Re: [hybi] Multiple connections serialization and proxies

["Thomson, Martin" <Martin.Thomson@andrew.com>]

This raises a point that needs to be highlighted, particularly for the BWTP on WS proposal:

If connections are identified purely by the domain name of the host, and re-used based solely on that name, then no other state can be accumulated against that connection.

This includes the sub-protocol details, any state like common headers (BWTP uses channels to isolate this, so it might be OK), and all application-layer state tied to the connection.

The only state that can be established is that that could be considered invariant for the life of the connection and it's many (potential) uses.

For instance,

App A establishes WS connection to example.com with sub-protocol foo.

App B requests WS connection to example.com also, but with sub-protocol bar.  It cannot signal this sub-protocol use to example.com if it re-uses the connection established by App A.

Similarly, if App A establishes state on the connection (for example, using one of the BWTP channel headers), then this state could interfere with state that B attempts to establish:

App A logs in and sets the user name to 'alice'.  App B logs in and sets the user name to 'bob'.  Are requests that follow authorized based on alice's permissions, or bob's?

Keep in mind that applications will assume that this 'connection' is theirs to use.  In many cases, the connection will be dedicated, and will persist, so how will the proverbial 'inexpert' server developer know how to cope with an unexplained error like this?

This is made even worse if an intermediary attempts (legitimately) to multiplex streams...

--Martin


> -----Original Message-----
> From: hybi-bounces@ietf.org [mailto:hybi-bounces@ietf.org] On Behalf Of
> Christian Biesinger
> Sent: Friday, 23 April 2010 5:24 AM
> To: Wellington Fernando de Macedo
> Cc: hybi@ietf.org
> Subject: Re: [hybi] Multiple connections serialization and proxies
> 
> Note that if you want websockets to be similar to HTTP, it should
> always use host names instead of IP addresses for connection limits.
> At least Firefox uses hostnames for HTTP's limit, I'm not quite sure
> on the other browsers.
> 
> -christian
> 
> On Thu, Apr 22, 2010 at 8:49 PM, Wellington Fernando de Macedo
> <wfernandom2004@gmail.com> wrote:
> > Hi again,
> >
> > We (Ian, Christian Biesinger and me) have talked about this issue.
> We've
> > decided that, when under proxies, Mozilla's implementation will
> serialize
> > the connections using the host names.
> >
> > Ian, can you update the spec accordingly, please?
> >
> > Wellington.
> >
> > Em 21/4/2010 15:51, Wellington Fernando de Macedo escreveu:
> >
> > Hi,
> >
> > A question has been raised in the Mozilla implementation. The spec
> states:
> >
> >    1.   If the user agent already has a WebSocket connection to the
> >         remote host (IP address) identified by /host/, even if known
> by
> >         another name, wait until that connection has been established
> or
> >         for that connection to have failed.
> >
> > However, when the WS is under proxies, we can't leak the host names
> to the
> > DNS server. In this case, what should be done? I think the spec
> should
> > clarify this.
> >
> > Wellington.
> >
> >
> > _______________________________________________
> > hybi mailing list
> > hybi@ietf.org
> > https://www.ietf.org/mailman/listinfo/hybi
> >
> >
> _______________________________________________
> hybi mailing list
> hybi@ietf.org
> https://www.ietf.org/mailman/listinfo/hybi