RE: Choosing a header compression algorithm

RUELLAN Herve <Herve.Ruellan@crf.canon.fr> Thu, 28 March 2013 17:01 UTC

From: RUELLAN Herve <Herve.Ruellan@crf.canon.fr>
To: Roberto Peon <grmocg@gmail.com>
CC: "agl@google.com" <agl@google.com>, Mark Nottingham <mnot@mnot.net>, "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>
Thread-Topic: Choosing a header compression algorithm
Date: Thu, 28 Mar 2013 17:00:08 +0000
Message-ID: <6C71876BDCCD01488E70A2399529D5E5163F68FE@ADELE.crf.canon.fr>
References: <254AABEE-22B9-418E-81B0-2729902C4413@mnot.net> <A14105FB-ED1A-4B70-8840-9648847BCC3A@mnot.net> <6C71876BDCCD01488E70A2399529D5E5163F3C67@ADELE.crf.canon.fr> <CAP+FsNfFohSwrX2DxthNcnn+wDj6T5W7xpcg4yA56Gvt_nP3_Q@mail.gmail.com> <6C71876BDCCD01488E70A2399529D5E5163F3D72@ADELE.crf.canon.fr> <7CA7F3EB-A492-471A-8AC4-23293DD10840@mnot.net> <6C71876BDCCD01488E70A2399529D5E5163F4076@ADELE.crf.canon.fr> <CAP+FsNdztfCJjvP58ryVXDRgGyGSPO-37gRMjAuwikz2eviBiw@mail.gmail.com> <CAP+FsNdQ7mNbsaAiUqEF22Oh8KMaK3UWUWFzWE=K0jQbkM7t1Q@mail.gmail.com> <6C71876BDCCD01488E70A2399529D5E5163F4263@ADELE.crf.canon.fr> <CAP+FsNeXvn6UasR6e56A7pHtrkXg6A0NnrVGmRYNW49Qu2vxqg@mail.gmail.com> <CAP+FsNfy0ognTBaF7USBcP9dTL5bQsruav30FmGB70m_0JfjyA@mail.gmail.com>
In-Reply-To: <CAP+FsNfy0ognTBaF7USBcP9dTL5bQsruav30FmGB70m_0JfjyA@mail.gmail.com>
Subject: RE: Choosing a header compression algorithm
Archived-At: <http://www.w3.org/mid/6C71876BDCCD01488E70A2399529D5E5163F68FE@ADELE.crf.canon.fr>

> -----Original Message-----
> From: Roberto Peon [mailto:grmocg@gmail.com]
> Sent: jeudi 28 mars 2013 01:15
> To: RUELLAN Herve
> Cc: agl@google.com; Mark Nottingham; ietf-http-wg@w3.org Group
> Subject: Re: Choosing a header compression algorithm
> 
> I've checked in some changes to delta2 which expands and documents
> various options for delta2 in the README.md.
> 
> After running a number of variations of delta2, the following defaults look
> good for small buffer sizes:
> 
> 
> delta2=max_entries=256, small_index=1
> 
> small_index basically says use a uint8 instead of a uint16 for representing
> indices, and is the kind of thing that could be messaged somewhere (opcode,
> flag, whatever).
> 
> The best headerdiff option which I believe is safe against CRIME in the future
> is:
>   headerdiff=delta_type=false,Huffman

I think that for headerdiff, the best option which is safe against CRIME is:
headerdiff=delta_type='/&= \coma',Huffman

> 
> I removed prefix matching from delta some months ago (~6 I think?) after
> cogitating on it for a while and then speaking with security folks. I just
> couldn't come up with a way I could prove was safe, unlike the
> atom-matching, which one can prove is no worse than a brute-force attack.

The limited prefix matching defined above also needs a brute-force attack to be broken.

Hervé.

> 
> I've appended runs with these values@4k buffer size for delta2 and
> headerdiff below.
> -=R
> 
> 
> 
> 
> * TOTAL: 5949 req messages
>                                                        size  time | ratio min   max   std
>   http1                                          3,460,925  0.13 | 1.00  1.00  1.00  0.00
>   delta2 (max_byte_size=4096, max_entries=256,
>           small_index=1, hg_adjust=0,
>           implicit_hg_add=0, refcnt_vals=0)        664,683  4.16 | 0.19  0.02  0.83  0.15
>   headerdiff (buffer=4096, delta_type=false,
>               huffman)                             759,783  2.03 | 0.22  0.01  0.78  0.18
> 
> 
> * TOTAL: 5948 res messages
>                                                        size  time | ratio min   max   std
>   http1                                          2,186,162  0.12 | 1.00  1.00  1.00  0.00
>   delta2 (max_byte_size=4096, max_entries=256,
>           small_index=1, hg_adjust=0,
>           implicit_hg_add=0, refcnt_vals=0)        585,475  5.32 | 0.27  0.02  1.28  0.13
>   headerdiff (buffer=4096, delta_type=false,
>               huffman)                             543,047  3.29 | 0.25  0.02  0.73  0.14
> 
> 
> 
>
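An added example, not code from headerdiff, delta2 or this thread, contrasting the byte-granular prefix match Roberto removed from delta with the delimiter-bounded one Hervé's delta_type='/&= \coma' option describes, measured by the encoded size an on-path observer would see. The delimiter set, function names and sample header values are assumptions of this example.

```python
# Added example (not headerdiff/delta2 code): byte-granular vs delimiter-bounded
# prefix matching for a prefix-delta of one header value against a previous one.
# DELIMITERS reads '/&= \coma' as '/', '&', '=', ' ', ','; this is an assumption.

DELIMITERS = frozenset("/&= ,")

# Constructed sample: a previous value holding a session token, and a series of
# candidate values that differ from it by a few characters at a time.
PREV = "sid=4f2a9c&theme=dark"
CANDS = ["sid=9", "sid=4", "sid=4f", "sid=4f2a9c"]


def byte_prefix_len(prev: str, new: str) -> int:
    """Longest common prefix, counted one character at a time."""
    n = 0
    for x, y in zip(prev, new):
        if x != y:
            break
        n += 1
    return n


def _at_boundary(prev: str, new: str, n: int) -> bool:
    """True if a prefix of length n ends on a token boundary: it ends with a
    delimiter, or both values end or continue with a delimiter there."""
    if n == 0 or prev[n - 1] in DELIMITERS:
        return True
    prev_ends = n == len(prev) or prev[n] in DELIMITERS
    new_ends = n == len(new) or new[n] in DELIMITERS
    return prev_ends and new_ends


def limited_prefix_len(prev: str, new: str) -> int:
    """Common prefix shortened back to the last token boundary, so the reused
    length only grows by whole delimited tokens, never by single characters."""
    n = byte_prefix_len(prev, new)
    while not _at_boundary(prev, new, n):
        n -= 1
    return n


def delta_size(prev: str, new: str, limited: bool) -> int:
    """Bytes a prefix-delta of `new` against `prev` costs: one byte for the
    prefix length (assumed < 256) plus the literal suffix."""
    n = limited_prefix_len(prev, new) if limited else byte_prefix_len(prev, new)
    return 1 + len(new) - n


def size_trace(prev: str, candidates, limited: bool):
    """Encoded size per candidate. With byte matching the size steps for each
    correct character; with limited matching it only steps per whole token."""
    return [delta_size(prev, c, limited) for c in candidates]
```

On the constructed sample the byte-granular trace separates "sid=9" from "sid=4" by one byte, while the limited trace encodes both at the same size and only changes once the whole token matches.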