Re: [hybi] Multiple connections serialization and proxies

[Greg Wilkins <gregw@webtide.com>]

Martin,

You are correct in noting that the DOS protection is simply to
serialized connections.

However, one of the prime victims of this would be any application
that needs multiple "connections"  to/from the server.  We've seen from
the SPDY analysis that RTT is on the critical path for rendering
webpages, so *IF* multiple websocket connections are to be encouraged,
then this serialization could potentially be a significant latency
on some applications.

My preference would be to enable the use of a single connection
with multiplexing - so that multiple "connections" would not need to
suffer the cost of any RTT for TCP, TLS etc. and would certainly
not need to be serialized with other "connections" establishment.

As you and Jamie have pointed out, this would need to be done
properly, by which I mean:
 + no imposition on minimal implmentations of websocket.
 + equal semantics to dedicated connection websocket.
 + transparent to websocket API users.

cheers




Thomson, Martin wrote:
>> Correct, there is no mechanism, but also no need for one since reuse
>> and multiplexing don't occur.  If they're added, a virtual connection
>> mechanism will be at the same time.
> 
> I think that I misread the referenced section.
> 
> Just re-read it.
> 
> So, the only protection against multi-connection-DOS from the one client is to request that the client not have more than one connection attempt in progress at a time.
> 
> This only works if the client doesn't get rejected straight away, otherwise, the round trip time is the only limiting factor, which isn't that great.
> 
> Some (security considerations) advice on what a server might do to take advantage of the client-side requirement would be good.
> 
> --Martin