Re: [hybi] Review of draft-ietf-hybi-thewebsocketprotocol-13
Iñaki Baz Castillo <ibc@aliax.net> Tue, 06 September 2011 17:36 UTC
Return-Path: <ibc@aliax.net>
X-Original-To: hybi@ietfa.amsl.com
Delivered-To: hybi@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 19EC221F8B62; Tue, 6 Sep 2011 10:36:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.646
X-Spam-Level:
X-Spam-Status: No, score=-2.646 tagged_above=-999 required=5 tests=[AWL=0.031, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, MIME_8BIT_HEADER=0.3, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id S+kVMW5Ol+5I; Tue, 6 Sep 2011 10:36:10 -0700 (PDT)
Received: from mail-qw0-f52.google.com (mail-qw0-f52.google.com [209.85.216.52]) by ietfa.amsl.com (Postfix) with ESMTP id 4C1BF21F8B5D; Tue, 6 Sep 2011 10:36:10 -0700 (PDT)
Received: by qwb8 with SMTP id 8so5637574qwb.25 for <multiple recipients>; Tue, 06 Sep 2011 10:37:57 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.224.184.12 with SMTP id ci12mr4035890qab.270.1315330676871; Tue, 06 Sep 2011 10:37:56 -0700 (PDT)
Received: by 10.229.79.207 with HTTP; Tue, 6 Sep 2011 10:37:56 -0700 (PDT)
In-Reply-To: <2E9037FF-84E3-4DAE-877C-592CB2DEA9A7@bbn.com>
References: <942CCA6B-B784-441B-96CA-3506FFC439E1@bbn.com> <4E620046.2000400@isode.com> <E566DD99-64E5-47DF-A24C-3AA4E2EA20CA@bbn.com> <634914A010D0B943A035D226786325D422C0EB8DED@EXVMBX020-12.exch020.serverdata.net> <2E9037FF-84E3-4DAE-877C-592CB2DEA9A7@bbn.com>
Date: Tue, 06 Sep 2011 19:37:56 +0200
Message-ID: <CALiegfmn0e8Ei9x-KnH3Ejh3TBHy2gv-dfHMStoTYxZrjWH-Sg@mail.gmail.com>
From: Iñaki Baz Castillo <ibc@aliax.net>
To: "Richard L. Barnes" <rbarnes@bbn.com>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Cc: General Area Review Team <gen-art@ietf.org>, "hybi@ietf.org" <hybi@ietf.org>
Subject: Re: [hybi] Review of draft-ietf-hybi-thewebsocketprotocol-13
X-BeenThere: hybi@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Server-Initiated HTTP <hybi.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/hybi>, <mailto:hybi-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hybi>
List-Post: <mailto:hybi@ietf.org>
List-Help: <mailto:hybi-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 06 Sep 2011 17:36:11 -0000
2011/9/6 Richard L. Barnes <rbarnes@bbn.com>: > In all of these examples, the implementation is imposing "some limit" (the streamer just has an effective zero limit). The exhaustion/DoS possibilities arise when an implementation doesn't enforce a limit -- just keeps growing the buffer as long as frames keep coming. That's the reason for making the recommendation for "some limit" a MUST instead of a MAY -- if you don't enforce some limit, then someone on the other end can force you to accept unlimited data. This is not a good argument. Think in HTTP. I can send an HTTP request with "infinite" headers to a HTTP server expecting that the server would buffer all of them and suffer of DoS. See: http://ha.ckers.org/slowloris/ And note that HTTP protocol does NOT provide something like "HTTP headers max size" negotiation at all. It's up to the HTTP server to determine whether to consider incoming request as a DoS or not and act according. And what I've explained aslo applies to any other headers-based text protocol and others (SIP, XMPP, FTP....). -- Iñaki Baz Castillo <ibc@aliax.net>
- [hybi] Review of draft-ietf-hybi-thewebsocketprot… Richard L. Barnes
- Re: [hybi] Review of draft-ietf-hybi-thewebsocket… Iñaki Baz Castillo
- Re: [hybi] Review of draft-ietf-hybi-thewebsocket… Alexey Melnikov
- Re: [hybi] Review of draft-ietf-hybi-thewebsocket… Richard L. Barnes
- Re: [hybi] Review of draft-ietf-hybi-thewebsocket… Willy Tarreau
- Re: [hybi] Review of draft-ietf-hybi-thewebsocket… Philipp Serafin
- Re: [hybi] Review of draft-ietf-hybi-thewebsocket… Richard L. Barnes
- Re: [hybi] Review of draft-ietf-hybi-thewebsocket… Richard L. Barnes
- Re: [hybi] Review of draft-ietf-hybi-thewebsocket… Tobias Oberstein
- Re: [hybi] Review of draft-ietf-hybi-thewebsocket… Tobias Oberstein
- Re: [hybi] Review of draft-ietf-hybi-thewebsocket… Richard L. Barnes
- Re: [hybi] Review of draft-ietf-hybi-thewebsocket… Iñaki Baz Castillo
- Re: [hybi] Review of draft-ietf-hybi-thewebsocket… Richard L. Barnes
- Re: [hybi] Review of draft-ietf-hybi-thewebsocket… Richard L. Barnes
- Re: [hybi] Review of draft-ietf-hybi-thewebsocket… Richard L. Barnes
- Re: [hybi] Review of draft-ietf-hybi-thewebsocket… Iñaki Baz Castillo
- Re: [hybi] Review of draft-ietf-hybi-thewebsocket… Iñaki Baz Castillo
- Re: [hybi] Review of draft-ietf-hybi-thewebsocket… Tobias Oberstein
- Re: [hybi] Review of draft-ietf-hybi-thewebsocket… Willy Tarreau
- Re: [hybi] Review of draft-ietf-hybi-thewebsocket… Tobias Oberstein
- Re: [hybi] Review of draft-ietf-hybi-thewebsocket… Bjoern Hoehrmann
- Re: [hybi] Review of draft-ietf-hybi-thewebsocket… Tobias Oberstein
- Re: [hybi] Review of draft-ietf-hybi-thewebsocket… Tobias Oberstein
- Re: [hybi] Review of draft-ietf-hybi-thewebsocket… Richard L. Barnes
- Re: [hybi] Review of draft-ietf-hybi-thewebsocket… Richard L. Barnes
- Re: [hybi] Review of draft-ietf-hybi-thewebsocket… Richard L. Barnes
- Re: [hybi] Review of draft-ietf-hybi-thewebsocket… Tobias Oberstein
- Re: [hybi] Review of draft-ietf-hybi-thewebsocket… Tobias Oberstein
- Re: [hybi] Review of draft-ietf-hybi-thewebsocket… Iñaki Baz Castillo
- Re: [hybi] Review of draft-ietf-hybi-thewebsocket… Richard L. Barnes
- Re: [hybi] Review of draft-ietf-hybi-thewebsocket… Iñaki Baz Castillo
- Re: [hybi] [Gen-art] Review of draft-ietf-hybi-th… Alexey Melnikov
- Re: [hybi] Review of draft-ietf-hybi-thewebsocket… Alexey Melnikov
- Re: [hybi] Review of draft-ietf-hybi-thewebsocket… Richard L. Barnes
- Re: [hybi] Review of draft-ietf-hybi-thewebsocket… Alexey Melnikov
- Re: [hybi] Review of draft-ietf-hybi-thewebsocket… Greg Wilkins