Re: [hybi] New port and Tunneling?
Greg Wilkins <gregw@webtide.com> Mon, 16 August 2010 05:50 UTC
Return-Path: <gregw@webtide.com>
X-Original-To: hybi@core3.amsl.com
Delivered-To: hybi@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id BBD0A3A6958 for <hybi@core3.amsl.com>; Sun, 15 Aug 2010 22:50:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.456
X-Spam-Level:
X-Spam-Status: No, score=-1.456 tagged_above=-999 required=5 tests=[AWL=-0.079, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, J_CHICKENPOX_71=0.6]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TS0OS5rL0I7V for <hybi@core3.amsl.com>; Sun, 15 Aug 2010 22:50:50 -0700 (PDT)
Received: from mail-fx0-f44.google.com (mail-fx0-f44.google.com [209.85.161.44]) by core3.amsl.com (Postfix) with ESMTP id 965FD3A6950 for <hybi@ietf.org>; Sun, 15 Aug 2010 22:50:50 -0700 (PDT)
Received: by fxm18 with SMTP id 18so3202930fxm.31 for <hybi@ietf.org>; Sun, 15 Aug 2010 22:51:26 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.223.104.148 with SMTP id p20mr4741010fao.11.1281937886239; Sun, 15 Aug 2010 22:51:26 -0700 (PDT)
Received: by 10.223.57.12 with HTTP; Sun, 15 Aug 2010 22:51:26 -0700 (PDT)
In-Reply-To: <20100816051831.GN27614@1wt.eu>
References: <a8358c0239c686dfd4753b55c6c34385.squirrel@sm.webmail.pair.com> <20100815221922.GJ27614@1wt.eu> <b13c89a75303a5d97edcb78926b385be.squirrel@sm.webmail.pair.com> <20100815234010.GM27614@1wt.eu> <52530df7491f03990cbfffd3eb49bcb6.squirrel@sm.webmail.pair.com> <AANLkTi==qsBWRDhxten+fV91bYiBhJ_vhSoqPNpsp3Pb@mail.gmail.com> <28d4e6c08e65e43899d59478e332a8aa.squirrel@sm.webmail.pair.com> <AANLkTikCKFCCWue5xqGhNssUSCuf_uEQyuCoW9GGH2N5@mail.gmail.com> <f5eacee9dece3b4feb6ebcd017bd5977.squirrel@sm.webmail.pair.com> <AANLkTikMY0CHSqvQU9uRHiDrmotQDP1dtWwkiLAOYr=9@mail.gmail.com> <20100816051831.GN27614@1wt.eu>
Date: Mon, 16 Aug 2010 15:51:26 +1000
Message-ID: <AANLkTi==Tf2zzNeP9jaRzuw7P+dnbsqhkVF046rk0k3S@mail.gmail.com>
From: Greg Wilkins <gregw@webtide.com>
To: Willy Tarreau <w@1wt.eu>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Cc: hybi@ietf.org
Subject: Re: [hybi] New port and Tunneling?
