Re: [hybi] workability (or otherwise) of HTTP upgrade
Zhong Yu <zhong.j.yu@gmail.com> Tue, 07 December 2010 22:36 UTC

On Tue, Dec 7, 2010 at 3:42 AM, Dave Cridland <dave@cridland.net> wrote:
> On Mon Dec 6 23:27:02 2010, Maciej Stachowiak wrote:
>>
>> I'd like to see more detail on the data than is found in the paper, but it
>> seems to show a real-world hazard with use of Upgrade, since many
>> intermediaries do not understand it and at least a few are confused into
>> treating subsequent traffic as additional HTTP requests and responses.
>
> That's a subtle misread of the paper.
>
> The paper shows that many intermediaries treat any traffic as HTTP requests
> and responses until they find a CONNECT, after which they treat the traffic
> as opaque except in a tiny minority of cases (what, 4 out of 54,000?).

I do not think the paper corroborates that argument at all. Quoting the paper:

"In our experiments, we observed two proxies which appear not to understand CONNECT but simply to treat the request as an ordinary request and then separately route subsequent requests, with all routing based on IP address."

Sounds simple and clear, but let's dig a little deeper. The experiments sent bytes in the following form (as far as we know, from conversations on this mailing list)

    CONNECT websocket.invalid:443 HTTP/1.1
    Host: websocket.invalid:443
    Sec-WebSocket-Key: <connection-key>
    Sec-WebSocket-Metadata: <metadata>

    GET /script.php/<random> HTTP/1.1
    Host: target.com

that is, two HTTP requests, well formed.

An HTTP interceptor that understands CONNECT will treat the load (all bytes after the connect request) as opaque and forward them to the server verbatim.

On the other hand, a "CONNECT-agnostic" HTTP interceptor, one that does not "understand CONNECT but simply to treat the request as an ordinary request and then separately route subsequent requests, with all routing based on IP address", will do ... pretty much the same thing! It could have parsed the load into an HTTP request, then sent the request to the server as is, effectively forwarding the load to the server verbatim. Neither the client nor the server could detect the fact that this interceptor parsed the load as HTTP requests.

Some CONNECT-agnostic interceptors may have touched the 2nd request in some way, allowing the server to detect them. The two proxies described in the paper may have done something like that. It would be nice if the authors tell us how exactly they are detected. Other than that though, how many other interceptors are CONNECT-agnostic? I don't see how you can even make a wild guess based on the experiments conducted.

See also my previous inquiries about the experiments (yet to be answered)

http://www.ietf.org/mail-archive/web/hybi/current/msg04971.html
http://www.ietf.org/mail-archive/web/hybi/current/msg04972.html

- Zhong Yu
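
The argument in the message above, as an added example (not part of the original post, and not the paper's experiment code): a simplified Python model of the bytes a measuring server receives for the load under each kind of interceptor. The placeholder values, the Via header and all function names are assumptions; requests are assumed to carry no body.

```python
# Constructed sample: the byte stream described in the message, with
# placeholders substituted for <connection-key>, <metadata> and <random>.
PROBE = (
    b"CONNECT websocket.invalid:443 HTTP/1.1\r\n"
    b"Host: websocket.invalid:443\r\n"
    b"Sec-WebSocket-Key: PLACEHOLDER-KEY\r\n"
    b"Sec-WebSocket-Metadata: PLACEHOLDER-METADATA\r\n"
    b"\r\n"
    b"GET /script.php/PLACEHOLDER-RANDOM HTTP/1.1\r\n"
    b"Host: target.com\r\n"
    b"\r\n"
)

def split_head(stream):
    """Return (CONNECT request head, load that follows it)."""
    head, _, load = stream.partition(b"\r\n\r\n")
    return head, load

def connect_aware(stream):
    """Understands CONNECT: relays the load as opaque bytes."""
    return split_head(stream)[1]

def connect_agnostic(stream, add_header=None):
    """Does not understand CONNECT: parses the load as HTTP requests and
    re-emits each one, optionally rewriting it (hypothetical Via header)."""
    out = []
    for req in split_head(stream)[1].split(b"\r\n\r\n"):
        if not req:
            continue
        lines = req.split(b"\r\n")      # request line + header lines
        if add_header:
            lines.append(add_header)    # the interceptor "touches" the request
        out.append(b"\r\n".join(lines) + b"\r\n\r\n")
    return b"".join(out)

def server_can_detect(received, sent=PROBE):
    """The only signal the server has: did the load arrive byte-identical?"""
    return received != split_head(sent)[1]

def observations():
    """What the measuring server can conclude for each interceptor type."""
    return {
        "connect_aware": server_can_detect(connect_aware(PROBE)),
        "agnostic_passthrough": server_can_detect(connect_agnostic(PROBE)),
        "agnostic_rewriting": server_can_detect(
            connect_agnostic(PROBE, b"Via: 1.1 proxy.example")),
    }

if __name__ == "__main__":
    for name, detected in observations().items():
        print(f"{name:22s} detectable={detected}")
```

Only the rewriting case is visible to the server; the pass-through CONNECT-agnostic interceptor yields the same bytes as the CONNECT-aware one, so a count of detected proxies is a lower bound on CONNECT-agnostic ones.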