Re: [apps-discuss] WGLC: draft-ietf-appsawg-http-forwarded-02.txt
Ben Niven-Jenkins <ben@niven-jenkins.co.uk> Wed, 02 May 2012 15:59 UTC
Return-Path: <ben@niven-jenkins.co.uk>
X-Original-To: apps-discuss@ietfa.amsl.com
Delivered-To: apps-discuss@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B871411E8085 for <apps-discuss@ietfa.amsl.com>; Wed, 2 May 2012 08:59:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -103.399
X-Spam-Level:
X-Spam-Status: No, score=-103.399 tagged_above=-999 required=5 tests=[AWL=-1.400, BAYES_00=-2.599, J_CHICKENPOX_37=0.6, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id P8kw0OGzcgZt for <apps-discuss@ietfa.amsl.com>; Wed, 2 May 2012 08:59:19 -0700 (PDT)
Received: from mailex.mailcore.me (mailex.mailcore.me [94.136.40.61]) by ietfa.amsl.com (Postfix) with ESMTP id A275021F8593 for <apps-discuss@ietf.org>; Wed, 2 May 2012 08:59:18 -0700 (PDT)
Received: from [81.134.152.4] (helo=xxx.corp.velocix.com) by mail4.atlas.pipex.net with esmtpa (Exim 4.71) (envelope-from <ben@niven-jenkins.co.uk>) id 1SPbws-0000Tp-8x; Wed, 02 May 2012 16:58:38 +0100
Mime-Version: 1.0 (Apple Message framework v1084)
Content-Type: text/plain; charset="us-ascii"
From: Ben Niven-Jenkins <ben@niven-jenkins.co.uk>
In-Reply-To: <4FA02AEA.1080407@isode.com>
Date: Wed, 02 May 2012 16:59:15 +0100
Content-Transfer-Encoding: quoted-printable
Message-Id: <29236FD5-51E7-4AC5-88EA-6B956E453D8A@niven-jenkins.co.uk>
References: <4FA02AEA.1080407@isode.com>
To: apps-discuss@ietf.org
X-Mailer: Apple Mail (2.1084)
X-Mailcore-Auth: 9600544
X-Mailcore-Domain: 172912
Cc: John Sullivan <jsullivan@velocix.com>
Subject: Re: [apps-discuss] WGLC: draft-ietf-appsawg-http-forwarded-02.txt
X-BeenThere: apps-discuss@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: General discussion of application-layer protocols <apps-discuss.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/apps-discuss>, <mailto:apps-discuss-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/apps-discuss>
List-Post: <mailto:apps-discuss@ietf.org>
List-Help: <mailto:apps-discuss-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/apps-discuss>, <mailto:apps-discuss-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 02 May 2012 15:59:19 -0000
Colleagues, I'm forwarding the following comments on draft-ietf-appsawg-http-forwarded-02 on behalf of John (cc'd) who is our resident HTTP expert but doesn't subscribe to the apps-discuss list. Thanks Ben === Start of John's comments: 0. First, I approve of the proposal in general: it is a big improvement over the current situation with multiple non-standardised headers partially/incompletely implemented by different software. 1. The ABNF gives: forwarded-pair = token "=" ( token / quoted-string ) token = 1*( /[-!#$%&'*+.^_`|~0-9A-Z]/ ) # httpbis-p1 S3.2.4 It is a happy coincidence that an IPv4address without an optional port happens to fall within the token syntax and therefore does not need to be a quoted-string, but neither an IPv4address with the optional port (which involves ":" which is not in tchar) or an IPv6address with or without port (which involve "[", "]" and ":" none of which are in tchar) are valid tokens and MUST be sent as quoted-string. What might casually seem to some to be the same syntax element therefore has different quoting/escaping rules depending on its exact makeup. Generators need to beware. Some might take the view that it is safest and easiest to simply use quoted-string in all cases, so consumers also need to beware that even an IPv4address with no port might be sent as a quoted-string. I think this should be explicitly called out, given this draft gets it wrong itself (see below). 2. The example in S4 is both wrong and odd. Forwarded: For=192.0.2.43,"for=[2001:db8:cafe::17]:47011" Forwarded: proto=https;by=198.51.100.60 By #rule this expands to a 3-element list For=192.0.2.43 "for=[2001:db8:cafe::17]:47011" proto=https;by=198.51.100.60 The second element does not match the ABNF: the first quote should be after the "=". The third element, while valid, looks like it might have been intended to be a run-on of the second thus creating a 2-element list where the second element has 3 parameters. (It's not clear how a client send an IPv6 request to an IPv4 endpoint though!) If this is deliberate then fine, but it perhaps makes for a confusing example. 3. S5.1 ("by" parameter) says: This is primarily added by reverse proxies that wish to forward this information to the backend server. I would add that this is especially useful for multi-homed proxies where the address that the backend server sees the forwarded request coming from is not the same as the address the proxy received the request on. (Where the two addresses are the same it seems superfluous.) 