On Sat, Oct 25, 2008 at 3:48 PM, Artur Hefczyc <[EMAIL PROTECTED]> wrote:
> Hi,
>
> I am glad somebody has responded to my post :-)
>
>>> Without tests I can't really say how much the resource usage would grow
>>> but I can imagine it could be significant.
>>> One of the reason for a good performance in Tigase server is a very
>>> lightweight XML parser I have written.
>>>
>>
>> Just so you know, that parser is not a conforming XML parser. Tigase
>> happily accepts data that is not XML-well-formed, and happily routes
>> or delivers it.
>
> That's true but please note that XMPP stream is not really XML stream
> either.
> I would rather call my parser: XMPP parser then.
>
>

I meant invalid XML, like <[EMAIL PROTECTED]/>. This when routed could
result in all sorts of DoS scenarios. Most servers and clients would
terminate connections when they receive this.

>>> And please note. All these increased resource usage would be only needed
>>> because _sometimes_ it _may_ happen that maybe 1/1mln packet might have
>>> incorrect XMLNS......
>>>
>>> I am not sure if this is worth the cost.
>>>
>>
>> What is the cost? Has anyone actually tried determining the actual cost?
>>
>>>
>>
>> I just don't think the cost of simply validating namespaces is
>> significant, and it certainly is not prohibitive.
>>
>
> This cost might be ignored on the client side but on the server side
> everything counts. Imagine you have to parse XMPP packets on
> 150k active connections. The traffic during my load tests was
> 10k packets/sec. Every instruction you add to the data processing is
> multiplied by the number of packets.
>
> Of course if the XMLNS validation would be 1% of all operations
> performed by the parser it could be probably ignored.
> I think, however that XMLNS validation could require even
> more processing than all other parser tasks.
>
> Artur
> --
> Artur Hefczyc
> http://www.tigase.org/
> http://artur.hefczyc.net/
>
>
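
An added example, not part of the thread and not Tigase's parser or code from either poster: a pre-routing gate that runs each stanza through a conforming, namespace-aware parser (expat) and refuses to forward anything ill-formed, carrying an unbound prefix, or qualified by an unexpected namespace. The `ROUTABLE` policy, the stream wrapper and the sample stanzas are assumptions constructed for illustration.

```python
import xml.parsers.expat as expat

STREAM_NS = "http://etherx.jabber.org/streams"
# Assumed policy for a client-to-server stream: only these qualified names are routed.
ROUTABLE = {"jabber:client message", "jabber:client presence", "jabber:client iq"}

class StanzaRejected(Exception):
    """Raised instead of routing input a conforming receiver would choke on."""

def check_stanza(raw: bytes) -> str:
    """Return 'namespace localname' of the single stanza in raw, or raise."""
    # Constructed stream wrapper so the stanza inherits the stream's default namespace.
    doc = (b'<stream:stream xmlns:stream="%s" xmlns="jabber:client">'
           % STREAM_NS.encode()) + raw + b"</stream:stream>"
    parser = expat.ParserCreate(namespace_separator=" ")  # namespace-aware mode
    depth, stanzas = 0, []

    def start(name, attrs):
        nonlocal depth
        depth += 1
        if depth == 2:  # direct child of the stream root = one stanza
            stanzas.append(name)

    def end(name):
        nonlocal depth
        depth -= 1

    parser.StartElementHandler, parser.EndElementHandler = start, end
    try:
        parser.Parse(doc, True)
    except expat.ExpatError as exc:  # ill-formed markup or unbound prefix
        raise StanzaRejected(expat.ErrorString(exc.code)) from exc
    if len(stanzas) != 1:
        raise StanzaRejected("expected exactly one stanza")
    if stanzas[0] not in ROUTABLE:
        raise StanzaRejected("unexpected namespace or element: " + stanzas[0])
    return stanzas[0]

def routable(raw: bytes) -> bool:
    """True only if the stanza is safe to hand to the router."""
    try:
        check_stanza(raw)
        return True
    except StanzaRejected:
        return False

# Constructed samples: one valid stanza, an ill-formed name, an unbound prefix, a wrong xmlns.
SAMPLES = [b'<message to="a@example.org"><body>hi</body></message>',
           b"<foo@bar/>", b"<x:message/>", b'<message xmlns="jabber:wrong"/>']
```

Timing `routable` over a representative capture of stanzas gives a measured answer to the cost question raised in the thread.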
