IETF Logo Mail Archive

Re: [hybi] #1: HTTP Compliance

Willy Tarreau <w@1wt.eu> Wed, 21 July 2010 23:03 UTC

Return-Path: <w@1wt.eu>
X-Original-To: hybi@core3.amsl.com
Delivered-To: hybi@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 6A12E3A659C for <hybi@core3.amsl.com>; Wed, 21 Jul 2010 16:03:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.497
X-Spam-Level:
X-Spam-Status: No, score=-3.497 tagged_above=-999 required=5 tests=[AWL=-1.454, BAYES_00=-2.599, HELO_IS_SMALL6=0.556]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id yEmD4K50DeG2 for <hybi@core3.amsl.com>; Wed, 21 Jul 2010 16:03:40 -0700 (PDT)
Received: from 1wt.eu (1wt.eu [62.212.114.60]) by core3.amsl.com (Postfix) with ESMTP id E6DC93A6809 for <hybi@ietf.org>; Wed, 21 Jul 2010 16:03:39 -0700 (PDT)
Received: (from willy@localhost) by mail.home.local (8.14.4/8.14.4/Submit) id o6LN3oLB007127; Thu, 22 Jul 2010 01:03:50 +0200
Date: Thu, 22 Jul 2010 01:03:50 +0200
From: Willy Tarreau <w@1wt.eu>
To: Ian Hickson <ian@hixie.ch>
Message-ID: <20100721230350.GF6475@1wt.eu>
References: <068.d07026741c6694cd80652d2a7d34f236@tools.ietf.org> <4BF106AD.6020506@webtide.com> <A42E692A-7210-4FF1-AB4F-CFB3E8C38756@apple.com> <AANLkTinorjXFsTH=TvhhF-+e3Eyen8EA2qL7wFCmqpYe@mail.gmail.com> <Pine.LNX.4.64.1007212247590.7242@ps20323.dreamhostps.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <Pine.LNX.4.64.1007212247590.7242@ps20323.dreamhostps.com>
User-Agent: Mutt/1.4.2.3i
Cc: "hybi@ietf.org" <hybi@ietf.org>
Subject: Re: [hybi] #1: HTTP Compliance
X-BeenThere: hybi@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Server-Initiated HTTP <hybi.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hybi>
List-Post: <mailto:hybi@ietf.org>
List-Help: <mailto:hybi-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 21 Jul 2010 23:03:41 -0000

On Wed, Jul 21, 2010 at 10:54:47PM +0000, Ian Hickson wrote:
> On Wed, 21 Jul 2010, John Tamplin wrote:
> > On Mon, May 17, 2010 at 5:29 AM, Maciej Stachowiak <mjs@apple.com> wrote:
> > > 
> > > Ian has claimed that the extra bytes after the request help WebSocket 
> > > fail early in the face of unaware proxies, though we do not yet have 
> > > data showing this to be the case. We do know that without this, often 
> > > the handshake will appear to succeed but transmitting messages will 
> > > fail, for the network setups of many users.
> > >
> > > I don't think anyone has indicated a practical problem caused by the 
> > > extra bytes.
> > 
> > I believe we have already had a real-world practical case where they did 
> > cause a problem:
> > 
> >    - client sends WebSocket request that goes through a proxy, random bytes
> >    are not advertised in the Content-length
> >    - proxy doesn't know WebSocket, passes along connection to real server
> >    which does implement WebSocket
> >    - server waits reading random bytes which were not forwarded
> >    - server drops the connection after a timeout
> 
> Success! :-)

I fail to see how failing through perfectly valid components can be qualified
as a success. It really seems that your goal is to ensure a general failure :-(

> > Thus the random bytes did succeed in preventing a WebSocket connection 
> > across a non-WS compliant proxy, but:
> > 
> >    1. the proxy was actually capable of forwarding the connection if the
> >    server had completed the request
> 
> That's easy to resolve. The simplest solution that comes to mind is having 
> the server send back the 101 straight away, and having the proxy send the 
> bytes on as soon as it sees the 101.

Ah goodness, it sounds like you finally got that one !

> (Note: from a conformance standpoint, the "server" includes the proxy.)

as seen from the client, yes. As seen from the proxy or the server or any
intermediate between them, no :-)

> >    2. we had to wait for a timeout, so this was not a fast-fail situation
> 
> Fast-fail is ideal, but not really necessary (there's plenty of other 
> situations that fail very slowly). We just don't want false positives. If 
> there's a way of tweaking the protocol so we don't get false positives, 
> and still fulfills our other requirements, but that fails faster, that 
> would be great.

Please check my proposal in a separate mail. I should detect more unreliable
components, work through more reliable ones and avoid one round-trip.

Willy

v2.23.0 | Report a Bug | By Email