IETF Logo Mail Archive

Re: [hybi] WebSocket, TLS and intermediaries

Maciej Stachowiak <mjs@apple.com> Wed, 21 July 2010 12:33 UTC

Return-Path: <mjs@apple.com>
X-Original-To: hybi@core3.amsl.com
Delivered-To: hybi@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 960EF3A69CA for <hybi@core3.amsl.com>; Wed, 21 Jul 2010 05:33:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -106.599
X-Spam-Level:
X-Spam-Status: No, score=-106.599 tagged_above=-999 required=5 tests=[AWL=0.001, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id w0zpZ3uCCwqv for <hybi@core3.amsl.com>; Wed, 21 Jul 2010 05:33:34 -0700 (PDT)
Received: from mail-out4.apple.com (mail-out4.apple.com [17.254.13.23]) by core3.amsl.com (Postfix) with ESMTP id 454BA3A69A4 for <hybi@ietf.org>; Wed, 21 Jul 2010 05:33:34 -0700 (PDT)
Received: from relay13.apple.com (relay13.apple.com [17.128.113.29]) by mail-out4.apple.com (Postfix) with ESMTP id 9EC89A479EAF for <hybi@ietf.org>; Wed, 21 Jul 2010 05:33:50 -0700 (PDT)
X-AuditID: 1180711d-b7b98ae000002f4b-70-4c46e92ed842
Received: from gertie.apple.com (gertie.apple.com [17.151.62.15]) by relay13.apple.com (Apple SCV relay) with SMTP id D3.58.12107.E29E64C4; Wed, 21 Jul 2010 05:33:50 -0700 (PDT)
MIME-version: 1.0
Content-transfer-encoding: 7bit
Content-type: text/plain; charset="us-ascii"
Received: from [17.151.79.117] by gertie.apple.com (Sun Java(tm) System Messaging Server 6.3-7.04 (built Sep 26 2008; 32bit)) with ESMTPSA id <0L5W00J8XQWD6T40@gertie.apple.com> for hybi@ietf.org; Wed, 21 Jul 2010 05:33:50 -0700 (PDT)
From: Maciej Stachowiak <mjs@apple.com>
In-reply-to: <20100721122101.GA1194@1wt.eu>
Date: Wed, 21 Jul 2010 05:33:49 -0700
Message-id: <D9C43C2E-B6D8-4D3F-9146-1D2CA9264EF2@apple.com>
References: <h2w5c902b9e1004152345j992b815bz5f8d38f06a19181a@mail.gmail.com> <Pine.LNX.4.64.1004160701250.751@ps20323.dreamhostps.com> <4BC860FD.8080007@webtide.com> <Pine.LNX.4.64.1004161952530.751@ps20323.dreamhostps.com> <35EFEA5E-9017-48A1-BB66-A0AF947E159F@d2dx.com> <AANLkTinihlL2sn3Kiwtcl7QYKhFlvmj9lvmH4_z02xF7@mail.gmail.com> <FC1F510E-6D48-4D75-A356-F455C9FD5BD8@apple.com> <4C468EAE.4050507@gmx.de> <02BB0E0C-133B-4733-B053-A9D6E870F199@apple.com> <20100721122101.GA1194@1wt.eu>
To: Willy Tarreau <w@1wt.eu>
X-Mailer: Apple Mail (2.1081)
X-Brightmail-Tracker: AAAAAQAAAZE=
Cc: Hybi <hybi@ietf.org>
Subject: Re: [hybi] WebSocket, TLS and intermediaries
X-BeenThere: hybi@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Server-Initiated HTTP <hybi.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hybi>
List-Post: <mailto:hybi@ietf.org>
List-Help: <mailto:hybi-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 21 Jul 2010 12:33:35 -0000

On Jul 21, 2010, at 5:21 AM, Willy Tarreau wrote:

> 
> Not necessarily, if we rely on standards and the intermediaries support those
> standards, there is no need for the ends to know about them. Neither your
> client nor your servers are aware of the number of routers and firewalls
> in the chain because the service they offer relies on well established
> standards and they act transparently.

Yes, but the core protocols of the Internet (IP, TCP, UDP, ICMP, etc) have update time scales on the order of decades. Even with exhaustion of the address space staring us down, rolling out IPv6 is a massive engineering undertaking. And indeed, if you try to use IPv6 on your home network today, it will matter to you whether the intermediaries between you and your other endpoint support it.

The bottom line is this: if you allow intermediaries to participate without the explicit knowledge of either endpoint, it may take decades to roll out significant protocol changes. All communication will be reduced to the least common denominator of the worst-behaving intermediaries. That may be a cost worth bearing for low-level protocols, but it is completely unacceptable for an application-level protocol in an area of high innovation.

> The same must be true with intermediaries
> here. By using a standard HTTP handshake, standard-compliant intermediaries
> can work without either of the client or server being aware of it.

And likewise they can (and apparently often will) fail without either the client or the server being aware of it. This mistake has already been made with HTTP, let's learn from it instead of repeating it.

> 
>> We should not support magical transparent intermediaries where neither the client nor server has
>>  an obvious way to detect its existence; in fact we should design the protocol to prevent such intermediaries from being created.
> 
> I disagree here. Intermediaries will be created whatever efforts you put to
> try to make them fail. They will exist because people who deploy them need
> them, and the quality of their implementation is no problem for them.

That's exactly the problem - low-quality intermediaries are not a problem for the people running them, but they create global negative externalities.

Regards,
Maciej

v2.23.0 | Report a Bug | By Email