IETF Logo Mail Archive

Re: New Draft: draft-ohanlon-transport-info-header

Patrick McManus <mcmanus@ducksong.com> Mon, 25 November 2019 17:54 UTC

Return-Path: <ietf-http-wg-request+bounce-httpbisa-archive-bis2juki=lists.ie@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5B2D7120AF7 for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Mon, 25 Nov 2019 09:54:12 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.751
X-Spam-Level:
X-Spam-Status: No, score=-2.751 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.249, HTML_MESSAGE=0.001, MAILING_LIST_MULTI=-1, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ducksong.com header.b=iXv56Imy; dkim=pass (2048-bit key) header.d=outbound.mailhop.org header.b=C+dEAX5M
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ka_c9Br9N-SQ for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Mon, 25 Nov 2019 09:54:09 -0800 (PST)
Received: from frink.w3.org (frink.w3.org [IPv6:2603:400a:ffff:804:801e:34:0:38]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D2402120B04 for <httpbisa-archive-bis2Juki@lists.ietf.org>; Mon, 25 Nov 2019 09:53:37 -0800 (PST)
Received: from lists by frink.w3.org with local (Exim 4.89) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1iZIWJ-0003Hk-S8 for ietf-http-wg-dist@listhub.w3.org; Mon, 25 Nov 2019 17:51:31 +0000
Resent-Date: Mon, 25 Nov 2019 17:51:31 +0000
Resent-Message-Id: <E1iZIWJ-0003Hk-S8@frink.w3.org>
Received: from titan.w3.org ([2603:400a:ffff:804:801e:34:0:4c]) by frink.w3.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.89) (envelope-from <mcmanus@ducksong.com>) id 1iZIWH-0003Gu-A3 for ietf-http-wg@listhub.w3.org; Mon, 25 Nov 2019 17:51:29 +0000
Received: from outbound2r.ore.mailhop.org ([54.200.129.228]) by titan.w3.org with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from <mcmanus@ducksong.com>) id 1iZIWF-0006Yy-D7 for ietf-http-wg@w3.org; Mon, 25 Nov 2019 17:51:29 +0000
ARC-Seal: i=1; a=rsa-sha256; t=1574704285; cv=none; d=outbound.mailhop.org; s=arc-outbound20181012; b=thX1Cb708t0ICa2L+gvc6mJJDOE7XoTB9t4NtHJdMwSOB19si7xmYzM9BDs+tBA612+GtOGom2J+Y apbnhqE9GWBQh5Dvqf/DWyoMQ/WX5gGzTOfjQQEvaR0+Nz4IxDyfEAzT0SVHTyIKYoIDmy9vmOsCt1 K8srX2kueJK0VInYTOzt78pODGPGUm+dxapeRrl191DVKHg7jzgirZQlwSHq9p0VTAcDaV6YtlIhdO TfS6ZRS+558PrVyhfSxSO3Ff/ljIKxEFI4Bi7D5lvH194WDpvdwu5sBZYOgEPzBppGxdWD8IByLnn0 EXPR4XM/TMQGOa8wFTPd3Kv2UNpwbgg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=outbound.mailhop.org; s=arc-outbound20181012; h=content-type:cc:to:subject:message-id:date:from:in-reply-to:references: mime-version:dkim-signature:dkim-signature:from; bh=K8PQP64Ez+nT3Qna6lzzDA7uGBmjBDK11AkONHmqJ6A=; b=CFXgwA/35SsvepfOrKiwTGoAeV9fOoJPLfeIEIY6sR1Xqvnsgp8Av4TNDg/DRK7e+yXB/jXojGzFn NJe7Q/WF38ML6LML8sD/lgzdfWdJokzOwE1COGH6+D/5iwkQQdLJDIp8kQYcT5yDK9ab29rTFHF3Ul CyPafTUJeyQldCkkqECFZJO+W4C3jzidHWjoip1aSCNRMPT7i2MCp2dGns7IZRuZy554d4okM5qaiv PryC0vKwA8a34PQ+g2vnwTTPEgT9gKHDnRxrUCvU9vVZuLaySje4xOlhfx6J38QpjXPtAeTjY2MITS 7iUNfQdQmU1L4EAjArNTpAj8k58tiLA==
ARC-Authentication-Results: i=1; outbound4.ore.mailhop.org; spf=pass smtp.mailfrom=ducksong.com smtp.remote-ip=209.85.167.182; dmarc=none header.from=ducksong.com; arc=none header.oldest-pass=0;
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ducksong.com; s=duo-1537391512170-ea99bbb3; h=content-type:cc:to:subject:message-id:date:from:in-reply-to:references: mime-version:from; bh=K8PQP64Ez+nT3Qna6lzzDA7uGBmjBDK11AkONHmqJ6A=; b=iXv56ImydZAauBKKX5TZ05Sfjzi68cBBuDuxWdwkP/ztUVm+mE1e3X+Pt6A/J6LN/jiyddXms+tx6 gmvDNkZqCxvvll5NodOHuA2Kv5bYaUNwdEm64GDSD8F49WLw8oVAWuq5bbjyZzyTf/N7sPKSoXtc9W +ivihnqYmhAwzXNs=
