OneConnect, HTTP pipelining and security

Question

We have a relatively large and secure web-site running behind bigip. Currently we don't have OneConnect enabled, but are considering it in order to make the system perform better. &nbsp;
&nbsp;It says in the docs that pipelined requests are not supported - I wonder what this means in practical terms for Opera users. Anyone?&nbsp;
&nbsp;Are there any risks for requests getting intermingled when using oneconnect?&nbsp;&nbsp;&nbsp;&nbsp;

hooleylist · Answer

Hi Stefan, 
&nbsp;  
&nbsp; I expect any client that tries to pipeline requests would have them serialized on the serverside.  Though I think that happens with an HTTP profile without OneConnect anyhow.  You could test this fairly quickly using a client that has pipelining enabled. 
&nbsp;  
&nbsp; Aaron

stephanmanthey · Answer

The RFC:  
   A client that supports persistent connections MAY "pipeline" its
   requests (i.e., send multiple requests without waiting for each
   response). A server MUST send its responses to those requests in the
   same order that the requests were received.

In case you apply OneConnect it would be required to avoid connection pooling for pipelined requests. Otherwise there would be no way to demultiplex the server replies as there is no concept of message identifier in the http protocol, afaik.

Forum Discussion

OneConnect, HTTP pipelining and security

Recent Discussions

F5 looses the token for the first call

iRule - Url rewrite and header replace and pool selection not working

Switch ssl profile based on weak cipher detection via IRULE

full-proxy HTTP2

Decode ObjectSID from Base64-encode string

Related Content

Ensuring Security in Continuous Integration and Continuous Deployment (CI/CD) Pipelines

Integrating NGINX Controller to CICD Pipeline

F5 Security Podcasts

Lightboard Lessons: OneConnect

Certifications for security professionals

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS