[NNTP] STREAMING diffs (take 2)
Russ Allbery
rra at stanford.edu
Mon Jun 13 13:18:23 PDT 2005
Ken Murchison <ken at oceana.com> writes:
> Russ Allbery wrote:
>> Same here. I don't understand. Surely the use of deferrals and the
>> interaction between CHECK and TAKETHIS are protocol issues?
> The vulnerability that we're discussing isn't inherent in the design of
> the CHECK command. It's only present in server implementations which
> choose to "lock" a particular message-id that it receives from a CHECK
> command. You can certainly write a server which isn't subject to this
> attack.
Yeah, but does anyone? I thought that approach was pretty much universal
in servers that implement streaming, since otherwise you get a ton of
duplicates, particularly of large articles. Or you end up not getting
articles if you go the other direction and refuse articles promised but
not sent by another connection.
> As I said, I'm not going to argue strongly against adding your suggested
> text, but it seems like BCP stuff to me. Then again, I might be full of
> shit.
I can see the point about it being BCP stuff, but we aren't splitting
implementation best practices from protocol issues currently in the NNTP
documents. It feels very borderline to me, I guess.
--
Russ Allbery (rra at stanford.edu) <http://www.eyrie.org/~eagle/>
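
The trade-off discussed in this message, as an added example that is not part of the original post or of any NNTP server's code: a server that "locks" a message-id on CHECK and defers other connections, with a time limit so that an offer which is promised but never sent cannot hold the lock indefinitely. The class name `OfferTable`, the `lock_ttl` value and the connection ids are assumptions made for illustration; the response codes are the standard streaming ones (238, 431, 438 for CHECK; 239, 439 for TAKETHIS).

```python
import time

CHECK_SEND, CHECK_DEFER, CHECK_UNWANTED = 238, 431, 438
TAKETHIS_OK, TAKETHIS_REJECT = 239, 439


class OfferTable:
    """Tracks message-ids promised via CHECK (hypothetical helper)."""

    def __init__(self, lock_ttl=30.0, clock=time.monotonic):
        self.lock_ttl = lock_ttl   # assumed value: how long a CHECK holds the lock
        self.clock = clock
        self.history = set()       # message-ids already stored
        self.pending = {}          # message-id -> (connection id, lock expiry)

    def check(self, conn_id, msgid):
        if msgid in self.history:
            return CHECK_UNWANTED
        now = self.clock()
        holder = self.pending.get(msgid)
        if holder and holder[0] != conn_id and holder[1] > now:
            # Another connection promised this article recently: defer
            # instead of refusing, so the sender retries later.
            return CHECK_DEFER
        # No live lock (never offered, or the promise expired): grant it.
        self.pending[msgid] = (conn_id, now + self.lock_ttl)
        return CHECK_SEND

    def takethis(self, conn_id, msgid):
        # The article is already in hand, so a lock held elsewhere is moot.
        if msgid in self.history:
            return TAKETHIS_REJECT
        self.history.add(msgid)
        self.pending.pop(msgid, None)
        return TAKETHIS_OK

    def disconnect(self, conn_id):
        # Drop promises from a connection that went away without sending.
        for m in [m for m, (c, _) in self.pending.items() if c == conn_id]:
            del self.pending[m]


if __name__ == "__main__":
    now = [0.0]                                   # constructed fake clock
    table = OfferTable(clock=lambda: now[0])
    print(table.check("A", "<1@example.invalid>"))   # A promises the article
    print(table.check("B", "<1@example.invalid>"))   # B is deferred
    now[0] = 31.0                                    # A never sent it
    print(table.check("B", "<1@example.invalid>"))   # lock expired, B may send
```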