Slashdot Mirror

← Back to Stories (view on slashdot.org)

Varnish Author Suggests SPDY Should Be Viewed As a Prototype

Posted by Soulskill on from the final-version-needs-lasers-don't-ask-why dept.

An anonymous reader writes "The author of Varnish, Poul-Henning Kamp, has written an interesting critique of SPDY and the other draft protocols trying to become HTTP 2.0. He suggests none of the candidates make the cut. Quoting: 'Overall, I find the design approach taken in SPDY deeply flawed. For instance identifying the standardized HTTP headers, by a 4-byte length and textual name, and then applying a deflate compressor to save bandwidth is totally at odds with the job of HTTP routers which need to quickly extract the Host: header in order to route the traffic, preferably without committing extensive resources to each request. ... It is still unclear for me if or how SPDY can be used on TCP port 80 or if it will need a WKS allocation of its own, which would open a ton of issues with firewalling, filtering and proxying during deployment. (This is one of the things which makes it hard to avoid the feeling that SPDY really wants to do away with all the "middle-men") With my security-analyst hat on, I see a lot of DoS potential in the SPDY protocol, many ways in which the client can make the server expend resources, and foresee a lot of complexity in implementing the server side to mitigate and deflect malicious traffic.'"

7 of 136 comments (clear)

  1. Re:his criticism is not true in practice by Mad+Merlin · · Score: 5, Informative

    TFA is talking about in reverse proxies (of which Varnish is one of many), which are very commonplace. In fact, you're seeing this page through (at least) one, as Slashdot uses Varnish.

    --
    Game! - Where the stick is mightier than the sword!
  2. Rethink HTTP with something else by Skapare · · Score: 5, Interesting

    Much of what the web has become is no longer fitting the "fetch a document" model that HTTP (and GOPHER before it) are designed to do. This is why we have hacks like cookie managed sessions. We are effectively treating the document as a fat UDP datagram. The replacement ... and I do mean replacement, for HTTP, should integrate the session management with it, among other things. The replacement needs to hold the TCP connection (or better, the SCTP session), in place as a matter of course, integrated into the design, instead of patched around as HTTP does now. With SCTP, each stream can manage its own start and end, with a simpler encryption startup based on encrypted session management on stream 0. Then you can have multiple streams for a variety of serviced functions from nailed up streams for continuous audio/video, to streams used on the fly for document fetch. No chunking is needed since it's all done in SCTP.

    --
    now we need to go OSS in diesel cars
  3. Re:Internet Explorer on Windows XP by Short+Circuit · · Score: 4, Insightful

    By the time a replacement of HTTP 2 is standardized, XP will be fully out of support. I get flamed whenever I say this, but it will be time to let XP die. I'm considering replacing my grandmother's box with an ASUS Transformer, as that'll handle all of her needs. (*And* the rest of my family won't say 'we don't know how to reboot the router because we don't know how to use the Linux netbook you set her up with.) Quickbooks runs on Vista and Win7. Tools and other things which require Windows XP are becoming scarcer, and workarounds and alternatives are becoming cheaper.

    Eventually, XP will be like that DOS box that sits in some shops...used only for some specific, very limited purposes. Any shop cheaping out and still using it in lab environments (such as call centers) can work around it by installing a global self-signed cert and using a proxy server to rewrap SSL and TLS connections. Yes, this is bad behavior. So is continuing to use XP. At some point, the rest of Internet needs to move on.

    --
    tasks(723) drafts(105) languages(484) examples(29106)
  4. Re:While I hate the transfer syntaxes we have by Skapare · · Score: 4, Informative

    s/Cute/Ugly/

    XML is for marking up documents, not serializing data structures.

    Now suppose we make HTTP based on XML. During the HTTP header parse, we need the schema. Fetch it. With what? With HTTP. Now we need to parse more XML and need another schema we have to get with HTTP which then has to be parsed ...

    XML is not for protocols. JSON is at least more usable. Some simpler formats exist, too.

    --
    now we need to go OSS in diesel cars
  5. Oh yes XML, that efficiently parsable mess by Viol8 · · Score: 4, Insightful

    As a static data format its just about passable, but as a low overhead network protocol??

    Wtf have you been smoking??

  6. Re:While I hate the transfer syntaxes we have by jimmifett · · Score: 5, Insightful

    Ideally, you give the schema to the other side and they can validate the message before sending to you, catching possible errors there. You validate against same schema on your side as a safety net to week out junk data and messages from users that don't validate. It also allows you to enforce types and limitations on values in a consistent manner.

    JSON is good for quick and dirty communications when you are both the sender and the consumer of messages and can be lazy and not care too much about junk data.

    Both have their uses, but you have to know when to use which.

  7. Re:HTTP wouldn't pass muster by jandrese · · Score: 4, Interesting

    The flipside of this is that a lot of the proposals to replace HTTP suffer badly from the second system effect, where the protocol designer decides to add proper support for all of the edge cases and ends up with a protocol that is gigantic and difficult to implement.

    --

    I read the internet for the articles.