Google

vasilvv@google.com

General HTTP Working Group Internet-Draft This document describes the use of TLS Application-Level Protocol Settings (ALPS) in HTTP/2 and HTTP/3. Additionally, it defines a set of additional HTTP SETTINGS parameters that would normally be impractical without ALPS. Discussion Venues Discussion of this document takes place on the HTTPBIS Working Group mailing list (httpbis@ietf.org), which is archived at https://mailarchive.ietf.org/arch/browse/httpbis/. Source for this draft and an issue tracker can be found at https://github.com/vasilvv/httpbis-alps.

Introduction HTTP/2 defines a mechanism for exchanging the protocol settings using a SETTINGS frame (, Section 6.5). HTTP/3 uses a similar mechanism (, Section 7.2.4). One of the properties of the mechanism as defined by both of those protocols is that the parties start out without having access to the entirety of the peer's settings. This means that they have to initially operate using the default settings, and after receiving the SETTINGS frame, they have to find a way to transition from the default to the exchanged settings. HTTP is commonly used in conjunction with TLS. TLS performs its own handshake that precedes any data being exchanged by the HTTP layer itself. The TLS Application-Level Protocol Settings extension allows settings negotiation to be performed within the TLS handshake, thus making the result immediately available to the HTTP layer as soon as the handshake completes. This removes the need for synchronizing settings, and makes them available earlier than they would be otherwise. This document defines how ALPS is used with HTTP/2 and HTTP/3, and introduces certain new settings that would not be practical without ALPS.

Conventions and Definitions The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 when, and only when, they appear in all capitals, as shown here.

Use of ALPS in HTTP If ALPS is successfully negotiated during the TLS handshake for an HTTP/2 connection, the ALPS payload for both peers SHALL be a sequence of HTTP/2 frames. Frames SHALL NOT be present in ALPS unless they are explicitly allowed to be there; this document only allows the SETTINGS frame (, Section 6.5.1). Sending a SETTINGS frame in ALPS supersedes the requirement to send a SETTINGS frame at the beginning of the connection. All settings exchanged via ALPS SHALL be automatically treated as acknowledged. If ALPS is successfully negotiated during TLS handshake for an HTTP/3 connection, the ALPS payload for both peers SHALL be a sequence of HTTP/3 frames. Frames SHALL NOT be present in ALPS unless they are explicitly allowed to be there; this document only allows the SETTINGS frame (, Section 7.2.4). Sending a SETTINGS frame in ALPS supersedes the requirement to send a SETTINGS frame at the beginning of the control stream. Since settings exchanged through ALPS are always available at the beginning of the connection, some HTTP extensions may opt to require those to be sent through ALPS. Such extensions are exempt from the initialization requirements of the Section 7.2.4.2 of .

New Settings In addition to specifying the use of ALPS, this document introduces a way for an endpoint to use HTTP/2 and HTTP/3 without any form of header compression. Previously, using SETTINGS to opt into the use of header compression would result in the first flight of requests being sent fully uncompressed; ALPS provides settings before any of the requests are sent, thus removing that concern. The following new HTTP/2 setting is introduced:

SETTINGS_HPACK_ENABLE_STATIC_TABLES (0x??):

May be "0" or "1". If set to "0", the only allowed HPACK instructions are "Literal Header Field without Indexing" and "Literal Header Field Never Indexed" (Sections 6.2.2 and 6.2.3 of ), with index set to "0", and the "H" bit set to zero for both string literals. The default value is "1".

The following new HTTP/3 setting is introduced:

SETTINGS_QPACK_ENABLE_STATIC_TABLES (0x??):

May be "0" or "1". If set to "0", the only allowed QPACK instruction is "Literal Field Line Without Name Reference", with the "H" bit set to zero for both string literals. The default value is "1".

Those settings MUST be supported by any endpoint that uses ALPS in conjunction with HTTP/2 or HTTP/3. Both of those settings MUST NOT be sent outside of the ALPS.

Security Considerations In ALPS, both client and server settings are sent encrypted. Settings communicated through ALPS are presented to all clients before they are authenticated; thus, if a server relies on TLS client authentication and considers its settings private, it MUST NOT use the mechanism defined in this document.

IANA Considerations IANA will add an "Allowed in ALPS" column to the "HTTP/2 Frames" section of the "Hypertext Transfer Protocol version 2 (HTTP/2) Parameters" registry, with a value set to "Yes" for SETTINGS (0x4), and to "No" for all other previously defined settings. IANA will add the following entry into the "HTTP/2 Settings" table:

Code

0x??

Name

HPACK_ENABLE_STATIC_TABLES

Initial Value

1

ALPS Only

Yes

Reference

This document

TODO: Add HTTP/3 once IANA has an HTTP/3 registry.

Normative References In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements. Akamai Technologies Google This specification describes an optimized expression of the semantics of the Hypertext Transfer Protocol (HTTP), referred to as HTTP version 2 (HTTP/2). HTTP/2 enables a more efficient use of network resources and a reduced perception of latency by introducing header field compression and allowing multiple concurrent exchanges on the same connection. It also introduces unsolicited push of representations from servers to clients. This specification is an alternative to, but does not obsolete, the HTTP/1.1 message syntax. HTTP's existing semantics remain unchanged. RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings. This specification defines HPACK, a compression format for efficiently representing HTTP header fields, to be used in HTTP/2.

Acknowledgments This document has benefited from contributions and suggestions from David Benjamin, Nick Harper, David Schinazi, and many others.