IETF Logo Mail Archive

Re: [hybi] New port and Tunneling?

"Shelby Moore" <shelby@coolpage.com> Mon, 16 August 2010 05:58 UTC

Return-Path: <shelby@coolpage.com>
X-Original-To: hybi@core3.amsl.com
Delivered-To: hybi@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 988F33A68AE for <hybi@core3.amsl.com>; Sun, 15 Aug 2010 22:58:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.512
X-Spam-Level:
X-Spam-Status: No, score=-1.512 tagged_above=-999 required=5 tests=[AWL=0.487, BAYES_00=-2.599, J_CHICKENPOX_71=0.6]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CyPtapkES0XA for <hybi@core3.amsl.com>; Sun, 15 Aug 2010 22:58:31 -0700 (PDT)
Received: from www5.webmail.pair.com (www5.webmail.pair.com [66.39.3.83]) by core3.amsl.com (Postfix) with SMTP id 32CAA3A6819 for <hybi@ietf.org>; Sun, 15 Aug 2010 22:58:30 -0700 (PDT)
Received: (qmail 92439 invoked by uid 65534); 16 Aug 2010 05:59:06 -0000
Received: from 121.97.54.174 ([121.97.54.174]) (SquirrelMail authenticated user shelby@coolpage.com) by sm.webmail.pair.com with HTTP; Mon, 16 Aug 2010 01:59:06 -0400
Message-ID: <769fc557cb23a9a56ec7405ee3ae419e.squirrel@sm.webmail.pair.com>
In-Reply-To: <20100816051831.GN27614@1wt.eu>
References: <a8358c0239c686dfd4753b55c6c34385.squirrel@sm.webmail.pair.com> <20100815221922.GJ27614@1wt.eu> <b13c89a75303a5d97edcb78926b385be.squirrel@sm.webmail.pair.com> <20100815234010.GM27614@1wt.eu> <52530df7491f03990cbfffd3eb49bcb6.squirrel@sm.webmail.pair.com> <AANLkTi==qsBWRDhxten+fV91bYiBhJ_vhSoqPNpsp3Pb@mail.gmail.com> <28d4e6c08e65e43899d59478e332a8aa.squirrel@sm.webmail.pair.com> <AANLkTikCKFCCWue5xqGhNssUSCuf_uEQyuCoW9GGH2N5@mail.gmail.com> <f5eacee9dece3b4feb6ebcd017bd5977.squirrel@sm.webmail.pair.com> <AANLkTikMY0CHSqvQU9uRHiDrmotQDP1dtWwkiLAOYr=9@mail.gmail.com> <20100816051831.GN27614@1wt.eu>
Date: Mon, 16 Aug 2010 01:59:06 -0400
From: Shelby Moore <shelby@coolpage.com>
To: Willy Tarreau <w@1wt.eu>
User-Agent: SquirrelMail/1.4.20
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 8bit
X-Priority: 3 (Normal)
Importance: Normal
Cc: hybi@ietf.org
Subject: Re: [hybi] New port and Tunneling?
X-BeenThere: hybi@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: shelby@coolpage.com
List-Id: Server-Initiated HTTP <hybi.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hybi>
List-Post: <mailto:hybi@ietf.org>
List-Help: <mailto:hybi-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 16 Aug 2010 05:58:32 -0000

> Hi Greg,
>
> On Mon, Aug 16, 2010 at 01:09:22PM +1000, Greg Wilkins wrote:
>> Shelby,
>>
>>
>> The concerns I've mostly seen discussed is for an intermediary to pass
>> the handshakes, but then not forward arbitrary data.
>>
>> However,I guess it is possible for a really stupid proxy to inject
>> "HTTP headers" or similar into a websocket stream and corrupt data,
>> specially if the data looked like a HTTP message.    Perhaps that is
>> an argument for a simple checksum in the framing mechanism (previously
>> suggested and rejected because we are not trying to fix problems with
>> TCP/IP - but this is a different use-case).
>
> What could very well happen in fact is that an intermediary does not
> know that "101" requires all the chain to switch to tunnel mode, and
> that it then considers the first data from the client as a second
> request. It will send return "HTTP/1.1 400 Bad Request" in the response,

But what if the data (sometimes randomly) looks like a valid HTTP request,
then all sorts of domino-effect random things could happen?  So every time
HTTP is upgraded with new keywords and syntax, WebSocket is broken!

I suspect this is also a security hole of some sort.

> which does not look like a WS frame at all. That's why I was advocating
> (and Jamie too) for the use of "Connection: close" in the request
> headers. At least the intermediaries will know that they must close
> after the first request is done. That will also improve fast fail on
> incompatible components, because we won't have to wait for sending data.

Are you saying that the very first data sent will be guaranteed to always
be ill-formed HTTP, and so thus we can detect the "HTTP/1.1 400 Bad
Request" _always_ in a fast fail on incompatible components?  But what
about for proxies that always pass through and only take action on HTTP
they want to filter on?  You are making the assumption that every proxy in
the world will issue "HTTP/1.1 400 Bad Request" for a request it does not
understand.  Does the HTTP spec require proxies to reply or is pass
through allowed by the spec?


>
> But I'm not worried for the rest. Having random headers inserted in the
> 101 response is not a problem at all. And I don't see why any data could
> get corrupted at all. At worst we could imagine that some IDS/IPS will
> sometimes believe they see a known bad signature and reset the
> connection as they sometimes do on HTTPS traffic, but there are many
> other reasons for connection that we have to deal with.

If my comments above are correct, take that as flashback to our security
discussion that there is no way you can know your implementation is
"clean".  There are always cases unforseen.  The state machine is too
large to load in the human mind.  We discover specific cases as we come
across a reason to think about or experience them.

>
> Regards,
> Willy
>
>
>

v2.23.0 | Report a Bug | By Email