-
Notifications
You must be signed in to change notification settings - Fork 4.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
HttpConnPoolImplMixed could result in many unused upstream connections #15947
Comments
@alyssawilk thoughts? |
You can never be sure which way this is going to go, and you either take a CPU penalty by assuming H1 (and doing unnecessary handshakes) or a latency penalty and assuming H2 (and queueing streams for a connection which can't handle them in parallel). The current implementation defaults to the former, but there's no reason we can't allow the latter with a config knob. |
Thank you for the response. I do agree that HTTP/1.1 has this behavior, but my question is specific to the combination of conditions listed where upstream is likely to negotiate h2 (but not always). If downstream is h2 then it is very cheap to send lots of requests, which would trigger lots of upstream TLS handshakes. The amplification is due to the difference in cost of creating a new h2 stream vs an upstream TLS handshake. |
I agree that the ALPN pool would do extra work in this case, but again with years worth of proxies that terminate HTTP/1 and forward HTTP/1.1 back (which is still a common mode for folks who haven't updated its infrastructure) I really don't think it qualifies as an attack or a bug, just a config knob which would be good to have. You can cause as many handshakes if you control the upstream by simply closing connections after use, or sending GOAWAYs after a single request. |
Thanks again. We would certainly appreciate the config knob (to assume h2 and limit upstream connections in the mixed pool) in our environment. |
This issue has been automatically marked as stale because it has not had activity in the last 30 days. It will be closed in the next 7 days unless it is tagged "help wanted" or "no stalebot" or other activity occurs. Thank you for your contributions. |
This issue has been automatically closed because it has not had activity in the last 37 days. If this issue is still valid, please ping a maintainer and ask them to label it as "help wanted" or "no stalebot". Thank you for your contributions. |
…envoyproxy#20789) Risk Level: low (off by default) Testing: unit + integration Docs Changes: n/a Release Notes: n/a Runtime guard: envoy.reloadable_features.allow_concurrency_for_alpn_pool Part of envoyproxy#20696 part of envoyproxy#15947 Signed-off-by: Alyssa Wilk <alyssar@chromium.org> Signed-off-by: Andre Vehreschild <vehre@x41-dsec.de>
…envoyproxy#20789) Risk Level: low (off by default) Testing: unit + integration Docs Changes: n/a Release Notes: n/a Runtime guard: envoy.reloadable_features.allow_concurrency_for_alpn_pool Part of envoyproxy#20696 part of envoyproxy#15947 Signed-off-by: Alyssa Wilk <alyssar@chromium.org>
Title:
HttpConnPoolImplMixed
unused connectionsDescription:
Consider a scenario with the following conditions:
HttpConnPoolImplMixed
is required (possibly because some percentage of upstream servers are expected to still use http/1.1)HttpConnPoolImplMixed::instantiateActiveClient
sets theconcurrent_stream_limit
to 1, which results in a new upstream connection for every downstream h2 stream, and each of the upstream connections would start a TLS handshake. The first connection that negotiates h2 would then be associated with all/most of the downstream streams, resulting in a bunch of unused h2 connections.I understand that the connection-per-stream behavior is expected if upstream is mostly http/1.1, but could this be considered an amplification attack if upstream is expected to negotiate h2 most of the time, given that every downstream stream will result in an expensive TLS handshake?
The text was updated successfully, but these errors were encountered: