Re: Design: Ignored Unknown Frame Types and Intermediaries

Roberto Peon <grmocg@gmail.com> Sun, 12 May 2013 18:17 UTC

Return-Path: <ietf-http-wg-request@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BD8E221F87C5 for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Sun, 12 May 2013 11:17:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.079
X-Spam-Level:
X-Spam-Status: No, score=-10.079 tagged_above=-999 required=5 tests=[AWL=0.519, BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Z5RHuJTNrP0k for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Sun, 12 May 2013 11:17:46 -0700 (PDT)
Received: from frink.w3.org (frink.w3.org [128.30.52.56]) by ietfa.amsl.com (Postfix) with ESMTP id 40A5221F8BB7 for <httpbisa-archive-bis2Juki@lists.ietf.org>; Sun, 12 May 2013 11:17:46 -0700 (PDT)
Received: from lists by frink.w3.org with local (Exim 4.72) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1UbaoB-0006gb-3i for ietf-http-wg-dist@listhub.w3.org; Sun, 12 May 2013 18:15:43 +0000
Resent-Date: Sun, 12 May 2013 18:15:43 +0000
Resent-Message-Id: <E1UbaoB-0006gb-3i@frink.w3.org>
Received: from maggie.w3.org ([128.30.52.39]) by frink.w3.org with esmtp (Exim 4.72) (envelope-from <grmocg@gmail.com>) id 1Ubanx-0006fn-L0 for ietf-http-wg@listhub.w3.org; Sun, 12 May 2013 18:15:29 +0000
Received: from mail-ob0-f182.google.com ([209.85.214.182]) by maggie.w3.org with esmtps (TLS1.0:RSA_ARCFOUR_SHA1:16) (Exim 4.72) (envelope-from <grmocg@gmail.com>) id 1Ubanv-0006Le-Eu for ietf-http-wg@w3.org; Sun, 12 May 2013 18:15:29 +0000
Received: by mail-ob0-f182.google.com with SMTP id va2so410363obc.13 for <ietf-http-wg@w3.org>; Sun, 12 May 2013 11:15:01 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:x-received:in-reply-to:references:date:message-id :subject:from:to:cc:content-type; bh=C4oFWvw2iPUn57uIiax0UJnbVO8kiseJdQiME9iOevY=; b=kjkG2WlvljnI7yYEkhmk1MsU/LpEij1L/aJwUTO8yDtohSBGE+3XgtZSBp4m2JYfh5 fyIlvkTcVCqrDOs0MiFCMYROzRcWbDqdH/UPIiNjtlRH65FcOodsVwIIvUoD8hx5x0IA Jv+jX9P4kr/RrPm3ZRJziZvFilP6dmLTMMxm4abZYO5o+TDIN3MRYRVGAxpiwGt6ZbO3 HyKbV0gXKFPD5sbl02Lj991XdWIfZyIQTWP6lI9CDLVqJ4fuIExI0RecnuHSRK7dPi2i Rrph/lZAaBoF0QBNV85cijmF/8tiCGTAyWpN4Joz+4OQLVUYZ4FqqGJrpLSBAKkytwMQ l40Q==
MIME-Version: 1.0
X-Received: by 10.182.44.227 with SMTP id h3mr11238335obm.16.1368382501467; Sun, 12 May 2013 11:15:01 -0700 (PDT)
Received: by 10.76.130.139 with HTTP; Sun, 12 May 2013 11:15:01 -0700 (PDT)
In-Reply-To: <09C78900-966B-46B0-AB97-1394FD05849A@checkpoint.com>
References: <CABP7Rbfko48A0yAceDeHfQKR7S6aW7AAAqCZroaZzTScTooOvw@mail.gmail.com> <09C78900-966B-46B0-AB97-1394FD05849A@checkpoint.com>
Date: Sun, 12 May 2013 11:15:01 -0700
Message-ID: <CAP+FsNe2L2aZbDhM4OiWmh7b7f0HkrVfGwa6aKkD2ohNNKJHxg@mail.gmail.com>
From: Roberto Peon <grmocg@gmail.com>
To: Yoav Nir <ynir@checkpoint.com>
Cc: James M Snell <jasnell@gmail.com>, "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
Content-Type: multipart/alternative; boundary=001a11c2f402eac10804dc896095
Received-SPF: pass client-ip=209.85.214.182; envelope-from=grmocg@gmail.com; helo=mail-ob0-f182.google.com
X-W3C-Hub-Spam-Status: No, score=-3.5
X-W3C-Hub-Spam-Report: AWL=-2.688, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001
X-W3C-Scan-Sig: maggie.w3.org 1Ubanv-0006Le-Eu 6337c560269f807e84b43bfdfe623d79
X-Original-To: ietf-http-wg@w3.org
Subject: Re: Design: Ignored Unknown Frame Types and Intermediaries
Archived-At: <http://www.w3.org/mid/CAP+FsNe2L2aZbDhM4OiWmh7b7f0HkrVfGwa6aKkD2ohNNKJHxg@mail.gmail.com>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/17953
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <http://www.w3.org/Mail/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>

I believe that the simplest thing is that, when you don't understand it,
you ignore it.

If that frame was required at some semantic level, then you should have
rev'd the version number or changed the version string in some other way at
the start of communication. That is easy and robust.

This does imply that changing any state which the baseline protocol of that
version depends upon is a no-no, but doesn't preclude changing state which
the baseline protocol of that version *doesn't* know about.

Making that a MUST, i.e. something like:
And endpoint may use frames with opcodes other than those defined in this
specification, however it MUST NOT do so if ignoring such a frame would
cause an unexpected stream or session error, either directly or indirectly.
-=R


On Sat, May 11, 2013 at 9:58 PM, Yoav Nir <ynir@checkpoint.com> wrote:

>
> On May 11, 2013, at 6:27 PM, James M Snell <jasnell@gmail.com> wrote:
>
> > In the current draft, endpoints are required to "ignore" unknown and
> > unsupported frame types. What's not yet clear, however, is whether
> > such frames are required to be forwarded on by intermediaries that do
> > not support them.
> >
> > In other words, A talks to C via reverse proxy B. A sends a stream
> > that includes EXTENSION_FRAME_TYPE that is unknown to B. Is B...
> >
> > A) Required to drop the frame silently without forwarding it on to C
> > B) Required to always forward the frame on to C
> > C) Neither, B can do whatever it wants
> >
> > There is an obvious impact here on the future deployment of new
> > extension frame types. If the answer is A or C, we'll have to wait on
> > infrastructure support to use new frame types, which would be
> > unfortunate.
> >
> > - James
>
> I think (C) is the only answer. Consider two types of proxies: an SSL
> accelerator and a firewall. The SSL accelerator doesn't want to break
> anything, so it will forward everything (B), while a firewall doesn't let
> things pass which it doesn't understand (A). I think this will be the
> behavior for these two kinds of proxy regardless of what we specify.
>
> Since the UA can never know in advance what the server will support, there
> has to be some "extension support discovery" anyways. Perhaps if we had
> that in the SETTINGS frame, the proxy could filter out.  For example, add a
> SETTINGS_SUPPORTED_EXTENSION, which will hold an extension supported by the
> sender. You will need multiple settings values for multiple extensions. The
> server would send the same list as the client, filtered down to the list of
> extensions that it supports. A proxy could trim the list further to remove
> things it's going to drop.
>
> Yoav
>