[Docs] [txt|pdf|xml|html] [Tracker] [Email] [Diff1] [Diff2] [Nits]

Versions: 00 01

Network Working Group                                      M. Nottingham
Internet-Draft
Intended status: Standards Track                        October 14, 2014
Expires: April 17, 2015


                    The Web Proxy Description Format
                   draft-nottingham-web-proxy-desc-01

Abstract

   This specification defines a simple means of configuring Web proxies,
   and places additional requirements upon them in order to promote
   improved interoperability, security, and error handling.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on April 17, 2015.

Copyright Notice

   Copyright (c) 2014 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.





Nottingham               Expires April 17, 2015                 [Page 1]


Internet-Draft            Web Proxy Description             October 2014


Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
     1.1.  Notational Conventions  . . . . . . . . . . . . . . . . .   4
   2.  WPD Proxies . . . . . . . . . . . . . . . . . . . . . . . . .   4
   3.  The Web Proxy Description (WPD) Format  . . . . . . . . . . .   5
     3.1.  name  . . . . . . . . . . . . . . . . . . . . . . . . . .   6
     3.2.  desc  . . . . . . . . . . . . . . . . . . . . . . . . . .   6
     3.3.  moreInfo  . . . . . . . . . . . . . . . . . . . . . . . .   6
     3.4.  proxies . . . . . . . . . . . . . . . . . . . . . . . . .   6
       3.4.1.  host  . . . . . . . . . . . . . . . . . . . . . . . .   6
       3.4.2.  port  . . . . . . . . . . . . . . . . . . . . . . . .   7
       3.4.3.  clientNetworks  . . . . . . . . . . . . . . . . . . .   7
     3.5.  forReferers . . . . . . . . . . . . . . . . . . . . . . .   7
     3.6.  alwaysDirect  . . . . . . . . . . . . . . . . . . . . . .   8
     3.7.  failDirect  . . . . . . . . . . . . . . . . . . . . . . .   9
     3.8.  exclusive . . . . . . . . . . . . . . . . . . . . . . . .   9
     3.9.  privateMode . . . . . . . . . . . . . . . . . . . . . . .   9
   4.  Discovering WPD Files . . . . . . . . . . . . . . . . . . . .   9
     4.1.  The web-proxy-desc well-known URI . . . . . . . . . . . .  10
   5.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .  10
   6.  Security Considerations . . . . . . . . . . . . . . . . . . .  10
   7.  Acknowledgements  . . . . . . . . . . . . . . . . . . . . . .  11
   8.  References  . . . . . . . . . . . . . . . . . . . . . . . . .  11
     8.1.  Normative References  . . . . . . . . . . . . . . . . . .  11
     8.2.  Informative References  . . . . . . . . . . . . . . . . .  12
   Appendix A.  User Experience for WPDs . . . . . . . . . . . . . .  12
   Author's Address  . . . . . . . . . . . . . . . . . . . . . . . .  13

1.  Introduction

   Web proxies can be configured in a variety of ways, but existing
   approaches suffer from security, usability and interoperability
   issues.

   This specification defines:

   o  A simple format for describing a Web proxy ("WPD"; see Section 3)
      to facilitate configuration, and to allow proxies to be
      represented to users in a consistent way, and

   o  A way to discover the proxy description using a well-known URL
      (Section 4), so that direct configuration of a proxy is as simple
      as entering a hostname, and

   o  A set of additional requirements for proxies described in this
      fashion, as well as requirements for User Agents connecting to




Nottingham               Expires April 17, 2015                 [Page 2]


Internet-Draft            Web Proxy Description             October 2014


      them, designed to improve security, usability and
      interoperability.  See Section 2.

