Re: [hybi] Straw-poll on Masking options

[Willy Tarreau <w@1wt.eu>]

On Wed, Jan 12, 2011 at 06:27:19PM -0500, John Tamplin wrote:
> On Wed, Jan 12, 2011 at 6:00 PM, Willy Tarreau <w@1wt.eu> wrote:
> 
> > I personally have no objection against the XOR mask involving either or
> > both nonces provided that it only applies to payload, so as not to make
> > multiplexing impossible later.
> >
> 
> I don't think applying the mask to the payload or the entire frame matters
> regarding multiplexing - I believe the mux is going to have to unmask the
> inner frames anyway [assuming they were masked at all - the initial use case
> is a browser implementing muxing talking to a server (or frontend acting as
> a server] that implements the MUX extension to reduce the number of
> connections).

Not necessarily John. Imagine for instance a mux which makes use of the
Host+path + maybe some other requests elements to aggregate multiple
streams over a single connection and forward it to a server. It will
know what stream goes where. However, if it wants to correctly
interleave frames, it must know their lengths, which means having
access to the framing (which almost only contains the length BTW).

Imagine you have two client streams A and B with frames numbered
1 to 4 of various lengths :

  A : 11222222222333333344444444444
  B : 11111122222222333333333333344

The mux would send that to C :

      A(11)B(111111)A(22222222222)B(2222222)...

This does not require decoding the payload though. However, if there is
no way to read the framing, multiplexing is not possible.

The only ones which will need to read the payload are the ones which
will accept the connection on behalf of the server. Since they will
share nonces with the client, if the keying depends on nonces, then
it will have to decode on one side to recode on the other one, which
becomes quite inefficient.

Regards,
Willy