From nobody Fri Mar 20 10:41:18 2020
Return-Path: <noreply@github.com>
X-Original-To: quic-issues@ietfa.amsl.com
Delivered-To: quic-issues@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1])
 by ietfa.amsl.com (Postfix) with ESMTP id 077FD3A0D60
 for <quic-issues@ietfa.amsl.com>; Fri, 20 Mar 2020 10:41:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.089
X-Spam-Level: 
X-Spam-Status: No, score=-3.089 tagged_above=-999 required=5
 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1,
 DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1,
 HTML_MESSAGE=0.001, MAILING_LIST_MULTI=-1, SPF_HELO_NONE=0.001,
 T_SPF_TEMPERROR=0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key)
 header.d=github.com
Received: from mail.ietf.org ([4.31.198.44])
 by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024)
 with ESMTP id cRAavkWYEORG for <quic-issues@ietfa.amsl.com>;
 Fri, 20 Mar 2020 10:40:58 -0700 (PDT)
Received: from out-23.smtp.github.com (out-23.smtp.github.com [192.30.252.206])
 (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
 (No client certificate requested)
 by ietfa.amsl.com (Postfix) with ESMTPS id 00B503A0D6F
 for <quic-issues@ietf.org>; Fri, 20 Mar 2020 10:40:47 -0700 (PDT)
Date: Fri, 20 Mar 2020 10:40:46 -0700
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=github.com;
 s=pf2014; t=1584726046;
 bh=l5nmX0y4ffFDhfjJO8EnG5hNw049h0CzN9qRKSAs6Ec=;
 h=Date:From:Reply-To:To:Cc:In-Reply-To:References:Subject:List-ID:
 List-Archive:List-Post:List-Unsubscribe:From;
 b=bHJii2q+HtQyuyGcqAFL9oJkYaETqAVQbV9DVGiqF82CNlr9YJuJs1ZMG+Ny1c6tp
 iSHqYVfKwohDpDak1wKmKyYRQhHcOULDFBzf8z211FaZNmd+6Bj0cAzZtnQoQEGYE+
 OkCnkvLG86g4XehrpB5q+WSKhX0g9HYNkYP9XcM8=
From: Lucas Pardue <notifications@github.com>
Reply-To: quicwg/base-drafts
 <reply+AFTOJK2KBWA4NMAZ3FRR2HV4QDQR5EVBNHHCFTHBIQ@reply.github.com>
To: quicwg/base-drafts <base-drafts@noreply.github.com>
Cc: Subscribed <subscribed@noreply.github.com>
Message-ID: <quicwg/base-drafts/pull/3531/review/378680616@github.com>
In-Reply-To: <quicwg/base-drafts/pull/3531@github.com>
References: <quicwg/base-drafts/pull/3531@github.com>
Subject: Re: [quicwg/base-drafts] Import HTTP/2 Security Considerations (#3531)
Mime-Version: 1.0
Content-Type: multipart/alternative;
 boundary="--==_mimepart_5e75001eb49c4_1d113fe6a44cd96473696";
 charset=UTF-8
Content-Transfer-Encoding: 7bit
Precedence: list
X-GitHub-Sender: LPardue
X-GitHub-Recipient: quic-issues
X-GitHub-Reason: subscribed
X-Auto-Response-Suppress: All
X-GitHub-Recipient-Address: quic-issues@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic-issues/lHnUCltrh6srmxSIuxyyv9AQ2Bk>
X-BeenThere: quic-issues@ietf.org
X-Mailman-Version: 2.1.29
List-Id: Notification list for GitHub issues related to the QUIC WG
 <quic-issues.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic-issues>,
 <mailto:quic-issues-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic-issues/>
List-Post: <mailto:quic-issues@ietf.org>
List-Help: <mailto:quic-issues-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic-issues>,
 <mailto:quic-issues-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 20 Mar 2020 17:41:15 -0000


----==_mimepart_5e75001eb49c4_1d113fe6a44cd96473696
Content-Type: text/plain;
 charset=UTF-8
Content-Transfer-Encoding: 7bit

LPardue commented on this pull request.

@MikeBishop these comments/suggestion address my earlier one about use of headers. I might be applying things wrong.

> +- the inclusion of uppercase header field names, or
+- the inclusion of invalid characters in header field names or values

```suggestion
- the inclusion of uppercase field names, or
- the inclusion of invalid characters in field names or values
```

> +features are strictly bounded.
+
+The number of PUSH_PROMISE frames is constrained in a similar fashion.  A client
+that accepts server push SHOULD limit the number of Push IDs it issues at a
+time.
+
+Processing capacity cannot be guarded as effectively as state capacity.
+
+The ability to send undefined protocol elements which the peer is required to
+ignore can be abused to cause a peer to expend additional processing time.  This
+might be done by setting multiple undefined SETTINGS parameters, unknown frame
+types, or unknown stream types.  Note, however, that some uses are entirely
+legitimate, such as optional-to-understand extensions and padding to increase
+resistance to traffic analysis.
+
+Header compression also offers some opportunities to waste processing resources;

Is it still called "header compression" in a post-header world?

> +A server that receives a larger header block than it is willing to handle can
+send an HTTP 431 (Request Header Fields Too Large) status code {{?RFC6585}}.  A
+client can discard responses that it cannot process.

