IETF Logo Mail Archive

Re: WebSockets and masking

David Schinazi <dschinazi.ietf@gmail.com> Fri, 19 May 2023 21:31 UTC

Return-Path: <ietf-http-wg-request+bounce-httpbisa-archive-bis2juki=lists.ie@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2C26BC151070 for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Fri, 19 May 2023 14:31:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.038
X-Spam-Level:
X-Spam-Status: No, score=-5.038 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.25, HTML_MESSAGE=0.001, MAILING_LIST_MULTI=-1, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id K5hBu5LaZ-vz for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Fri, 19 May 2023 14:31:22 -0700 (PDT)
Received: from lyra.w3.org (lyra.w3.org [128.30.52.18]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B2401C14CE55 for <httpbisa-archive-bis2Juki@lists.ietf.org>; Fri, 19 May 2023 14:31:22 -0700 (PDT)
Received: from lists by lyra.w3.org with local (Exim 4.94.2) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1q07gr-00703l-3M for ietf-http-wg-dist@listhub.w3.org; Fri, 19 May 2023 21:31:09 +0000
Resent-Date: Fri, 19 May 2023 21:31:09 +0000
Resent-Message-Id: <E1q07gr-00703l-3M@lyra.w3.org>
Received: from mimas.w3.org ([128.30.52.79]) by lyra.w3.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from <dschinazi.ietf@gmail.com>) id 1q07gq-00702n-4L for ietf-http-wg@listhub.w3.org; Fri, 19 May 2023 21:31:08 +0000
Received: from mail-ej1-x62f.google.com ([2a00:1450:4864:20::62f]) by mimas.w3.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (Exim 4.94.2) (envelope-from <dschinazi.ietf@gmail.com>) id 1q07go-000HX9-Hd for ietf-http-wg@w3.org; Fri, 19 May 2023 21:31:07 +0000
Received: by mail-ej1-x62f.google.com with SMTP id a640c23a62f3a-96aadfb19d7so711198566b.2 for <ietf-http-wg@w3.org>; Fri, 19 May 2023 14:31:06 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20221208; t=1684531862; x=1687123862; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=o05VGFqyiut1TsDha4qDdXze4F7HAMQGgAP7Gfy9UAA=; b=UQ8AslooVOPb/liMmaRNoDh0fYD84d7ioXuxgCSQ6fAMs8BWRrAGW6GlxAs8hlAfdH 3KNGqjLAnPa3v1yUaTOYozQFXFpIdaQHetgforSVSBaJI8woy8BS+OmiRPn7a0JpsmMT Mgyfu/TRPpneJuWgtatRYV393yYlpb/rGbMgY69OD890T40rH7pjaU4ckmdmEq46mwjz sqYWtyhHpCAJ5cPpYyhYrF7EpD141LZxsnEqzNREyrXuEX3Q+Z9RiSwkuwyR0/zelX/3 YYc0qQt8TOi00+ZjhGSlMUbiF3waAR2pni7kVorKSG6knFyLvF86C8jkaZMRjLZPrffe nH7A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1684531862; x=1687123862; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=o05VGFqyiut1TsDha4qDdXze4F7HAMQGgAP7Gfy9UAA=; b=hHb+SEg7J9Tm2gr5ij69qRsBN5bekmFoLePg6X0zu+umy1C1VSdXyte2bwC/9uHyaF vbczy0g18jmoKTrGEx7uLcxYn5ZnWA+zn9qD3Bm8Fntf4hT4j60Dd/NYsiPIMtn0sDv/ 4jp0wnq1gkFZL/Tyth7g7nlu1a9VBgKP6dn2ImCq2OfBHyuVBosoKXyDJansuEdSohBg hzfN4b7p0U24S+QGW2p1lPHL7TiJnU7Mi5w5YHDM5WBXqK7hHuhu1NqmY9w9/3ItuRgY DG9F2eyCqBowxQOWejuDkJzQVJi2C5We5ygj9OZ3H2dujPyDsAfUC53/GiCgP1sC7eGP +Fxg==
X-Gm-Message-State: AC+VfDzhU+m8+ik5QN+pX6Dz+TbSjp8D/M7Dqd0/TAc/5lTl2MMSw2IV NuGxaJFbCkFXuLN3wXuuzq+KQlFS4aNTGR2pr8J6E0gJ
X-Google-Smtp-Source: ACHHUZ4P/V+rsMJrnJqEe1D05Y4cw4ZXQWdgXPB2dCxrKfPr13LASaYB9EndTow7+CxBDM9CpLt/1bnruEqJKDCE+9o=
X-Received: by 2002:a17:907:6e03:b0:94f:250b:2536 with SMTP id sd3-20020a1709076e0300b0094f250b2536mr3821719ejc.28.1684531861913; Fri, 19 May 2023 14:31:01 -0700 (PDT)
MIME-Version: 1.0
References: <CAG0m4gR36f3yg27Bgp5gWAH=PZdc8oy-M-GeA-XKgzpQ2DLr-g@mail.gmail.com>
In-Reply-To: <CAG0m4gR36f3yg27Bgp5gWAH=PZdc8oy-M-GeA-XKgzpQ2DLr-g@mail.gmail.com>
From: David Schinazi <dschinazi.ietf@gmail.com>
Date: Fri, 19 May 2023 14:30:50 -0700
Message-ID: <CAPDSy+6OdPeNUYiUDYmzPXS4Gv6is2osM=SUmpScZYuiQfuQuQ@mail.gmail.com>
To: Dragana Damjanovic <dragana.damjano@gmail.com>
Cc: HTTP Working Group <ietf-http-wg@w3.org>
Content-Type: multipart/alternative; boundary="0000000000003e05b905fc12a376"
Received-SPF: pass client-ip=2a00:1450:4864:20::62f; envelope-from=dschinazi.ietf@gmail.com; helo=mail-ej1-x62f.google.com
X-W3C-Hub-DKIM-Status: validation passed: (address=dschinazi.ietf@gmail.com domain=gmail.com), signature is good
X-W3C-Hub-Spam-Status: No, score=-3.4
X-W3C-Hub-Spam-Report: BAYES_50=0.8, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01, T_SCC_BODY_TEXT_LINE=-0.01, W3C_AA=-1, W3C_DB=-1, W3C_IRA=-1, W3C_WL=-1
X-W3C-Scan-Sig: mimas.w3.org 1q07go-000HX9-Hd 47446cebf8c848d85d5739948e76d888
X-Original-To: ietf-http-wg@w3.org
Subject: Re: WebSockets and masking
Archived-At: <https://www.w3.org/mid/CAPDSy+6OdPeNUYiUDYmzPXS4Gv6is2osM=SUmpScZYuiQfuQuQ@mail.gmail.com>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/51040
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <https://www.w3.org/Mail/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>

