Re: Design Issue: Unknown Frame Type MUST IGNORE rule and Denial of Service Attacks

William Chan (陈智昌) <willchan@chromium.org> Sun, 28 April 2013 22:33 UTC

Return-Path: <ietf-http-wg-request@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5CB3B21F84B7 for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Sun, 28 Apr 2013 15:33:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -9.676
X-Spam-Level:
X-Spam-Status: No, score=-9.676 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, MIME_8BIT_HEADER=0.3, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PTp7exOzOxUG for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Sun, 28 Apr 2013 15:33:41 -0700 (PDT)
Received: from frink.w3.org (frink.w3.org [128.30.52.56]) by ietfa.amsl.com (Postfix) with ESMTP id 2FD0021F8484 for <httpbisa-archive-bis2Juki@lists.ietf.org>; Sun, 28 Apr 2013 15:33:41 -0700 (PDT)
Received: from lists by frink.w3.org with local (Exim 4.72) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1UWa9Q-0007Fc-SO for ietf-http-wg-dist@listhub.w3.org; Sun, 28 Apr 2013 22:32:56 +0000
Resent-Date: Sun, 28 Apr 2013 22:32:56 +0000
Resent-Message-Id: <E1UWa9Q-0007Fc-SO@frink.w3.org>
Received: from lisa.w3.org ([128.30.52.41]) by frink.w3.org with esmtp (Exim 4.72) (envelope-from <willchan@google.com>) id 1UWa9B-0007E7-IF for ietf-http-wg@listhub.w3.org; Sun, 28 Apr 2013 22:32:41 +0000
Received: from mail-qe0-f54.google.com ([209.85.128.54]) by lisa.w3.org with esmtps (TLS1.0:RSA_ARCFOUR_SHA1:16) (Exim 4.72) (envelope-from <willchan@google.com>) id 1UWa9A-00013Y-Hv for ietf-http-wg@w3.org; Sun, 28 Apr 2013 22:32:41 +0000
Received: by mail-qe0-f54.google.com with SMTP id s14so3655218qeb.41 for <ietf-http-wg@w3.org>; Sun, 28 Apr 2013 15:32:15 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:x-received:sender:in-reply-to:references:date :x-google-sender-auth:message-id:subject:from:to:cc:content-type; bh=ouKF6nGGc5Tq6yRkOZAGqIxPGYo5Y5VBBVo+ay4sVEE=; b=kUEE388ezNQfOkJKG9k+9fkZOr0jxrTI+zfzoDukdbDTuWAU9AlzQbGQ5wq8JuXKug VNUvLEoktH/ltBTEaBnxvgCVQg2LtReXW+7R/zVklzOUg5E91MP/NnmJGpIEzK5wS60t BsYM1kylqrZ7LFG02OzQ0q7K/M8OxeS43obbqcGpObBAjG0B/jajOejwZU+1cfeTp6Hw 42ISR49ozyZYf2K6l3V+8+ywKpTAqSAM8oSf0AjJuk28apOtLScYwK1Hj3iEfWhJGniE E4r4QnCxFYjk8wJ0SF7xwjgGdz3g8+2VOCN+HlOHnUeAGsI8H5Q0kK8LTNVRy5t7dhFQ avOg==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=mime-version:x-received:sender:in-reply-to:references:date :x-google-sender-auth:message-id:subject:from:to:cc:content-type; bh=ouKF6nGGc5Tq6yRkOZAGqIxPGYo5Y5VBBVo+ay4sVEE=; b=nZZFN6iLlmXxUF/DRswIZMdhXuzRvHaMWyWZUbOrvPwGsIVZNMeVtXef7M+xQw/ZHq Kn0UxQ1t+Ikayv8MDbX0V+vnvvOYKe8BBvUbmDaQrYnD8fA9x4sGyQR4J/X4Z+V2K/cD