IETF Logo Mail Archive

Re: [hybi] Review of draft-ietf-hybi-thewebsocketprotocol-13

Iñaki Baz Castillo <ibc@aliax.net> Tue, 06 September 2011 17:36 UTC

Return-Path: <ibc@aliax.net>
X-Original-To: hybi@ietfa.amsl.com
Delivered-To: hybi@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 19EC221F8B62; Tue, 6 Sep 2011 10:36:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.646
X-Spam-Level:
X-Spam-Status: No, score=-2.646 tagged_above=-999 required=5 tests=[AWL=0.031, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, MIME_8BIT_HEADER=0.3, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id S+kVMW5Ol+5I; Tue, 6 Sep 2011 10:36:10 -0700 (PDT)
Received: from mail-qw0-f52.google.com (mail-qw0-f52.google.com [209.85.216.52]) by ietfa.amsl.com (Postfix) with ESMTP id 4C1BF21F8B5D; Tue, 6 Sep 2011 10:36:10 -0700 (PDT)
Received: by qwb8 with SMTP id 8so5637574qwb.25 for <multiple recipients>; Tue, 06 Sep 2011 10:37:57 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.224.184.12 with SMTP id ci12mr4035890qab.270.1315330676871; Tue, 06 Sep 2011 10:37:56 -0700 (PDT)
Received: by 10.229.79.207 with HTTP; Tue, 6 Sep 2011 10:37:56 -0700 (PDT)
In-Reply-To: <2E9037FF-84E3-4DAE-877C-592CB2DEA9A7@bbn.com>
References: <942CCA6B-B784-441B-96CA-3506FFC439E1@bbn.com> <4E620046.2000400@isode.com> <E566DD99-64E5-47DF-A24C-3AA4E2EA20CA@bbn.com> <634914A010D0B943A035D226786325D422C0EB8DED@EXVMBX020-12.exch020.serverdata.net> <2E9037FF-84E3-4DAE-877C-592CB2DEA9A7@bbn.com>
Date: Tue, 06 Sep 2011 19:37:56 +0200
Message-ID: <CALiegfmn0e8Ei9x-KnH3Ejh3TBHy2gv-dfHMStoTYxZrjWH-Sg@mail.gmail.com>
From: Iñaki Baz Castillo <ibc@aliax.net>
To: "Richard L. Barnes" <rbarnes@bbn.com>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Cc: General Area Review Team <gen-art@ietf.org>, "hybi@ietf.org" <hybi@ietf.org>
Subject: Re: [hybi] Review of draft-ietf-hybi-thewebsocketprotocol-13
X-BeenThere: hybi@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Server-Initiated HTTP <hybi.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/hybi>, <mailto:hybi-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hybi>
List-Post: <mailto:hybi@ietf.org>
List-Help: <mailto:hybi-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 06 Sep 2011 17:36:11 -0000

2011/9/6 Richard L. Barnes <rbarnes@bbn.com>:
> In all of these examples, the implementation is imposing "some limit" (the streamer just has an effective zero limit).  The exhaustion/DoS possibilities arise when an implementation doesn't enforce a limit -- just keeps growing the buffer as long as frames keep coming.  That's the reason for making the recommendation for "some limit" a MUST instead of a MAY -- if you don't enforce some limit, then someone on the other end can force you to accept unlimited data.

This is not a good argument. Think in HTTP. I can send an HTTP request
with "infinite" headers to a HTTP server expecting that the server
would buffer all of them and suffer of DoS. See:

  http://ha.ckers.org/slowloris/

And note that HTTP protocol does NOT provide something like "HTTP
headers max size" negotiation at all. It's up to the HTTP server to
determine whether to consider incoming request as a DoS or not and act
according.

And what I've explained aslo applies to any other headers-based text
protocol and others (SIP, XMPP, FTP....).



-- 
Iñaki Baz Castillo
<ibc@aliax.net>

v2.23.0 | Report a Bug | By Email