MASQUE A. Chernyakhovsky Internet-Draft D. McCall Intended status: Standards Track D. Schinazi Expires: 28 February 2022 Google LLC 27 August 2021 The CONNECT-IP HTTP Method draft-cms-masque-connect-ip-02 Abstract This document describes the CONNECT-IP HTTP method. CONNECT-IP is similar to CONNECT-UDP, but allows transmitting IP packets, without being limited to just TCP like CONNECT or UDP like CONNECT-UDP. Discussion Venues This note is to be removed before publishing as an RFC. Discussion of this document takes place on the Multiplexed Application Substrate over QUIC Encryption Working Group mailing list (masque@ietf.org), which is archived at https://mailarchive.ietf.org/arch/browse/masque/. Source for this draft and an issue tracker can be found at https://github.com/DavidSchinazi/draft-cms-masque-connect-ip. Status of This Memo This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at https://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." This Internet-Draft will expire on 28 February 2022. Chernyakhovsky, et al. Expires 28 February 2022 [Page 1] Internet-Draft CONNECT-IP August 2021 Copyright Notice Copyright (c) 2021 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/ license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License. Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 1.1. Conventions and Definitions . . . . . . . . . . . . . . . 3 2. The CONNECT-IP Method . . . . . . . . . . . . . . . . . . . . 3 3. Transmitting IP Packets using HTTP Datagrams . . . . . . . . 4 4. Forwarding of IP Packets . . . . . . . . . . . . . . . . . . 4 5. Capsules . . . . . . . . . . . . . . . . . . . . . . . . . . 5 5.1. ADDRESS_ASSIGN Capsule . . . . . . . . . . . . . . . . . 5 5.2. ADDRESS_REQUEST Capsule . . . . . . . . . . . . . . . . . 6 5.3. SHUTDOWN Capsule . . . . . . . . . . . . . . . . . . . . 6 6. Extensibility Considerations . . . . . . . . . . . . . . . . 7 7. Security Considerations . . . . . . . . . . . . . . . . . . . 7 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 7 8.1. HTTP Method . . . . . . . . . . . . . . . . . . . . . . . 7 8.2. Capsule Type Registrations . . . . . . . . . . . . . . . 8 9. References . . . . . . . . . . . . . . . . . . . . . . . . . 8 9.1. Normative References . . . . . . . . . . . . . . . . . . 8 9.2. Informative References . . . . . . . . . . . . . . . . . 9 Appendix A. Examples . . . . . . . . . . . . . . . . . . . . . . 9 A.1. Consumer VPN . . . . . . . . . . . . . . . . . . . . . . 9 Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . 10 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 10 1. Introduction This document describes the CONNECT-IP HTTP method. CONNECT-IP is similar to CONNECT-UDP, but allows transmitting IP packets, without being limited to just TCP like CONNECT or UDP like CONNECT-UDP. CONNECT-IP allows endpoints to set up an IP tunnel between one another. This can be used to implement a consumer VPN, point-to- point and point-to-network capabilities as described in [REQS]. Chernyakhovsky, et al. Expires 28 February 2022 [Page 2] Internet-Draft CONNECT-IP August 2021 1.1. Conventions and Definitions The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here. In this document, we use the term "proxy" to refer to the HTTP server that responds to the CONNECT-IP request. If there are HTTP intermediaries (as defined in Section 2.3 of [RFC7230]) between the client and the proxy, those are referred to as "intermediaries" in this document. 