RE: HTTP/2 extensibility <draft-ietf-httpbis-http2-17>
Bob Briscoe <bob.briscoe@bt.com> Fri, 06 March 2015 17:14 UTC
Return-Path: <ietf-http-wg-request+bounce-httpbisa-archive-bis2juki=lists.ietf.org@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 253911A0396 for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Fri, 6 Mar 2015 09:14:42 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.912
X-Spam-Level:
X-Spam-Status: No, score=-6.912 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id g44F0yF6WWml for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Fri, 6 Mar 2015 09:14:39 -0800 (PST)
Received: from frink.w3.org (frink.w3.org [128.30.52.56]) (using TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9EE371A1A00 for <httpbisa-archive-bis2Juki@lists.ietf.org>; Fri, 6 Mar 2015 09:14:14 -0800 (PST)
Received: from lists by frink.w3.org with local (Exim 4.80) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1YTvlh-0000hj-4N for ietf-http-wg-dist@listhub.w3.org; Fri, 06 Mar 2015 17:10:33 +0000
Resent-Date: Fri, 06 Mar 2015 17:10:33 +0000
Resent-Message-Id: <E1YTvlh-0000hj-4N@frink.w3.org>
Received: from lisa.w3.org ([128.30.52.41]) by frink.w3.org with esmtp (Exim 4.80) (envelope-from <bob.briscoe@bt.com>) id 1YTvlV-0000gv-Vy for ietf-http-wg@listhub.w3.org; Fri, 06 Mar 2015 17:10:22 +0000
Received: from hubrelay-by-03.bt.com ([62.7.242.139]) by lisa.w3.org with esmtps (TLS1.0:RSA_AES_128_CBC_SHA1:16) (Exim 4.72) (envelope-from <bob.briscoe@bt.com>) id 1YTvlU-0000fO-DA for ietf-http-wg@w3.org; Fri, 06 Mar 2015 17:10:21 +0000
Received: from EVMHR02-UKBR.domain1.systemhost.net (193.113.108.41) by EVMHR03-UKBR.bt.com (10.216.161.35) with Microsoft SMTP Server (TLS) id 8.3.348.2; Fri, 6 Mar 2015 17:09:50 +0000
Received: from EPHR02-UKIP.domain1.systemhost.net (147.149.100.81) by EVMHR02-UKBR.domain1.systemhost.net (193.113.108.41) with Microsoft SMTP Server (TLS) id 8.3.348.2; Fri, 6 Mar 2015 17:09:51 +0000
Received: from bagheera.jungle.bt.co.uk (132.146.168.158) by EPHR02-UKIP.domain1.systemhost.net (147.149.100.81) with Microsoft SMTP Server id 14.3.181.6; Fri, 6 Mar 2015 17:09:50 +0000
Received: from BTP075694.jungle.bt.co.uk ([10.111.19.140]) by bagheera.jungle.bt.co.uk (8.13.5/8.12.8) with ESMTP id t26H9lEw014362; Fri, 6 Mar 2015 17:09:47 GMT
Message-ID: <201503061709.t26H9lEw014362@bagheera.jungle.bt.co.uk>
X-Mailer: QUALCOMM Windows Eudora Version 7.1.0.9
Date: Fri, 06 Mar 2015 17:09:46 +0000
To: Mike Bishop <Michael.Bishop@microsoft.com>
From: Bob Briscoe <bob.briscoe@bt.com>
CC: "mbelshe@chromium.org" <mbelshe@chromium.org>, "fenix@google.com" <fenix@google.com>, "martin.thomson@gmail.com" <martin.thomson@gmail.com>, "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>, Poul-Henning Kamp <phk@phk.freebsd.dk>
In-Reply-To: <7.1.0.9.2.20150306125548.0d9f9748@bt.com>
References: <201503051255.t25Ct8YK001645@bagheera.jungle.bt.co.uk> <BL2PR03MB1327F1C997FAEBD383044C9871F0@BL2PR03MB132.namprd03.prod.outlook.com> <7.1.0.9.2.20150306125548.0d9f9748@bt.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format="flowed"
X-Scanned-By: MIMEDefang 2.56 on 132.146.168.158
Received-SPF: pass client-ip=62.7.242.139; envelope-from=bob.briscoe@bt.com; helo=hubrelay-by-03.bt.com
X-W3C-Hub-Spam-Status: No, score=-1.2
X-W3C-Hub-Spam-Report: AWL=-0.460, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01, URIBL_BLOCKED=0.001
X-W3C-Scan-Sig: lisa.w3.org 1YTvlU-0000fO-DA fa330fae3457d0cf4f5423718fd7366d
X-Original-To: ietf-http-wg@w3.org
Subject: RE: HTTP/2 extensibility <draft-ietf-httpbis-http2-17>
Archived-At: <http://www.w3.org/mid/201503061709.t26H9lEw014362@bagheera.jungle.bt.co.uk>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/28901
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <http://www.w3.org/Mail/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>
