Re: Prague side meeting: HTTP/2 concurrency and request cancellation (CVE-2023-44487) from Poul-Henning Kamp on 2023-10-13 (ietf-http-wg@w3.org from October to December 2023)

From: Poul-Henning Kamp <phk@phk.freebsd.dk>
Date: Fri, 13 Oct 2023 11:09:10 +0000
To: Kazuho Oku <kazuhooku@gmail.com>
cc: Willy Tarreau <w@1wt.eu>, Mike Bishop <mbishop@evequefou.be>, Martin Thomson <mt@lowentropy.net>, Glenn Strauss <gs-lists-ietf-http-wg@gluelogic.com>, Mark Nottingham <mnot@mnot.net>, HTTP Working Group <ietf-http-wg@w3.org>
Message-Id: <202310131109.39DB9A9w072713@critter.freebsd.dk>

--------
Kazuho Oku writes:

> If we take this approach, there will be a guarantee that the client will
> open no more than 100 streams initially, 

Does any published data exist on how "100" relates to how many streams
real-life legit clients /actually/ open on a new H2 connection ?

-- 
Poul-Henning Kamp       | UNIX since Zilog Zeus 3.20
phk@FreeBSD.ORG         | TCP/IP since RFC 956
FreeBSD committer       | BSD since 4.3-tahoe    
Never attribute to malice what can adequately be explained by incompetence.

Received on Friday, 13 October 2023 11:09:24 UTC