Re: [hybi] New port and Tunneling?
"Shelby Moore" <shelby@coolpage.com> Sun, 15 August 2010 23:41 UTC
Return-Path: <shelby@coolpage.com>
X-Original-To: hybi@core3.amsl.com
Delivered-To: hybi@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id B60543A65A5 for <hybi@core3.amsl.com>; Sun, 15 Aug 2010 16:41:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.28
X-Spam-Level:
X-Spam-Status: No, score=-0.28 tagged_above=-999 required=5 tests=[AWL=-0.695, BAYES_40=-0.185, J_CHICKENPOX_46=0.6]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id P25IhaWp8IP6 for <hybi@core3.amsl.com>; Sun, 15 Aug 2010 16:41:47 -0700 (PDT)
Received: from www5.webmail.pair.com (www5.webmail.pair.com [66.39.3.83]) by core3.amsl.com (Postfix) with SMTP id A0BFC3A67F2 for <hybi@ietf.org>; Sun, 15 Aug 2010 16:41:47 -0700 (PDT)
Received: (qmail 36281 invoked by uid 65534); 15 Aug 2010 23:42:23 -0000
Received: from 121.97.54.174 ([121.97.54.174]) (SquirrelMail authenticated user shelby@coolpage.com) by sm.webmail.pair.com with HTTP; Sun, 15 Aug 2010 19:42:23 -0400
Message-ID: <282fc32e462c5fcb7088f80fa5907dd5.squirrel@sm.webmail.pair.com>
In-Reply-To: <b13c89a75303a5d97edcb78926b385be.squirrel@sm.webmail.pair.com>
References: <7ffabb591b2292c9b81abecfaec3cdb6.squirrel@sm.webmail.pair.com> <20100815210332.GH27614@1wt.eu> <a8358c0239c686dfd4753b55c6c34385.squirrel@sm.webmail.pair.com> <20100815221922.GJ27614@1wt.eu> <b13c89a75303a5d97edcb78926b385be.squirrel@sm.webmail.pair.com>
Date: Sun, 15 Aug 2010 19:42:23 -0400
From: Shelby Moore <shelby@coolpage.com>
To: Willy Tarreau <w@1wt.eu>
User-Agent: SquirrelMail/1.4.20
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 8bit
X-Priority: 3 (Normal)
Importance: Normal
Cc: hybi@ietf.org
Subject: Re: [hybi] New port and Tunneling?
X-BeenThere: hybi@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: shelby@coolpage.com
List-Id: Server-Initiated HTTP <hybi.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hybi>
List-Post: <mailto:hybi@ietf.org>
List-Help: <mailto:hybi-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 15 Aug 2010 23:41:48 -0000
>> Give me one port that is supposed to remain open and I install a remote >> proxy on it in order to bypass all mandatory filtering that makes the >> web boring (but safe) to use from the internal network. > > You might as well just hack the browser, so then you need to close > port 80 too. AFAIR, Skype also uses port 80 (remember an issue of it interfering with XAMPP), so I don't understand what will stop malware from using port 80, even without hacking the browser? Security (insurance) is a fallacy that > results in abject poverty. Rather bring the fence down and just reboot > your computer when you click a bad link and your computer starts > misbehaving. Give the control back to the user. End this slavery and > restore freedom. > >> >>> > Right now the success rate of tests appears lower >>> > with HTTP than with TLS, but in my opinion, it will increase once the >>> > protocol is ratified, because proxy vendors will simply add support >>> for >>> > it in their proxies. >>> > >>> > If you open a dedicated port, it's very interesting in order to >>> reduce >>> > the number of round trips, but you'll still miss a part of the >>> population. >>> >>> See my point above, maybe the part is not larger than what will be >>> missed >>> with HTTP Upgrade, once the unknown soft fails are experience in the >>> wild. >>> There will need to be fallback to Comet/BOSH no matter what we do. So >>> why not go for the simplest solution that gives us the most robust >>> channel? >> >> The time to detect the failure can be huge. > > My other post earlier today I suggested to startup Comet/BOSH in parallel > and use them while you are awaiting the timeout, so no delay at all. > >> Via a proxy it's generally >> fast, you get an immediate rejection. > > I read in the archives of this list thatu can get a soft fail at any time > with corrupted or delayed data. Isn't there concern about what > transparent proxies will do if look at the bi-directional data? Okay > maybe TLS is immediate rejection with no potential soft fail/false > positive? But any way I think the startup delay is not an issue if you > start up Comet/BOSH in parallel. > >> But via a blocked firewall, it >> takes several seconds before you can decide that the port is closed. > > Agreed, but see my points above. > >> >>> > Also, TLS as proposed by Adam looks very promising. But it still has >>> the >>> > inconvenient that it will never be blindly opened in many enterprises >>> due >>> > to the impossibility to analyse it. >>> >>> The tunneled specific port can be analyzed. >> >> yes that's a good point. > > Thank you. > >> >>> > And it does not easily allow server >>> > stickiness for a user connecting to the WS port of the HTTP server he >>> was >>> > on. >>> >>> I don't understand. >> >> On the server side, you generally don't have one single server, in fact >> you have a farm of servers. Sometimes just 2, sometimes 10, or even 100. >> For every requests that come in, a server is selected to process the >> request. Stickiness is what ensures that a user will have all of its >> session processed by the same server in the farm. It is very important, >> otherwise each request would go to a different server and the server >> context would be lost between clicks. >> >> When implementing WebSocket in web applications, you'll most likely >> have to share contexts between the web server and the websocket server. >> That means that most often you'll want them to run on the same server, >> so you want to be able to associate a client's WebSocket connection >> request with its HTTP counterpart, in order to direct him to the same >> server. With an HTTP handshake, it's quite easy, just send the same >> cookies. With a dedicated port, something has to be explicitly designed >> in the new protocol to make this possible. TLS has the same issue. > > > Because the webpage from served from the same server? > > Interesting point. > > Might be easy to solve with the tunneling algorithm I shared, because you > could have each server emit a different packet signature to which the > client sent the same signature replies. > >> >>> > However, having TLS as a complement of HTTP would be very nice and it >>> > could probably make sense to try it by default. >>> >>> How about TLS as a complement to specific port+tunnel? Seems like a >>> better combination. >>> >>> Hard fail -> TLS or Comet/BOSH (configurable choice, or let application >>> layer implement) >> >> See above ;-) > > After replying to all your points, I repeat the question. > >> >> Regards, >> Willy >> >> >> > > _______________________________________________ > hybi mailing list > hybi@ietf.org > https://www.ietf.org/mailman/listinfo/hybi > >
- [hybi] New port and Tunneling? Shelby Moore
- Re: [hybi] New port and Tunneling? Willy Tarreau
- Re: [hybi] New port and Tunneling? Shelby Moore
- Re: [hybi] New port and Tunneling? Willy Tarreau
- Re: [hybi] New port and Tunneling? Shelby Moore
- Re: [hybi] New port and Tunneling? Willy Tarreau
- Re: [hybi] New port and Tunneling? Shelby Moore
- Re: [hybi] New port and Tunneling? Shelby Moore
- Re: [hybi] New port and Tunneling? Greg Wilkins
- Re: [hybi] New port and Tunneling? Shelby Moore
- Re: [hybi] New port and Tunneling? Greg Wilkins
- Re: [hybi] New port and Tunneling? Shelby Moore
- Re: [hybi] New port and Tunneling? Greg Wilkins
- Re: [hybi] New port and Tunneling? Willy Tarreau
- Re: [hybi] New port and Tunneling? Shelby Moore
- Re: [hybi] New port and Tunneling? Greg Wilkins
- Re: [hybi] New port and Tunneling? Greg Wilkins
- Re: [hybi] New port and Tunneling? Willy Tarreau
- Re: [hybi] New port and Tunneling? Shelby Moore
- Re: [hybi] New port and Tunneling? Willy Tarreau
- Re: [hybi] New port and Tunneling? Greg Wilkins
- Re: [hybi] New port and Tunneling? Shelby Moore
- Re: [hybi] New port and Tunneling? Shelby Moore
- Re: [hybi] New port and Tunneling? Shelby Moore
- Re: [hybi] New port and Tunneling? Shelby Moore
- Re: [hybi] New port and Tunneling? Vladimir Katardjiev
- Re: [hybi] New port and Tunneling? Shelby Moore
- Re: [hybi] New port and Tunneling? Vladimir Katardjiev
- Re: [hybi] New port and Tunneling? Willy Tarreau
- Re: [hybi] New port and Tunneling? Shelby Moore
- Re: [hybi] New port and Tunneling? Shelby Moore
- Re: [hybi] New port and Tunneling? Shelby Moore
- Re: [hybi] New port and Tunneling? Shelby Moore
- Re: [hybi] New port and Tunneling? Shelby Moore
- Re: [hybi] New port and Tunneling? Shelby Moore
- Re: [hybi] New port and Tunneling? Adam Barth
- Re: [hybi] New port and Tunneling? Shelby Moore
- Re: [hybi] New port and Tunneling? Adam Barth
- Re: [hybi] New port and Tunneling? Shelby Moore
- Re: [hybi] New port and Tunneling? Dave Cridland
- Re: [hybi] New port and Tunneling? Shelby Moore
- Re: [hybi] New port and Tunneling? Shelby Moore
- Re: [hybi] New port and Tunneling? Shelby Moore
- Re: [hybi] New port and Tunneling? Shelby Moore
- Re: [hybi] New port and Tunneling? Shelby Moore
- Re: [hybi] New port and Tunneling? Salvatore Loreto
- Re: [hybi] New port and Tunneling? Shelby Moore
- Re: [hybi] New port and Tunneling? Shelby Moore