   It can be used in a variety of ways, but is designed to meet the
   following goals:

   o  Users should always be aware of a configured proxy and be able to
      confidently identify it, and

   o  Configuring a proxy should be a deliberate act, but simple to do
      for non-technical users, and

   o  Proxies should always respect the wishes of the end user and Web
      site, and

   o  Proxies should never reduce or compromise the security of
      connections, and improve it where possible, and

   o  Proxies should be able to reliably communicate with their end
      users regarding their policies and problems that are encountered.

   Furthermore, it is designed to be useful in the following cases:

   o  An end user wants to use a proxy network that provides improved
      performance, by re-compressing responses to http:// resources.

   o  An end user wants to use a proxy network that provides improved
      privacy, by routing requests through any number of intermediaries.

   o  An end user is required to use a proxy to access Internet
      resources by their network (e.g., a school, workplace or prison).

   o  A network wants to offer enhanced access to selected Web sites,
      through interposition of a proxy.

   Importantly, this specification does not address the automatic
   discovery of proxy configuration for a given network, because proxy
   configuration is a security-sensitive action, and ought never be
   performed without explicit user or administrator action.

   It is expected that the mechanisms described could be implemented by
   a single program (e.g., a Web browser), or through an Operating
   System facility.








Nottingham               Expires April 17, 2015                 [Page 3]


Internet-Draft            Web Proxy Description             October 2014


1.1.  Notational Conventions

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].

2.  WPD Proxies

   This specification defines a particular kind of HTTP proxy (as per
   [RFC7230] Section 2.3) known as a "WPD proxy" that has additional
   requirements placed upon it, as well as upon those using it.

   WPD Proxies MUST support HTTP/2 [I-D.ietf-httpbis-http2] over TLS for
   connections from clients.  Clients MUST use HTTP/2 over TLS to
   connect to a WPD proxy; if one cannot be established, the client MUST
   consider that proxy "failed."

   WPD Proxies MUST support forwarding requests with the "http" scheme
   [RFC7230], and SHOULD support the CONNECT method, as specified in
   [I-D.ietf-httpbis-http2] Section 8.3.

   [RFC7230] Section 5.7.2 requires proxies to honour the semantic of
   the "no-transform" cache-control directive, and append the 214
   (Transformation Applied) warn-code to other messages that have been
   transformed; WPD proxies MUST honour these requirements.

   When connecting to a WPD proxy, clients MUST validate the proxy
   hostname as per [RFC2818] Section 3.1.  If the proxy presents an
   invalid certificate, that proxy MUST be considered "failed" and not
   used (until a valid certificate is presented).

   User agents MUST use a CONNECT tunnel when retrieving URLs with the
   "https" scheme through WPD proxies.

   When user agents encounter 5xx responses to a CONNECT request from a
   WPD proxy, they MUST present the response to the end user, but MUST
   NOT present or process it as a response to the eventual request to be
   made through the tunnel (i.e., it has an unidentified payload, as per
   [RFC7231] Section 3.1.4.1).

   NOTE: Many user agents refuse to show an error response to a CONNECT
   to the user, in order to deal with the issues brought to light by
   [bad-proxy].  While effective in dealing with those attacks, doing so
   effectively disallows communication between the proxy and the end
   user; this requirement is designed to re-open that channel.

   If a WPD proxy becomes unresponsive, clients SHOULD consider it
   failed and attempt to use another proxy (if available) or inform the



Nottingham               Expires April 17, 2015                 [Page 4]


Internet-Draft            Web Proxy Description             October 2014


   end user (if not available).  Clients SHOULD regularly attempt to re-
   establish contact with failed WPD proxies (e.g., every minute).

   Requests for the "localhost" [RFC6761] and "local" [RFC6762] top-
   level domains MUST NOT be routed through a WPD proxy.

   Likewise, requests to the Loopback address blocks (127.0.0.0/8 and
   ::1/128) and the Link Local block (169.254.0.0/16 and fe80::/10) MUST
   NOT be routed through a WPD proxy; see [RFC6890].  Note that clients
   are not required to perform a reverse lookup on hostnames to conform
   to this requirement.

