draft-ietf-httpbis-tunnel-protocol-02.txt   draft-ietf-httpbis-tunnel-protocol-03.txt 
HTTP Working Group A. Hutton HTTP Working Group A. Hutton
Internet-Draft Unify Internet-Draft Unify
Intended status: Standards Track J. Uberti Intended status: Standards Track J. Uberti
Expires: September 25, 2015 Google Expires: October 20, 2015 Google
M. Thomson M. Thomson
Mozilla Mozilla
March 24, 2015 April 18, 2015
The Tunnel-Protocol HTTP Header Field The ALPN HTTP Header Field
draft-ietf-httpbis-tunnel-protocol-02 draft-ietf-httpbis-tunnel-protocol-03
Abstract Abstract
This specification allows HTTP CONNECT requests to indicate what This specification allows HTTP CONNECT requests to indicate what
protocol will be used within the tunnel once established, using the protocol will be used within the tunnel once established, using the
Tunnel-Protocol header field. ALPN header field.
Editorial Note (To be removed by RFC Editor) Editorial Note (To be removed by RFC Editor)
Discussion of this draft takes place on the HTTPBIS working group Discussion of this draft takes place on the HTTPBIS working group
mailing list (ietf-http-wg@w3.org), which is archived at [1]. mailing list (ietf-http-wg@w3.org), which is archived at [1].
Working Group information can be found at [2] and [3]; source code Working Group information can be found at [2] and [3]; source code
and issues list for this draft can be found at [4]. and issues list for this draft can be found at [4].
Status of This Memo Status of This Memo
skipping to change at page 1, line 43 skipping to change at page 1, line 43
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on September 25, 2015. This Internet-Draft will expire on October 20, 2015.
Copyright Notice Copyright Notice
Copyright (c) 2015 IETF Trust and the persons identified as the Copyright (c) 2015 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License. described in the Simplified BSD License.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
1.1. Requirements Language . . . . . . . . . . . . . . . . . . 3 1.1. Requirements Language . . . . . . . . . . . . . . . . . . 3
2. The Tunnel-Protocol HTTP Header Field . . . . . . . . . . . . 3 2. The ALPN HTTP Header Field . . . . . . . . . . . . . . . . . 3
2.1. Header Field Values . . . . . . . . . . . . . . . . . . . 3 2.1. Header Field Values . . . . . . . . . . . . . . . . . . . 3
2.2. Syntax . . . . . . . . . . . . . . . . . . . . . . . . . 3 2.2. Syntax . . . . . . . . . . . . . . . . . . . . . . . . . 3
3. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 4 3. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 4
4. Security Considerations . . . . . . . . . . . . . . . . . . . 4 4. Security Considerations . . . . . . . . . . . . . . . . . . . 4
5. References . . . . . . . . . . . . . . . . . . . . . . . . . 5 5. References . . . . . . . . . . . . . . . . . . . . . . . . . 5
5.1. Normative References . . . . . . . . . . . . . . . . . . 5 5.1. Normative References . . . . . . . . . . . . . . . . . . 5
5.2. Informative References . . . . . . . . . . . . . . . . . 5 5.2. Informative References . . . . . . . . . . . . . . . . . 5
5.3. URIs . . . . . . . . . . . . . . . . . . . . . . . . . . 6 5.3. URIs . . . . . . . . . . . . . . . . . . . . . . . . . . 6
1. Introduction 1. Introduction
The HTTP CONNECT method (Section 4.3.6 of [RFC7231]) requests that The HTTP CONNECT method (Section 4.3.6 of [RFC7231]) requests that
the recipient establish a tunnel to the identified origin server and the recipient establish a tunnel to the identified origin server and
thereafter forward packets, in both directions, until the tunnel is thereafter forward packets, in both directions, until the tunnel is
closed. Such tunnels are commonly used to create end-to-end virtual closed. Such tunnels are commonly used to create end-to-end virtual
connections, through one or more proxies. connections, through one or more proxies.
The HTTP Tunnel-Protocol header field identifies the protocol that The HTTP ALPN header field identifies the protocol that will be
will be spoken within the tunnel, using the Application Layer spoken within the tunnel, using the Application Layer Protocol
Protocol Negotiation identifier (ALPN, [RFC7301]). Negotiation identifier (ALPN, [RFC7301]).
