IETF Logo Mail Archive

Re: [httpapi] RateLimit ready for last call

Roberto Polli <robipolli@gmail.com> Wed, 20 July 2022 10:02 UTC

Return-Path: <robipolli@gmail.com>
X-Original-To: httpapi@ietfa.amsl.com
Delivered-To: httpapi@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0265BC15A731 for <httpapi@ietfa.amsl.com>; Wed, 20 Jul 2022 03:02:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.109
X-Spam-Level:
X-Spam-Status: No, score=-2.109 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MA4tKAv0T3Xu for <httpapi@ietfa.amsl.com>; Wed, 20 Jul 2022 03:02:50 -0700 (PDT)
Received: from mail-il1-x12b.google.com (mail-il1-x12b.google.com [IPv6:2607:f8b0:4864:20::12b]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 84C7AC14792E for <httpapi@ietf.org>; Wed, 20 Jul 2022 03:02:50 -0700 (PDT)
Received: by mail-il1-x12b.google.com with SMTP id l11so6915744ilf.11 for <httpapi@ietf.org>; Wed, 20 Jul 2022 03:02:50 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=3yRDMfGk/3almTDM5fdICIQHEl2/E7jg8EaB9nAD47c=; b=X5W5FnccFdJHdi1215TLkQIwHVkR0i4oIVKgH5jQqduHiGq0IUVnZl5XEBxAGf8uIf 8fFCYu1xmniWNwYdIQymw61Nj67Syqx8tA/hmWzkktDlhKBm1m2MnW5Gx6pedCF5kE0p LkfvxVDvw+rRR3zCUr/LghJ6rPUFL2zASkfZflKxB2KxIIi5N7p6dLFBbjuH8ADgf75+ /hi/6WXQKBMubj66l386Tlq1EACzZWrLAIu0Ux0eMvit+H8a/Bv2qr9Ai0DrJHEjwtJE LmYTUdn8hZLK7+49aWv7NAflzyVGtxMMfcch7DWyMMpTQX0u52X+ag1gYEmfwEStMqLS Kzqw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=3yRDMfGk/3almTDM5fdICIQHEl2/E7jg8EaB9nAD47c=; b=g/9AfVJts6BQp1nOI6+ugJ/laBR98+Z2wUEMhNpcWeE5oWb6ieaRjf7kAbYkT+hTez osZLEHQOs4xUHGhAjuH0/AGCDWPxtNUw1AHzlaqKGWytp2XZPglF+rxjGj++/i/eis0e SA5X7J5nvUlkswBa0Kajv/9VuIDBX4bf0syUbysCQwj7eylLm377XL8AQUo0uMWwTZGb a08EQIyNxVIO9pwBaOTyoj+smTCKLP2FiAcJ0IWSLPexk2gVz+29xZjmIZUkwXTjCvpl HzNY83v0+VbrizAIpfC5ebIyxUNGR1OvxNNoOwh4o1/X4u6uafcoqKvyOn4ZvOTTZ+tc IObA==
X-Gm-Message-State: AJIora9BrHWNiGjgK8d3QMEamCDitSFe0+4AdJfSFEJERl+aJLsdKP0o HwYWytljWIprpH3xTxOn/iqMc4eWP7PVuOZ703g=
X-Google-Smtp-Source: AGRyM1sWC4A4PU4u6bWZW70auPg8urJ57J3QzzVqaUGFrayutJrQ13jiQtTJloubUi30iYKf0VgNGSMoTzxZ8ZNAp9s=
X-Received: by 2002:a05:6e02:1044:b0:2dd:be1:7f04 with SMTP id p4-20020a056e02104400b002dd0be17f04mr697285ilj.119.1658311369810; Wed, 20 Jul 2022 03:02:49 -0700 (PDT)
MIME-Version: 1.0
References: <CAP9qbHVFunOVT_HH8EOu+HxG4WSs5tPizSL8aN4=4aatEkcB8g@mail.gmail.com> <EF5814FF-42E8-49C6-827C-33523BF425F1@mnot.net> <CAP9qbHW3ERuWyw15uQEONhFqkOM7G6anrDDFPbiGCXgXHH7Spg@mail.gmail.com> <MN2PR00MB0672E00216E96EDA3234C185F08F9@MN2PR00MB0672.namprd00.prod.outlook.com>
In-Reply-To: <MN2PR00MB0672E00216E96EDA3234C185F08F9@MN2PR00MB0672.namprd00.prod.outlook.com>
From: Roberto Polli <robipolli@gmail.com>
Date: Wed, 20 Jul 2022 12:02:38 +0200
Message-ID: <CAP9qbHXq+OK6QTpEfKFXMjv_-9Y5CvuFq_8Ayx1dy70uEz6-ew@mail.gmail.com>
To: Darrel Miller <Darrel.Miller@microsoft.com>
Cc: Mark Nottingham <mnot@mnot.net>, "httpapi@ietf.org" <httpapi@ietf.org>, Alejandro Martinez Ruiz <alex@flawedcode.org>, Erik Wilde <erik.wilde@dret.net>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/httpapi/si7ug4KiZ0NVA5DXxEsVxC9_1NM>
Subject: Re: [httpapi] RateLimit ready for last call
X-BeenThere: httpapi@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Building Blocks for HTTP APIs <httpapi.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/httpapi>, <mailto:httpapi-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/httpapi/>
List-Post: <mailto:httpapi@ietf.org>
List-Help: <mailto:httpapi-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/httpapi>, <mailto:httpapi-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 20 Jul 2022 10:02:51 -0000