3.  The Web Proxy Description (WPD) Format

   WPD is a JSON [RFC7159] format that describes a Web proxy to
   potential clients.  Its root is an object containing WPD-specific
   object members.  For example:

   {
       "name": "ExampleCorp Web Proxy",
       "desc": "ExampleCorp's Proxy Gateway for Web access. Note that
                all traffic through this proxy is logged, and may be
                filtered for content.",
       "moreInfo": "https://inside.example.com/proxy/",
       "proxies": [
           {
               "host": "proxy.example.com",
               "port": 8080,
               "clientNetworks": ["192.0.2.0/24"]
           },
           {
               "host": "proxy1.example.com",
               "port": 8080,
               "clientNetworks": ["192.0.2.0/24"]
           }
       ],
       "alwaysDirect": ["example.com", "192.0.2.0/24"],
       "failDirect": False
   }

   When configuring a proxy through WPD, a user agent SHOULD present the
   relevant information contained within (i.e., the 'name', 'desc' and
   'moreInfo' members, the latter as a link) to the end user.  User
   agents SHOULD also make this information available to the end user
   whenever the WPD is in use.

   The remainder of this section defines the content of the WPD object
   members.  Unrecognized members SHOULD be ignored.



Nottingham               Expires April 17, 2015                 [Page 5]


Internet-Draft            Web Proxy Description             October 2014


3.1.  name

   A string containing a short, memorable name for the proxy; typically
   64 characters or less.  This member MUST be present for the WPD to be
   considered valid.

3.2.  desc

   A string containing a textual description of the proxy's function(s);
   typically 256 characters or less.  This member MUST be present for
   the WPD to be considered valid.

3.3.  moreInfo

   A string containing a URL [RFC3986] that leads to more information
   about the proxy, its operation, who operates it, etc.  The URL MUST
   have a scheme of "https" [RFC7230], and MUST be able to respond with
   an HTML [W3C.CR-html5-20140731] representation.  This member MUST be
   present for the WPD to be considered valid.

3.4.  proxies

   An array containing one or more proxy objects; each proxy object
   represents a HTTP proxy endpoint that can be used when this WPD is
   configured.  See Section 2 for requirements specific to these
   proxies, as well as those clients connecting to them.

   Proxy objects' members are defined by the following subsections;
   unrecognized members SHOULD be ignored.

   The ordering of proxy objects within the proxies array is not
   significant; clients MAY choose any proxy they wish (as long as the
   specific requirement so the proxy object are met), and MAY use more
   than one at a time.

   NOTE: the array of proxy objects is functionally similar to, but not
   as expressive as, the commonly-used "proxy.pac" format.  While it
   would be expedient for WPD to just reference a proxy.pac, feedback so
   far is that proxy.pac has a number of deficiencies, and
   interoperability is poor.  Therefore, this document specifies the
   proxy object instead, in order to gather feedback on an alternative
   approach.

3.4.1.  host

   A string containing the host (as per [RFC3986], section 3.2.2) of the
   proxy.  This member MUST be present.




Nottingham               Expires April 17, 2015                 [Page 6]


Internet-Draft            Web Proxy Description             October 2014


3.4.2.  port

   A number representing the port that the proxy is listening on.  This
   member MUST be present, and MUST be an integer.

3.4.3.  clientNetworks

   An array containing strings; each string contains a classless prefix
   (see [RFC4632]) which the proxy can be used within.  Clients MUST NOT
   attempt to use the proxy if their IP address is not within one of the
   stated ranges.

   This member is optional.

   For example, if the value of clientNetworks is

   [ "192.168.1.0/32", "192.168.2.0/24" ]

   then the only clients that could use the proxy would have IP
   addresses in the ranges 192.168.1.0 to 192.168.1.3 and 192.168.2.0 to
   192.168.2.255.

