Re: [hybi] workability (or otherwise) of HTTP upgrade

Zhong Yu <zhong.j.yu@gmail.com> Tue, 07 December 2010 22:36 UTC

To: Dave Cridland <dave@cridland.net>
Cc: Server-Initiated HTTP <hybi@ietf.org>, HTTP Working Group <ietf-http-wg@w3.org>

On Tue, Dec 7, 2010 at 3:42 AM, Dave Cridland <dave@cridland.net> wrote:
> On Mon Dec  6 23:27:02 2010, Maciej Stachowiak wrote:
>>
>> I'd like to see more detail on the data than is found in the paper, but it
>> seems to show a real-world hazard with use of Upgrade, since many
>> intermediaries do not understand it and at least a few are confused into
>> treating subsequent traffic as additional HTTP requests and responses.
>
> That's a subtle misread of the paper.
>
> The paper shows that many intermediaries treat any traffic as HTTP requests
> and responses until they find a CONNECT, after which they treat the traffic
> as opaque except in a tiny minority of cases (what, 4 out of 54,000?).

I do not think the paper corroborates that argument at all.

Quoting the paper: "In our experiments, we observed two proxies which
appear not to understand CONNECT but simply to treat the request as an
ordinary request and then separately route subsequent requests, with
all routing based on IP address."

Sounds simple and clear, but let's dig a little deeper. The
experiments sent bytes in the following form (as far as we know, from
conversations on this mailing list):

  CONNECT websocket.invalid:443 HTTP/1.1
  Host: websocket.invalid:443
  Sec-WebSocket-Key: <connection-key>
  Sec-WebSocket-Metadata: <metadata>

  GET /script.php/<random> HTTP/1.1
  Host: target.com

that is, two HTTP requests, well formed. An HTTP interceptor that
understands CONNECT will treat the load (all bytes after the connect
request) as opaque and forward them to the server verbatim.

On the other hand, a "CONNECT-agnostic" HTTP interceptor, one that
does not "understand CONNECT but simply to treat the request as an
ordinary request and then separately route subsequent requests, with
all routing based on IP address", will do ... pretty much the same
thing! It could have parsed the load into an HTTP request, then sent
the request to the server as is, effectively forwarding the load to
the server verbatim. Neither the client nor the server could detect
the fact that this interceptor parsed the load as HTTP requests.

Some CONNECT-agnostic interceptors may have touched the 2nd request in
some way, allowing the server to detect them. The two proxies
described in the paper may have done something like that. It would be
nice if the authors tell us how exactly they are detected.

Other than that though, how many other interceptors are
CONNECT-agnostic? I don't see how you can even make a wild guess based
on the experiments conducted.

See also my previous inquiries about the experiments (yet to be answered):
http://www.ietf.org/mail-archive/web/hybi/current/msg04971.html
http://www.ietf.org/mail-archive/web/hybi/current/msg04972.html

- Zhong Yu
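
The indistinguishability argument in the message above, as an added example that is not part of the original post or of the paper: a toy model of the two interceptor behaviours, comparing the bytes the server receives after the CONNECT request. The function names and the `Via` value are assumptions made for illustration; the message does not say how an interceptor might have touched the second request.

```python
# Constructed sample: the probe bytes in the layout quoted in the message.
PROBE = (
    b"CONNECT websocket.invalid:443 HTTP/1.1\r\n"
    b"Host: websocket.invalid:443\r\n"
    b"Sec-WebSocket-Key: <connection-key>\r\n"
    b"Sec-WebSocket-Metadata: <metadata>\r\n"
    b"\r\n"
    b"GET /script.php/<random> HTTP/1.1\r\n"
    b"Host: target.com\r\n"
    b"\r\n"
)

def split_requests(stream):
    """Split a byte stream into header-only HTTP requests (no bodies)."""
    return [p + b"\r\n\r\n" for p in stream.split(b"\r\n\r\n") if p]

def connect_aware(stream):
    """Model: everything after the CONNECT request is opaque and is
    forwarded to the server byte for byte."""
    _head, _sep, load = stream.partition(b"\r\n\r\n")
    return load

def connect_agnostic(stream, add_via=False):
    """Model: each request is parsed as HTTP, re-serialized and routed
    separately. add_via simulates an interceptor that alters the request
    (hypothetical modification, chosen only for illustration)."""
    out = []
    for raw in split_requests(stream)[1:]:  # requests following the CONNECT
        lines = raw.rstrip(b"\r\n").split(b"\r\n")
        request_line, headers = lines[0], lines[1:]
        if add_via:
            headers.append(b"Via: 1.1 proxy.example")  # constructed value
        out.append(b"\r\n".join([request_line] + headers) + b"\r\n\r\n")
    return b"".join(out)

def server_can_tell(stream, **kw):
    """True if the load seen by the server differs between the two models."""
    return connect_aware(stream) != connect_agnostic(stream, **kw)

if __name__ == "__main__":
    print("faithful re-serialization detectable:", server_can_tell(PROBE))
    print("modified request detectable:        ",
          server_can_tell(PROBE, add_via=True))
```

Because the load is itself a well-formed HTTP request, a parser that re-emits it faithfully produces the same bytes as a tunnel, so only interceptors that alter the request show up in a server-side comparison.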