2. The CONNECT-IP Method The CONNECT-IP method establishes a stream to an endpoint server that then permits the exchange of control data, such as IP address information and other relevant information for successfully transmitting IP datagrams between hosts. The request-target of a CONNECT-IP request is a URI [URI] which uses the "https" scheme and a client-specified path. When using HTTP/2 [H2] or later, CONNECT-IP requests use HTTP pseudo-headers with the following requirements: * The ":method" pseudo-header field is set to "CONNECT-IP". * The ":scheme" pseudo-header field is set to "https". * The ":path" pseudo-header field is set to the value provided by the client. That value MUST NOT be empty. * The ":authority" pseudo-header field contains the host and port of the proxy. The target of a CONNECT-IP request is the server providing the CONNECT-IP featureset, not an individual endpoint with which a connection is desired. A CONNECT-IP request that does not conform to these restrictions is malformed (see [H2], Section 8.1.2.6). Any 2xx (Successful) response indicates that the proxy is willing to open an IP tunnel between it and the client. Any response other than a successful response indicates that the tunnel has not yet been formed. Chernyakhovsky, et al. Expires 28 February 2022 [Page 3] Internet-Draft CONNECT-IP August 2021 A proxy MUST NOT send any Transfer-Encoding or Content-Length header fields in a 2xx (Successful) response to CONNECT-IP. A client MUST treat a successful response to CONNECT-IP containing any Content- Length or Transfer-Encoding header fields as malformed. A payload within a CONNECT-IP request message has no defined semantics; a CONNECT-IP request with a non-empty payload is malformed. Note that the CONNECT-IP stream is used to convey control messages, but they are not semantically part of the request or response themselves. Responses to the CONNECT-IP method are not cacheable. The lifetime of the tunnel is tied to the CONNECT-IP stream. Closing the stream (via the FIN bit on a QUIC STREAM frame, or a QUIC RESET_STREAM frame) closes the associated tunnel. 3. Transmitting IP Packets using HTTP Datagrams IP packets are sent using HTTP Datagrams [HTTP-DGRAM]. The HTTP Datagram Payload contains a full IP packet, from the IP Version field until the last byte of the IP Payload. In order to use HTTP Datagrams, the CONNECT-IP client will first decide whether or not to use HTTP Datagram Contexts and then register its context ID (or lack thereof) using the corresponding registration capsule, see [HTTP-DGRAM]. Since HTTP Datagrams require prior negotiation (for example, in HTTP/3 it is necessary to both send and receive the H3_DATAGRAM SETTINGS Parameter), clients MUST NOT send any HTTP Datagrams until they have established support on a given connection. If negotiation of HTTP Datagrams fails (for example if an HTTP/3 SETTINGS frame was received without the H3_DATAGRAM SETTINGS Parameter), the client MUST consider its CONNECT-IP request as failed. 4. Forwarding of IP Packets Since CONNECT-IP allows the transmission of IP packets over HTTP, CONNECT-IP endpoints will most often forward these packets to and from traditional IP interfaces. As such, CONNECT-IP endpoints act as IP routers. When a CONNECT-IP endpoint receives an HTTP Datagram containing an IP packet, it will parse the packet's IP header, perform any local policy checks (e.g., source address validation), check their routing table to pick an outbound interface, and then use an implementation-specific mechanism (such as raw sockets) to send the IP packet on that interface. Chernyakhovsky, et al. Expires 28 February 2022 [Page 4] Internet-Draft CONNECT-IP August 2021 Conversely, when a CONNECT-IP endpoint receives an IP packet whose destination address does not match any local addresses, it consults its routing table to pick a forwarding destination, and if the table points to a CONNECT-IP tunnel, the endpoint performs the same forwarding checks before transmitting the packet inside the tunnel. Note that CONNECT-IP endpoints will decrement the IP Hop Count (or TTL) upon encapsulation but not decapsulation. In other words, the Hop Count is decremented right before an IP packet is transmitted in an HTTP Datagram. This prevents infinite loops in the presence of routing loops, and matches the choices in IPsec [IPSEC]. Endpoints MAY implement additional filtering policies on the IP packets they forward. 