   Note that by their nature private networks (as specified in
   [RFC1918]) are not unique, and therefore there may be false
   positives.  As such, clients SHOULD NOT automatically configure a WPD
   based upon clientNetworks when the IP address is in these ranges,
   although they MAY notify the user of a WPD's possible applicability,
   and SHOULD use additional information to correlate a WPD to its
   proper network.  For example, the MAC address of the network's
   gateway (as discovered by ARP [RFC0826]) can be used to disambiguate
   multiple instances of the same network.

3.5.  forReferers

   An array containing strings; each string is a host (as per [RFC3986]
   Section 3.2.2).

   When forReferers is present, Clients MUST use the WPD's proxies to
   access these hosts, hostnames that have the host as a root, and for
   traffic generated by that content.  They MUST NOT be used for other
   traffic.

   This member is optional.

   For example, if the value of forReferers is

   [ "friendface.example.com" ]




Nottingham               Expires April 17, 2015                 [Page 7]


Internet-Draft            Web Proxy Description             October 2014


   then requests to "friendface.example.com",
   "www.friendface.example.com", "app.friendface.example.com" etc. would
   use the associated proxies; likewise, if processing a response from
   one of these hosts generated further requests to "images.example.net"
   and "scripts.example.org", they would also use the proxies.

   Note that alwaysDirect takes precedence over forReferers.

   TODO: tighten up what "processing" means here; the intent is to omit
   a href

3.6.  alwaysDirect

   An array containing strings; each string is one of:

   o  a host (as per [RFC3986] Section 3.2.2),

   o  a classless prefix [RFC4632].

   o  the string "CONNECT".

   Clients MUST NOT use the WPD's proxies to access nominated hosts and
   hostnames that have the a nominated host as its root.  Likewise,
   clients MUST NOT use the WPD's proxies to access bare IP addresses
   that fall within the classless prefix.

   If the string "CONNECT" (case-sensitive) appears in alwaysDirect, it
   indicates that requests that require establishment of a tunnel (e.g.,
   for "https" URLs) MUST NOT use the WPD's proxies, but instead ought
   to be made directly to the origin (i.e., without a tunnel).

   Note that when a "bare" IP address or classless prefix is used in
   alwaysDirect, clients are not required to perform a reverse lookup on
   hostnames; these forms are only intended for accessing URLs that use
   the IP-literal or IPv4address forms.

   This member is optional.

   For example, if the value of alwaysDirect is:

   [ "example.com", "192.168.5/24" ]

   then requests to "example.com", "www.example.com", "foo.example.com"
   etc would not use any proxy.  Likewise, requests whose URL authority
   were bare IP addresses in the range 192.168.5.0 to 192.168.5.255
   would not use any proxy.





Nottingham               Expires April 17, 2015                 [Page 8]


Internet-Draft            Web Proxy Description             October 2014


3.7.  failDirect

   A boolean indicating whether the client should attempt to directly
   access the origin server if all applicable proxies are unavailable.

   When False, clients MUST NOT attempt to directly access the origin
   server when no proxy is available, but instead SHOULD inform the user
   that the proxy is unavailable.

   When True, clients MAY do so.  If failDirect is not present, clients
   MAY default to this behavior.

3.8.  exclusive

   A boolean indicating whether the client is required to route all
   network traffic through the proxy.

   When True, clients MUST NOT initiate network traffic to any host
   except a valid WPD (once its identity and location are established),
   and MUST NOT allow network traffic from any host except valid WPDs.
   This includes all traffic from and to the client, no matter how it is
   generated or handled (e.g., browser "plug-ins").

   This directive is designed to accommodate privacy-enhancing proxies;
   therefore, clients that cannot reasonably assure conformance to the
   requirements in this section MUST NOT allow a WPD with this flag set
   to be configured.

3.9.  privateMode

   A boolean indicating whether the client should be configured in
   "private mode" when this WPD is active.

   When True, clients SHOULD configure "private mode" browsing.