Mike, I omitted to comment on the rather unconventional structure of SETTINGS frames too, which makes SETTINGS both hard to extend and inefficient. "A SETTINGS frame with a length other than a multiple of 6 octets MUST be treated as a connection error" The SETTINGS frame structure seems not to use the extensible type-length-value (TLV) design, that has been tried and tested for binary protocols over decades. The 16b SETTINGS type is currently used for 6 values (1-6). Extensibility to allow the other 65,530 values will be fairly pointless if each of their values has to fit within 32b. A [T:L:V] of [8:8:variable] octets would probably have been sufficient, more efficient and far more flexible. Bob [Side-stepping Poul-Henning's comments that are probably true, but perhaps not phrased in a way that will persuade you to reconsider.] At 13:35 06/03/2015, Bob Briscoe wrote: >Mike, > >At 18:22 05/03/2015, Mike Bishop wrote: >>Hi, Bob - >> >>Let me try to address a few of your points. The logic behind >>"discard unknown" is precisely so that new frame types can be >>added. If you receive a frame type that you know and can validate >>the length, then you're able to reject it as an improper length -- >>but if it's a frame type you don't recognize, the length allows you >>to skip past it. > >That's only an argument for having a length field. It doesn't >justify 'discard unknown' any more than it justifies 'ignore >unknown'. And it doesn't justify hard-coding the predetermined valid >length into the implementation. > >>So, just as you suggest, the worst case is to inject something that >>gets ignored. There were concerns raised with forwarding frame >>types you don't understand, particularly when you consider a >>connection to an intermediary where different streams may be going >>to different servers on the back-end. If the frames on different >>streams were related in some way, but you could only untangle the >>relation if you understood the frames, the eventual recipients >>would get fragmentary conversations. (Think of a shared >>compression context across streams, for example.) > >OK, that /is/ a valid argument for 'discard unknown' rather than >'forward unknown'. > >But I suggested a solution to that; if it's unknown, there could be >a field in the frame that says whether to forward or discard it >(aka. late binding, like in IPv6 extension headers). Then: >* if a new frame type would be susceptible to inconsistency over >different paths, it can be flagged as 'discard unknown'. >* Otherwise it would be flagged as 'forward unknown'. >* And if we're not sure, we can play safe and flag it as 'discard >unknown' anyway. > >Then you could keep the tightly consistent design you want today (by >setting discard unknown on all frame types), but you haven't >foreclosed on a 'forward unknown' frame type if you really need it in future. > >During the design discussions, did anyone suggest this 'late binding' idea? > >>For this reason, it was decided that extension frames should be >>hop-by-hop, but could be defined such that a recipient who >>understands the frame would relay it onto subsequent >>connections. New extensions can define additional frames, and can >>define the processing of them. That processing may include >>whether/how to forward them to the next hop, if you're an >>intermediary. I would consider it good practice for any extension >>which defines frames to also define intermediary behavior, but the >>WG opted not to make that good practice a normative requirement. > >There seems to be an assumption that implementers will add new >features even though they won't work e2e until everyone else has >implemented and deployed the same feature. That seems to overlook >the last two depressing decades of experience (at the transport >layer) of chicken-and-egg deployment incentives. > >>It was also an explicit choice not to allow an endpoint to >>*unilaterally* change the definition of existing frames, because >>that leads to unknown behavior when you receive a known frame type >>of an unexpected length. You don't know where the changes are, and >>whether fields still mean what you think they do. However, the >>flexibility to modify rules by mutual agreement is the obvious way >>around that. Define, as part of your extension, a setting that >>indicates your willingness to accept, say, an "opinion" string >>embedded in each SETTINGS ACK. Upon receipt of that setting, >>someone who doesn't speak your extension ignores it and sends >>normal ACKs. Someone who does speak your extension knows they can >>send you non-standard ACKs and you'll handle them appropriately >>without generating a FRAME_SIZE_ERROR. > >Yes. So again, my concern is that the spec requires frames to be >discarded if they are of known type but unknown length; rather than >using the 'late-binding' idea, to be able to 'ignore