5. Capsules 5.1. ADDRESS_ASSIGN Capsule The ADDRESS_ASSIGN capsule allows an endpoint to inform its peer that it has assigned an IP address to it. It allows assigning a prefix which can contain multiple addresses. This capsule uses a Capsule Type of 0xfff100. Its value uses the following format: ADDRESS_ASSIGN Capsule { IP Version (8), IP Address (32..128), IP Prefix Length (8), } Figure 1: ADDRESS_ASSIGN Capsule Format IP Version: IP Version of this address assignment. MUST be either 4 or 6. IP Address: Assigned IP address. If the IP Version field has value 4, the IP Address field SHALL have a length of 32 bits. If the IP Version field has value 6, the IP Address field SHALL have a length of 128 bits. IP Prefix Length: Length of the IP Prefix assigned, in bits. MUST be lesser or equal to the length of the IP Address field, in bits. Chernyakhovsky, et al. Expires 28 February 2022 [Page 5] Internet-Draft CONNECT-IP August 2021 5.2. ADDRESS_REQUEST Capsule The ADDRESS_REQUEST capsule allows an endpoint to request assignment of an IP address from its peer. It allows the endpoint to optionally indicate a preference for which address it would get assigned. This capsule uses a Capsule Type of 0xfff101. Its value uses the following format: ADDRESS_REQUEST Capsule { IP Version (8), IP Address (32..128), IP Prefix Length (8), } Figure 2: ADDRESS_REQUEST Capsule Format IP Version: IP Version of this address request. MUST be either 4 or 6. IP Address: Requested IP address. If the IP Version field has value 4, the IP Address field SHALL have a length of 32 bits. If the IP Version field has value 6, the IP Address field SHALL have a length of 128 bits. IP Prefix Length: Length of the IP Prefix requested, in bits. MUST be lesser or equal to the length of the IP Address field, in bits. Upon receiving the ADDRESS_REQUEST capsule, an endpoint SHOULD assign an IP address to its peer, and then respond with an ADDRESS_ASSIGN capsule to inform the peer of the assignment. 5.3. SHUTDOWN Capsule The SHUTDOWN capsule allows an endpoint to communicate to its peer that it is about to close the CONNECT-IP stream, with a string explaining the reason for the shutdown. This capsule uses a Capsule Type of 0xfff105. Its value uses the following format: SHUTDOWN Capsule { Reason Phrase (..), } Figure 3: SHUTDOWN Capsule Format Reason Phrase: Additional diagnostic information for the shutdown. Chernyakhovsky, et al. Expires 28 February 2022 [Page 6] Internet-Draft CONNECT-IP August 2021 This SHOULD be a UTF-8 encoded string [UTF8], though the frame does not carry information, such as language tags, that would aid comprehension by any entity other than the one that created the text. Note that the SHUTDOWN capsule is informational, the tunnel is only closed when its corresponding CONNECT-IP stream is closed. Endpoints MAY close the tunnel with a reason phrase by sending the SHUTDOWN capsule with the FIN bit set on the underlying QUIC STREAM frame that carried it. 6. Extensibility Considerations CONNECT-IP can be extended via multiple mechanisms to increase functionality. There are three main ways to extend CONNECT-IP: HTTP headers, Capsule Types, and HTTP Datagram Registration Extension Data. For example, an authentication extension could define an HTTP header that allows endpoints to send authentication credentials to their peer during the creation of the tunnel. Alternatively, one could specify an extension that defines a new Capsule Type which allows exchanging DNS configuration between endpoints. Additionally, an extension to CONNECT-IP can use multiple HTTP Datagram Contexts [HTTP-DGRAM] simultaneously to compress some IP packets by associating the compression context with an HTTP Datagram Context ID. 7. Security Considerations There are significant risks in allowing arbitrary clients to establish a tunnel to arbitrary servers, as that could allow bad actors to send traffic and have it attributed to the proxy. Proxies that support CONNECT-IP SHOULD restrict its use to authenticated users. The HTTP Authorization header [AUTH] MAY be used to authenticate clients. More complex authentication schemes are out of scope for this document but can be implemented using CONNECT-IP extensions. Since CONNECT-IP endpoints can proxy IP packets send by their peer, they SHOULD follow the guidance in [BCP38] to help prevent denial of service attacks. 