4. S5.2 ("for" parameter) says: The last proxy's IP address, and optionally a port number, are, however, readily available as the remote IP address of the TCP/IP connection. As above, the inbound address is not necessarily the same as the outbound address of the proxy. The "by" parameter where present might be a more valuable source of the "proxy's IP address". 5. S6.1 (address identifiers) says: The IPv6address SHOULD comply with textual representation recommendations [RFC5952] (e.g., lowercase, zero compression). But RFC 5952 defines a standard mechanism for generating the shortest (most compressed) textual representation of an IPv6 literal. 6. S7 says: As an example, the header field Forwarded: for=192.0.2.43,for=[2001:db8:cafe::17],for=unknown This is not valid syntax. The IPv6address contains non-tchars and must be transmitted as a quoted-string. 7. S7 also says: Note that this header field is relevant on a per request basis and MUST NOT be cached. It's not entirely clear where this comes from. Request headers are not normally cached, unless the origin invokes the Vary mechanism. Is it intended that this should disable the ability of an origin to say "Vary: Forwarded"? I can't see why this needs to be done (and in any case won't work with intermediates unaware of this specification.) Also note that this header field MUST NOT be preserved across redirects. This seems to presume an intermediate which follows redirects internally, preserving the original request state for each sub-request, and presents the final target as a response to the original incoming request. This seems to be an inadvisable thing to do in any case. (I had a vague idea it was prohibited, but can't find specific language in httpbis that provides guidance in either direction - apart from perhaps the p1-S3.1.1 direction to issue 301 responses to invalid request-lines rather than transparently fixing them. That seems closely related.) Instead, it might be worth noting when the incoming Forwarded header should be preserved or discarded: * Obviously a directly forwarded request should preserve/extend it. * If a single incoming request causes an intermediate to make multiple related inbound requests, then presumably one is a more direct analog of the original request and should preserve/extend the header, whereas the others are "internal" and should filter it out. * Unless of course the intermediate has detected a content mismatch in a 304 response and is following the httpbis-p4 S4.1 instructions to repeat the request unconditionally, in which case the new request is still basically a direct consequence of the origin request and the header should probably be kept. 8. Because Via is well established and mandatory and this is new and optional, consumers should also beware that the elements of Via may not match the elements of Forwarded: so although proto= may be present one will probably not be able to infer the corresponding HTTP version number, or the software version taken from Via of a particular intermediate identified within Forwarded. This remaining mismatch of capabilities (which within the X-Forwarded-* family this specification is intended to address) is perhaps unfortunate. === End of John's comments On 1 May 2012, at 19:26, Alexey Melnikov wrote: > Dear WG participants, > I would like to initiate WG Last Call on draft-ietf-appsawg-http-forwarded-02.txt ("Forwarded HTTP Extension"). Please send your reviews, as well as expressions of support regarding document readiness for IESG (or not) either to the mailing list, or directly to WG chairs (Murray Kucherawy <msk@cloudmark.com> and myself). Comments like "I've read the document and it is Ok to publish" or "I've read the document and it has the following issues" are useful and would be gratefully accepted by chairs. > > The WGLC will end on Friday, May 18th. > > Thank you, > Alexey as an APPSAWG co-chair. > > _______________________________________________ > apps-discuss mailing list > apps-discuss@ietf.org > https://www.ietf.org/mailman/listinfo/apps-discuss
- [apps-discuss] WGLC: draft-ietf-appsawg-http-forw… Alexey Melnikov
- Re: [apps-discuss] WGLC: draft-ietf-appsawg-http-… Willy Tarreau
- Re: [apps-discuss] WGLC: draft-ietf-appsawg-http-… Ben Niven-Jenkins
- Re: [apps-discuss] WGLC: draft-ietf-appsawg-http-… Andreas Petersson
- Re: [apps-discuss] WGLC: draft-ietf-appsawg-http-… Andreas Petersson
- Re: [apps-discuss] WGLC: draft-ietf-appsawg-http-… Julian Reschke
- [apps-discuss] WGLC comments on draft-ietf-appsaw… Julian Reschke
- Re: [apps-discuss] WGLC comments on draft-ietf-ap… Willy Tarreau
- Re: [apps-discuss] WGLC: draft-ietf-appsawg-http-… Willy Tarreau
- Re: [apps-discuss] WGLC: draft-ietf-appsawg-http-… John Sullivan
- Re: [apps-discuss] WGLC: draft-ietf-appsawg-http-… Andreas Petersson
- Re: [apps-discuss] WGLC: draft-ietf-appsawg-http-… Andreas Petersson