Re: [apps-discuss] WGLC: draft-ietf-appsawg-http-forwarded-02.txt
Ben Niven-Jenkins <ben@niven-jenkins.co.uk> Wed, 02 May 2012 15:59 UTC
Return-Path: <ben@niven-jenkins.co.uk>
X-Original-To: apps-discuss@ietfa.amsl.com
Delivered-To: apps-discuss@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B871411E8085 for <apps-discuss@ietfa.amsl.com>; Wed, 2 May 2012 08:59:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -103.399
X-Spam-Level:
X-Spam-Status: No, score=-103.399 tagged_above=-999 required=5 tests=[AWL=-1.400, BAYES_00=-2.599, J_CHICKENPOX_37=0.6, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id P8kw0OGzcgZt for <apps-discuss@ietfa.amsl.com>; Wed, 2 May 2012 08:59:19 -0700 (PDT)
Received: from mailex.mailcore.me (mailex.mailcore.me [94.136.40.61]) by ietfa.amsl.com (Postfix) with ESMTP id A275021F8593 for <apps-discuss@ietf.org>; Wed, 2 May 2012 08:59:18 -0700 (PDT)
Received: from [81.134.152.4] (helo=xxx.corp.velocix.com) by mail4.atlas.pipex.net with esmtpa (Exim 4.71) (envelope-from <ben@niven-jenkins.co.uk>) id 1SPbws-0000Tp-8x; Wed, 02 May 2012 16:58:38 +0100
Mime-Version: 1.0 (Apple Message framework v1084)
Content-Type: text/plain; charset="us-ascii"
From: Ben Niven-Jenkins <ben@niven-jenkins.co.uk>
In-Reply-To: <4FA02AEA.1080407@isode.com>
Date: Wed, 02 May 2012 16:59:15 +0100
Content-Transfer-Encoding: quoted-printable
Message-Id: <29236FD5-51E7-4AC5-88EA-6B956E453D8A@niven-jenkins.co.uk>
References: <4FA02AEA.1080407@isode.com>
To: apps-discuss@ietf.org
X-Mailer: Apple Mail (2.1084)
X-Mailcore-Auth: 9600544
X-Mailcore-Domain: 172912
Cc: John Sullivan <jsullivan@velocix.com>
Subject: Re: [apps-discuss] WGLC: draft-ietf-appsawg-http-forwarded-02.txt
X-BeenThere: apps-discuss@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: General discussion of application-layer protocols <apps-discuss.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/apps-discuss>, <mailto:apps-discuss-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/apps-discuss>
List-Post: <mailto:apps-discuss@ietf.org>
List-Help: <mailto:apps-discuss-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/apps-discuss>, <mailto:apps-discuss-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 02 May 2012 15:59:19 -0000
Colleagues,
I'm forwarding the following comments on draft-ietf-appsawg-http-forwarded-02 on behalf of John (cc'd) who is our resident HTTP expert but doesn't subscribe to the apps-discuss list.
Thanks
Ben
=== Start of John's comments:
0. First, I approve of the proposal in general: it is a big
improvement over the current situation with multiple non-standardised
headers partially/incompletely implemented by different software.
1. The ABNF gives:
forwarded-pair = token "=" ( token / quoted-string )
token = 1*( /[-!#$%&'*+.^_`|~0-9A-Z]/ ) # httpbis-p1 S3.2.4
It is a happy coincidence that an IPv4address without an optional
port happens to fall within the token syntax and therefore does
not need to be a quoted-string, but neither an IPv4address with
the optional port (which involves ":" which is not in tchar) or
an IPv6address with or without port (which involve "[", "]" and ":"
none of which are in tchar) are valid tokens and MUST be sent
as quoted-string.
What might casually seem to some to be the same syntax element
therefore has different quoting/escaping rules depending on its
exact makeup. Generators need to beware. Some might take the view
that it is safest and easiest to simply use quoted-string in all
cases, so consumers also need to beware that even an IPv4address
with no port might be sent as a quoted-string.
I think this should be explicitly called out, given this draft gets
it wrong itself (see below).
2. The example in S4 is both wrong and odd.
Forwarded: For=192.0.2.43,"for=[2001:db8:cafe::17]:47011"
Forwarded: proto=https;by=198.51.100.60
By #rule this expands to a 3-element list
For=192.0.2.43
"for=[2001:db8:cafe::17]:47011"
proto=https;by=198.51.100.60
The second element does not match the ABNF: the first quote should
be after the "=".
The third element, while valid, looks like it might have been
intended to be a run-on of the second thus creating a 2-element
list where the second element has 3 parameters. (It's not clear how
a client send an IPv6 request to an IPv4 endpoint though!) If this
is deliberate then fine, but it perhaps makes for a confusing example.
3. S5.1 ("by" parameter) says:
This is primarily added by reverse proxies that wish to forward this
information to the backend server.
