IETF Logo Mail Archive

Re: [hybi] Call for interest: multiplexing dedicated for WebSocket

Tobias Oberstein <tobias.oberstein@tavendo.de> Thu, 30 May 2013 08:30 UTC

Return-Path: <tobias.oberstein@tavendo.de>
X-Original-To: hybi@ietfa.amsl.com
Delivered-To: hybi@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A6ACC21F96B5 for <hybi@ietfa.amsl.com>; Thu, 30 May 2013 01:30:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.598
X-Spam-Level:
X-Spam-Status: No, score=-2.598 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OCl4zMapJNWE for <hybi@ietfa.amsl.com>; Thu, 30 May 2013 01:30:32 -0700 (PDT)
Received: from EXHUB020-3.exch020.serverdata.net (exhub020-3.exch020.serverdata.net [206.225.164.30]) by ietfa.amsl.com (Postfix) with ESMTP id E91A121F8A03 for <hybi@ietf.org>; Thu, 30 May 2013 01:30:31 -0700 (PDT)
Received: from [109.193.209.160] (109.193.209.160) by smtpx20.serverdata.net (206.225.164.35) with Microsoft SMTP Server (TLS) id 8.3.264.0; Thu, 30 May 2013 01:30:30 -0700
Message-ID: <51A70DF9.5010601@tavendo.de>
Date: Thu, 30 May 2013 10:29:45 +0200
From: Tobias Oberstein <tobias.oberstein@tavendo.de>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:17.0) Gecko/20130509 Thunderbird/17.0.6
MIME-Version: 1.0
To: Takeshi Yoshino <tyoshino@google.com>
References: <CAH9hSJZxr+aG7GZa4f-dUOTGj4bnJ+3XxivUX4jei5CMyqN4LQ@mail.gmail.com> <634914A010D0B943A035D226786325D4422C319646@EXVMBX020-12.exch020.serverdata.net> <CAH9hSJYrrbSM3TTSKCQ=AMcwCfE4zqNAa1kuAvecrXZTLqy2gQ@mail.gmail.com> <634914A010D0B943A035D226786325D4422C3DA774@EXVMBX020-12.exch020.serverdata.net> <CAHixhFrTk79A07BjQCgvep_+bmA4rGG1ZvqmoS6gsQYNPyPoZA@mail.gmail.com> <CAH9hSJYFa+bqN=e7x87W+Xvq-st70nbzUXniQaPme2fzspCjWA@mail.gmail.com>
In-Reply-To: <CAH9hSJYFa+bqN=e7x87W+Xvq-st70nbzUXniQaPme2fzspCjWA@mail.gmail.com>
Content-Type: multipart/alternative; boundary="------------080708080102070705040802"
Cc: "hybi@ietf.org" <hybi@ietf.org>
Subject: Re: [hybi] Call for interest: multiplexing dedicated for WebSocket
X-BeenThere: hybi@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Server-Initiated HTTP <hybi.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/hybi>, <mailto:hybi-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hybi>
List-Post: <mailto:hybi@ietf.org>
List-Help: <mailto:hybi-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 30 May 2013 08:30:37 -0000

Am 30.05.2013 09:28, schrieb Takeshi Yoshino:
> On Thu, May 30, 2013 at 1:12 PM, Adam Rice <ricea@google.com 
> <mailto:ricea@google.com>> wrote:
>
>         So d) - f) cannot be multiplexed over the same physical WS as
>         a) - c)?
>
>         Or can an implementation just "silently" transport a)-c) also
>         over wss, and hence multiplex all of a) - f) over 1 physical WS?
>
>
>     The handshake does not currently include the schema, so there
>     would be no way to communicate to the server that a)-c) were
>     supposed to be ws:, not wss:.
>
>
> Right. I missed that point.
>
>     Even if this was amended, both client and server would have to be
>     careful that no ambient authority leaked from the wss: channels to
>     the ws: channels. For example: the client would have to be careful
>     not to send "secure" cookies with the ws: handshakes, and the
>     server would have to be careful not to apply any authority
>     contained in a client TLS certificate to the ws: logical channels.
>
>     For this reason, I think it would be easiest not to attempt to
>     multiplex ws: and wss: onto a single TCP/IP connection.
>
>
> Compression contexts, etc. also need to be isolated carefully to 
> protect it from attack like CRIME.

I also agree with Adam. To summarize, given the possible "issues" of

- client cert based auth
- "secure" cookies / ambient authority
- compression contexts / CRIME

(plus complexities like: what if an app opens ws://domain.com, and then 
_later_ opens wss://domain.com? Upgrade to TLS not possible anymore .. 
cannot TLS handshake in the middle of an already established non-TLS TCP 
where some traffic already traveled .. the WS handshake at least.)

I think it would be good to include explicit text into the MUX draft, e.g.

"""
An implementation MUST NOT multiplex multiple logical channels to 
WebSocket addresses with different schemes (ws: versus wss:) on a single 
physical WebSocket connection.

For example, two WebSocket connections to ws://domain.com and 
wss://domain.com must not be shared on a single physical WebSocket 
connection to domain.com.
"""

I also think it would be helpful to include explicit text describing 
what WebSocket addresses are eligible for sharing, e.g.

"""
An implementation MAY multiplex multiple logical channels to different 
WebSocket addresses if and only if the WebSocket addresses share the 
same WebSocket scheme, the hostname resolves to the same IP address and 
the same port.

For example, connections to all of the following WebSocket addresses may 
be multiplexed over a single physical WebSocket connection (assum 
domain.com, domain2.com and sub1.domain.com all resolve to the same IP 
address):

ws://domain.com
ws://domain.com:80
ws://domain.com/foo
ws://domain.com:80/foo
ws://domain.com/bar
ws://domain2.com
ws://sub1.domain.com
ws://sub1.domain.com:80
ws://sub1.domain.com:80/bar

Note: When a WS address does not specify an explicit port, the port is 
the default port for the given WS scheme (ws: = 80 and wss: = 443).
"""




/Tobias

v2.23.0 | Report a Bug | By Email