HTTP Working Group                                         M. Nottingham
Internet-Draft                                                 E. Nygren
Intended status: Standards Track                                  Akamai
Expires: April 1, August 17, 2017                               February 13, 2017                                September 28, 2016

                        The ORIGIN HTTP/2 Frame
                   draft-ietf-httpbis-origin-frame-01
                   draft-ietf-httpbis-origin-frame-02

Abstract

   This document specifies the ORIGIN frame for HTTP/2, to indicate what
   origins are available on a given connection.

Note to Readers

   Discussion of this draft takes place on the HTTP working group
   mailing list (ietf-http-wg@w3.org), which is archived at
   https://lists.w3.org/Archives/Public/ietf-http-wg/ .

   Working Group information can be found at http://httpwg.github.io/ ;
   source code and issues list for this draft can be found at
   https://github.com/httpwg/http-extensions/labels/origin-frame .

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on April 1, August 17, 2017.

Copyright Notice

   Copyright (c) 2016 2017 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
     1.1.  Notational Conventions  . . . . . . . . . . . . . . . . .   2   3
   2.  The ORIGIN HTTP/2 Frame . . . . . . . . . . . . . . . . . . .   2   3
     2.1.  The Origin Set  Syntax  . . . . . . . . . . . . . . . . . . . . . . . . .   3
     2.2.  Processing ORIGIN Frames  . . . . . . . . . . . . . . . .   3
     2.3.  The Origin Set  . . . . . . . . . . . . . . . . . . . . .   4
     2.4.  Authority, Push and Coalescing with ORIGIN  . . . . . . .   5
   3.  Security  IANA Considerations . . . . . . . . . . . . . . . . . . .   5 . .   6
   4.  Security Considerations . . . . . . . . . . . . . . . . . . .   6
   5.  References  . . . . . . . . . . . . . . . . . . . . . . . . .   6
     5.1.  Normative References  . . . . . . . . . . . . . . . . . .   6
     5.2.  Informative References  . .   5 . . . . . . . . . . . . . . .   7
   Appendix A.  Non-Normative Processing Algorithm . . . . . . . . .   7
   Appendix B.  Operational Considerations for Servers . . . . . . .   8
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .   5   8

1.  Introduction

   HTTP/2 [RFC7540] allows clients to coalesce different origins
   [RFC6454] onto the same connection when certain conditions are met.
   However, in certain cases, a connection is is not usable for a
   coalesced origin, so the 421 (Misdirected Request) status code
   ([RFC7540], Section 9.1.2) was defined.

   Using a status code in this manner allows clients to recover from
   misdirected requests, but at the penalty of adding latency.  To
   address that, this specification defines a new HTTP/2 frame type,
   "ORIGIN", to allow servers to indicate what origins a connection is
   usable for.

   Additionally, experience has shown that HTTP/2's requirement to
   establish server authority using both DNS and the server's
   certificate is onerous.  This specification relaxes the requirement
   to check DNS when the ORIGIN frame is in use.  Doing so has
   additional benefits, such as removing the latency associated with
   some DNS lookups, and improving DNS privacy.

1.1.  Notational Conventions

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].

2.  The ORIGIN HTTP/2 Frame

   The ORIGIN HTTP/2 frame ([RFC7540], Section 4) allows a server to
   indicate what origin(s) [RFC6454] the server would like the client to
   consider as members of the Origin Set (Section 2.1) 2.3) for the
   connection it occurs within.

2.1.  Syntax

   The ORIGIN frame type is 0xb (decimal 11).

   +-------------------------------+-------------------------------+
   |         Origin-Len (16)       | Origin? ASCII-Origin? (*)           ...
   +-------------------------------+-------------------------------+

   The ORIGIN frame's payload contains the following fields, sets of
   which may be repeated within the frame to indicate multiple origins:

   Origin-Len:  An unsigned, 16-bit integer indicating the length, in
      octets, of the Origin ASCII-Origin field.

   Origin:  An optional sequence of characters containing the ASCII
      serialization of an origin ([RFC6454], Section 6.2) that the
      sender believes this connection is or could be authoritative for.

   The ORIGIN frame defines the following flags:

   CLEAR (0x1):  Indicates does not define any flags.  However, future updates
   to this specification MAY define flags.  See Section 2.2.