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=outbound.mailhop.org; s=dkim-high; h=content-type:cc:to:subject:message-id:date:from:in-reply-to:references: mime-version:from; bh=K8PQP64Ez+nT3Qna6lzzDA7uGBmjBDK11AkONHmqJ6A=; b=C+dEAX5MA+2Ocu9Iy3Mk9qMMx6hAW0kAqjwpBsHfCuZDOR5fFux9aKlWVbG/kBixU8o2ScZZX7Oan Qzao1xbe/E5v3NyV/511XpHOrAndpEqPNlVoAIdoemzgBpvyiOiZuPszHyN0Jb7VnpHfn97XLuLyRk kcaFw/I2L5Lw62Z47G9AnUmydIt0CqiqG+vPJKYXKIYH2OnQq9f9DeG2QAalOvWr6fyg1CTqkXcmwt PDs2vqAIIWRNtu84edl6NKfF6HRxfKBHfiNbF+vGGAtVD2hIqoJXkDl8IBNqa8dE8Y78D8rx/Gd5nB cuW/SGxBzNYwcdp6EdpxttfOoOYvHxg==
X-MHO-RoutePath: bWNtYW51cw==
X-MHO-User: 319f19d2-0fac-11ea-829e-79a40d15cccd
X-Report-Abuse-To: https://support.duocircle.com/support/solutions/articles/5000540958-duocircle-standard-smtp-abuse-information
X-Originating-IP: 209.85.167.182
X-Mail-Handler: DuoCircle Outbound SMTP
Received: from mail-oi1-f182.google.com (unknown [209.85.167.182]) by outbound4.ore.mailhop.org (Halon) with ESMTPSA id 319f19d2-0fac-11ea-829e-79a40d15cccd; Mon, 25 Nov 2019 17:51:24 +0000 (UTC)
Received: by mail-oi1-f182.google.com with SMTP id d22so13914947oic.7 for <ietf-http-wg@w3.org>; Mon, 25 Nov 2019 09:51:23 -0800 (PST)
X-Gm-Message-State: APjAAAWhVgmAU9GaQt5CY8ksn5K7M8l9QLy89if/AcOPgaYKT05D0n9L o506BUCRogIPUevvyKqgZIlTii9IIB3hsEEOwQo=
X-Google-Smtp-Source: APXvYqyJmxv8Gpc095tvb20ggvc37jHer5TI8kN2zCSuC1BOQi2WRCiw13OfgoVHEIpwzUruXeekrxUyIYsp9U23Csg=
X-Received: by 2002:aca:b105:: with SMTP id a5mr85856oif.82.1574704282738; Mon, 25 Nov 2019 09:51:22 -0800 (PST)
MIME-Version: 1.0
References: <CAFWWCs4jSRbrK_-5mxM8w4YexYNKRuwGGJSK4iNrhr4en2Q=_w@mail.gmail.com> <CALGR9ob+EgQwC=VK80PPRWxABxi3AeLUpGXk=wzBK57H0OUzJw@mail.gmail.com> <CAFWWCs5u=qAjmhPek17YqN=AmVJgyCXEVkfP2RsQ5uM-DBZc0A@mail.gmail.com> <CAOdDvNrKSPwxNPDYW_0rqc78Zu4NJW9E49qGFt+nv7v3cUgTXg@mail.gmail.com> <CAFWWCs7XqVjOcNyt75P7enHXkAV3WzM8TDZLmUUaiDHFdT3QQQ@mail.gmail.com> <CAOdDvNo2dC77aQJif_351SR70J=judm+eKupm64=fSCY8212PA@mail.gmail.com> <FC0A337E-C794-446A-B587-36FA4F57820D@bbc.co.uk>
In-Reply-To: <FC0A337E-C794-446A-B587-36FA4F57820D@bbc.co.uk>
From: Patrick McManus <mcmanus@ducksong.com>
Date: Mon, 25 Nov 2019 12:51:11 -0500
X-Gmail-Original-Message-ID: <CAOdDvNoJyKia5KLHi-1dg7jX6ShJUPycnZwnazSFa4wf0qvLig@mail.gmail.com>
Message-ID: <CAOdDvNoJyKia5KLHi-1dg7jX6ShJUPycnZwnazSFa4wf0qvLig@mail.gmail.com>
To: Piers O'Hanlon <piers.ohanlon@bbc.co.uk>
Cc: Patrick McManus <mcmanus@ducksong.com>, Piers O'Hanlon <p.ohanlon@gmail.com>, Lucas Pardue <lucaspardue.24.7@gmail.com>, HTTP Working Group <ietf-http-wg@w3.org>
Content-Type: multipart/alternative; boundary="00000000000066279105982f6969"
Received-SPF: permerror client-ip=54.200.129.228; envelope-from=mcmanus@ducksong.com; helo=outbound2r.ore.mailhop.org
X-W3C-Hub-Spam-Status: No, score=-5.1
X-W3C-Hub-Spam-Report: BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, W3C_AA=-1, W3C_IRA=-1, W3C_WL=-1
X-W3C-Scan-Sig: titan.w3.org 1iZIWF-0006Yy-D7 5e87cea9604288fd6b6544f068749fd8
X-Original-To: ietf-http-wg@w3.org
Subject: Re: New Draft: draft-ohanlon-transport-info-header
Archived-At: <https://www.w3.org/mid/CAOdDvNoJyKia5KLHi-1dg7jX6ShJUPycnZwnazSFa4wf0qvLig@mail.gmail.com>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/37192
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <https://www.w3.org/Mail/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>

