[Docs] [txt|pdf|xml|html] [Tracker] [Email] [Nits]

Versions: 00

Internet Engineering Task Force                             M. Lentczner
Internet-Draft                                     Linden Research, Inc.
Intended status: Informational                                D. Preston
Expires: September 5, 2009                                 March 4, 2009


                              Reverse HTTP
                        draft-lentczner-rhttp-00

Status of this Memo

   This Internet-Draft is submitted to IETF in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as Internet-
   Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   This Internet-Draft will expire on September 5, 2009.

Copyright Notice

   Copyright (c) 2009 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents in effect on the date of
   publication of this document (http://trustee.ietf.org/license-info).
   Please review these documents carefully, as they describe your rights
   and restrictions with respect to this document.

Abstract

   This memo explains a method for making HTTP requests to a host that
   cannot be contacted directly.  Typically, such a host is behind a
   firewall and/or a network address translation system.



Lentczner & Preston     Expires September 5, 2009               [Page 1]

Internet-Draft                Reverse HTTP                    March 2009


Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . . . 3
     1.1.  Requirements Language . . . . . . . . . . . . . . . . . . . 3
   2.  Protocol  . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
     2.1.  Overview  . . . . . . . . . . . . . . . . . . . . . . . . . 3
     2.2.  Upgrade . . . . . . . . . . . . . . . . . . . . . . . . . . 4
     2.3.  Example . . . . . . . . . . . . . . . . . . . . . . . . . . 4
   3.  Considerations  . . . . . . . . . . . . . . . . . . . . . . . . 5
     3.1.  Host Header . . . . . . . . . . . . . . . . . . . . . . . . 5
     3.2.  Connection  . . . . . . . . . . . . . . . . . . . . . . . . 5
     3.3.  Persistent Connections  . . . . . . . . . . . . . . . . . . 5
     3.4.  Fall Back . . . . . . . . . . . . . . . . . . . . . . . . . 6
   4.  Security Considerations . . . . . . . . . . . . . . . . . . . . 6
   5.  IANA Considerations . . . . . . . . . . . . . . . . . . . . . . 6
   6.  Normative References  . . . . . . . . . . . . . . . . . . . . . 7
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . . . 7


































Lentczner & Preston     Expires September 5, 2009               [Page 2]

Internet-Draft                Reverse HTTP                    March 2009


1.  Introduction

   HTTP has become widely used as an application layer transport.
   Systems such as XML-RPC and SOAP, as well as numerous "web APIs" such
   as the Flickr API, all use HTTP as a method for having a client make
   requests of a server.

   The design of HTTP is such that the entity that initiates the TCP
   connection over which HTTP flows is also the entity that issues the
   request.  When building applications over HTTP where the hosts
   involved can both function as TCP servers, this is no problem: When
   either host wishes to invoke an function on the other, it can
   initiate a TCP connection to the other, and acting as the client in
   the HTTP protocol, issue the request.

   In many HTTP based applications, one of the hosts cannot function as
   an HTTP server.  Typically, the host may be behind a firewall, or not
   have a publicly routable IP address.  In this case, application layer
   interfaces can no longer be symmetric: If a host needs to invoke a
   function on a host that cannot function as an HTTP server, than that
   function cannot be easily layered on top of HTTP.  Typical designs to
   work around this constraint involve different encodings and semantics
   for requests from the server host to the non-server host, and the use
   of the long-poll technique.

   Reverse HTTP is designed to enable the application layer encoding and
   semantics to be built upon HTTP uniformly for requests in either
   direction between a non-server host and server host.  Since the non-
   server host cannot be contacted directly, the non-server host still
   needs to establish the TCP connection, but once the Reverse HTTP
   protocol is negotiated, the full HTTP protocol is used in the reverse
   of the normal direction: from the server to the client

1.1.  Requirements Language

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in RFC 2119 [RFC2119].


2.  Protocol

2.1.  Overview

   A Reverse HTTP connection is established between hosts A and B as
   follows:





Lentczner & Preston     Expires September 5, 2009               [Page 3]

Internet-Draft                Reverse HTTP                    March 2009


   1.  Host A establishes a TCP connection to host B.

   2.  Host A makes an HTTP request to host B. This request indicates
       A's willingness to engage in Reverse HTTP, and supplies any
       identification, authentication and authorization needed by B. The
       request is signaled by the Upgrade header in the request.
       Typically, the request is also indicated by a particular URL, and
       the other information encoded in the URL, body, or cookies, but
       applications are free to use any methods they wish for these
       purposes.

   3.  Host B signals its agreement to enter into Reverse HTTP by use of
       a 101 status code and the Upgrade header in its response.  At the
       conclusion of this response, the original HTTP connection is
       considered abandoned, and a new HTTP connection is established
       where host B is in the role of client and host A in the role of
       server.  From then on, request messages can be sent from B, with
       responses from A.

2.2.  Upgrade

   The switch to Reverse HTTP is signaled via HTTP's Upgrade header and
   upgrade mechanism, as described in sections 14.42 and 10.1.2. of
   RFC2616 [RFC2616].

