IETF Logo Mail Archive

Re: [hybi] [Editorial Errata Reported] RFC6455 (3473)

Martin Thomson <martin.thomson@gmail.com> Fri, 01 February 2013 14:27 UTC

Return-Path: <martin.thomson@gmail.com>
X-Original-To: hybi@ietfa.amsl.com
Delivered-To: hybi@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0377721F8FF4 for <hybi@ietfa.amsl.com>; Fri, 1 Feb 2013 06:27:39 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.074
X-Spam-Level:
X-Spam-Status: No, score=-4.074 tagged_above=-999 required=5 tests=[AWL=-0.476, BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1, WEIRD_PORT=0.001]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8EmEmTUXyEwo for <hybi@ietfa.amsl.com>; Fri, 1 Feb 2013 06:27:38 -0800 (PST)
Received: from mail-wg0-f50.google.com (mail-wg0-f50.google.com [74.125.82.50]) by ietfa.amsl.com (Postfix) with ESMTP id C848C21F8DF8 for <hybi@ietf.org>; Fri, 1 Feb 2013 06:27:34 -0800 (PST)
Received: by mail-wg0-f50.google.com with SMTP id es5so2980958wgb.5 for <hybi@ietf.org>; Fri, 01 Feb 2013 06:27:33 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:x-received:in-reply-to:references:date:message-id :subject:from:to:cc:content-type:content-transfer-encoding; bh=8uVqdEn2HTmFq3PtJA9zZhUyhyKybeTEVtTPdFFwsKo=; b=rhwJaZPx9oFMXdsa2xsxPwq3wh7ipuaf04vvZFSchDu7Xbmb0tcBOyTVzprBdkAFSY XME0zVAC8C39PpoMqFqYj5JCPIWCBrg7zciXYASjQadxvd8Jxz4MqC2jmSwq8mlCHVX0 bqEPKueTAOJ9lgtAWjVooeZsMqaLEh1Td6hysyR462VI+6d1GamJ8kG6VD82nOXmSY99 a+o0AJe7qsgJg0HQANNC/Ioctu+Hzc2JkEasJCpnTHPAzyirBmsa5yFx+jrp1kKjrjsS PrfudFDwTOQjwt+tXHlMCVnLykLjLaJDfmzJnaJ4h495n1dgoFHcCLAJifaPfUMo3yaY RLnA==
MIME-Version: 1.0
X-Received: by 10.194.123.105 with SMTP id lz9mr22210254wjb.43.1359728853596; Fri, 01 Feb 2013 06:27:33 -0800 (PST)
Received: by 10.194.161.234 with HTTP; Fri, 1 Feb 2013 06:27:33 -0800 (PST)
In-Reply-To: <20130201073846.78956B1E003@rfc-editor.org>
References: <20130201073846.78956B1E003@rfc-editor.org>
Date: Fri, 01 Feb 2013 23:27:33 +0900
Message-ID: <CABkgnnVO_qfFAKY28y_VL5vjXdUYtuAV5vNtFLpAFUk9zPiJkQ@mail.gmail.com>
From: Martin Thomson <martin.thomson@gmail.com>
To: RFC Errata System <rfc-editor@rfc-editor.org>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Cc: "hybi@ietf.org" <hybi@ietf.org>, presnick@qti.qualcomm.com, ifette+ietf@google.com, Gabriel Montenegro <Gabriel.Montenegro@microsoft.com>, Barry Leiba <barryleiba@computer.org>
Subject: Re: [hybi] [Editorial Errata Reported] RFC6455 (3473)
X-BeenThere: hybi@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Server-Initiated HTTP <hybi.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/hybi>, <mailto:hybi-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hybi>
List-Post: <mailto:hybi@ietf.org>
List-Help: <mailto:hybi-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 01 Feb 2013 14:27:39 -0000

Is this "host and port" or "IP and port" ?  That too is unclear.  If
I'm sharding a.example.com and b.example.com and they are served on
the same VIP, is the expectation that wss://a.example.com/ and
wss://b.example.com/ can't have concurrent connection attempts?

On 1 February 2013 16:38, RFC Errata System <rfc-editor@rfc-editor.org> wrote:
>
> The following errata report has been submitted for RFC6455,
> "The WebSocket Protocol".
>
> --------------------------------------
> You may review the report below and at:
> http://www.rfc-editor.org/errata_search.php?rfc=6455&eid=3473
>
> --------------------------------------
> Type: Editorial
> Reported by: Adam Rice <ricea@chromium.org>
>
> Section: 4.1
>
> Original Text
> -------------
>    2.  If the client already has a WebSocket connection to the remote
>        host (IP address) identified by /host/ and port /port/ pair, even
>        if the remote host is known by another name, the client MUST wait
>        until that connection has been established or for that connection
>        to have failed.  There MUST be no more than one connection in a
>        CONNECTING state.  If multiple connections to the same IP address
>        are attempted simultaneously, the client MUST serialize them so
>        that there is no more than one connection at a time running
>        through the following steps.
>
> Corrected Text
> --------------
>    2.  If the client already has a WebSocket connection to the remote
>        host (IP address) identified by /host/ and port /port/ pair, even
>        if the remote host is known by another name, the client MUST wait
>        until that connection has been established or for that connection
>        to have failed.  There MUST be no more than one connection in a
>        CONNECTING state.  If multiple connections to the same /host/ and
>        /port/ pair are attempted simultaneously, the client MUST serialize
>        them so that there is no more than one connection at a time running
>        through the following steps.
>
> Notes
> -----
> The original wording makes it ambiguous whether distinct ports on the same host are considered distinct for throttling purposes. The first sentence implies that the throttling should be applied per (host,port) pair, whereas the final sentence implies it is only based on IP address.
>
> Implementations of both interpretations appear to exist in the wild.
>
> I propose disambiguating in favour of the (host,port) interpretation, because the host-only interpretation allows for a potential denial-of-service attack targeted against hosts which drop packets to unused ports.
>
> For example, an attacker from a different origin can create several hundred WebSockets to "wss://google.com:81/". Each one will attempt to connect in serial, and take tens of seconds to time out.
>
> If the user then attempts to use an application which legitimately uses a WebSocket to "wss://google.com:443/", then due to the throttling to google.com it will not be able to connect until all of the attacker's connections have timed out.
>
> The user will perceive that the legitimate application is malfunctioning, since there is no visible sign that they are being attacked. From the server end, the attack is only apparent in the firewall logs. The actual rate of SYN packets dropped will be small and unlikely to trigger an alert.
>
> On the other hand, with the (host,port) interpretation, connections to google.com:81 do not block connections to google.com:443, and this attack is completely ineffective.
>
> Instructions:
> -------------
> This errata is currently posted as "Reported". If necessary, please
> use "Reply All" to discuss whether it should be verified or
> rejected. When a decision is reached, the verifying party (IESG)
> can log in to change the status and edit the report, if necessary.
>
> --------------------------------------
> RFC6455 (draft-ietf-hybi-thewebsocketprotocol-17)
> --------------------------------------
> Title               : The WebSocket Protocol
> Publication Date    : December 2011
> Author(s)           : I. Fette, A. Melnikov
> Category            : PROPOSED STANDARD
> Source              : BiDirectional or Server-Initiated HTTP
> Area                : Applications
> Stream              : IETF
> Verifying Party     : IESG
> _______________________________________________
> hybi mailing list
> hybi@ietf.org
> https://www.ietf.org/mailman/listinfo/hybi

v2.23.0 | Report a Bug | By Email