Hi Dragana, and thanks for writing this up!

I agree with you that the main motivations for masking don't matter as much
when WebSocket runs over TLS or QUIC (though AEADs without random IVs allow
a collaborating client and server to predict the next keymat...). However,
it's not clear to me why the overhead of masking matters. I wouldn't expect
the XOR to be visible on CPU traces. Is this masking causing noticeable
performance issues in your environment?

Thanks,
David

On Fri, May 19, 2023 at 2:11 PM Dragana Damjanovic <
dragana.damjano@gmail.com> wrote:

> Hi,
>
> I wrote a draft that proposes adding an extension to WebSockets to
> negotiate "no-masking". The extension should be used only if intermediaries
> cannot see unencrypted traffic. In this case, the masking is not needed,
> and omitting it would reduce needed processing. The proposal has some
> problems, but I would like to hear the opinion of the group and if people
> are interested in such a feature.
>
>
> https://www.ietf.org/archive/id/draft-damjanovic-websockets-nomasking-00.html
>
>
> A problem that I have identified with the proposal is that it will require
> TLS terminating middleboxes to change (they will need to remove the
> extension from the list), otherwise, servers behind them could wrongly
> negotiate the extension. This is not optimal.
>
> Other approaches I have considered:
>
> - making it HTTP/2- and HTTP/3-only feature and negotiating it via
> settings (In this way it cannot be transfer to unencripted part of a path).
> This is not ideal.
>
> - Creating a new header for the feature and adding it to the “Connection”
> header in the case of HTTP/1.1 and transferring it as a setting in the case
> of HTTP/2 and HTTP/3, and
>
> - creating a new version of the WebSocket protocol, but the negotiation of
> a new version is not ideal for this purpose and may have the same problems
> as my proposal in the draft.
>
>
> Other ideas are welcome.
>
> I would like to hear your opinion.
>
> Best,
>
> Dragana
>

v2.23.0 | Report a Bug | By Email