Re: Design Issue: Max Concurrent Streams Limit and Unidirectional Streams

"Poul-Henning Kamp" <phk@phk.freebsd.dk> Fri, 26 April 2013 06:53 UTC

Return-Path: <ietf-http-wg-request@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B20B021F97ED for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Thu, 25 Apr 2013 23:53:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.599
X-Spam-Level:
X-Spam-Status: No, score=-10.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JJ71tfFC2DC6 for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Thu, 25 Apr 2013 23:53:10 -0700 (PDT)
Received: from frink.w3.org (frink.w3.org [128.30.52.56]) by ietfa.amsl.com (Postfix) with ESMTP id 1B9F921F97E9 for <httpbisa-archive-bis2Juki@lists.ietf.org>; Thu, 25 Apr 2013 23:53:10 -0700 (PDT)
Received: from lists by frink.w3.org with local (Exim 4.72) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1UVcVw-0001bT-6L for ietf-http-wg-dist@listhub.w3.org; Fri, 26 Apr 2013 06:52:12 +0000
Resent-Date: Fri, 26 Apr 2013 06:52:12 +0000
Resent-Message-Id: <E1UVcVw-0001bT-6L@frink.w3.org>
Received: from lisa.w3.org ([128.30.52.41]) by frink.w3.org with esmtp (Exim 4.72) (envelope-from <phk@phk.freebsd.dk>) id 1UVcVr-0001aY-1g for ietf-http-wg@listhub.w3.org; Fri, 26 Apr 2013 06:52:07 +0000
Received: from phk.freebsd.dk ([130.225.244.222]) by lisa.w3.org with esmtp (Exim 4.72) (envelope-from <phk@phk.freebsd.dk>) id 1UVcVq-0005F0-E6 for ietf-http-wg@w3.org; Fri, 26 Apr 2013 06:52:06 +0000
Received: from critter.freebsd.dk (critter.freebsd.dk [192.168.61.3]) by phk.freebsd.dk (Postfix) with ESMTP id 746EA89FC1; Fri, 26 Apr 2013 06:51:20 +0000 (UTC)
Received: from critter.freebsd.dk (localhost [127.0.0.1]) by critter.freebsd.dk (8.14.6/8.14.6) with ESMTP id r3Q6pJdq002859; Fri, 26 Apr 2013 06:51:19 GMT (envelope-from phk@phk.freebsd.dk)
To: James M Snell <jasnell@gmail.com>
cc: Martin Thomson <martin.thomson@gmail.com>, "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
In-reply-to: <CABP7Rbc49-VPGggp3auHCRDKCc6BYfTwO2pZzg68Kfgi_VQdCg@mail.gmail.com>
From: "Poul-Henning Kamp" <phk@phk.freebsd.dk>
References: <CABP7RbdBe-Xkx+CMvpN=_oNAqm6SyLyL+XNHRUKSqn8mjSDw1Q@mail.gmail.com> <CABkgnnW=Ve=9p2do5PncTVswTYCZqt-LMK50SYCKV1r8zEg=SQ@mail.gmail.com> <CABP7Rbc=hYTxuGm7jn=eDipbA23UW3MUc_jx2ALHfqHQt94OJg@mail.gmail.com> <CABkgnnVoHv+Wf=oYN=RSq2GHod-KrZ5gPq-gYmNvcRpMWFjNEQ@mail.gmail.com> <CABP7RbdH+YnH2V8HX=1YzrT-m06ggdXNGqvEMwng2nDv5AeXXg@mail.gmail.com> <CABkgnnXrku1B8ehWWeCCaWBeTfhsWGTagHTKbA3F_HYe0Fux0Q@mail.gmail.com> <CABP7Rbc49-VPGggp3auHCRDKCc6BYfTwO2pZzg68Kfgi_VQdCg@mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1
Date: Fri, 26 Apr 2013 06:51:19 +0000
Message-ID: <2858.1366959079@critter.freebsd.dk>
Received-SPF: none client-ip=130.225.244.222; envelope-from=phk@phk.freebsd.dk; helo=phk.freebsd.dk
X-W3C-Hub-Spam-Status: No, score=-3.4
X-W3C-Hub-Spam-Report: AWL=-3.443, RP_MATCHES_RCVD=-0.001
X-W3C-Scan-Sig: lisa.w3.org 1UVcVq-0005F0-E6 e3e226695aac330054a15e25e96b4fae
X-Original-To: ietf-http-wg@w3.org
Subject: Re: Design Issue: Max Concurrent Streams Limit and Unidirectional Streams
Archived-At: <http://www.w3.org/mid/2858.1366959079@critter.freebsd.dk>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/17597
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <http://www.w3.org/Mail/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>

In message <CABP7Rbc49-VPGggp3auHCRDKCc6BYfTwO2pZzg68Kfgi_VQdCg@mail.gmail.com>;
, James M Snell writes:

>For instance, if the intermediary allows the
>client to open 10 concurrent streams, and the client opens and
>half-closes those streams at too high of a rate without giving the
>server time to properly respond, the intermediary can hold new streams
>for a period of time or reject the new streams until the server
>catches up.

It worries me to no end, that nobody here has even mentioned "DoS" with
a single word.

Denial-Of-Service mitigation has to be built into HTTP/2.0 from the
bottom up.

The default rule should be that any frame which fails any validation
should cause instant and silent session termination.

And we might as well write that into the standard, because that's what
any high-performance implementation will be forced to implement anyway.

-- 
Poul-Henning Kamp       | UNIX since Zilog Zeus 3.20
phk@FreeBSD.ORG         | TCP/IP since RFC 956
FreeBSD committer       | BSD since 4.3-tahoe    
Never attribute to malice what can adequately be explained by incompetence.