[e2e] t/tcp and web services
David G. Andersen
dga at lcs.mit.edu
Thu Dec 11 23:59:40 PST 2003
On Fri, Dec 12, 2003 at 08:22:29AM +0100, Michael Welzl quacked:
> Dear all,
>
> Here's a question:
>
> Why is RFC 1644 still experimental when Web Services
> typically run SOAP over HTTP over regular TCP?

T/TCP has pretty bad and unrectified security problems.
Or, to quote RFC1644:

  "Security Considerations
   Security issues are not discussed in this memo."

It makes address spoofing attacks worse against some
services, particularly rsh and the like, and makes it
easier to DDoS both a server and use servers as DDoS
amplifiers against chosen victims. There are circumstances
in which T/TCP is a nice thing to use, but a publicly
available webserver isn't one of them -- unfortunately,
since that's what it was really designed for.

TCP's setup overhead, particularly w.r.t. SOAP and long-running
sessions over HTTP, is already addressed through the use
of persistent connections. T/TCP makes life better for
single-shot requests, but persistent connections make the
usual SOAP/etc. cases good enough for people to not worry
about.

-Dave
> I wonder why this inefficiency isn't bypassed one
> way or another... I remember that there was a long
> thread about SOAP's capability of sending binary data
> in ASCII (*yuck*) approx 2 years ago or so ... but I
> wonder why nobody seems to do anything about it?
>
> ...or is this taken care of, and I just missed it?
>
> Best regards,
> Michael
--
work: dga at lcs.mit.edu me: dga at pobox.com
MIT Laboratory for Computer Science http://www.angio.net/
I do not accept unsolicited commercial email. Do not spam me.