Is this behaviour restricted to encoded blocks of Header field sections? Could a large trailer section trigger it?

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/quicwg/base-drafts/pull/3531#pullrequestreview-378680616
----==_mimepart_5e75001eb49c4_1d113fe6a44cd96473696
Content-Type: text/html;
 charset=UTF-8
Content-Transfer-Encoding: quoted-printable

<p></p>=0D
<p><b>@LPardue</b> commented on this pull request.</p>=0D
=0D
<p><a class=3D"user-mention" data-hovercard-type=3D"user" data-hovercard-=
url=3D"/users/MikeBishop/hovercard" data-octo-click=3D"hovercard-link-cli=
ck" data-octo-dimensions=3D"link_type:self" href=3D"https://github.com/Mi=
keBishop">@MikeBishop</a> these comments/suggestion address my earlier on=
e about use of headers. I might be applying things wrong.</p><hr>=0D
=0D
<p>In <a href=3D"https://github.com/quicwg/base-drafts/pull/3531#discussi=
on_r395788454">draft-ietf-quic-http.md</a>:</p>=0D
<pre style=3D'color:#555'>&gt; +- the inclusion of uppercase header field=
 names, or=0D
+- the inclusion of invalid characters in header field names or values=0D=

</pre>=0D
=E2=AC=87=EF=B8=8F Suggested change=0D
<pre style=3D"color: #555">-- the inclusion of uppercase header field nam=
es, or=0D
-- the inclusion of invalid characters in header field names or values=0D=

+- the inclusion of uppercase field names, or=0D
+- the inclusion of invalid characters in field names or values=0D
</pre>=0D
=0D
=0D
<hr>=0D
=0D
<p>In <a href=3D"https://github.com/quicwg/base-drafts/pull/3531#discussi=
on_r395790135">draft-ietf-quic-http.md</a>:</p>=0D
<pre style=3D'color:#555'>&gt; +features are strictly bounded.=0D
+=0D
+The number of PUSH_PROMISE frames is constrained in a similar fashion.  =
A client=0D
+that accepts server push SHOULD limit the number of Push IDs it issues a=
t a=0D
+time.=0D
+=0D
+Processing capacity cannot be guarded as effectively as state capacity.=0D=

+=0D
+The ability to send undefined protocol elements which the peer is requir=
ed to=0D
+ignore can be abused to cause a peer to expend additional processing tim=
e.  This=0D
+might be done by setting multiple undefined SETTINGS parameters, unknown=
 frame=0D
+types, or unknown stream types.  Note, however, that some uses are entir=
ely=0D
+legitimate, such as optional-to-understand extensions and padding to inc=
rease=0D
+resistance to traffic analysis.=0D
+=0D
+Header compression also offers some opportunities to waste processing re=
sources;=0D
</pre>=0D
<p>Is it still called "header compression" in a post-header world?</p>=0D=

=0D
<hr>=0D
=0D
<p>In <a href=3D"https://github.com/quicwg/base-drafts/pull/3531#discussi=
on_r395791766">draft-ietf-quic-http.md</a>:</p>=0D
<pre style=3D'color:#555'>&gt; +A server that receives a larger header bl=
ock than it is willing to handle can=0D
+send an HTTP 431 (Request Header Fields Too Large) status code {{?RFC658=
5}}.  A=0D
+client can discard responses that it cannot process.=0D
</pre>=0D
<p>Is this behaviour restricted to encoded blocks of Header field section=
s? Could a large trailer section trigger it?</p>=0D
=0D
<p style=3D"font-size:small;-webkit-text-size-adjust:none;color:#666;">&m=
dash;<br />You are receiving this because you are subscribed to this thre=
ad.<br />Reply to this email directly, <a href=3D"https://github.com/quic=
wg/base-drafts/pull/3531#pullrequestreview-378680616">view it on GitHub</=
a>, or <a href=3D"https://github.com/notifications/unsubscribe-auth/AFTOJ=
KZQFN2VTUYCYSRAH23RIOTB5ANCNFSM4LOVOONA">unsubscribe</a>.<img src=3D"http=
s://github.com/notifications/beacon/AFTOJKYPQE6FE3U3767C6SLRIOTB5A5CNFSM4=
LOVOONKYY3PNVWWK3TUL52HS4DFWFIHK3DMKJSXC5LFON2FEZLWNFSXPKTDN5WW2ZLOORPWSZ=
GOC2JDKKA.gif" height=3D"1" width=3D"1" alt=3D"" /></p>=0D
<script type=3D"application/ld+json">[=0D
{=0D
"@context": "http://schema.org",=0D
"@type": "EmailMessage",=0D
"potentialAction": {=0D
"@type": "ViewAction",=0D
"target": "https://github.com/quicwg/base-drafts/pull/3531#pullrequestrev=
iew-378680616",=0D
"url": "https://github.com/quicwg/base-drafts/pull/3531#pullrequestreview=
-378680616",=0D
"name": "View Pull Request"=0D
},=0D
"description": "View this Pull Request on GitHub",=0D
"publisher": {=0D
"@type": "Organization",=0D
"name": "GitHub",=0D
"url": "https://github.com"=0D
}=0D
}=0D
]</script>=

----==_mimepart_5e75001eb49c4_1d113fe6a44cd96473696--