RE: Header compression: buffer management
RUELLAN Herve <Herve.Ruellan@crf.canon.fr> Fri, 22 March 2013 14:11 UTC
Return-Path: <ietf-http-wg-request@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4A84821F8AC1 for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Fri, 22 Mar 2013 07:11:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.118
X-Spam-Level:
X-Spam-Status: No, score=-10.118 tagged_above=-999 required=5 tests=[AWL=0.130, BAYES_00=-2.599, HELO_EQ_FR=0.35, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id C2DMPDQk3ubV for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Fri, 22 Mar 2013 07:11:11 -0700 (PDT)
Received: from frink.w3.org (frink.w3.org [128.30.52.56]) by ietfa.amsl.com (Postfix) with ESMTP id 1437F21F8AB8 for <httpbisa-archive-bis2Juki@lists.ietf.org>; Fri, 22 Mar 2013 07:11:11 -0700 (PDT)
Received: from lists by frink.w3.org with local (Exim 4.72) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1UJ2f0-00042E-JH for ietf-http-wg-dist@listhub.w3.org; Fri, 22 Mar 2013 14:09:34 +0000
Resent-Date: Fri, 22 Mar 2013 14:09:34 +0000
Resent-Message-Id: <E1UJ2f0-00042E-JH@frink.w3.org>
Received: from maggie.w3.org ([128.30.52.39]) by frink.w3.org with esmtp (Exim 4.72) (envelope-from <Herve.Ruellan@crf.canon.fr>) id 1UJ2eo-00040l-7n for ietf-http-wg@listhub.w3.org; Fri, 22 Mar 2013 14:09:22 +0000
Received: from inari-msr.crf.canon.fr ([194.2.158.67]) by maggie.w3.org with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32) (Exim 4.72) (envelope-from <Herve.Ruellan@crf.canon.fr>) id 1UJ2ei-00062I-Hv for ietf-http-wg@w3.org; Fri, 22 Mar 2013 14:09:22 +0000
Received: from mir-msr.corp.crf.canon.fr (mir-msr.corp.crf.canon.fr [172.19.77.98]) by inari-msr.crf.canon.fr (8.13.8/8.13.8) with ESMTP id r2ME8mS2001712; Fri, 22 Mar 2013 15:08:48 +0100
Received: from ADELE.crf.canon.fr (adele.fesl2.crf.canon.fr [172.19.70.17]) by mir-msr.corp.crf.canon.fr (8.13.8/8.13.8) with ESMTP id r2ME8mVt015664; Fri, 22 Mar 2013 15:08:48 +0100
Received: from ADELE.crf.canon.fr ([::1]) by ADELE.crf.canon.fr ([::1]) with mapi id 14.02.0342.003; Fri, 22 Mar 2013 15:08:48 +0100
From: RUELLAN Herve <Herve.Ruellan@crf.canon.fr>
To: James M Snell <jasnell@gmail.com>, Poul-Henning Kamp <phk@phk.freebsd.dk>
CC: "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
Thread-Topic: Header compression: buffer management
Thread-Index: Ac4mKEB4rOwKdoC6QHy2X3WZpGsVggAI28WAAAYj7AAAKE+RAA==
Date: Fri, 22 Mar 2013 14:08:47 +0000
Message-ID: <6C71876BDCCD01488E70A2399529D5E5163F3CED@ADELE.crf.canon.fr>
References: <6C71876BDCCD01488E70A2399529D5E5163F39C4@ADELE.crf.canon.fr> <1818.1363884575@critter.freebsd.dk> <CABP7RbdL=cV2qSMBA3Me65T8tGaU3p9F5Wc690Jqk7q8xk_=iw@mail.gmail.com>
In-Reply-To: <CABP7RbdL=cV2qSMBA3Me65T8tGaU3p9F5Wc690Jqk7q8xk_=iw@mail.gmail.com>
Accept-Language: en-US, fr-FR
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [172.20.7.30]
Content-Type: multipart/alternative; boundary="_000_6C71876BDCCD01488E70A2399529D5E5163F3CEDADELEcrfcanonfr_"
MIME-Version: 1.0
Received-SPF: none client-ip=194.2.158.67; envelope-from=Herve.Ruellan@crf.canon.fr; helo=inari-msr.crf.canon.fr
X-W3C-Hub-Spam-Status: No, score=-4.5
X-W3C-Hub-Spam-Report: AWL=-1.987, HTML_MESSAGE=0.001, RP_MATCHES_RCVD=-2.497
X-W3C-Scan-Sig: maggie.w3.org 1UJ2ei-00062I-Hv 6b3bcbc2d75e1a948d58db907b87c36e
X-Original-To: ietf-http-wg@w3.org
Subject: RE: Header compression: buffer management
Archived-At: <http://www.w3.org/mid/6C71876BDCCD01488E70A2399529D5E5163F3CED@ADELE.crf.canon.fr>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/17118
