Re: [quicwg/base-drafts] QPACK security considerations (#3575)

afrind <> Tue, 14 April 2020 22:46 UTC

List-Id: Notification list for GitHub issues related to the QUIC WG <>

@afrind commented on this pull request.

> +The amount of memory used by the compressor is limited by the protocol using
+QPACK through the definition of the maximum size of the dynamic table, and the
+maximum number of blocking streams. In HTTP/3, these values are controlled by
+the decoder through the setting parameter QPACK_MAX_TABLE_CAPACITY and
+QPACK_BLOCKED_STREAMS, respectively (see Section
+{{maximum-dynamic-table-capacity}} and {{blocked-streams}}). The limit on the
+size of the dynamic table takes into account both the size of the data stored in
+the dynamic table, plus a small allowance for overhead.  The limit on the number
+of blocked streams is only a proxy for the maximum amount of memory required by
+the decoder.  The actual maximum amount of memory will depend on how much memory
+the decoder uses to track each blocked stream.
+A decoder can limit the amount of state memory used for the dynamic table by
+setting an appropriate value for the maximum size of the dynamic table. In
+HTTP/3, this is realized by setting an appropriate value for the
+QPACK_MAX_TABLE_CAPACITY parameter. An encoder can limit the amount of state
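
Review bot: The first added paragraph opens with memory "used by the compressor", but its last two sentences describe the blocked-streams limit as a proxy for memory "required by the decoder", so it is unclear which endpoint each limit bounds; say explicitly, for both the dynamic table limit and the blocked-streams limit, whose memory is being constrained. In the same paragraph, "through the setting parameter QPACK_MAX_TABLE_CAPACITY and QPACK_BLOCKED_STREAMS" names two parameters and should read "settings parameters", and "takes into account both the size of the data stored in the dynamic table, plus a small allowance for overhead" should pair "both" with "and" rather than "plus".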

The text seems to consistently use SETTINGS_ variants, but the table omits it.  I'll fix these to match the text, but SETTINGS_ seems redundant in the table.  I'll resolve the inconsistency in another PR.
