- From: Poul-Henning Kamp <phk@phk.freebsd.dk>
- Date: Wed, 11 Oct 2023 10:42:31 +0000
- To: Mark Nottingham <mnot@mnot.net>
- cc: HTTP Working Group <ietf-http-wg@w3.org>
--------
Mark Nottingham writes:

> This is a heads-up that we'll be requesting a side meeting at IETF 118
> to discuss whether any IETF work would help implementations to address
> this and similar attacks.

The H2 and H3 "design" process has been totally dominated by the "reduce time to first render at any cost", maybe we could soften that focus a bit?

For instance, we could attempt to not brush people off with "We have enough CPUs to deal with that", when they point out that things like this are an open invitation for DoS exposure:

    SETTINGS_MAX_CONCURRENT_STREAMS (0x3): Indicates the maximum number
    of concurrent streams that the sender will allow. This limit is
    directional: it applies to the number of streams that the sender
    permits the receiver to create. Initially, there is no limit to this
    value. [...]

And maybe also, we should not call it a "zero-day", when we have designed the barn door ourselves and have been warned about it for more than 10 years?

--
Poul-Henning Kamp       | UNIX since Zilog Zeus 3.20
phk@FreeBSD.ORG         | TCP/IP since RFC 956
FreeBSD committer       | BSD since 4.3-tahoe
Never attribute to malice what can adequately be explained by incompetence.
Received on Wednesday, 11 October 2023 10:42:39 UTC
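An added example, not part of the archived message: a small Python model of the server-side stream accounting behind the quoted SETTINGS text, using constructed HTTP/2 frames (RFC 7540 section 4.1 framing). It shows that with the RFC's initial "no limit" every stream in a burst is admitted, that a server-enforced cap refuses the excess, and that open-then-reset cycles never exceed any concurrency cap, so a defender also has to watch the stream open rate. The `StreamAccounting` class and its counters are assumptions for illustration, not any implementation's API.

```python
import struct

# Frame types from RFC 7540; 0x5 below is END_STREAM | END_HEADERS.
HEADERS, RST_STREAM = 0x1, 0x3

def frame(ftype, flags, stream_id, payload=b""):
    """Build one raw HTTP/2 frame: 24-bit length, type, flags, 31-bit stream id, payload."""
    return (struct.pack("!I", len(payload))[1:] + bytes([ftype, flags])
            + struct.pack("!I", stream_id & 0x7FFFFFFF) + payload)

def iter_frames(data):
    """Yield (type, flags, stream_id, payload) for each complete frame in a buffer."""
    off = 0
    while off + 9 <= len(data):
        length = int.from_bytes(data[off:off + 3], "big")
        ftype, flags = data[off + 3], data[off + 4]
        sid = struct.unpack("!I", data[off + 5:off + 9])[0] & 0x7FFFFFFF
        yield ftype, flags, sid, data[off + 9:off + 9 + length]
        off += 9 + length

class StreamAccounting:
    """Hypothetical server-side bookkeeping for streams the peer creates.

    max_open=None reproduces the RFC default of 'no limit'; an integer is the
    cap the server enforces on the peer, whatever the peer advertises.
    """
    def __init__(self, max_open=None):
        self.max_open = max_open
        self.open = set()
        self.opened = self.reset = self.refused = 0

    def feed(self, data):
        """Returns (currently open, total opened, total reset, total refused)."""
        for ftype, _flags, sid, _payload in iter_frames(data):
            if ftype == HEADERS and sid not in self.open:
                if self.max_open is not None and len(self.open) >= self.max_open:
                    self.refused += 1  # server would send RST_STREAM(REFUSED_STREAM)
                    continue
                self.open.add(sid)
                self.opened += 1
            elif ftype == RST_STREAM and sid in self.open:
                self.open.discard(sid)
                self.reset += 1
        return len(self.open), self.opened, self.reset, self.refused

# Constructed traffic: 1000 HEADERS on odd (client-initiated) stream ids.
BURST = b"".join(frame(HEADERS, 0x5, 2 * i + 1) for i in range(1000))
# Constructed traffic: open a stream, reset it at once (CANCEL = 0x8), repeat.
RESET_CYCLE = b"".join(frame(HEADERS, 0x5, 2 * i + 1)
                       + frame(RST_STREAM, 0, 2 * i + 1, b"\x00\x00\x00\x08")
                       for i in range(1000))

def no_limit():    return StreamAccounting(None).feed(BURST)        # (1000, 1000, 0, 0)
def limit_100():   return StreamAccounting(100).feed(BURST)         # (100, 100, 0, 900)
def reset_cycle(): return StreamAccounting(100).feed(RESET_CYCLE)   # (0, 1000, 1000, 0)
```

The third result is the operational point: a concurrency cap alone leaves the open/reset rate unbounded, so per-connection rate counters on stream creation are the extra check to add.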