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <http://www.w3.org/Mail/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>
For HeaderDiff, the encoder can transmit two buffer management commands: - Add a new header - Replace a previous header with a new one A malicious encoder could try to make the buffer grow indefinitely. To prevent this, the decoder must check for each addition and replacement that the buffer size is kept below a predefined limit (either negotiated, or advertised). Some other checks are needed (but this is true for any compression mechanism), for example limiting the length of a header name or of a header value, limiting the total size of a header set… Keeping the buffer management as simpler as possible on the decoder side helps understanding its behavior and preventing attacks from malicious clients. Hervé. From: James M Snell [mailto:jasnell@gmail.com] Sent: jeudi 21 mars 2013 20:45 To: Poul-Henning Kamp Cc: RUELLAN Herve; ietf-http-wg@w3.org Subject: Re: Header compression: buffer management I've briefly looked at this and it definitely is a challenge. With delta, we at least have the benefit of allowing the decompressor to set an upper bound on stored state size, but even that can be problematic under heavy load and does not completely resolve the issue. For instance, a malicious client could potentially send hundreds of junk headers frames intentionally designed to make the decompressor do significant extra work managing it's internal buffers. If the intermediary blindly passes such requests through, it will likely end up double buffering the junk data causing even more issues. It is obvious that fairly aggressive defensive techniques are going to be required to watch for bad behavior and compensate. On the plus side, a delta decompressor could simply choose to throw up its hands and give up doing any buffer management, simply passing values through... Which, of course just passes the problem on to someone else. On Mar 21, 2013 9:51 AM, "Poul-Henning Kamp" <phk@phk.freebsd.dk<mailto:phk@phk.freebsd.dk>> wrote: In message <6C71876BDCCD01488E70A2399529D5E5163F39C4@ADELE.crf.canon.fr<mailto:6C71876BDCCD01488E70A2399529D5E5163F39C4@ADELE.crf.canon.fr>>, RUELL AN Herve writes: >In HeaderDiff we chose to let the encoder decide how the buffer is managed >(regarding additions and removals). These decisions are encoded on the wire > and applied by the decoder on its own buffer. We think this choice has > several advantages. Has this been analysed from a denial-of-service perspective ? Anything in the protocol where the client can cause memory allocation on the server/proxy/whatever, should be scrutinized in a DoS perspective. -- Poul-Henning Kamp | UNIX since Zilog Zeus 3.20 phk@FreeBSD.ORG<mailto:phk@FreeBSD.ORG> | TCP/IP since RFC 956 FreeBSD committer | BSD since 4.3-tahoe Never attribute to malice what can adequately be explained by incompetence.
- Header compression: buffer management RUELLAN Herve
- Re: Header compression: buffer management Amos Jeffries
- Re: Header compression: buffer management Poul-Henning Kamp
- Re: Header compression: buffer management James M Snell
- Re: Header compression: buffer management Roberto Peon
- Re: Header compression: buffer management Poul-Henning Kamp
- Re: Header compression: buffer management Poul-Henning Kamp
- RE: Header compression: buffer management RUELLAN Herve
- RE: Header compression: buffer management RUELLAN Herve