RE: Design Issue: Unknown Frame Type MUST IGNORE rule and Denial of Service Attacks

Mike Bishop <Michael.Bishop@microsoft.com> Fri, 26 April 2013 18:09 UTC

From: Mike Bishop <Michael.Bishop@microsoft.com>
To: James M Snell <jasnell@gmail.com>, "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
Date: Fri, 26 Apr 2013 18:08:04 +0000
Message-ID: <792356c04b9e498c886252bc44904651@BY2PR03MB025.namprd03.prod.outlook.com>
References: <CABP7RbdscuxpBBQp1ydSQUri0Bg_aGSbm-ftF9Jnc-p_1DqnFg@mail.gmail.com>
In-Reply-To: <CABP7RbdscuxpBBQp1ydSQUri0Bg_aGSbm-ftF9Jnc-p_1DqnFg@mail.gmail.com>
Subject: RE: Design Issue: Unknown Frame Type MUST IGNORE rule and Denial of Service Attacks
Archived-At: <http://www.w3.org/mid/792356c04b9e498c886252bc44904651@BY2PR03MB025.namprd03.prod.outlook.com>

I raised a related issue with Martin, that the FINAL flag is valid in these ignored frames, and the ordering of those rules could lead to disagreement between the peers whether a given stream has been half-closed or not.  We might simply modify the text to say that the payload and frame-specific flags must be ignored, not the entire frame per se.

-----Original Message-----
From: James M Snell [mailto:jasnell@gmail.com] 
Sent: Friday, April 26, 2013 10:55 AM
To: ietf-http-wg@w3.org
Subject: Design Issue: Unknown Frame Type MUST IGNORE rule and Denial of Service Attacks

https://github.com/http2/http2-spec/issues/80#issuecomment-17089487

In the current draft (-02), we say that Unknown and unrecognized Frame types MUST be ignored by an endpoint. While this is ok in theory, this can be very dangerous in practice. Specifically, an attacking sender could choose to flood a recipient with a high number of junk frames that use a previously unused type code. Because of the MUST IGNORE rule, these would simply be discarded by the recipient but the damage will already have been done. Flow control actions could help mitigate the problem, but those are only partially effective.

Also, the order of processing here for error handling is not clear.

Let's say an attacker sends a HEADERS frame to the server initiating a stream. The server sends an RST_STREAM REFUSED_STREAM fully closing the stream. The attacker continues to send JUNK frames for the same stream ID. There are two conditions happening here:

1. The sender is sending frames for a closed stream, which ought to result in an RST_STREAM, but...

2. The frame type is unknown and unrecognized by the server so MUST be ignored.

Which condition takes precedence, and how do we mitigate the possible attack vector on this one?

- James
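
As an added example (not part of either message or of the draft), a small Python model of the two ordering questions raised in this thread: whether the closed-stream check or the MUST IGNORE rule runs first, and whether FINAL is honoured on a frame of unknown type. The symbolic frame names, the FINAL bit value, the `ignored_budget` cap and the `CONNECTION_ERROR` action are assumptions made for the sketch.

```python
from dataclasses import dataclass, field

FINAL = 0x1  # flag value assumed for this sketch
KNOWN = {"DATA", "HEADERS", "RST_STREAM"}  # symbolic type names, not wire codes

@dataclass
class Receiver:
    closed_first: bool          # closed-stream check runs before MUST IGNORE
    final_on_unknown: bool      # FINAL honoured even when the type is unknown
    ignored_budget: int = 100   # hypothetical cap on silently discarded frames
    streams: dict = field(default_factory=dict)  # id -> open / half-closed / closed
    ignored: int = 0

    def refuse(self, stream_id):
        """Server answered with RST_STREAM REFUSED_STREAM: stream fully closed."""
        self.streams[stream_id] = "closed"

    def on_frame(self, ftype, flags, stream_id):
        state = self.streams.get(stream_id)
        known = ftype in KNOWN
        if state == "closed" and (known or self.closed_first):
            return "RST_STREAM"
        if not known:
            self.ignored += 1
            if self.ignored > self.ignored_budget:
                return "CONNECTION_ERROR"  # stop absorbing junk silently
            if self.final_on_unknown and flags & FINAL and state == "open":
                self.streams[stream_id] = "half-closed"
            return "IGNORED"
        if ftype == "HEADERS" and state is None:
            self.streams[stream_id] = "open"
        if flags & FINAL and self.streams.get(stream_id) == "open":
            self.streams[stream_id] = "half-closed"
        return "PROCESSED"

def junk_after_refusal(closed_first, budget=2, junk=4):
    """James's case: HEADERS, refusal, then JUNK frames on the closed stream."""
    r = Receiver(closed_first, final_on_unknown=False, ignored_budget=budget)
    r.on_frame("HEADERS", 0, 1)
    r.refuse(1)
    return [r.on_frame("JUNK", 0, 1) for _ in range(junk)]

def final_on_junk(final_on_unknown):
    """Mike's case: the sender sets FINAL on a frame the receiver does not know."""
    r = Receiver(closed_first=True, final_on_unknown=final_on_unknown)
    r.on_frame("HEADERS", 0, 3)
    r.on_frame("JUNK", FINAL, 3)
    return r.streams[3]
```

With `final_on_unknown=False` the receiver still considers stream 3 open while a sender that set FINAL considers it half-closed, which is the disagreement described in the reply.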