CAFkjGl1iAD8UkzVWM2LEcs5FO1pInTVMK32I=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:x-received:sender:in-reply-to:references:date :x-google-sender-auth:message-id:subject:from:to:cc:content-type :x-gm-message-state; bh=ouKF6nGGc5Tq6yRkOZAGqIxPGYo5Y5VBBVo+ay4sVEE=; b=G+pzQC9oqKkpoSmsNZHrm9d5xkdahI8zD7iwTT1Be/eAoED4LKlngSrMKUeuWxXDI3 +aH1PJQkBtB/qMuzwIzr9nx6xByB5vOsZJaN5edkwx/09hT4K6K5LLS5i6mFvtuLnQSw W0DXkabi2iGLK5AeQcqoxNVMCi/0c3cTAovaWTiPUaXYKsoMCcN0oL2602wyPXcO7vpE dmixG+rjNM/WjLsTRWIJQJJo8Xyi3vTWnF31+1pceowsWlEOjUZFfWTOsJtAbaAxlj4g ZIt14A93QL4gdI1kGuR0+jqjqNnDk36uIv5wxMikGE00emsCiSHt0y+hHm63c9g32J8I NTgw==
MIME-Version: 1.0
X-Received: by 10.229.75.165 with SMTP id y37mr2373856qcj.28.1367188334846; Sun, 28 Apr 2013 15:32:14 -0700 (PDT)
Sender: willchan@google.com
Received: by 10.229.180.4 with HTTP; Sun, 28 Apr 2013 15:32:14 -0700 (PDT)
In-Reply-To: <CABkgnnVp9FO8pSAD3DDtVzU0bCCDhPdx_+L5nY4SpvNFzYxO_w@mail.gmail.com>
References: <CABP7RbdscuxpBBQp1ydSQUri0Bg_aGSbm-ftF9Jnc-p_1DqnFg@mail.gmail.com> <792356c04b9e498c886252bc44904651@BY2PR03MB025.namprd03.prod.outlook.com> <CABkgnnXSc_7Gg6Ug8nuJEYRWYzoy7CFC1m8dxxToZ28B5M2SbA@mail.gmail.com> <CABP7RbdUDuyxTuQ=LguMoKqXNT=Qr=R03iJpypMtXRs1nK-Vzg@mail.gmail.com> <CABkgnnVp9FO8pSAD3DDtVzU0bCCDhPdx_+L5nY4SpvNFzYxO_w@mail.gmail.com>
Date: Sun, 28 Apr 2013 15:32:14 -0700
X-Google-Sender-Auth: -7RbZP0SYwXh9AomNlQ2UA7GfAU
Message-ID: <CAA4WUYig4WpOWaK5Jy-=B2XAkvhXMf1W_8-yD8Qw3XuizgHtPw@mail.gmail.com>
From: =?UTF-8?B?V2lsbGlhbSBDaGFuICjpmYjmmbrmmIwp?= <willchan@chromium.org>
To: Martin Thomson <martin.thomson@gmail.com>
Cc: James M Snell <jasnell@gmail.com>, Mike Bishop <Michael.Bishop@microsoft.com>, HTTP Working Group <ietf-http-wg@w3.org>
Content-Type: multipart/alternative; boundary=0023544713c40a554504db735700
X-Gm-Message-State: ALoCoQn1zCB8u3MSk7Cib5oFZCTECWrArcJ6icZ2a54oorHSR3nKrisJcNIgXdZcBIbla2pJedRTG5TmVR8PRfY5+dECeerdw0NWaN+atENg4oM5CIX+8/Hnn4+6iuoLUPD5uLMzzuoREZxJ23oEGuygQ5W7opT+tyGUpqdOVDyDLhMb0XUcg99dddriS1R0o0KbIdXbV6Bz
Received-SPF: pass client-ip=209.85.128.54; envelope-from=willchan@google.com; helo=mail-qe0-f54.google.com
X-W3C-Hub-Spam-Status: No, score=-5.7
X-W3C-Hub-Spam-Report: AWL=-0.538, BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, RP_MATCHES_RCVD=-2.438, SPF_PASS=-0.001
X-W3C-Scan-Sig: lisa.w3.org 1UWa9A-00013Y-Hv 0a18f150750fe109e993668607539093
X-Original-To: ietf-http-wg@w3.org
Subject: Re: Design Issue: Unknown Frame Type MUST IGNORE rule and Denial of Service Attacks
Archived-At: <http://www.w3.org/mid/CAA4WUYig4WpOWaK5Jy-=B2XAkvhXMf1W_8-yD8Qw3XuizgHtPw@mail.gmail.com>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/17648
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <http://www.w3.org/Mail/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>

