QPACK security considerations #3575
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Behold Fixes: 1737
martinthomson
approved these changes
Apr 14, 2020
draft-ietf-quic-qpack.md
Outdated
|
|
||
| Note: | ||
|
|
||
| Padding schemes only provide limited protection against an attacker with these |
There was a problem hiding this comment.
Suggested change
| Padding schemes only provide limited protection against an attacker with these | |
| : Padding schemes only provide limited protection against an attacker with these |
draft-ietf-quic-qpack.md
Outdated
| table are attributed to an entity, and only the entity that created a particular | ||
| value can extract that value. | ||
|
|
||
| To improve compression performance of tqhis option, certain entries might be tagged as being public. For example, a web browser might make the values of the Accept-Encoding header field available in all requests. |
There was a problem hiding this comment.
Suggested change
| To improve compression performance of tqhis option, certain entries might be tagged as being public. For example, a web browser might make the values of the Accept-Encoding header field available in all requests. | |
| To improve compression performance of this option, certain entries might be | |
| tagged as being public. For example, a web browser might make the values of the | |
| Accept-Encoding header field available in all requests. |
draft-ietf-quic-qpack.md
Outdated
|
|
||
| Note: | ||
|
|
||
| Simply removing entries corresponding to the header field from the dynamic table |
There was a problem hiding this comment.
Suggested change
| Simply removing entries corresponding to the header field from the dynamic table | |
| : Simply removing entries corresponding to the header field from the dynamic table |
draft-ietf-quic-qpack.md
Outdated
Comment on lines
1270
to
1272
| that a large number of attempts to guess a header field value results in the | ||
| header field no more being compared to the dynamic table entries in future | ||
| messages, effectively preventing further guesses. |
There was a problem hiding this comment.
Suggested change
| that a large number of attempts to guess a header field value results in the | |
| header field no more being compared to the dynamic table entries in future | |
| messages, effectively preventing further guesses. | |
| that a large number of attempts to guess a header field value results in the | |
| header field not being compared to the dynamic table entries in future | |
| messages, effectively preventing further guesses. |
I had a little trouble with "no more".
draft-ietf-quic-qpack.md
Outdated
Comment on lines
1284
to
1286
| field value. Marking a header field as not using the dynamic table any more | ||
| might occur for shorter values more quickly or with higher probability than for | ||
| longer values. |
There was a problem hiding this comment.
Suggested change
| field value. Marking a header field as not using the dynamic table any more | |
| might occur for shorter values more quickly or with higher probability than for | |
| longer values. | |
| field value. Disabling access to the dynamic table for a header field might | |
| occur for shorter values more quickly or with higher probability than for longer | |
| values. |
draft-ietf-quic-qpack.md
Outdated
| Note that these criteria for deciding to use a never indexed literal | ||
| representation will evolve over time as new attacks are discovered. | ||
|
|
||
| ##. Static Huffman Encoding |
There was a problem hiding this comment.
Suggested change
| ##. Static Huffman Encoding | |
| ## Static Huffman Encoding |
draft-ietf-quic-qpack.md
Outdated
Comment on lines
1334
to
1335
| designed to limit both the peak and state amounts of memory allocated by an | ||
| endpoint. |
There was a problem hiding this comment.
Suggested change
| designed to limit both the peak and state amounts of memory allocated by an | |
| endpoint. | |
| designed to limit both the peak and stable amounts of memory allocated by an | |
| endpoint. |
There was a problem hiding this comment.
This error is in the HPACK RFC. Is it worth an errata?
There was a problem hiding this comment.
I'll let you manage that :) You can be the author of an RFC erratum. The glory!
draft-ietf-quic-qpack.md
Outdated
| QPACK through the definition of the maximum size of the dynamic table, and the | ||
| maximum number of blocking streams. In HTTP/3, these values are controlled by | ||
| the decoder through the setting parameter QPACK_MAX_TABLE_CAPACITY and | ||
| QPACK_BLOCKED_STREAMS, respectively (see Section |
There was a problem hiding this comment.
Suggested change
| QPACK_BLOCKED_STREAMS, respectively (see Section | |
| QPACK_BLOCKED_STREAMS, respectively (see |
draft-ietf-quic-qpack.md
Outdated
| HTTP/3, this is realized by setting an appropriate value for the | ||
| QPACK_MAX_TABLE_CAPACITY parameter. An encoder can limit the amount of state | ||
| memory it uses by signaling lower dynamic table size than the decoder allows | ||
| (see {{eviction}}). A decoder can limit the amount of state memory used for |
There was a problem hiding this comment.