Hi Darrel, Mark, Erik & co,

Replies inline.

Il giorno mar 19 lug 2022 alle ore 21:00 Darrel Miller
<Darrel.Miller@microsoft.com> ha scritto:
> From a chair perspective I'd like to try and summarize where I think we are in this conversation.
Thanks!

> RateLimit-Policy is a new header that is defined as a SF List of Items where each item can have parameters.
Yes. Moreover there's one REQUIRED parameter.

> RateLimit-Remaining, RateLimit-Limit and RateLimit-Reset are equivalent to the existing x- versions of the headers that have significant industry usage.
> These header values are non-negative integer values that are simple for any consumer to parse.
Ok.

> The open question is whether the three existing headers should be replaced by a single:
>
> RateLimit: limit=10, remaining=5, reset=40
>
> The arguments for the new header include:
>
> - If we were designing this header from scratch and SF header support was widespread, it would be the preferred design.
I agree that this would be the "natural" design.
Since no one uses this approach, there is no operational experience
for saying that this design would be "preferable".

> - Header compression will produce a more efficient result
Since "remaining" and "reset" change on every response, the benefits of this
design wrt to compression are not clear to me yet.
IIUC the current design allows to at least compress RateLimit-Limit,
but header compression is not my field of competence.

> - Consistent use of SF parameters across both RateLimit-Policy and RateLimit header.
IMHO a single RateLimit field would be limited to the three dictionary
keys and no parameters.
This is a good point though and some times ago I tried to imagine how
a RateLimit SF could be extended with more keywords and parameters.
I foresaw then a fragmented landscape, while the actual text forces
server implementations to describe ratelimit in terms of actionable
quota units and time windows to simplify the life of clients.
Instead, servers might start adding parameters or dictionary keys with
the expectation that clients should
change their behavior according to them; this is something that we do not want.

> The arguments against the new  header include:
>
> - Many HTTP components and connectors do not yet natively support SF headers, making parsing this header more difficult
> - There is a concern that changing the existing headers into a single header will significantly impact adoption.
> - The original goal of the specification was to standardize existing industry behavior, with minor renames and non-breaking additions. The new header goes beyond that goal.
>
> Based on these arguments, I think the important question to ask ourselves is,  what is our primary goal?
> Is it to standardize existing industry behaviour to reduce further fragmentation,
The goal is with no doubt to reduce fragmentation standardizing an
existing industry behavior:
we didn't want to invent a new way of doing rate limiting.


> or is it to design a specification that describes where we want the industry to move to.
This might not be the right question: we all want the industry to move
towards SF.
In the Italian API Guidelines that apply to all Italian agencies
(~20.000 agencies including cities) we suggest using SF for custom
HTTP fields.

But the industry in *this specific case* might still prefer a single
combined field instead of three distinct fields even if SF were fully
supported.
To propose an alternative approach, we at HTTP API should probably
conduct a successful, large-scale, multi-stakeholder (SaaS,
on-premise/COTS) experiment with one single combined field.
I thought about it, and it would be great, but I realized that I do
not have the time/resources for that.

Sorry for the long answer - I tried to shorten it but without success.
Thanks for the opportunity to discuss such matters with you all, and
please forgive me if I can appear assertive: as a non-native speaker I
can miss some nuances sometimes.
I really acknowledge your deep and extensive expertise in this field
and appreciate
all the time you are spending on this spec.

Have a nice day,
R.

v2.23.0 | Report a Bug | By Email