IETF Logo Mail Archive

Re: [hybi] WebSocket, TLS and intermediaries

Willy Tarreau <w@1wt.eu> Wed, 21 July 2010 12:20 UTC

Return-Path: <w@1wt.eu>
X-Original-To: hybi@core3.amsl.com
Delivered-To: hybi@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 3F6B23A67ED for <hybi@core3.amsl.com>; Wed, 21 Jul 2010 05:20:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.743
X-Spam-Level:
X-Spam-Status: No, score=-3.743 tagged_above=-999 required=5 tests=[AWL=-1.700, BAYES_00=-2.599, HELO_IS_SMALL6=0.556]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YL8PV7jeRj1z for <hybi@core3.amsl.com>; Wed, 21 Jul 2010 05:20:51 -0700 (PDT)
Received: from 1wt.eu (1wt.eu [62.212.114.60]) by core3.amsl.com (Postfix) with ESMTP id 0480C3A67B7 for <hybi@ietf.org>; Wed, 21 Jul 2010 05:20:50 -0700 (PDT)
Received: (from willy@localhost) by mail.home.local (8.14.4/8.14.4/Submit) id o6LCL1LK001375; Wed, 21 Jul 2010 14:21:01 +0200
Date: Wed, 21 Jul 2010 14:21:01 +0200
From: Willy Tarreau <w@1wt.eu>
To: Maciej Stachowiak <mjs@apple.com>
Message-ID: <20100721122101.GA1194@1wt.eu>
References: <h2w5c902b9e1004152345j992b815bz5f8d38f06a19181a@mail.gmail.com> <Pine.LNX.4.64.1004160701250.751@ps20323.dreamhostps.com> <4BC860FD.8080007@webtide.com> <Pine.LNX.4.64.1004161952530.751@ps20323.dreamhostps.com> <35EFEA5E-9017-48A1-BB66-A0AF947E159F@d2dx.com> <AANLkTinihlL2sn3Kiwtcl7QYKhFlvmj9lvmH4_z02xF7@mail.gmail.com> <FC1F510E-6D48-4D75-A356-F455C9FD5BD8@apple.com> <4C468EAE.4050507@gmx.de> <02BB0E0C-133B-4733-B053-A9D6E870F199@apple.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <02BB0E0C-133B-4733-B053-A9D6E870F199@apple.com>
User-Agent: Mutt/1.4.2.3i
Cc: Hybi <hybi@ietf.org>
Subject: Re: [hybi] WebSocket, TLS and intermediaries
X-BeenThere: hybi@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Server-Initiated HTTP <hybi.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hybi>
List-Post: <mailto:hybi@ietf.org>
List-Help: <mailto:hybi-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 21 Jul 2010 12:20:52 -0000

On Wed, Jul 21, 2010 at 02:13:54AM -0700, Maciej Stachowiak wrote:
> HTTP pipelining is a clear example of a feature that is largely blocked by intermediaries not being updated enough.

It's not always a matter of not being "updated enough", but a matter of
"not always being implementable at all at a reasonable cost". Supporting
pipelining on intermediaries can require a very complex software architecture
with complex resource management to support multiple requests in flight,
sometimes for little added value. What is important though is that pipelined
requests all get processed in the correct order just as if they were not
pipelined. But are their still that many products that are incompatible
with pipelining ?

> When a protocol feature requires client or serve updates, then often it can be deployed incrementally when only a subset of clients or servers is updated, since they can come up with a way to signal to each other.

This is what was done with early WS implementations and multiple client and
server implementations have existed, BTW.

> However, if it is possible for intermediaries to get in the chain completely transparently, without any way for the client or server to know they exist, then it's quite difficult, perhaps impossible to come up with a reliable signal. In my opinion, to the extent we support intermediaries, the design should require at least one of the client or server to be explicitly aware of the intermediary.

Not necessarily, if we rely on standards and the intermediaries support those
standards, there is no need for the ends to know about them. Neither your
client nor your servers are aware of the number of routers and firewalls
in the chain because the service they offer relies on well established
standards and they act transparently. The same must be true with intermediaries
here. By using a standard HTTP handshake, standard-compliant intermediaries
can work without either of the client or server being aware of it. But if we
use non-standard derivative of well-established standards, of course we're
impacted a lot by standard-compliant intermediaries.

> We should not support magical transparent intermediaries where neither the client nor server has
>   an obvious way to detect its existence; in fact we should design the protocol to prevent such intermediaries from being created.

I disagree here. Intermediaries will be created whatever efforts you put to
try to make them fail. They will exist because people who deploy them need
them, and the quality of their implementation is no problem for them. The
dirtier we proceed, the uglier they will look like and the poorest the
resulting quality of service for the client.

There must not be "magical transparent intermediaries", there must be some
natural and implicit support for standard-compliant intermediaries so that
any new requirement can happen within a standard, and involves no "magics".

Regards,
Willy

v2.23.0 | Report a Bug | By Email