Re: Stream limits draft posted from Kazuho Oku on 2023-11-08 (ietf-http-wg@w3.org from October to December 2023)

From: Kazuho Oku <kazuhooku@gmail.com>
Date: Wed, 8 Nov 2023 10:00:07 +0100
To: Martin Thomson <mt@lowentropy.net>
Cc: ietf-http-wg@w3.org
Message-ID: <CANatvzwQ3hD9-+5rUo8Fi_zaHSmDBWv8HaJGPHOihT4qf8xs1Q@mail.gmail.com>

2023年11月6日(月) 16:04 Martin Thomson <mt@lowentropy.net>:

>
> https://datatracker.ietf.org/doc/html/draft-thomson-httpbis-h2-stream-limits-00
>
> We've talked about this, but Lucas and I have scrubbed it a little.
>
> This is not a proposal that comes with a statement of "this fixes the
> problem", so the discussion we have about this will be very important.  But
> if some servers benefit from doing things this way and clients are willing
> to implement, then it might be worth doing.
>

Thank you for publishing the draft.

If the problem can be addressed by changing the specification, then that
would be great!

Regarding how, I have two comments to the current state of the draft.

One is that the current approach does not provide a hard limit on the
number of streams that can be opened; this is because until SETTINGS are
exchanged, clients can open any number of streams. As said previously [1],
IMO it would make sense to state that endpoints implementing this extension
MUST NOT open a hard-coded number of streams until it negotiates the use of
the new scheme.

Separately, I wonder if we could use a different ALPN for signalling the
use of this new extension.

As ugly as that might sound, I would point out that the primary if not sole
reason of defining this extension is to let endpoints avoid the cost of
implementing defenses for Rapid Reset attack.

But to avoid that, servers have to either refuse use of vanilla H2 somehow,
or avoid negotiating vanilla H2.

The problem of trying to refuse use of vanilla H2 after concluding the TLS
handshake is that either GOAWAY or maybe 421 have to be sent after the
client has started sending the request, so that the client replays the
request using H1. If the clients can handle that signal and replay the
request over H1, then things would be fine.

However, my concern is that not all H2 clients, especially the ones that
stream the request body, cannot replay requests. My observation is that
Expect: 100-continue is rarely used, and that means that H2 clients are
just forwarding the request body without buffering, which means they cannot
replay (or they have an unbounded buffer, because GOAWAY asking for replay
can arrive after sending a huge request).

If we could use a new ALPN to indicate the use of this extension, this
problem goes away.

Servers can simply stop supporting vanilla H2, only supporting access using
the new safe variant and HTTP/1.1.

My feeling is that that would be a better transition plan to a safer
protocol.

WDYT?

[1] https://lists.w3.org/Archives/Public/ietf-http-wg/2023OctDec/0050.html


> We have time to discuss this week.
>
> Cheers,
> Martin
>
>

-- 
Kazuho Oku

Received on Wednesday, 8 November 2023 09:00:25 UTC