[e2e] t/tcp and web services

David G. Andersen dga at lcs.mit.edu
Thu Dec 11 23:59:40 PST 2003


On Fri, Dec 12, 2003 at 08:22:29AM +0100, Michael Welzl quacked:
> Dear all,
> 
> Here's a question:
> 
> Why is RFC 1644 still experimental when Web Services
> typically run SOAP over HTTP over regular TCP?

T/TCP has pretty bad and unrectified security problems.
Or, to quote RFC1644:

"Security Considerations
    Security issues are not discussed in this memo. "

It makes address spoofing attacks worse against some
services, particularly rsh and the like, and makes it
easier both to DDoS a server and to use servers as DDoS
amplifiers against chosen victims.  There are circumstances
in which T/TCP is a nice thing to use, but a publicly
available webserver isn't one of them -- unfortunately,
since that's what it was really designed for.

TCP's setup overhead, particularly w.r.t. SOAP and long-running
sessions over HTTP, is already addressed through the use
of persistent connections.  T/TCP makes life better for
single-shot requests, but persistent connections make the
usual SOAP etc. cases good enough for people to not worry
about.

  -Dave

> I wonder why this inefficiency isn't bypassed one
> way or another... I remember that there was a long
> thread about SOAP's capability of sending binary data
> in ASCII (*yuck*) approx 2 years ago or so ... but I
> wonder why nobody seems to do anything about it?
> 
> ...or is this taken care of, and I just missed it?
> 
> Best regards,
> Michael

-- 
work: dga at lcs.mit.edu                          me:  dga at pobox.com
      MIT Laboratory for Computer Science           http://www.angio.net/
      I do not accept unsolicited commercial email.  Do not spam me.
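The spoofing and reflection points above, as an added worked model that is not code from the original post or from RFC 1644. It reduces T/TCP's TAO test to its core (a SYN carrying a CC option larger than the value cached for that source address is accepted, with its data, without waiting for the third packet) and contrasts it with an ordinary three-way handshake whose third packet must echo a random 32-bit ISN the off-path attacker never sees. The server application trusts callers purely by source address, rsh-style. All names (Segment, Server, spoofed_request, TRUSTED_HOST, SERVER, RESPONSE) and the header sizes, payloads and addresses are constructed assumptions for the example:

```python
"""Toy model of T/TCP's TAO shortcut versus a full handshake against an
off-path attacker who spoofs a trusted source address.  Constructed example;
not the RFC 1644 implementation and not code from the mailing-list post."""
import secrets
from dataclasses import dataclass
from typing import Optional

TRUSTED_HOST = "10.0.0.5"     # assumed: the rsh-style trusted peer (the victim)
SERVER = "10.0.0.1"           # assumed: the T/TCP-capable server
RESPONSE = b"R" * 1400        # assumed: a large reply the server returns per request


@dataclass
class Segment:
    src: str
    dst: str
    syn: bool = False
    ack: bool = False
    seq: int = 0
    ack_num: int = 0
    cc: Optional[int] = None  # T/TCP Connection Count option, None = absent
    data: bytes = b""

    def size(self) -> int:
        return 40 + len(self.data)   # crude wire size: IP+TCP headers plus payload


class Server:
    """One server host; ttcp=True enables the TAO shortcut, False is plain TCP."""

    def __init__(self, ttcp: bool):
        self.ttcp = ttcp
        self.cc_cache = {}    # TAO cache: highest CC accepted from each peer address
        self.pending = {}     # peer -> (our ISN, peer CC, data held on the SYN)
        self.executed = []    # (src, command) pairs the application acted on
        self.sent = []        # every segment this server emitted

    def application(self, src: str, data: bytes) -> bytes:
        """rsh-style authorisation: trust is decided by source address alone."""
        if src == TRUSTED_HOST:
            self.executed.append((src, data))
            return RESPONSE
        return b"denied"

    def receive(self, seg: Segment) -> None:
        if seg.syn and not seg.ack:
            cached = self.cc_cache.get(seg.src)
            if self.ttcp and seg.cc is not None and cached is not None and seg.cc > cached:
                # TAO test passes: data on the SYN goes to the application at once
                # and the reply goes straight back to whatever address the SYN carried.
                self.cc_cache[seg.src] = seg.cc
                reply = self.application(seg.src, seg.data)
                self.sent.append(Segment(SERVER, seg.src, syn=True, ack=True,
                                         ack_num=seg.seq + 1, data=reply))
                return
            # Ordinary three-way handshake: hold the data until the peer proves it
            # received our SYN-ACK by echoing the random ISN.
            isn = secrets.randbits(32)
            self.pending[seg.src] = (isn, seg.cc, seg.data)
            self.sent.append(Segment(SERVER, seg.src, syn=True, ack=True,
                                     seq=isn, ack_num=seg.seq + 1))
            return
        if seg.ack and seg.src in self.pending:
            isn, cc, held = self.pending[seg.src]
            if seg.ack_num == (isn + 1) % 2**32:
                del self.pending[seg.src]
                if cc is not None:
                    self.cc_cache[seg.src] = cc   # TAO cache learns the CC only now
                reply = self.application(seg.src, held or seg.data)
                self.sent.append(Segment(SERVER, seg.src, ack=True, data=reply))


def spoofed_request(ttcp: bool, victim_prior_cc: int = 100) -> dict:
    """Off-path attacker sends a SYN with TRUSTED_HOST as source.  With T/TCP the
    victim is assumed to have used TAO with this server before, so a cache entry
    exists; any CC above it passes, so the attacker need not know the cached value."""
    srv = Server(ttcp)
    if ttcp:
        srv.cc_cache[TRUSTED_HOST] = victim_prior_cc
    spoofed = Segment(TRUSTED_HOST, SERVER, syn=True, seq=1, cc=0xFFFFFFF0,
                      data=b"rm -rf /home/*")           # constructed command payload
    srv.receive(spoofed)
    # The SYN-ACK went to the victim, not the attacker, so a blind third packet
    # has one chance in 2**32 of carrying the right ISN.
    srv.receive(Segment(TRUSTED_HOST, SERVER, ack=True, seq=2,
                        ack_num=secrets.randbits(32), data=spoofed.data))
    return {
        "executed": srv.executed,
        "bytes_from_attacker": spoofed.size(),
        "bytes_to_victim": sum(s.size() for s in srv.sent if s.dst == TRUSTED_HOST),
    }


if __name__ == "__main__":
    for mode in (False, True):
        r = spoofed_request(ttcp=mode)
        print("T/TCP" if mode else "TCP  ", r["executed"],
              "reflected %d bytes for %d sent" % (r["bytes_to_victim"], r["bytes_from_attacker"]))
```

With plain TCP the spoofed command is never executed and the victim receives only a 40-byte SYN-ACK, less than the attacker spent. With TAO the command runs under the trusted address and the full response is reflected to the victim, roughly 27:1 in this constructed sizing; send it to many spoofed sources, or many requests for one, and the server is the amplifier Dave describes. The model omits CC wraparound and the RFC's cache-timeout handling, neither of which changes the point.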