Re: [hybi] IESG note?, was: Last Call: <draft-ietf-hybi-thewebsocketprotocol-10.txt> (The WebSocket protocol) to Proposed Standard

Julian Reschke <julian.reschke@gmx.de> Sat, 03 September 2011 13:16 UTC

Return-Path: <julian.reschke@gmx.de>
X-Original-To: hybi@ietfa.amsl.com
Delivered-To: hybi@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D8A2821F886A for <hybi@ietfa.amsl.com>; Sat, 3 Sep 2011 06:16:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -104.243
X-Spam-Level:
X-Spam-Status: No, score=-104.243 tagged_above=-999 required=5 tests=[AWL=-1.644, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QENApKs4aArF for <hybi@ietfa.amsl.com>; Sat, 3 Sep 2011 06:16:15 -0700 (PDT)
Received: from mailout-de.gmx.net (mailout-de.gmx.net [213.165.64.22]) by ietfa.amsl.com (Postfix) with SMTP id F283221F85FE for <hybi@ietf.org>; Sat, 3 Sep 2011 06:16:14 -0700 (PDT)
Received: (qmail invoked by alias); 03 Sep 2011 13:17:52 -0000
Received: from p508FBF10.dip.t-dialin.net (EHLO [192.168.178.36]) [80.143.191.16] by mail.gmx.net (mp022) with SMTP; 03 Sep 2011 15:17:52 +0200
X-Authenticated: #1915285
X-Provags-ID: V01U2FsdGVkX1+HIZNk3ySHLbbwCg/qwt2zgXu/KTxBn8UQI8XKZR rholeZsCxfeYsz
Message-ID: <4E6228F9.2030108@gmx.de>
Date: Sat, 03 Sep 2011 15:17:45 +0200
From: Julian Reschke <julian.reschke@gmx.de>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:6.0.1) Gecko/20110830 Thunderbird/6.0.1
MIME-Version: 1.0
To: "Roy T. Fielding" <fielding@gbiv.com>
References: <20110711140229.17432.23519.idtracker@ietfa.amsl.com> <5355F3EF-DD59-4D3C-9578-84043A3B8E90@gbiv.com> <4E620772.9090900@gmx.de>
In-Reply-To: <4E620772.9090900@gmx.de>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-Y-GMX-Trusted: 0
Cc: Server-Initiated HTTP <hybi@ietf.org>, ietf@ietf.org, iesg@iesg.org
Subject: Re: [hybi] IESG note?, was: Last Call: <draft-ietf-hybi-thewebsocketprotocol-10.txt> (The WebSocket protocol) to Proposed Standard
X-BeenThere: hybi@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Server-Initiated HTTP <hybi.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/hybi>, <mailto:hybi-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hybi>
List-Post: <mailto:hybi@ietf.org>
List-Help: <mailto:hybi-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 03 Sep 2011 13:16:16 -0000

On 2011-09-03 12:54, Julian Reschke wrote:
> Hi,
>
> I believe that almost everything Roy says below is non-controversial; if
> we can tune the language to be less offensive it might fit well into the
> Introduction (and not require an IESG Note to get into the document).
>
> Best regards, Julian
> ...

Like that...:

    The WebSocket protocol is designed with an assumption that
    TCP port 80 or 443 will be used for the sake of tunneling raw
    socket exchanges over HTTP.  The result is a convoluted and
    inefficient exchange of hashed data for the sake of bypassing

s/convoluted and inefficient/complex/

    intermediaries that may be routing, authenticating, filtering,
    or verifying traffic on those ports.  The sole reason for using

s/sole//

    ports 80 and 443, and hence requiring the hashed data exchange,
    is because many organizations use TCP port blocking at firewalls
    to prevent unexpected network traffic, but allow the HTTP ports
    to remain open because they are expected to be used for normal
    Web request traffic.  WebSocket deliberately bypasses network
    management constraints in order to enable Web application
    developers to send arbitrary data though a trusted port.

    Naturally, the WebSocket protocol does not have the same network
    characteristics as HTTP.  The messages exchanged are likely to
    be smaller, more interactive, and delivered asynchronously over
    a long-lived connection.  Unfortunately, those are the same
    characteristics of typical denial-of-service attacks over HTTP.
    Organizations deploying WebSockets should be aware that existing
    network equipment or software monitoring on those ports may need
    to be updated or replaced.

Best regards, Julian