When the CONNECT method is used to establish a tunnel, the Tunnel- When the CONNECT method is used to establish a tunnel, the ALPN
Protocol header field can be used to identify the protocol that the header field can be used to identify the protocol that the client
client intends to use with that tunnel. For a tunnel that is then intends to use with that tunnel. For a tunnel that is then secured
secured using TLS [RFC5246], the header field carries the same using TLS [RFC5246], the header field carries the same application
application protocol label as will be carried within the TLS protocol label as will be carried within the TLS handshake. If there
handshake. If there are multiple possible application protocols, all are multiple possible application protocols, all of those application
of those application protocols are indicated. protocols are indicated.
The Tunnel-Protocol header field carries an indication of client The ALPN header field carries an indication of client intent only.
intent only. In TLS, the final choice of application protocol is In TLS, the final choice of application protocol is made by the
made by the server from the set of choices presented by the client. server from the set of choices presented by the client. Other
Other protocols could negotiate protocols differently. protocols could negotiate protocols differently.
Proxies do not implement the tunneled protocol, though they might Proxies do not implement the tunneled protocol, though they might
choose to make policy decisions based on the value of the header choose to make policy decisions based on the value of the header
field. For example, a proxy could use the application protocol to field. For example, a proxy could use the application protocol to
select appropriate traffic prioritization. select appropriate traffic prioritization.
1.1. Requirements Language 1.1. Requirements Language
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC 2119 [RFC2119]. document are to be interpreted as described in RFC 2119 [RFC2119].
2. The Tunnel-Protocol HTTP Header Field 2. The ALPN HTTP Header Field
Clients include the Tunnel-Protocol header field in an HTTP CONNECT Clients include the ALPN header field in an HTTP CONNECT request to
request to indicate the application layer protocol that will be used indicate the application layer protocol that will be used within the
within the tunnel, or the set of protocols that might be used within tunnel, or the set of protocols that might be used within the tunnel.
the tunnel.
2.1. Header Field Values 2.1. Header Field Values
Valid values for the protocol field are taken from the "Application- Valid values for the protocol field are taken from the "Application-
Layer Protocol Negotiation (ALPN) Protocol ID" registry ([5]) Layer Protocol Negotiation (ALPN) Protocol ID" registry ([5])
established by [RFC7301]. established by [RFC7301].
2.2. Syntax 2.2. Syntax
The ABNF (Augmented Backus-Naur Form) syntax for the Tunnel-Protocol The ABNF (Augmented Backus-Naur Form) syntax for the ALPN header
header field is given below. It is based on the Generic Grammar field is given below. It is based on the Generic Grammar defined in
defined in Section 2 of [RFC7230]. Section 2 of [RFC7230].
Tunnel-Protocol = "Tunnel-Protocol":" 1#protocol-id ALPN = "ALPN":" 1#protocol-id
protocol-id = token ; percent-encoded ALPN protocol identifier protocol-id = token ; percent-encoded ALPN protocol identifier
ALPN protocol names are octet sequences with no additional ALPN protocol names are octet sequences with no additional
constraints on format. Octets not allowed in tokens ([RFC7230], constraints on format. Octets not allowed in tokens ([RFC7230],
Section 3.2.6) MUST be percent-encoded as per Section 2.1 of Section 3.2.6) MUST be percent-encoded as per Section 2.1 of
[RFC3986]. Consequently, the octet representing the percent [RFC3986]. Consequently, the octet representing the percent
character "%" (hex 25) MUST be percent-encoded as well. character "%" (hex 25) MUST be percent-encoded as well.
In order to have precisely one way to represent any ALPN protocol In order to have precisely one way to represent any ALPN protocol
name, the following additional constraints apply: name, the following additional constraints apply:
skipping to change at page 4, line 12 skipping to change at page 4, line 12
o When using percent-encoding, uppercase hex digits MUST be used. o When using percent-encoding, uppercase hex digits MUST be used.
With these constraints, recipients can apply simple string comparison With these constraints, recipients can apply simple string comparison
to match protocol identifiers. to match protocol identifiers.
