quicwg / base-drafts

Internet-Drafts that make up the base QUIC specification
https://quicwg.org

WGLC for transport: What is fragmentation in section 21.6? #4143

Closed gorryfair closed 4 years ago

gorryfair commented 4 years ago

I don’t understand what section 21.6 is about… the title seems to suggest it is about IP Fragmentation and Reassembly Attacks, but elsewhere the spec already prohibits IP Fragmentation in section 14? And I have seen no encouragement to do any form of network-layer fragmentation - so I don’t understand a security consideration in this topic. Is this therefore some other thing? It may be about something different where a sender originates data with “holes” of missing packets to try and exercise the server? or something? What is this?

DavidSchinazi commented 4 years ago

Hi @gorryfair, 21.6 is titled "Stream Fragmentation and Reassembly Attacks". It refers to streams, not IP packets. The attack involves sending stream frames with holes such as STREAM: id=3, offset=0, len=1 and STREAM: id=3, offset=10000000, len=1; some receivers might allocate the entire stream receive buffer between 0 and 10000001.

I found the section pretty clear, but we should make it clear to everyone - could you perhaps suggest text that would make it clearer?
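The two-frame case above, worked through as an added example (not code from the draft or from any QUIC implementation): a receiver that keeps out-of-order STREAM data as separate ranges commits only the bytes it actually received, enforces the flow-control limit it advertised, and caps the number of gaps it will track. `SparseStreamReceiver`, `contiguous_buffer_size` and the 64-range cap are hypothetical names and values chosen for illustration.

```python
from dataclasses import dataclass


@dataclass
class StreamFrame:
    stream_id: int
    offset: int
    data: bytes


def contiguous_buffer_size(frames):
    # Bytes a naive receiver commits if it allocates one buffer up to the
    # highest offset seen: the behaviour the thread warns about.
    return max(f.offset + len(f.data) for f in frames)


class SparseStreamReceiver:
    """Receive side of one QUIC stream storing out-of-order data as ranges.
    Assumption for this illustration: frames never partially overlap."""

    def __init__(self, max_stream_data, max_ranges=64):
        self.max_stream_data = max_stream_data  # flow-control limit we advertised
        self.max_ranges = max_ranges            # local cap on gaps we will track
        self.ranges = {}                        # offset -> bytes, out of order
        self.read_offset = 0                    # next byte the application reads

    def on_frame(self, frame):
        if frame.offset + len(frame.data) > self.max_stream_data:
            raise ValueError("FLOW_CONTROL_ERROR")  # peer exceeded our limit
        if frame.offset < self.read_offset or frame.offset in self.ranges:
            return                                  # duplicate, nothing to store
        if len(self.ranges) >= self.max_ranges:
            raise ValueError("too many gaps")       # bound the bookkeeping too
        self.ranges[frame.offset] = frame.data

    def committed_bytes(self):
        return sum(len(d) for d in self.ranges.values())

    def readable(self):
        # Hand the contiguous prefix to the application and free it.
        out = bytearray()
        while self.read_offset in self.ranges:
            chunk = self.ranges.pop(self.read_offset)
            out += chunk
            self.read_offset += len(chunk)
        return bytes(out)


def demo():
    # Constructed input: the two frames from the comment above.
    frames = [StreamFrame(3, 0, b"a"), StreamFrame(3, 10_000_000, b"b")]
    rx = SparseStreamReceiver(max_stream_data=16 * 1024 * 1024)
    for f in frames:
        rx.on_frame(f)
    return contiguous_buffer_size(frames), rx.committed_bytes(), rx.readable()
```

`demo()` returns `(10000001, 2, b"a")`: the naive receiver would commit about 10 MB for 2 bytes of data, the sparse one commits 2 and hands the application the first byte.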

gorryfair commented 4 years ago

OK. I see. I can try a PR, if I can find words that avoid "fragment":

Is this close enough to start: /An adversarial sender might intentionally omit to send portions of the stream data, causing the receiver to commit resources for the omitted data; this could cause a disproportionate receive buffer memory commitment and/or creation of a large and inefficient data structure.

DavidSchinazi commented 4 years ago

Do we really need to avoid the term "fragment"? It's not the only overloaded networking term in the spec. Perhaps adding a "Note that stream fragmentation is unrelated to IP fragmentation" could suffice?

janaiyengar commented 4 years ago

I don't think this clarification is necessary. The context makes it clear what fragmentation this is, and talking about IP fragmentation only leads to confusing the reader. (I like the first part of your PR though, as I've noted on my review of it.)