I would add that this is especially useful for multi-homed proxies
where the address that the backend server sees the forwarded request
coming from is not the same as the address the proxy received the
request on. (Where the two addresses are the same it seems superfluous.)
4. S5.2 ("for" parameter) says:
The
last proxy's IP address, and optionally a port number, are, however,
readily available as the remote IP address of the TCP/IP connection.
As above, the inbound address is not necessarily the same as the
outbound address of the proxy. The "by" parameter where present might
be a more valuable source of the "proxy's IP address".
5. S6.1 (address identifiers) says:
The IPv6address SHOULD comply with textual representation
recommendations [RFC5952] (e.g., lowercase, zero compression).
But RFC 5952 defines a standard mechanism for generating the shortest
(most compressed) textual representation of an IPv6 literal.
6. S7 says:
As an example, the header field
Forwarded: for=192.0.2.43,for=[2001:db8:cafe::17],for=unknown
This is not valid syntax. The IPv6address contains non-tchars and must
be transmitted as a quoted-string.
7. S7 also says:
Note that this header field is relevant on a per request basis and
MUST NOT be cached.
It's not entirely clear where this comes from. Request headers are not
normally cached, unless the origin invokes the Vary mechanism. Is it
intended that this should disable the ability of an origin to say
"Vary: Forwarded"? I can't see why this needs to be done (and in any
case won't work with intermediates unaware of this specification.)
Also note that this header field MUST NOT be
preserved across redirects.
This seems to presume an intermediate which follows redirects internally,
preserving the original request state for each sub-request, and presents
the final target as a response to the original incoming request. This
seems to be an inadvisable thing to do in any case. (I had a vague idea
it was prohibited, but can't find specific language in httpbis that
provides guidance in either direction - apart from perhaps the p1-S3.1.1
direction to issue 301 responses to invalid request-lines rather than
transparently fixing them. That seems closely related.)
Instead, it might be worth noting when the incoming Forwarded header
should be preserved or discarded:
* Obviously a directly forwarded request should preserve/extend it.
* If a single incoming request causes an intermediate to make multiple
related inbound requests, then presumably one is a more direct
analog of the original request and should preserve/extend the header,
whereas the others are "internal" and should filter it out.
* Unless of course the intermediate has detected a content mismatch in
a 304 response and is following the httpbis-p4 S4.1 instructions to
repeat the request unconditionally, in which case the new request
is still basically a direct consequence of the origin request and
the header should probably be kept.
8. Because Via is well established and mandatory and this is new and
optional, consumers should also beware that the elements of Via may
not match the elements of Forwarded: so although proto= may be present
one will probably not be able to infer the corresponding HTTP version
number, or the software version taken from Via of a particular
intermediate identified within Forwarded. This remaining mismatch of
capabilities (which within the X-Forwarded-* family this specification
is intended to address) is perhaps unfortunate.
=== End of John's comments
On 1 May 2012, at 19:26, Alexey Melnikov wrote:
> Dear WG participants,
> I would like to initiate WG Last Call on draft-ietf-appsawg-http-forwarded-02.txt ("Forwarded HTTP Extension"). Please send your reviews, as well as expressions of support regarding document readiness for IESG (or not) either to the mailing list, or directly to WG chairs (Murray Kucherawy <msk@cloudmark.com> and myself). Comments like "I've read the document and it is Ok to publish" or "I've read the document and it has the following issues" are useful and would be gratefully accepted by chairs.
>
> The WGLC will end on Friday, May 18th.
>
> Thank you,
> Alexey as an APPSAWG co-chair.
>
> _______________________________________________
> apps-discuss mailing list
> apps-discuss@ietf.org
> https://www.ietf.org/mailman/listinfo/apps-discuss
- [apps-discuss] WGLC: draft-ietf-appsawg-http-forw… Alexey Melnikov
- Re: [apps-discuss] WGLC: draft-ietf-appsawg-http-… Willy Tarreau
- Re: [apps-discuss] WGLC: draft-ietf-appsawg-http-… Ben Niven-Jenkins
- Re: [apps-discuss] WGLC: draft-ietf-appsawg-http-… Andreas Petersson
- Re: [apps-discuss] WGLC: draft-ietf-appsawg-http-… Andreas Petersson
- Re: [apps-discuss] WGLC: draft-ietf-appsawg-http-… Julian Reschke
- [apps-discuss] WGLC comments on draft-ietf-appsaw… Julian Reschke
- Re: [apps-discuss] WGLC comments on draft-ietf-ap… Willy Tarreau
- Re: [apps-discuss] WGLC: draft-ietf-appsawg-http-… Willy Tarreau
- Re: [apps-discuss] WGLC: draft-ietf-appsawg-http-… John Sullivan
- Re: [apps-discuss] WGLC: draft-ietf-appsawg-http-… Andreas Petersson
- Re: [apps-discuss] WGLC: draft-ietf-appsawg-http-… Andreas Petersson