For example: For example:
CONNECT www.example.com HTTP/1.1 CONNECT www.example.com HTTP/1.1
Host: www.example.com Host: www.example.com
Tunnel-Protocol: h2, http%2F1.1 ALPN: h2, http%2F1.1
3. IANA Considerations 3. IANA Considerations
HTTP header fields are registered within the "Message Headers" HTTP header fields are registered within the "Message Headers"
registry maintained at [6]. This document defines and registers the registry maintained at [6]. This document defines and registers the
Tunnel-Protocol header field, according to [RFC3864] as follows: ALPN header field, according to [RFC3864] as follows:
Header Field Name: Tunnel-Protocol Header Field Name: ALPN
Protocol: http Protocol: http
Status: Standard Status: Standard
Reference: Section 2 Reference: Section 2
Change Controller: IETF (iesg@ietf.org) - Internet Engineering Task Change Controller: IETF (iesg@ietf.org) - Internet Engineering Task
Force Force
skipping to change at page 4, line 42 skipping to change at page 4, line 42
In case of using HTTP CONNECT to a TURN server ("Traversal Using In case of using HTTP CONNECT to a TURN server ("Traversal Using
Relays around NAT", [RFC5766]) the security considerations of Relays around NAT", [RFC5766]) the security considerations of
Section 4.3.6 of [RFC7231] apply. It states that there "are Section 4.3.6 of [RFC7231] apply. It states that there "are
significant risks in establishing a tunnel to arbitrary servers, significant risks in establishing a tunnel to arbitrary servers,
particularly when the destination is a well-known or reserved TCP particularly when the destination is a well-known or reserved TCP
port that is not intended for Web traffic. Proxies that support port that is not intended for Web traffic. Proxies that support
CONNECT SHOULD restrict its use to a limited set of known ports or a CONNECT SHOULD restrict its use to a limited set of known ports or a
configurable whitelist of safe request targets." configurable whitelist of safe request targets."
The Tunnel-Protocol header field described in this document is an The ALPN header field described in this document is an OPTIONAL
OPTIONAL header field. Clients and HTTP proxies could choose to not header field. Clients and HTTP proxies could choose to not support
support the header and therefore fail to provide it, or ignore it the header and therefore fail to provide it, or ignore it when
when present. If the header is not available or ignored, a proxy present. If the header is not available or ignored, a proxy cannot
cannot identify the purpose of the tunnel and use this as input to identify the purpose of the tunnel and use this as input to any
any authorization decision regarding the tunnel. This is authorization decision regarding the tunnel. This is
indistinguishable from the case where either client or proxy does not indistinguishable from the case where either client or proxy does not
support the Tunnel-Protocol header field. support the ALPN header field.
The value of the Tunnel-Protocol header field could be falsified by a The value of the ALPN header field could be falsified by a client.
client. If the data being sent through the tunnel is encrypted (for If the data being sent through the tunnel is encrypted (for example,
example, with TLS [RFC5246]), then the proxy might not be able to with TLS [RFC5246]), then the proxy might not be able to directly
directly inspect the data to verify that the claimed protocol is the inspect the data to verify that the claimed protocol is the one which
one which is actually being used, though a proxy might be able to is actually being used, though a proxy might be able to perform
perform traffic analysis [TRAFFIC]. A proxy therefore cannot rely on traffic analysis [TRAFFIC]. A proxy therefore cannot rely on the
the value of the Tunnel-Protocol header field as a policy input in value of the ALPN header field as a policy input in all cases.
all cases.
5. References 5. References
5.1. Normative References 5.1. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997, Requirement Levels", BCP 14, RFC 2119, March 1997,
<http://www.rfc-editor.org/info/rfc2119>. <http://www.rfc-editor.org/info/rfc2119>.
[RFC3864] Klyne, G., Nottingham, M., and J. Mogul, "Registration [RFC3864] Klyne, G., Nottingham, M., and J. Mogul, "Registration
 End of changes. 19 change blocks. 
48 lines changed or deleted 46 lines changed or added

This html diff was produced by rfcdiff 1.42. The latest version is available from http://tools.ietf.org/tools/rfcdiff/