On Mon, Nov 25, 2019 at 11:50 AM Piers O'Hanlon <piers.ohanlon@bbc.co.uk>
wrote:

>
> The only transactions that traverse that connection are between the client
> and the “origin”.
>
>
no - connections are not limited to a single origin as far back as the h1
proxy use case and its definitely not true in h2/h3 at all. And even if it
were, that's not enough protection. HTTP exchanges are explicitly stateless
- mechanisms that ignore that to create some kind of ambient state always
cause trouble (e.g. ntlm).


> > These transactions don't necessarily share the same origin (or the same
> auth properties).
> >
> If they don’t share the same origin they’re transported on a different
> connection so would have a different CWND(s).
>

no.


>
> The CWND sent in a Transport-Info header would only be related to a single
> transport connection between one “origin" and one client over which flows
> transactions related to those entities.


I want to put up a flag here and say that even same-origin exchanges need
to be isolated from each other. Two different sets of login cookies on the
same origin don't share the same security context.


> The transactions from the same origin to other clients would be over a
> different transport connection so the cwnd would be different.
> Transactions that don’t share the same origin would be a different
> connection and contain yet another cwnd.
>
>
no.


> *when I say “origin” I mean the last hop edge node of whatever CDN serves
> the origin.
>
>
origin is the combination of scheme host and port. A CDN edge serves many
origins.