+1


On Fri, Apr 26, 2013 at 11:37 AM, Martin Thomson
<martin.thomson@gmail.com>wrote;wrote:

> The Security Considerations sounds like a good place to put something
> like that.  Chances are, the text will say something like "that's bad
> man, but it's your problem, deal with it".
>
> On 26 April 2013 11:34, James M Snell <jasnell@gmail.com> wrote:
> > In my experience,  it's usually better to be a bit more prescriptive in
> how
> > to deal with potential security issues if you want people to do it
> correctly
> > ;-).  Simply saying, "well, that's a bad man but it's your problem, deal
> > with it"  isn't quite enough.
> >
> > On Apr 26, 2013 11:28 AM, "Martin Thomson" <martin.thomson@gmail.com>
> wrote:
> >>
> >> Let me know if the text in the current draft leaves that unclear Mike.
> >>
> >> For the rest of this issue, I don't see this as a problem that
> >> specifications can address.
> >>
> >> If your implementation is ignoring these frames in every sense of the
> >> word, then you are in trouble.  If someone wants to willfully ignore
> >> RST_STREAM, send more frames than your flow control window allows, or
> >> any of these nasty sorts of things, then they are a bad person and you
> >> should be prepared to treat them accordingly.
> >>
> >> On 26 April 2013 11:08, Mike Bishop <Michael.Bishop@microsoft.com>
> wrote:
> >> > I raised a related issue with Martin, that the FINAL flag is valid in
> >> > these ignored frames, and the ordering of those rules could lead to
> >> > disagreement between the peers whether a given stream has been
> half-closed
> >> > or not.  We might simply modify the text to say that the payload and
> >> > frame-specific flags must be ignored, not the entire frame per se.
> >> >
> >> > -----Original Message-----
> >> > From: James M Snell [mailto:jasnell@gmail.com]
> >> > Sent: Friday, April 26, 2013 10:55 AM
> >> > To: ietf-http-wg@w3.org
> >> > Subject: Design Issue: Unknown Frame Type MUST IGNORE rule and Denial
> of
> >> > Service Attacks
> >> >
> >> > https://github.com/http2/http2-spec/issues/80#issuecomment-17089487
> >> >
> >> > In the current draft (-02), we say that Unknown and unrecognized Frame
> >> > types MUST be ignored by an endpoint. While this is ok in theory,
> this can
> >> > be very dangerous in practice. Specifically, an attacking sender could
> >> > choose to flood a recipient with a high number of junk frames that
> use a
> >> > previously unused type code. Because of the MUST IGNORE rule, these
> would
> >> > simply be discarded by the recipient but the damage will already have
> been
> >> > done. Flow control actions could help mitigate the problem, but those
> are
> >> > only partially effective.
> >> >
> >> > Also, the order of processing here for error handling is not clear.
> >> >
> >> > Let's say an attacker sends a HEADERS frame to the server initiating a
> >> > stream. The server sends an RST_STREAM REFUSED_STREAM fully closing
> the
> >> > stream. The attacker continues to send JUNK frames for the same
> stream ID.
> >> > There are two conditions happening here:
> >> >
> >> > 1. The sender is sending frames for a closed stream, which ought to
> >> > result in an RST_STREAM, but..
> >> >
> >> > 2. The frame type is unknown and unrecognized by the server so MUST be
> >> > ignored.
> >> >
> >> > Which condition takes precedence and how do we mitigate the possible
> >> > attack vector on this one.
> >> >
> >> > - James
> >> >
> >> >
> >> >
>
>