[Twisted-Python] Large Transfers

Uwe C. Schroeder uwe at oss4u.com
Sat May 10 12:20:30 EDT 2003 

On Saturday 10 May 2003 09:01 am, Bernhard Herzog wrote:
> Moshe Zadka <m at moshez.org> writes:
> > On Sat, 10 May 2003, "Uwe C. Schroeder" <uwe at oss4u.com> wrote:
> > > in  another thread we had the "pb size limitation" issue. However it
> > > still doesn't make too much sense to me, so probably someone of the
> > > core developers can enlighten me.
> >
> > The explanation is that the *other side* doesn't trust you -- maybe
> > you're trying to DoS it? This is a good design decision: you want
> > multiple processes to not trust each other. As an aside, whenever you
> > hear the word "trust" you should think "lack of security" -- by
> > extension, "distrust" is "more secure".
>
> ISTM that this approach doesn't really give you much security. It only
> helps against accidentally large chunks of data.
>
> The tests, AFAICT, simply check the length (as defined by the len
> builtin) of lists, tuples and strings. So if the sender can't send e.g.
> [0] * 1000000, it could just as well send [[0] * 1000 for i in range(1000)]
> which would consume roughly the same amount of memory on the receiver's
> side but would pass all the SIZE_LIMT tests. Using a large dictionary
> seems to work too.

Since a DoS is basically bombarding the target, neither approach will 
guarantee security. For the receiver it might be even worse to get 1M calls 
with 100 bytes each.
To really get security here you'd have to limit the number of calls in a 
certain timeframe as well as the maximum size of each call.

> A better solution for limiting the size seems to be a limit on the
> number of bytes accepted by the receiver for a single PB call.

as far as I understand it the 640k ARE the limit for one single PB call.

>
> Anyway, limits on the data size should be configurable IMO so that
> programmers can set the limit based on the needs of their applications.

This might be correct, however if you design a certain protocol you usually 
imply certain restrictions. From that point of view I must say Glyph is 
having a point here.

	UC

--
Open Source Solutions 4U, LLC	2570 Fleetwood Drive
Phone:  +1 650 872 2425		San Bruno, CA 94066
Cell:   +1 650 302 2405		United States
Fax:    +1 650 872 2417

More information about the Twisted-Python mailing list