> Apologies if I’m missing your point but from what have you have described
> the side channel isn’t clear to me?
>
>
obviously the HTTP protocol is aware of this sharing - indeed it initiates
it! but the ramifications of it are generally opaque to the semantics of
HTTP exchanges (roughly expressed by headers and messages). So perhaps what
you want is better carried in the protocol (e.g. as a frame).. if you are
proposing exposing it to content it needs to be scrutinized for the same
reason that it is useful. This can be subtle - see CRIME and BREACH for
example.

hth



> Piers
>
> > On Mon, Nov 25, 2019 at 7:19 AM Piers O'Hanlon <p.ohanlon@gmail.com>
> wrote:
> > Hi Patrick,
> >
> > Thanks for your feedback.
> >
> > I'm assuming most cross-origin issues should be dealt with by CORS but
> > were you concerned with that suggestion that the header could be
> > contained in an OPTIONS response? I can see that since such a response
> > is not subject to CORS - such as in a CORS pre-flight request - then
> > we could drop that as an approach and just keep to using HEAD requests
> > as a mechanism to obtain the Transport-Info.
> >
> > Let me know what if that doesn't address your issue or if you have any
> > other concerns.
> >
> > Piers
> >
> >
> > On Fri, 22 Nov 2019 at 21:41, Patrick McManus <mcmanus@ducksong.com>
> wrote:
> > >
> > > To the extent that this leaks information across origins to js its
> probably a problem too.
> > >
> > > On Fri, Nov 22, 2019 at 8:58 PM Piers O'Hanlon <p.ohanlon@gmail.com>
> wrote:
> > >>
> > >> Hi Lucas,
> > >>
> > >> Thanks for bring that up - as you say Nginx's default for
> > >> http2_max_requests is 1000, although it can be changed (and appears to
> > >> be done so for RPC applications). I'm not sure how many other server
> > >> implementations do this?
> > >>
> > >> Firstly, we can detect this through of the use of the dstport
> > >> parameter - as a new TCP connection would use a different port.
> > >> Although it could potentially lead to temporary loss of information
> > >> for a time as discussed below.
> > >>
> > >> Secondly, the affect of this would be only apparent each time the
> > >> request count is exceeded - so say every 1000 requests - when a switch
> > >> over would occur. When a switch over does occur then it depends on the
> > >> comparative duration of the data responses of interest, versus how
> > >> often one wants to perform parallel HEAD/OPTION requests for
> > >> Transport-Info. So for the case where where the frequency of parallel
> > >> requests is about the same then I think it shouldn't matter much as
> > >> with most server systems these days the congestion control parameters
> > >> are cached in the kernel so a subsequent connection to the same
> > >> destination would be preloaded with the cached metrics so the
> > >> Transport-Info header would contain these. In the case where there's a
> > >> series of long running responses then it might be an issue as after
> > >> switch over point there would also be two parallel TCP connections to
> > >> the same point but they would exist separately for a longer period so
> > >> potentially the metrics obtained via subsequent HEAD/OPTIONS could be
> > >> different as the cwnd can be reduced for low volume flows, though
> > >> these would generally not be used since the dstport would not match so
> > >> there could be a loss of information in this case.
> > >>
> > >> Cheers
> > >>
> > >> Piers
> > >>
> > >> On Fri, 22 Nov 2019 at 10:51, Lucas Pardue <
> lucaspardue.24.7@gmail.com> wrote:
> > >> >
> > >> > Hi Piers,
> > >> >
> > >> >
> > >> >
> > >> >
> > >> > On Fri, 22 Nov 2019, 17:58 Piers O'Hanlon, <p.ohanlon@gmail.com>
> wrote:
> > >> >>
> > >> >> Hi all,
> > >> >>
> > >> >> - “It only provides information per response which isn’t very
> often”
> > >> >> We mention in the draft that with H2+ one can send and arbitrary
> number of requests (using OPTIONS/HEAD) to obtain more measurements
> responses per unit time.
> > >> >
> > >> >
> > >> > I have an observation but not sure it belongs in a document.
> Implementations such as nginx have a soft max number of HTTP/2 requests
> before closing the connection (default 1000 last I checked). If you're
> trying to sample the transport info to frequently you may end ip blowing it
> up. This seems unfortunate because the client use case is designed around
> making smarter transport related decisions.
> > >> >
> > >> > Cheers
> > >> > Lucas
> > >> >
> > >> >>
> > >> >> We would welcome any more feedback by email and/or Github issues
> > >> >>
> > >> >> Thanks,
> > >> >>
> > >> >> Piers O'Hanlon
> > >>
> >
>
>

v2.23.0 | Report a Bug | By Email