[Standards-JIG] NEW: JEP-0170 (Recommended Order of Stream Feature Negotiation)

Jacek Konieczny jajcus at jajcus.net
Wed Jan 11 20:47:35 UTC 2006

On Wed, Jan 11, 2006 at 12:55:06PM -0700, Peter Saint-Andre wrote:
> Jesus Cea wrote:
> >Since compression can add a lot of overhead to the server, especially
> >memory, I would rather suggest to first authenticate and then negotiate
> >compression. I imagine a trivial attack: simply open a lot of
> >connections to a jabber server, negotiate compression and go to sleep.
> >Each connection can eat easily 500 Kbytes. 1000 connections eat 500
> >Megabytes.
> Good point. In fact the server probably should not even advertise the 
> compression feature until after authentication...

IMHO that could be a deployment source. Some may want to compress all
the SASL data, when the bandwidth is expensive. The <stream:features/>
element may occur before and after SASL, so why not allow using
compression in those two places? Only announcing compression when it is
already in use should be forbidden.
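
Added example, not part of the original message or of JEP-0170: a small model of the server's feature advertisement that enumerates the stream states a client can reach, to check whether compression state can be allocated without completing SASL under each of the two policies discussed in the thread. The feature names are shorthand, and `compress_before_auth`, the function names, and the rule that TLS is only offered as the first step are assumptions of this sketch.

```python
from dataclasses import dataclass, replace

# Shorthand labels for the stream features discussed in the thread.
TLS, SASL, COMPRESS, BIND = "starttls", "sasl", "compression", "bind"

@dataclass(frozen=True)
class Stream:
    tls: bool = False
    authenticated: bool = False
    compressed: bool = False

def advertised(s, compress_before_auth):
    """Features listed in <stream:features/> for stream state s.
    compress_before_auth is a hypothetical deployment switch."""
    feats = []
    if not (s.tls or s.authenticated or s.compressed):
        feats.append(TLS)  # assumption: TLS is only offered as the first step
    if not s.authenticated:
        feats.append(SASL)
    # Never announce compression while it is already in use.
    if not s.compressed and (s.authenticated or compress_before_auth):
        feats.append(COMPRESS)
    if s.authenticated:
        feats.append(BIND)
    return feats

def negotiate(s, feature, compress_before_auth):
    """Apply one negotiation step; reject features that were not advertised."""
    if feature not in advertised(s, compress_before_auth):
        raise ValueError(f"{feature} not advertised in state {s}")
    field = {TLS: "tls", SASL: "authenticated", COMPRESS: "compressed"}.get(feature)
    return replace(s, **{field: True}) if field else s

def reachable_states(compress_before_auth, allow_auth):
    """Every state a client can reach; allow_auth=False models a client
    that opens connections but never completes SASL."""
    seen, todo = set(), [Stream()]
    while todo:
        s = todo.pop()
        if s in seen:
            continue
        seen.add(s)
        for f in advertised(s, compress_before_auth):
            if f == SASL and not allow_auth:
                continue
            todo.append(negotiate(s, f, compress_before_auth))
    return seen

def preauth_compression_possible(compress_before_auth):
    """True if an unauthenticated client can make the server hold compression state."""
    return any(s.compressed for s in reachable_states(compress_before_auth, False))
```

With compression advertised only after SASL, no unauthenticated state holds compression buffers; with it advertised in both places, such states exist, so the per-connection memory cost raised earlier in the thread applies to unauthenticated connections too.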