8. IANA Considerations 8.1. HTTP Method This document will request IANA to register "CONNECT-IP" in the HTTP Method Registry (IETF review) maintained at . Chernyakhovsky, et al. Expires 28 February 2022 [Page 7] Internet-Draft CONNECT-IP August 2021 +-------------+------+------------+---------------+ | Method Name | Safe | Idempotent | Reference | +-------------+------+------------+---------------+ | CONNECT-IP | no | no | This document | +-------------+------+------------+---------------+ 8.2. Capsule Type Registrations This document will request IANA to add the following values to the "HTTP Capsule Types" registry created by [HTTP-DGRAM]: +----------+---------------------+---------------------+---------------+ | Value | Type | Description | Reference | +----------+---------------------+---------------------+---------------+ | 0xfff100 | ADDRESS_ASSIGN | Address Assignment | This document | | 0xfff101 | ADDRESS_REQUEST | Address Request | This document | | 0xfff105 | SHUTDOWN | Shutdown Reason | This document | +----------+---------------------+---------------------+---------------+ 9. References 9.1. Normative References [BCP38] Ferguson, P. and D. Senie, "Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing", BCP 38, RFC 2827, DOI 10.17487/RFC2827, May 2000, . [H2] Belshe, M., Peon, R., and M. Thomson, Ed., "Hypertext Transfer Protocol Version 2 (HTTP/2)", RFC 7540, DOI 10.17487/RFC7540, May 2015, . [HTTP-DGRAM] Schinazi, D. and L. Pardue, "Using Datagrams with HTTP", Work in Progress, Internet-Draft, draft-ietf-masque-h3- datagram-03, 12 July 2021, . [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997, . Chernyakhovsky, et al. Expires 28 February 2022 [Page 8] Internet-Draft CONNECT-IP August 2021 [RFC7230] Fielding, R., Ed. and J. Reschke, Ed., "Hypertext Transfer Protocol (HTTP/1.1): Message Syntax and Routing", RFC 7230, DOI 10.17487/RFC7230, June 2014, . [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, May 2017, . [URI] Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform Resource Identifier (URI): Generic Syntax", STD 66, RFC 3986, DOI 10.17487/RFC3986, January 2005, . [UTF8] Yergeau, F., "UTF-8, a transformation format of ISO 10646", STD 63, RFC 3629, DOI 10.17487/RFC3629, November 2003, . 9.2. Informative References [AUTH] Fielding, R., Ed. and J. Reschke, Ed., "Hypertext Transfer Protocol (HTTP/1.1): Authentication", RFC 7235, DOI 10.17487/RFC7235, June 2014, . [IPSEC] Kent, S. and K. Seo, "Security Architecture for the Internet Protocol", RFC 4301, DOI 10.17487/RFC4301, December 2005, . [REQS] Chernyakhovsky, A., McCall, D., and D. Schinazi, "Requirements for a MASQUE Protocol to Proxy IP Traffic", Work in Progress, Internet-Draft, draft-ietf-masque-ip- proxy-reqs-03, 27 August 2021, . Appendix A. Examples A.1. Consumer VPN In this scenario, the client will typically receive a single IP address that the proxy has picked from a pool of addresses it maintains. The client will route all traffic through the tunnel. The exchange could look as follows: Chernyakhovsky, et al. Expires 28 February 2022 [Page 9] Internet-Draft CONNECT-IP August 2021 Client Server ADDRESS_REQUEST --------> IP Version = 4 IP Address = 0.0.0.0 IP Prefix Length = 0 <-------- ADDRESS_ASSIGN IP Version = 4 IP Address = 192.0.2.42 IP Prefix Length = 32 Acknowledgments The design of CONNECT-IP was inspired by discussions in the MASQUE working group around [REQS]. The authors would like to thank participants in those discussions for their feedback. Authors' Addresses Alex Chernyakhovsky Google LLC 1600 Amphitheatre Parkway Mountain View, California 94043, United States of America Email: achernya@google.com Dallas McCall Google LLC 1600 Amphitheatre Parkway Mountain View, California 94043, United States of America Email: dallasmccall@google.com David Schinazi Google LLC 1600 Amphitheatre Parkway Mountain View, California 94043, United States of America Email: dschinazi.ietf@gmail.com Chernyakhovsky, et al. Expires 28 February 2022 [Page 10]