IETF Logo Mail Archive

Re: [hybi] workability (or otherwise) of HTTP upgrade

Adrien de Croy <adrien@qbik.com> Tue, 07 December 2010 06:41 UTC

Return-Path: <adrien@qbik.com>
X-Original-To: hybi@core3.amsl.com
Delivered-To: hybi@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id DB9373A691C for <hybi@core3.amsl.com>; Mon, 6 Dec 2010 22:41:28 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.549
X-Spam-Level:
X-Spam-Status: No, score=-6.549 tagged_above=-999 required=5 tests=[AWL=-3.950, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id IvBkVHOSG7qy for <hybi@core3.amsl.com>; Mon, 6 Dec 2010 22:41:26 -0800 (PST)
Received: from smtp.qbik.com (smtp.qbik.com [210.55.214.35]) by core3.amsl.com (Postfix) with ESMTP id EEBF23A6911 for <hybi@ietf.org>; Mon, 6 Dec 2010 22:41:25 -0800 (PST)
Received: From [192.168.1.10] (unverified [125.237.244.120]) by SMTP Server [210.55.214.35] (WinGate SMTP Receiver v7.0.0 (Build 3093)) with SMTP id <0017835814@smtp.qbik.com>; Tue, 7 Dec 2010 19:42:47 +1300
Message-ID: <4CFDD767.2080507@qbik.com>
Date: Tue, 07 Dec 2010 19:42:47 +1300
From: Adrien de Croy <adrien@qbik.com>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.9.2.12) Gecko/20101027 Thunderbird/3.1.6
MIME-Version: 1.0
To: Willy Tarreau <w@1wt.eu>
References: <AANLkTin6=8_Bhn2YseoSHGh1OSkQzsYrTW=fMiPvYps1@mail.gmail.com> <20101126000352.ad396b9a.eric@bisonsystems.net> <AANLkTimzQyG4hugOvHqoNrBrZFA4fGbGXQ7MZ2i+68dO@mail.gmail.com> <BB947F6D-15AA-455D-B830-5E12C80C1ACD@mnot.net> <81870DB1-B177-4253-8233-52C4168BE99D@apple.com> <F4D1B715-3606-4E9A-BFB2-8B7BC11BE331@mnot.net> <20101207061028.GM19364@1wt.eu>
In-Reply-To: <20101207061028.GM19364@1wt.eu>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
X-Mailman-Approved-At: Mon, 06 Dec 2010 23:22:27 -0800
Cc: hybi HTTP <hybi@ietf.org>, HTTP Working Group <ietf-http-wg@w3.org>
Subject: Re: [hybi] workability (or otherwise) of HTTP upgrade
X-BeenThere: hybi@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Server-Initiated HTTP <hybi.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hybi>
List-Post: <mailto:hybi@ietf.org>
List-Help: <mailto:hybi-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 07 Dec 2010 06:41:29 -0000

from a proxy / firewall vendor perspective, overloading yet more 
functionality over port 80 CONNECT is something that will simply cause 
us more work, and require us to put more resources into dealing with the 
sort of requests made by CONNECT.

It's bad enough already having malware use CONNECT, so you have to lock 
it down.

Trying to distinguish legitimate use from undesired use gets more 
difficult the more you put over this.

It means you pretty much need to put a firewall and protocol sniffing on 
top of your tunneled connections.

So, where does this lead?  Everyone starts using port 80 for everything, 
and in the end port 80 will be where TCP is now.  Highly restricted.

Except for the additional overhead and complexity = bugs, worse 
performance and security problems.

Maybe we need to stop and think about why the other ports are blocked, 
which compels us to try and circumvent company policy by looking for 
back-door ways to get connectivity.

Mark's comments about an arms-race are spot on.

Whilst you may get good odds of a successful connection now, wait a few 
years when people start locking CONNECT down and it will likely be no 
better than TCP on a different port is now.  Except coaching customers 
to lock down CONNECT is a PITN.

Cheers

Adrien


On 7/12/2010 7:10 p.m., Willy Tarreau wrote:
> On Tue, Dec 07, 2010 at 01:13:28PM +1100, Mark Nottingham wrote:
>> On 07/12/2010, at 12:30 PM, Maciej Stachowiak wrote:
>>
>>> On Dec 6, 2010, at 4:53 PM, Mark Nottingham wrote:
>>>
>>>> I don't think that's the relevant aspect here. "Another port" could be port 80 or port 443 (nasty, and you wouldn't make it the default, but I think you see where I'm going).
>>>>
>>>> The question is why it's necessary to run both HTTP and WebSockets traffic over the *same* port simultaneously -- something that AFAICT is taken as axiomatic, and I'm really wondering why.
>>> Web developers will likely want to operate both a WebSocket service and an HTTP service on the same server, since WebSocket services are likely to be most useful in combination with a Web application that makes use of them. At the same time, they will want their WebSocket traffic to go through firewalls properly. It would be a significant burden if a WebSocket service required a separate domain name, physical or virtual server, and possibly SSL cert.
>>>
>>> Thus desire to have a single piece of server software that can dispatch connects to HTTP applications or Web applications as appropriate.
>> You don't need a different domain name, hardware, OS instance or certificate to listen to a different port, and if you have a wildcard SSL cert, you can use the same cert for the same port number on two different hosts.
> In my opinion the problem is not here, but the adoption rate depending
> on the port. Many organisations implement URL filtering on port 80,
> white-list based filtering on 443 and nothing else around. If you want
> to deploy a site which quickly gets a lot of traffic, port 80 clearly
> is the most suited, which is even more true considering that long polling
> mechanisms already work over that port.
>
> Also, being able to switch from HTTP to WS over a same socket for some
> services can save one round trip, but that's marginal in most situations,
> except from mobile phones.
>
> Regards,
> Willy
>
>

-- 
Adrien de Croy - WinGate Proxy Server - http://www.wingate.com

v2.23.0 | Report a Bug | By Email