4.  Discovering WPD Files

   To facilitate easy configuration of WPD proxies, this specification
   defines a well-known URI [RFC5785].  Doing so allows a proxy's
   description to be found with a simple hostname; e.g.,
   "proxy.example.net" or even just "example.net".

   Clients MUST NOT use the DHCP "WPAD" mechanism to discover WPDs.








Nottingham               Expires April 17, 2015                 [Page 9]


Internet-Draft            Web Proxy Description             October 2014


4.1.  The web-proxy-desc well-known URI

   The "web-proxy-desc" well-known URI allows discovery of a Web Proxy
   Description (Section 3).

   This well-known URI is only valid when used with the "https" URI
   Scheme [RFC7230]; it MUST NOT be used with "http" URIs.  In other
   words, WPD discovery is always protected by TLS [RFC5246].

   The description found at this location is considered valid for its
   freshness lifetime, as defined in [RFC7234] Section 4.2.  Once stale,
   clients SHOULD refresh it and apply any changes.

   If the WPD is not retrievable (e.g., a 404 response status), invalid
   (as per JSON [RFC7159] or the requirements in Section 3), or its
   certificate is not valid for the host (as per [RFC2818] Section 3.1),
   the client MUST NOT use the WPD, and if a user agent, SHOULD inform
   the end user.

   The well-known URI MAY use proactive content negotiation ([RFC7231]
   Section 3.4.1) to select an appropriate language for the response
   representation.  Therefore, clients SHOULD send an Accept-Language
   request header field ([RFC7231] Section 5.3.5) when they wish to
   advertise their configured language.

   The registration template is:

   o  URI suffix: web-proxy-desc

   o  Change controller: IETF

   o  Specification document(s): [this document]

   o  Related information: only to be used with 'https' scheme

5.  IANA Considerations

   This specification registers a new well-known URI, as per [RFC5785].
   See Section 4.1 for the template.

6.  Security Considerations

   If a user can be convinced to configure a WPD hostname as their
   proxy, that host can observe all unencrypted traffic by the client.
   As such, WPD configuration interfaces ought only allow configuration
   of proxies once their identity is validated (as required), and the
   user ought to be given access to all relevant information about the
   WPD proxy (i.e., 'name', 'desc' and 'moreInfo', the latter as a



Nottingham               Expires April 17, 2015                [Page 10]


Internet-Draft            Web Proxy Description             October 2014


   link).  Furthermore, WPD proxies ought only be configured as the
   result of an intentional act, not as a side effect of normal Web
   browsing.

7.  Acknowledgements

   Thanks to Patrick McManus for his feedback and suggestions.

8.  References

8.1.  Normative References

   [I-D.ietf-httpbis-http2]
              Belshe, M., Peon, R., and M. Thomson, "Hypertext Transfer
              Protocol version 2", draft-ietf-httpbis-http2-14 (work in
              progress), July 2014.

   [RFC1918]  Rekhter, Y., Moskowitz, R., Karrenberg, D., Groot, G., and
              E. Lear, "Address Allocation for Private Internets", BCP
              5, RFC 1918, February 1996.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC2818]  Rescorla, E., "HTTP Over TLS", RFC 2818, May 2000.

   [RFC3986]  Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform
              Resource Identifier (URI): Generic Syntax", STD 66, RFC
              3986, January 2005.

   [RFC4632]  Fuller, V. and T. Li, "Classless Inter-domain Routing
              (CIDR): The Internet Address Assignment and Aggregation
              Plan", BCP 122, RFC 4632, August 2006.

   [RFC6761]  Cheshire, S. and M. Krochmal, "Special-Use Domain Names",
              RFC 6761, February 2013.

   [RFC6762]  Cheshire, S. and M. Krochmal, "Multicast DNS", RFC 6762,
              February 2013.