X-BeenThere: hybi@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Server-Initiated HTTP <hybi.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hybi>
List-Post: <mailto:hybi@ietf.org>
List-Help: <mailto:hybi-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 16 Aug 2010 05:50:52 -0000
Willy, I agree with your analysis of the problem, but I remain hopeful that a better solution than Connection:close may be found, as this prevents the HTTP connection being used after a failed upgrade (by a BOSH/comet fallback). Having the server send a ws message after the handshake should be a good way to quickly detect this problem. Adding a simple checksum to the framing would also quickly detect most varieties of intermediaries not acting as pure tunnels. cheers On 16 August 2010 15:18, Willy Tarreau <w@1wt.eu> wrote: > Hi Greg, > > On Mon, Aug 16, 2010 at 01:09:22PM +1000, Greg Wilkins wrote: >> Shelby, >> >> >> The concerns I've mostly seen discussed is for an intermediary to pass >> the handshakes, but then not forward arbitrary data. >> >> However,I guess it is possible for a really stupid proxy to inject >> "HTTP headers" or similar into a websocket stream and corrupt data, >> specially if the data looked like a HTTP message. Perhaps that is >> an argument for a simple checksum in the framing mechanism (previously >> suggested and rejected because we are not trying to fix problems with >> TCP/IP - but this is a different use-case). > > What could very well happen in fact is that an intermediary does not > know that "101" requires all the chain to switch to tunnel mode, and > that it then considers the first data from the client as a second > request. It will send return "HTTP/1.1 400 Bad Request" in the response, > which does not look like a WS frame at all. That's why I was advocating > (and Jamie too) for the use of "Connection: close" in the request > headers. At least the intermediaries will know that they must close > after the first request is done. That will also improve fast fail on > incompatible components, because we won't have to wait for sending data. > > But I'm not worried for the rest. Having random headers inserted in the > 101 response is not a problem at all. And I don't see why any data could > get corrupted at all. At worst we could imagine that some IDS/IPS will > sometimes believe they see a known bad signature and reset the > connection as they sometimes do on HTTPS traffic, but there are many > other reasons for connection that we have to deal with. > > Regards, > Willy > >
- [hybi] New port and Tunneling? Shelby Moore
- Re: [hybi] New port and Tunneling? Willy Tarreau
- Re: [hybi] New port and Tunneling? Shelby Moore
- Re: [hybi] New port and Tunneling? Willy Tarreau
- Re: [hybi] New port and Tunneling? Shelby Moore
- Re: [hybi] New port and Tunneling? Willy Tarreau
- Re: [hybi] New port and Tunneling? Shelby Moore
- Re: [hybi] New port and Tunneling? Shelby Moore
- Re: [hybi] New port and Tunneling? Greg Wilkins
- Re: [hybi] New port and Tunneling? Shelby Moore
- Re: [hybi] New port and Tunneling? Greg Wilkins
- Re: [hybi] New port and Tunneling? Shelby Moore
- Re: [hybi] New port and Tunneling? Greg Wilkins
- Re: [hybi] New port and Tunneling? Willy Tarreau
- Re: [hybi] New port and Tunneling? Shelby Moore
- Re: [hybi] New port and Tunneling? Greg Wilkins
- Re: [hybi] New port and Tunneling? Greg Wilkins
- Re: [hybi] New port and Tunneling? Willy Tarreau
- Re: [hybi] New port and Tunneling? Shelby Moore
- Re: [hybi] New port and Tunneling? Willy Tarreau
- Re: [hybi] New port and Tunneling? Greg Wilkins
- Re: [hybi] New port and Tunneling? Shelby Moore
- Re: [hybi] New port and Tunneling? Shelby Moore
- Re: [hybi] New port and Tunneling? Shelby Moore
- Re: [hybi] New port and Tunneling? Shelby Moore
- Re: [hybi] New port and Tunneling? Vladimir Katardjiev
- Re: [hybi] New port and Tunneling? Shelby Moore
- Re: [hybi] New port and Tunneling? Vladimir Katardjiev
- Re: [hybi] New port and Tunneling? Willy Tarreau
- Re: [hybi] New port and Tunneling? Shelby Moore
- Re: [hybi] New port and Tunneling? Shelby Moore
- Re: [hybi] New port and Tunneling? Shelby Moore
- Re: [hybi] New port and Tunneling? Shelby Moore
- Re: [hybi] New port and Tunneling? Shelby Moore
- Re: [hybi] New port and Tunneling? Shelby Moore
- Re: [hybi] New port and Tunneling? Adam Barth
- Re: [hybi] New port and Tunneling? Shelby Moore
- Re: [hybi] New port and Tunneling? Adam Barth
- Re: [hybi] New port and Tunneling? Shelby Moore
- Re: [hybi] New port and Tunneling? Dave Cridland
- Re: [hybi] New port and Tunneling? Shelby Moore
- Re: [hybi] New port and Tunneling? Shelby Moore
- Re: [hybi] New port and Tunneling? Shelby Moore
- Re: [hybi] New port and Tunneling? Shelby Moore
- Re: [hybi] New port and Tunneling? Shelby Moore
- Re: [hybi] New port and Tunneling? Salvatore Loreto
- Re: [hybi] New port and Tunneling? Shelby Moore
- Re: [hybi] New port and Tunneling? Shelby Moore