2.2.  Processing ORIGIN Frames

   The ORIGIN frame is a non-critical extension to HTTP/2.  Endpoints
   that do not support this frame can safely ignore it upon receipt.

   When received by an implementing client, it is used to initialise and
   manipulate the Origin Set (see Section 2.3), thereby changing how the
   client establishes authority for origin servers (see Section 2.4).

   The origin frame MUST be reset to sent on stream 0; an empty
      set before processing the contents of the ORIGIN frame it occurs upon.

   REMOVE (0x2):  Indicates that on any
   other stream is invalid and MUST be ignored.

   Likewise, the origin(s) carried in ORIGIN frame is only valid on connections with the payload
      must "h2"
   protocol identifier, or when specifically nominated by the protocol's
   definition; it MUST be removed from ignored when received on a connection with the Origin Set, if present; if
   "h2c" protocol identifier.

   This specification does not present,
      it/they have no effect.

2.1. define any flags for the ORIGIN frame,
   but future updates might use them to change its semantics.  The first
   four flags (0x1, 0x2, 0x4 and 0x8) are reserved for backwards-
   incompatible changes, and therefore when any of them are set, the
   ORIGIN frame containing them MUST be ignored by clients conforming to
   this specification.  The remaining flags are reserved for backwards-
   compatible changes, and do not affect processing by clients
   conformant to this specification.

   The ORIGIN frame describes a property of the connection, and
   therefore is processed hop-by-hop.  An intermediary MUST NOT forward
   ORIGIN frames.  Clients configured to use a proxy MUST ignore any
   ORIGIN frames received from it.

   Each ASCII-Origin field in the frame's payload MUST be parsed as an
   ASCII serialisation of an origin ([RFC6454], Section 6.2).  If
   parsing fails, the field MUST be ignored.

   See Appendix A for an illustrative algorithm for processing ORIGIN
   frames.

2.3.  The Origin Set

   The set of origins (as per [RFC6454]) that a given connection might
   be used for is known in this specification as the Origin Set.

   When

   By default, a connection connections's Origin Set is uninitialised.  When an
   ORIGIN frame is first established, its received and successfully processed by a
   client, the connection's Origin Set is defined to
   be those origins that contain a single
   origin, composed from:

   o  Scheme: "https"

   o  Host: the client would normally consider value sent in Server Name Indication ([RFC6066]
      Section 3), converted to lower case

   o  Port: the remote port of the connection authoritative for; see [RFC7540], Section 10.1. (i.e., the server's port)

   The contents of that ORIGIN frame (and subsequent ones) allows the
   server to modify the Origin Set. In
   particular:

   1.  A server can incrementally add to its members by sending an ORIGIN frame
       (without any flags set);

   2.  A server can prune one or more new origins from it to the Origin Set, as
   described in Section 2.2.

   The Origin Set is also affected by sending an
       ORIGIN frame the 421 (Misdirected Request)
   response status code, defined in [RFC7540] Section 9.1.2.  Upon
   receipt of a response with this status code, implementing clients
   MUST create the REMOVE flag set;

   3.  A server can ASCII serialisation of the corresponding request's
   origin (as per [RFC6454], Section 6.2) and remove all its members it from the
   connection's Origin Set, if present.

2.4.  Authority, Push and then add zero or more
       members by sending an ORIGIN frame Coalescing with the CLEAR flag set ORIGIN

   [RFC7540], Section 10.1 uses both DNS and a
       payload containing the new origins.

   Adding presented TLS
   certificate to establish the Origin Set (cases 1 and 3 above) does not imply origin server(s) that
   the a connection is
   authoritative for the added origins (in the sense
   of [RFC7540], for, just as HTTP/1.1 does in [RFC7230].  Furthermore,
   [RFC7540] Section 10.1) on its own; this MUST 9.1.1 explicitly allows a connection to be used for
   more than one origin server, if it is authoritative.  This affects
   what requests can be established sent on the connection, both in HEADERS frame by
   some other mechanism.

   A
   the client and as PUSH_PROMISE frames from the server.