Suggested change
| (see {{eviction}}). A decoder can limit the amount of state memory used for | |
| (see {{eviction}}). | |
| A decoder can limit the amount of state memory used for |
LPardue
approved these changes
Apr 14, 2020
draft-ietf-quic-qpack.md
Outdated
| recovered successfully. However, values with low entropy remain vulnerable. | ||
|
|
||
| Attacks of this nature are possible any time that two mutually distrustful | ||
| entities control requests or responses that are placed onto a single HTTP/2 |
There was a problem hiding this comment.
Suggested change
| entities control requests or responses that are placed onto a single HTTP/2 | |
| entities control requests or responses that are placed onto a single HTTP/3 |
draft-ietf-quic-qpack.md
Outdated
| A decoder can limit the amount of state memory used for the dynamic table by | ||
| setting an appropriate value for the maximum size of the dynamic table. In | ||
| HTTP/3, this is realized by setting an appropriate value for the | ||
| QPACK_MAX_TABLE_CAPACITY parameter. An encoder can limit the amount of state |
There was a problem hiding this comment.
nit: the doc is inconsistent about QPACK_MAX_TABLE_CAPACITY vs SETTINGS_QPACK_MAX_TABLE_CAPACITY. I don't know what the answer is
There was a problem hiding this comment.
The text seems to consistently use SETTINGS_ variants, but the table omits it. I'll fix these to match the text, but SETTINGS_ seems redundant in the table. I'll resolve the inconsistency in another PR.
There was a problem hiding this comment.
It's an (unstated) norm to omit SETTINGS_ in cases where it's already blatantly obvious that we're discussing a setting. You'll find similar variance in 7540, 7541, and HTTP/3.
draft-ietf-quic-qpack.md
Outdated
| setting an appropriate value for the maximum size of the dynamic table. In | ||
| HTTP/3, this is realized by setting an appropriate value for the | ||
| QPACK_MAX_TABLE_CAPACITY parameter. An encoder can limit the amount of state | ||
| memory it uses by signaling lower dynamic table size than the decoder allows |
There was a problem hiding this comment.
Suggested change
| memory it uses by signaling lower dynamic table size than the decoder allows | |
| memory it uses by signaling a lower dynamic table size than the decoder allows |
draft-ietf-quic-qpack.md
Outdated
| (see {{eviction}}). A decoder can limit the amount of state memory used for | ||
| blocked streams by setting an appropriate value for the maximum number of | ||
| blocked streams. In HTTP/3, this is realized by setting an appropriate value | ||
| for the QPACK_BLOCKED_STREAMS parameter. An encoder can limit the amount of |
There was a problem hiding this comment.
nit: QPACK_BLOCKED_STREAMS vs. SETTINGS_QPACK_BLOCKED_STREAMS
martinthomson
added
-qpack
editorial
MikeBishop
approved these changes
Apr 16, 2020
| An implementation has to set a limit for the values it accepts for integers, as | ||
| well as for the encoded length (see {{prefixed-integers}}). In the same way, it | ||
| has to set a limit to the length it accepts for string literals (see | ||
| {{string-literals}}). |
There was a problem hiding this comment.
I believe we have a minimum size which MUST be supported; should that be mentioned here?
There was a problem hiding this comment.
@MikeBishop : I can't quite figure an elegant way to mention the minimum here. It is already mentioned in the referenced section.
bencebeky
approved these changes
Apr 22, 2020
draft-ietf-quic-qpack.md
Outdated
| SETTINGS_QPACK_BLOCKED_STREAMS, respectively (see | ||
| {{maximum-dynamic-table-capacity}} and {{blocked-streams}}). The limit on the | ||
| size of the dynamic table takes into account both the size of the data stored in | ||
| the dynamic table, plus a small allowance for overhead. The limit on the number |
There was a problem hiding this comment.
"both" does not flow well with "plus". Either s/", plus"/" and"/, or remove "both".
|
@afrind I think this is inches of getting landed |
Feedback from Mike Co-authored-by: Mike Bishop <mbishop@evequefou.be>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Behold
Fixes #1737