smaller values, we consider the addition of a small > window and the few adjusted Windows to be an unusual attack, this > attack looks similar to CVE-2019-9511, you can see in the use case > section 3, we did an analysis, normally, it's almost impossible to have > simultaneous small cases for Window and Window_update. I don't think that this is rare. Even during normal operation. RFC 813, Section 3 describes the same problem. And I would not read the CVE so literally; 1 byte is the worst case, but it's fairly clear that 2 bytes is also bad. Hence my original question about 128 being special. My understanding is that the value you choose is just down to a trade-off of cost of processing vs. value of sensitivity and responsiveness. Smaller values could be faster if the processing cost and overheads can be justified. Implementations could just withhold small flow control updates. Is there a specific reason for having a setting here?
Received on Monday, 15 February 2021 22:31:16 UTC