   Once an Origin Set has been initialised for a connection, clients
   that implements implement this specification change these behaviors in the
   following ways:

   o  Clients MUST NOT use a connection consult DNS to establish the connection's
      authority for new requests.  The TLS certificate MUST stil be used
      to do so, as described in [RFC7540] Section 9.1.1.

   o  Clients sending a given origin unless that new request SHOULD use an existing connection if
      the request's origin appears is in the that connection's Origin Set Set, unless
      there are operational reasons for creating a new connection.

   o  Clients MUST use the connection, regardless of Origin Set to determine whether or not it believes a received
      PUSH_PROMISE is authoritative, as described in [RFC7540],
      Section 8.2.2.

   Note that clients are still required to perform checks on the
   certificate presented by the server for each origin that a connection
   is authoritative used for; see [RFC7540] Section 9.1.1 for more information.  This
   includes verifying that origin.

2.2.  Processing ORIGIN Frames

   The the host matches a "dNSName" value from the
   certificate "subjectAltName" field (using the wildcard rules defined
   in [RFC2818]; see also [RFC5280] Section 4.2.1.6).

   Because ORIGIN frame can change the set of origins a connection is used for
   over time, it is possible that a non-critical extension client might have more than one
   viable connection to HTTP/2.  Endpoints
   that do not support this frame can safely ignore it upon receipt. an origin open at any time.  When received by this occurs,
   clients SHOULD not emit new requests on any connection whose Origin
   Set is a client, subset of another connection's Origin Set, and SHOULD close
   it can once all outstanding requests are satisfied.

3.  IANA Considerations

   This specification adds an entry to the "HTTP/2 Frame Type" registry.

   o  Frame Type: ORIGIN

   o  Code: 0xb

   o  Specification: [this document]

4.  Security Considerations

   Clients that blindly trust the ORIGIN frame's contents will be used
   vulnerable to inform HTTP/2 connection
   coalescing (see a large number of attacks.  See Section 2.1), but does not relax 2.4 for
   mitigations.

   Relaxing the requirement
   there that the server is authoritative.

   The to consult DNS when determining authority
   for an origin frame MUST be sent on stream 0; means that an ORIGIN frame on any
   other stream is invalid and MUST attacker who possesses a valid
   certificate no longer needs to be ignored.

   The ORIGIN frame is processed hop-by-hop.  An intermediary MUST NOT
   forward ORIGIN frames.  Clients configured on-path to redirect traffic to
   them; instead of modifying DNS, they need only convince the user to
   visit another Web site, in order to coalesce connections to the
   target onto their existing connection.

5.  References

5.1.  Normative References

   [RFC2119]  Bradner, S., "Key words for use a proxy MUST ignore
   any ORIGIN frames received from it. in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997,
              <http://www.rfc-editor.org/info/rfc2119>.

   [RFC2818]  Rescorla, E., "HTTP Over TLS", RFC 2818,
              DOI 10.17487/RFC2818, May 2000,
              <http://www.rfc-editor.org/info/rfc2818>.

   [RFC5280]  Cooper, D., Santesson, S., Farrell, S., Boeyen, S.,
              Housley, R., and W. Polk, "Internet X.509 Public Key
              Infrastructure Certificate and Certificate Revocation List
              (CRL) Profile", RFC 5280, DOI 10.17487/RFC5280, May 2008,
              <http://www.rfc-editor.org/info/rfc5280>.

   [RFC6066]  Eastlake 3rd, D., "Transport Layer Security (TLS)
              Extensions: Extension Definitions", RFC 6066,
              DOI 10.17487/RFC6066, January 2011,
              <http://www.rfc-editor.org/info/rfc6066>.

   [RFC6454]  Barth, A., "The Web Origin Concept", RFC 6454,
              DOI 10.17487/RFC6454, December 2011,
              <http://www.rfc-editor.org/info/rfc6454>.

   [RFC7540]  Belshe, M., Peon, R., and M. Thomson, Ed., "Hypertext
              Transfer Protocol Version 2 (HTTP/2)", RFC 7540,
              DOI 10.17487/RFC7540, May 2015,
              <http://www.rfc-editor.org/info/rfc7540>.

5.2.  Informative References

   [RFC5988]  Nottingham, M., "Web Linking", RFC 5988,
              DOI 10.17487/RFC5988, October 2010,
              <http://www.rfc-editor.org/info/rfc5988>.