but forward unknown'. > > >Bob > > >>-----Original Message----- >>From: Bob Briscoe [mailto:bob.briscoe@bt.com] >>Sent: Thursday, March 5, 2015 4:55 AM >>To: mbelshe@chromium.org; fenix@google.com; martin.thomson@gmail.com >>Cc: ietf-http-wg@w3.org >>Subject: HTTP/2 extensibility <draft-ietf-httpbis-http2-17> >> >>HTTP/2 folks, >> >>I've reviewed the whole draft. I know the draft has just >>successfully passed IESG review, but I hope this posting is still useful. >> >>My credentials for this: first role in the IETF in 1995 was to ensure >>HTTP/1.1 generalised from Web pages to objects, but for the last 15 >>years my focus has shifted down the layers into transport. >>Non-credentials: I've been paying insufficient attention to HTTP/2 >>until now, but I have tried to research back over the ML for the >>rationale behind design decisions. >> >>So consider this as a late review from a clueful but fresh pair of eyes. >> >>My main concerns are >>* extensibility >>* flow control >>* numerous open issues left dangling >>I'll cover extensibility here, and my other concerns (as well as >>nits) in subsequent posting. >> >> >>Achieving this milestone on time has been impressive. I understand >>the reasons for having to get something standardised. However, I see >>potential problems. And that would be fine, but only if there were a >>more granular mechanism to extend the protocol to fix it in future. >> >>For instance, a number of potential issues around DoS are left open. >>If the protocol has to be hardened against new attacks, I believe the >>recommended extensibility path is to design and implement a >>completely new protocol release, then upgraded endpoints negotiate it >>during the initial handshake. The timescale for such a process is >>measured in years, during which the vulnerability has to be lived >>with. Surely we need more granular extensibility; to introduce new >>frame types and structures, and/or to deprecate outdated/vulnerable ones. >> >>Rather than a blanket statement saying that an endpoint discards and >>ignores a frame type that it does not recognise, we should include a >>field in the generic frame header to specify this behaviour. In this >>way, the currently defined extensibility behaviour could be required >>or relaxed depending on what the future brings - instead of having to >>decide the extensibility model now. >> >>This would be safe, because the worst an attacker can do is inject a >>new unrecognised header and get it forwarded, but not acted on. >>Unless it is a type known to at least one implementation, it will >>never be acted on. >> >>The same point applies to extending known frame types. There is no >>point having a length field on frames if any length other than that >>specified produces a FRAME_SIZE_ERROR. For extensibility, a frame >>with an unexpected length should at least be ignored, rather than >>leading to a stream error. Ideally, similar to above, there should be >>a field that specifies what action to take (forward or not) if the >>structure of the frame type is unrecognised. >> >>One of the greatest strengths of HTTP/1.x was the general rule about >>unrecognised headers, which enabled 'a thousand flowers to bloom'. >>The few most beautiful ones survived. If evolution can only proceed >>in giant steps, the natural selection process will be glacially slow. >> >>HTTP is important to us all. It has now become the only way to extend >>transport capabilities. The last thing we should do is build over the >>only pathway we have left with an evolutionary cul-de-sac. >> >> >> >>Bob >> >> >>________________________________________________________________ >>Bob Briscoe, BT > >________________________________________________________________ >Bob Briscoe, BT ________________________________________________________________ Bob Briscoe, BT
- HTTP/2 extensibility <draft-ietf-httpbis-http2-17> Bob Briscoe
- Re: HTTP/2 extensibility <draft-ietf-httpbis-http… Martin Thomson
- RE: HTTP/2 extensibility <draft-ietf-httpbis-http… Mike Bishop
- Re: HTTP/2 extensibility <draft-ietf-httpbis-http… Ben Niven-Jenkins
- RE: HTTP/2 extensibility <draft-ietf-httpbis-http… Bob Briscoe
- Re: HTTP/2 extensibility <draft-ietf-httpbis-http… Bob Briscoe
- Re: HTTP/2 extensibility <draft-ietf-httpbis-http… Poul-Henning Kamp
- RE: HTTP/2 extensibility <draft-ietf-httpbis-http… Bob Briscoe