   The protocol token used in the Upgrade header is:
   PTTH/1.0

   Section 10.1.2 of HTTP [RFC2616] defines the precise point of the
   protocol switch: Directly after the empty line of the response
   message containing the Upgrade header.  At this point, the new
   connection proceeds with the full HTTP protocol, as if the TCP
   connection had just been established, but with the parties in
   reverse: the original server acting as the HTTP client, sending
   request messages, and the original client acting as the HTTP server,
   sending response messages.

2.3.  Example

   In this example, host A will contact host B, and indicate it's
   willingness to enter into Reverse HTTP, and then process request
   messages from B:









Lentczner & Preston     Expires September 5, 2009               [Page 4]

Internet-Draft                Reverse HTTP                    March 2009


   A --> B: POST /message-queue?id=iamsam HTTP/1.1
            Host: b.example.com
            Upgrade: PTTH/1.0
            Connection: Upgrade

   A <-- B: HTTP/1.1 101 Switching Protocols
            Upgrade: PTTH/1.0
            Connection: Upgrade

   A <-- B: GET /status HTTP/1.1
            Host:

   A --> B: HTTP/1.1 200 OK
            Content-type: text/plain
            Content-Length: 4

            Good


3.  Considerations

3.1.  Host Header

   Section 14.23 of HTTP [RFC2616] requires that all HTTP/1.1 requests
   have a Host header.  However, if the URI requested doesn't include an
   internet host, then the Host field is empty.  In the case of Reverse
   HTTP, the URI requested refers to a resource on Host A, which does
   not have an host name or IP accessible to Host B. As such, the Host
   field in request messages from B SHOULD contain an empty Host field.

3.2.  Connection

   The Upgrade mechanism is defined to be a hop-by-hop level in HTTP.
   As such, the Upgrade header is required to be listed in a Connection
   header in both the request message and the response message.  Reverse
   HTTP, however, is establishing an end-to-end establishment of an HTTP
   connection in the reverse direction.  Thus, Reverse HTTP upgrade can
   only be used with a proxy if the proxy is willing to establish
   Reverse HTTP on the next hop, or the CONNECT verb is used with the
   proxy to first establish a tunnel.  Where Reverse HTTP is used over
   HTTPS connections, there is no problem, even in the face of proxies,
   because those proxies establish an end-to-end tunnel that constitutes
   a single HTTP hop.

3.3.  Persistent Connections

   Once established, the HTTP connection operating in reverse is just
   like any other HTTP connection.  In particular, the persistent



Lentczner & Preston     Expires September 5, 2009               [Page 5]

Internet-Draft                Reverse HTTP                    March 2009


   connection mechanisms of both HTTP 1.0 and 1.1 are available.  In
   this way, a host can establish a bi-directional HTTP based
   communication to another host using two TCP connections: One running
   a persistent HTTP connection to the remote host, and another, after
   negotiating Reverse HTTP, running a persistent HTTP connection from
   the remote host back to itself.

3.4.  Fall Back

   Applications can be developed where not all hosts have to understand
   Reverse HTTP.  If the non-server host doesn't understand Reverse
   HTTP, then the server will not see an Upgrade token of PTTH/1.0 and
   so will know to fall back to some other application method of routing
   requests to the non-server host.  If the server doesn't understand
   Reverse HTTP, then it will respond to the HTTP request, ignoring the
   Upgrade token.  In such cases, the non-server host will see a
   response that corresponds to the fall back method.

   The actual method of fall back is beyond the scope of this memo.  The
   authors have experimented with various forms including JSON and XML
   encoding of application level requests, and more generic encoding of
   HTTP messages into HTTP message bodies.  In general, existing
   applications can migrate to Reverse HTTP and keep their existing
   techniques as fall back.


4.  Security Considerations

   Reverse HTTP introduces no new security concerns beyond those known
   with HTTP.  However, as it applies HTTP in a novel way, the common
   security concerns need to be applied to the parties in reverse.  In
   particular, client software that initiates Reverse HTTP must realize
   that it will act as a server once the upgrade is complete, and so
   prepare it self for almost all the same issues any HTTP server must
   be concerned with.  The security concerns can be lessened somewhat in
   that the client need not be prepared for arbitrary requests from the
   Internet.  HTTP requests can only come from the host the client
   chooses to connect and establish Reverse HTTP to.  Standard
   precautions, such as negotiating TLS or using HTTPS, should be use so
   that the client can rule out man-in-the-middle and impersonation
   attacks.


5.  IANA Considerations

   This document asks IANA to register the token PTTH in the HTTP
   Upgrade Token registry.




Lentczner & Preston     Expires September 5, 2009               [Page 6]

Internet-Draft                Reverse HTTP                    March 2009


6.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC2616]  Fielding, R., Gettys, J., Mogul, J., Frystyk, H.,
              Masinter, L., Leach, P., and T. Berners-Lee, "Hypertext
              Transfer Protocol -- HTTP/1.1", RFC 2616, June 1999.


Authors' Addresses

   Mark Lentczner
   Linden Research, Inc.
   945 Battery St.
   San Francisco, CA  94111
   US

   Phone: +1 415 243 9000
   Email: zero@lindenlab.com


   Donovan Preston

   Email: dsposx@mac.com


























Lentczner & Preston     Expires September 5, 2009               [Page 7]


Html markup produced by rfcmarkup 1.109, available from https://tools.ietf.org/tools/rfcmarkup/