RE: Prague side meeting: HTTP/2 concurrency and request cancellation (CVE-2023-44487)

Mike Bishop <mbishop@evequefou.be> Thu, 12 October 2023 18:34 UTC

From: Mike Bishop <mbishop@evequefou.be>
To: Martin Thomson <mt@lowentropy.net>, Glenn Strauss <gs-lists-ietf-http-wg@gluelogic.com>
CC: Willy Tarreau <w@1wt.eu>, Mark Nottingham <mnot@mnot.net>, HTTP Working Group <ietf-http-wg@w3.org>
Date: Thu, 12 Oct 2023 18:33:26 +0000
Message-ID: <PH0PR22MB31026C406E8A9B4544071973DAD3A@PH0PR22MB3102.namprd22.prod.outlook.com>
References: <997813D6-7A5B-49E2-A2C3-FCD1B2D5F5BC@mnot.net> <ZSZuHu5iWdh5Rl3b@1wt.eu> <6e83e59a-494e-4941-9ec5-2bf22b9e8529@betaapp.fastmail.com> <ZSd4Wa/1VHbpJBIo@xps13> <3e0a8602-c846-4eea-a9b1-5e42fa1c423b@betaapp.fastmail.com>
In-Reply-To: <3e0a8602-c846-4eea-a9b1-5e42fa1c423b@betaapp.fastmail.com>
Archived-At: <https://www.w3.org/mid/PH0PR22MB31026C406E8A9B4544071973DAD3A@PH0PR22MB3102.namprd22.prod.outlook.com>

That might be exactly what we need. This has been a problem for many of us for a while, despite it being publicly discussed only recently. While your draft is a fine patch for well-behaved clients, the reality is that attackers will simply play dumb and pretend to be unextended HTTP/2 clients. Other mitigations will still be needed as long as that connection pattern is allowed.  (And reducing the default or recommended value does nothing to mitigate this particular attack, so I'm not particularly concerned about it.  Servers will enforce their actual value from the start of the connection and RESET any excess streams anyway.)

What servers would need is the ability to deny the use of HTTP/2 unless this mechanism is supported.  That implies an ability to consider the presence of this extension when the server is deciding which of the client's ALPNs to select.

ALPS might be a solution, but the interplay between ALPS and ALPN would be unpleasant, even if it were already present and usable in most stacks. Something like that feels like a better answer to things which will influence the first flight, but not influence the protocol selection.

When we designed the HTTP/2 extension mechanism, we took a hard stance against embedding extension IDs in the ALPN, because of the potential explosion of IDs as multiple extensions were supported.  But for a case where we might change support of a protocol based on the absence of certain extensions, an ALPN token could be warranted.

How's "h2.1"?

-----Original Message-----
From: Martin Thomson <mt@lowentropy.net> 
Sent: Thursday, October 12, 2023 12:42 AM
To: Glenn Strauss <gs-lists-ietf-http-wg@gluelogic.com>
Cc: Willy Tarreau <w@1wt.eu>; Mark Nottingham <mnot@mnot.net>; HTTP Working Group <ietf-http-wg@w3.org>
Subject: Re: Prague side meeting: HTTP/2 concurrency and request cancellation (CVE-2023-44487)

On Thu, Oct 12, 2023, at 15:38, Glenn Strauss wrote:
> Related, I support a future RFC changing the initial setting for 
> HTTP/2 SETTINGS_MAX_CONCURRENT_STREAMS to something much more limited, 
> such as 10.  (FYI: lighttpd sends SETTINGS_MAX_CONCURRENT_STREAMS 8.)

Unfortunately, in order to do that, we would need to define a completely new protocol that is identified by a different ALPN token, like "h2-but-not-as-vulnerable-to-DoS".

I agree that the initial value is bad (a limit of 2^30 is just absurd), but I'm not sure that the cost of fixing this is justified.

Teaching clients to cope better with lower concurrency limits (like 8) is probably our best course of action here.
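Two points in this exchange are easier to see in code than in prose: that a server enforces its real SETTINGS_MAX_CONCURRENT_STREAMS from the first frame (so lowering the spec's initial value changes nothing for an attacker), and that the limit alone does not bound work when a client opens a stream and cancels it at once. The following is an added example written for this page; it is not code from the thread, nor from lighttpd, HAProxy or any other implementation discussed here. It encodes and parses raw HTTP/2 frames using the header layout of RFC 9113 section 4.1 and runs a toy server-side state machine over three constructed traces. The concurrency limit of 8, the per-batch reset budget of 16, the "one handle() call is one scheduling round" timing model and the traces themselves are assumptions made for illustration.

```python
"""
Server-side stream accounting against HTTP/2 Rapid Reset (CVE-2023-44487).

Added example for this thread; it is not code from lighttpd, HAProxy or any
other implementation discussed here.  The frame header layout follows RFC 9113
section 4.1; the limits, the batch-per-call timing model and the traces are
constructed assumptions for illustration only.
"""
import struct
from dataclasses import dataclass, field

HEADERS, RST_STREAM, SETTINGS, GOAWAY = 0x1, 0x3, 0x4, 0x7   # frame types
END_STREAM = 0x1                                             # HEADERS flag
CANCEL, REFUSED_STREAM, ENHANCE_YOUR_CALM = 0x8, 0x7, 0xB    # error codes


def frame(ftype, stream_id, payload=b"", flags=0):
    """Encode one frame: 24-bit length, 8-bit type, 8-bit flags, R + 31-bit stream id."""
    return (struct.pack(">I", len(payload))[1:] + bytes([ftype, flags])
            + struct.pack(">I", stream_id & 0x7FFFFFFF) + payload)


def parse_frames(buf):
    """Yield (type, flags, stream_id, payload) for each complete frame in buf."""
    off = 0
    while off + 9 <= len(buf):
        length = int.from_bytes(buf[off:off + 3], "big")
        ftype, flags = buf[off + 3], buf[off + 4]
        sid = int.from_bytes(buf[off + 5:off + 9], "big") & 0x7FFFFFFF
        yield ftype, flags, sid, buf[off + 9:off + 9 + length]
        off += 9 + length


@dataclass
class Server:
    """Toy per-connection state. Values are assumptions, not any real server's defaults."""
    max_concurrent: int = 8    # the server's real limit, enforced from the first frame
    reset_budget: int = 16     # resets of still-unanswered streams tolerated per batch
    open_streams: set = field(default_factory=set)
    sent: list = field(default_factory=list)   # (type, stream_id, payload) the server emitted
    handler_runs: int = 0      # backend work consumed, including on streams later reset
    closed: bool = False

    def _send(self, ftype, sid, payload=b""):
        self.sent.append((ftype, sid, payload))

    def handle(self, raw):
        """Process one batch of client frames, then answer whatever is still open.

        Treating one call as one scheduling round is the simplification here:
        a stream reset inside the batch was reset before the server could respond.
        """
        quick_resets = 0
        for ftype, _flags, sid, _payload in parse_frames(raw):
            if self.closed:
                break
            if ftype == HEADERS:
                if len(self.open_streams) >= self.max_concurrent:
                    # Excess streams are refused regardless of what the client claims
                    # to know about our SETTINGS, so a lower default buys nothing here.
                    self._send(RST_STREAM, sid, struct.pack(">I", REFUSED_STREAM))
                    continue
                self.open_streams.add(sid)
                self.handler_runs += 1   # the request handler starts as soon as we accept
            elif ftype == RST_STREAM and sid in self.open_streams:
                self.open_streams.discard(sid)   # slot freed at once: what the attack exploits
                quick_resets += 1
                if quick_resets > self.reset_budget:
                    self._send(GOAWAY, 0, struct.pack(">II", 0, ENHANCE_YOUR_CALM))
                    self.closed = True
        if not self.closed:
            for sid in sorted(self.open_streams):
                self._send(HEADERS, sid)         # response with END_STREAM closes the stream
            self.open_streams.clear()


def well_behaved(n):
    """Constructed trace: n requests sent back to back, no resets."""
    return b"".join(frame(HEADERS, 2 * i + 1, flags=END_STREAM) for i in range(n))


def rapid_reset(n):
    """Constructed trace of the CVE-2023-44487 pattern: open, cancel, repeat."""
    out = []
    for i in range(n):
        sid = 2 * i + 1
        out.append(frame(HEADERS, sid, flags=END_STREAM))
        out.append(frame(RST_STREAM, sid, struct.pack(">I", CANCEL)))
    return b"".join(out)


def run(trace, **limits):
    """Feed one batch to a fresh Server and return it for inspection."""
    srv = Server(**limits)
    srv.handle(trace)
    return srv


if __name__ == "__main__":
    ok = run(well_behaved(9))
    print("well-behaved: handled", ok.handler_runs, "refused",
          sum(1 for t, _, _ in ok.sent if t == RST_STREAM))
    naive = run(rapid_reset(1000), reset_budget=10 ** 9)
    print("no reset budget: handler runs", naive.handler_runs,
          "open at end", len(naive.open_streams))
    guarded = run(rapid_reset(1000))
    print("with reset budget: handler runs", guarded.handler_runs, "closed", guarded.closed)
```

Run it directly to see the three cases. Nine back-to-back requests against a limit of eight get exactly one REFUSED_STREAM, with no SETTINGS round trip needed, which is the enforcement-from-the-start point above. A thousand open-and-cancel pairs with the reset budget disabled consume a thousand handler invocations while never holding more than one stream open, which is the whole attack: the concurrency limit is respected and still bounds nothing. With the budget in place the seventeenth reset of an unanswered stream draws a GOAWAY with ENHANCE_YOUR_CALM. A production server would count resets per unit of time rather than per batch and weigh them against completed work, so that legitimate cancellations (a user navigating away mid-load) are not punished.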