   [RFC6890]  Cotton, M., Vegoda, L., Bonica, R., and B. Haberman,
              "Special-Purpose IP Address Registries", BCP 153, RFC
              6890, April 2013.

   [RFC7159]  Bray, T., "The JavaScript Object Notation (JSON) Data
              Interchange Format", RFC 7159, March 2014.





Nottingham               Expires April 17, 2015                [Page 11]


Internet-Draft            Web Proxy Description             October 2014


   [RFC7230]  Fielding, R. and J. Reschke, "Hypertext Transfer Protocol
              (HTTP/1.1): Message Syntax and Routing", RFC 7230, June
              2014.

   [RFC7234]  Fielding, R., Nottingham, M., and J. Reschke, "Hypertext
              Transfer Protocol (HTTP/1.1): Caching", RFC 7234, June
              2014.

   [W3C.CR-html5-20140731]
              Berjon, R., Faulkner, S., Leithead, T., Navara, E.,
              O'Connor, E., and S. Pfeiffer, "HTML5", World Wide
              Web Consortium CR CR-html5-20140731, July 2014,
              <http://www.w3.org/TR/2014/CR-html5-20140731>.

8.2.  Informative References

   [RFC0826]  Plummer, D., "Ethernet Address Resolution Protocol: Or
              converting network protocol addresses to 48.bit Ethernet
              address for transmission on Ethernet hardware", STD 37,
              RFC 826, November 1982.

   [RFC5246]  Dierks, T. and E. Rescorla, "The Transport Layer Security
              (TLS) Protocol Version 1.2", RFC 5246, August 2008.

   [RFC5785]  Nottingham, M. and E. Hammer-Lahav, "Defining Well-Known
              Uniform Resource Identifiers (URIs)", RFC 5785, April
              2010.

   [RFC7231]  Fielding, R. and J. Reschke, "Hypertext Transfer Protocol
              (HTTP/1.1): Semantics and Content", RFC 7231, June 2014.

   [bad-proxy]
              Chen, S., Mao, Z., Wang, Y., and M. Zhang, "Pretty-Bad-
              Proxy: An Overlooked Adversary in Browsers' HTTPS
              Deployments", January 2009, <research.microsoft.com/
              jump/79323>.

Appendix A.  User Experience for WPDs

   There are a variety of ways to present proxy configuration to users
   and administrators, so this specification does not constrain how this
   is done.  That said, guidance for the common case (visual Web
   browsers) can be helpful in assuring consistent user experience.

   One of the core principles of this specification is that WPDs need to
   be explicitly configured, either by the end user or an administrator
   on their behalf.  This is because using a proxy is a security-
   sensitive operation; if an attacker can automatically configure a



Nottingham               Expires April 17, 2015                [Page 12]


Internet-Draft            Web Proxy Description             October 2014


   proxy, or convince a user to do so as part of accessing a site, they
   can gain access to the user's traffic, even when the user leaves the
   attacking network.

   Therefore, a user agent might allow configuration by entering a
   hostname (e.g., "example.net"), whereupon it retrieves the WPD,
   validates its certificate and contents, and present its information
   to the end user for confirmation.

   Once a WPD is confirmed, a user agent might "remember" it for future
   use; e.g., by allowing quick configuration through a drop-down menu.
   When a WPD nominates clientNetworks and the client does not have a
   suitable IP address, the drop-down might make that option
   unavailable.

   It is envisioned that only a single WPD ought be configured at a
   time; combining WPDs leads to ambiguity regarding precedence and
   therefore user confusion.

   When a WPD is active, its ought be visible to the end user, to remind
   them of its presence, and to offer more information about the
   configured proxy.

Author's Address

   Mark Nottingham

   Email: mnot@mnot.net
   URI:   http://www.mnot.net/






















Nottingham               Expires April 17, 2015                [Page 13]


Html markup produced by rfcmarkup 1.123, available from https://tools.ietf.org/tools/rfcmarkup/