Re: Prague side meeting: HTTP/2 concurrency and request cancellation (CVE-2023-44487)

On Thu, Oct 12, 2023, at 15:38, Glenn Strauss wrote:
> Related, I support a future RFC changing the initial setting for HTTP/2
> SETTINGS_MAX_CONCURRENT_STREAMS to something much more limited,
> such as 10.  (FYI: lighttpd sends SETTINGS_MAX_CONCURRENT_STREAMS 8.)

Unfortunately, in order to do that, we would need to define a completely new protocol that is identified by a different ALPN token, like "h2-but-not-as-vulnerable-to-DoS".

I agree that the initial value is bad (a limit of 2^30 is just absurd), but I'm not sure that the cost of fixing this is justified.

Teaching clients to cope better with lower concurrency limits (like 8) is probably our best course of action here.

Received on Thursday, 12 October 2023 04:42:36 UTC
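The setting under discussion, worked through in code. This is an added example and is not from the thread, from lighttpd, or from any HTTP/2 implementation: it encodes and decodes a SETTINGS frame carrying SETTINGS_MAX_CONCURRENT_STREAMS per RFC 9113 section 6.5, and models a toy client-side stream scheduler that opens at most the advertised number of streams, queues the rest, and keeps working when the server lowers the limit mid-connection. The scheduler class, the request paths and the sequence of frames are all constructed for illustration. The 2**30 figure stands in for "no advertised limit": RFC 9113 sets no initial value, and client-initiated stream IDs are odd 31-bit integers, so that is the most streams a client can ever open on one connection.

```python
"""HTTP/2 SETTINGS_MAX_CONCURRENT_STREAMS: frame encoding and a client that
honours a low (or lowered) limit.  Illustrative example, not a real client."""
import struct
from collections import deque

FRAME_TYPE_SETTINGS = 0x4            # RFC 9113 section 6.5
FLAG_ACK = 0x1
SETTINGS_MAX_CONCURRENT_STREAMS = 0x3
# RFC 9113 advertises no initial limit.  Client streams use odd 31-bit IDs,
# so 2**30 is the hard ceiling a peer can ever reach without advertising one.
NO_ADVERTISED_LIMIT = 2 ** 30


def encode_settings(settings):
    """Build a SETTINGS frame (9-byte header + 6 bytes per setting) on stream 0."""
    payload = b"".join(struct.pack("!HI", ident, value)
                       for ident, value in settings.items())
    header = (struct.pack("!I", len(payload))[1:]      # 24-bit length
              + bytes([FRAME_TYPE_SETTINGS, 0x0])      # type, flags
              + struct.pack("!I", 0))                   # R bit + stream ID 0
    return header + payload


def encode_settings_ack():
    """The receiver must acknowledge a SETTINGS frame with an empty ACK frame."""
    return b"\x00\x00\x00" + bytes([FRAME_TYPE_SETTINGS, FLAG_ACK]) + b"\x00" * 4


def decode_settings(frame):
    """Parse a SETTINGS frame into {identifier: value}, rejecting malformed ones."""
    if len(frame) < 9:
        raise ValueError("short frame header")
    length = int.from_bytes(frame[:3], "big")
    ftype, flags = frame[3], frame[4]
    stream_id = struct.unpack("!I", frame[5:9])[0] & 0x7FFFFFFF
    if ftype != FRAME_TYPE_SETTINGS or stream_id != 0:
        raise ValueError("PROTOCOL_ERROR: not a SETTINGS frame on stream 0")
    payload = frame[9:9 + length]
    if len(payload) != length or length % 6 != 0:
        raise ValueError("FRAME_SIZE_ERROR: SETTINGS payload must be a multiple of 6")
    if flags & FLAG_ACK and length:
        raise ValueError("FRAME_SIZE_ERROR: SETTINGS ACK must be empty")
    return {ident: value for ident, value in struct.iter_unpack("!HI", payload)}


class StreamScheduler:
    """Toy client: never opens more streams than the peer currently allows."""

    def __init__(self):
        self.limit = NO_ADVERTISED_LIMIT
        self.next_stream_id = 1            # client streams are odd
        self.open = set()
        self.pending = deque()
        self.sent = []                     # (stream_id, path) actually put on the wire

    def apply_settings(self, frame):
        settings = decode_settings(frame)
        if SETTINGS_MAX_CONCURRENT_STREAMS in settings:
            # A lowered limit does not close streams already open; the client
            # simply stops opening new ones until it is back under the limit.
            self.limit = settings[SETTINGS_MAX_CONCURRENT_STREAMS]
        self._drain()
        return encode_settings_ack()

    def request(self, path):
        self.pending.append(path)
        self._drain()

    def complete(self, stream_id):
        self.open.discard(stream_id)
        self._drain()

    def _drain(self):
        while self.pending and len(self.open) < self.limit:
            path = self.pending.popleft()
            sid = self.next_stream_id
            self.next_stream_id += 2
            self.open.add(sid)
            self.sent.append((sid, path))


def demo():
    """Constructed scenario: server advertises 8, client bursts 20 requests,
    server then lowers the limit to 2.  Returns the counts at each stage."""
    client = StreamScheduler()
    client.apply_settings(encode_settings({SETTINGS_MAX_CONCURRENT_STREAMS: 8}))
    for i in range(20):
        client.request(f"/asset/{i}")
    in_flight = len(client.open)            # capped at 8
    queued = len(client.pending)            # 12 waiting locally
    client.apply_settings(encode_settings({SETTINGS_MAX_CONCURRENT_STREAMS: 2}))
    still_open = len(client.open)           # 8: lowering does not cancel streams
    for sid in sorted(client.open):         # responses arrive for all 8
        client.complete(sid)
    return {"in_flight": in_flight, "queued": queued, "still_open": still_open,
            "open_after_drain": len(client.open), "total_sent": len(client.sent)}
```

Note what the limit does and does not bound: it caps how many streams the peer may hold open at once, not how fast streams can be opened and torn down, so lowering it is a cost control for well-behaved clients rather than a complete answer to the cancellation pattern in the CVE.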