   [RFC7230]  Fielding, R., Ed. and J. Reschke, Ed., "Hypertext Transfer
              Protocol (HTTP/1.1): Message Syntax and Routing",
              RFC 7230, DOI 10.17487/RFC7230, June 2014,
              <http://www.rfc-editor.org/info/rfc7230>.

   [RFC7838]  Nottingham, M., McManus, P., and J. Reschke, "HTTP
              Alternative Services", RFC 7838, DOI 10.17487/RFC7838,
              April 2016, <http://www.rfc-editor.org/info/rfc7838>.

Appendix A.  Non-Normative Processing Algorithm

   The following algorithm illustrates how a client can could handle
   received ORIGIN frames:

   1.  If the client is configured to use a proxy, proxy for the connection,
       ignore the frame and stop processing.

   2.  If the connection is not identified with the "h2" protocol
       identifier or another protocol that has explicitly opted into
       this specification, ignore the frame and stop processing.

   3.  If the frame occurs upon any stream except stream 0, ignore the
       frame and stop processing.

   3.

   4.  If any of the CLEAR flag is flags 0x1, 0x2, 0x4 or 0x8 are set, remove all members from ignore the
       frame and stop processing.

   5.  If no previous ORIGIN frame on the connection has reached this
       step, initialise the Origin Set.

   4. Set as per Section 2.3.

   6.  For each Origin field "origin_raw" in the frame payload:

       1.  Parse "origin_raw" as an ASCII serialization of an origin
           ([RFC6454], Section 6.2) and let the result be
           "parsed_origin".

       2.  If the REMOVE flag is set, remove any member of the Origin
           Set that is the same as "parsed_origin" (as per [RFC6454],
           Section 5), and continue parsing fails, skip to the next "parsed_origin".

       3.  Otherwise, add
           "origin_raw".

       2.  Add "parsed_origin" to the Origin Set.

3.  Security

Appendix B.  Operational Considerations

   Clients for Servers

   The ORIGIN frame allows a server to indicate for which origins a
   given connection ought be used.

   For example, it can be used to inform the client that blindly trust the connection
   is to only be used for the SNI-based origin, by sending an empty
   ORIGIN frame's contents will frame.  Or, a larger number of origins can be
   vulnerable indicated by
   including a payload.

   Generally, this information is most useful to send before sending any
   part of a response that might initiate a new connection; for example,
   "Link" headers [RFC5988] in a response HEADERS, or links in the
   response body.

   Therefore, the ORIGIN frame ought be sent as soon as possible on a
   connection, ideally before any HEADERS or PUSH_PROMISE frames.

   However, if it's desirable to associate a large number of attacks; hence origins
   with a connection, doing so might introduce end-user perceived
   latency, due to their size.  As a result, it might be necessary to
   select a "core" set of origins to send initially, expanding the reinforcement that
   this specification does not relax set
   of origins the requirement connection is used for server
   authority in [RFC7540], with subsequent ORIGIN frames
   later (e.g., when the connection is idle).

   Senders should note that, as per [RFC6454] Section 10.1.

4.  Normative References

   [RFC2119]  Bradner, S., "Key words for use 4, the values in RFCs
   an ORIGIN header need to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997,
              <http://www.rfc-editor.org/info/rfc2119>.

   [RFC6454]  Barth, A., "The Web be case-normalised before serialisation.

   Finally, servers that allow alternative services [RFC7838] will need
   to explicitly advertise those origins when sending ORIGIN, because
   the default contents of the Origin Concept", RFC 6454,
              DOI 10.17487/RFC6454, December 2011,
              <http://www.rfc-editor.org/info/rfc6454>.

   [RFC7540]  Belshe, M., Peon, R., and M. Thomson, Ed., "Hypertext
              Transfer Protocol Version 2 (HTTP/2)", RFC 7540,
              DOI 10.17487/RFC7540, May 2015,
              <http://www.rfc-editor.org/info/rfc7540>. Set (as per Section 2.3) do not
   contain any Alternative Services, even if they have been used
   previously on the connection.

Authors' Addresses

   Mark Nottingham
   Akamai

   Email: mnot@mnot.net
   URI:   https://www.mnot.net/
   Erik Nygren
   Akamai

   Email: nygren@akamai.com