| < draft-saintandre-xdash-considered-harmful-00.txt | draft-saintandre-xdash-considered-harmful-01.txt > | |||
|---|---|---|---|---|
| Network Working Group P. Saint-Andre | Network Working Group P. Saint-Andre | |||
| Internet-Draft Cisco Systems, Inc. | Internet-Draft Cisco | |||
| Intended status: BCP July 2, 2010 | Intended status: BCP October 19, 2010 | |||
| Expires: January 3, 2011 | Expires: April 22, 2011 | |||
| "X-" Considered Harmful | "X-" Considered Harmful | |||
| draft-saintandre-xdash-considered-harmful-00 | draft-saintandre-xdash-considered-harmful-01 | |||
| Abstract | Abstract | |||
| Many application protocols use named parameters to represent data | Many application protocols use named parameters to represent data | |||
| (for example, header fields in Internet mail messages and HTTP | (for example, header fields in Internet mail messages and HTTP | |||
| requests). Historically, protocol designers and implementers have | requests). Historically, protocol designers and implementers have | |||
| often differentiated between "official" and "unofficial" parameters | often differentiated between "standard" and "experimental" parameters | |||
| by prefixing unofficial parameters with the string "X-". This | by prefixing experimental parameters with the string "X-". This | |||
| document argues that on balance the "X-" convention has more costs | document argues that, on balance, the "X-" convention has more costs | |||
| than benefits. | than benefits. | |||
| Status of this Memo | Status of this Memo | |||
| This Internet-Draft is submitted in full conformance with the | This Internet-Draft is submitted in full conformance with the | |||
| provisions of BCP 78 and BCP 79. | provisions of BCP 78 and BCP 79. | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at http://datatracker.ietf.org/drafts/current/. | Drafts is at http://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on January 3, 2011. | This Internet-Draft will expire on April 22, 2011. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2010 IETF Trust and the persons identified as the | Copyright (c) 2010 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (http://trustee.ietf.org/license-info) in effect on the date of | (http://trustee.ietf.org/license-info) in effect on the date of | |||
| publication of this document. Please review these documents | publication of this document. Please review these documents | |||
| carefully, as they describe your rights and restrictions with respect | carefully, as they describe your rights and restrictions with respect | |||
| to this document. Code Components extracted from this document must | to this document. Code Components extracted from this document must | |||
| include Simplified BSD License text as described in Section 4.e of | include Simplified BSD License text as described in Section 4.e of | |||
| the Trust Legal Provisions and are provided without warranty as | the Trust Legal Provisions and are provided without warranty as | |||
| described in the Simplified BSD License. | described in the Simplified BSD License. | |||
| Table of Contents | Table of Contents | |||
| 1. Argument . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 | 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 | |||
| 2. Security Considerations . . . . . . . . . . . . . . . . . . . . 4 | 2. Argument . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 | |||
| 3. IANA Considerations . . . . . . . . . . . . . . . . . . . . . . 4 | 3. Security Considerations . . . . . . . . . . . . . . . . . . . . 4 | |||
| 4. Informative References . . . . . . . . . . . . . . . . . . . . 4 | 4. IANA Considerations . . . . . . . . . . . . . . . . . . . . . . 4 | |||
| Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 5 | 5. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 5 | |||
| 6. Informative References . . . . . . . . . . . . . . . . . . . . 5 | ||||
| Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 6 | ||||
| 1. Argument | 1. Introduction | |||
| Many application protocols use named parameters to represent data | Many application protocols use named parameters to represent data | |||
| (for example, header fields in Internet mail messages and HTTP | (for example, header fields in Internet mail messages and HTTP | |||
| requests). Historically, protocol designers and implementers have | requests). Historically, protocol designers and implementers have | |||
| often differentiated between "official" and "unofficial" parameters | often differentiated between "standard" and "experimental" parameters | |||
| by prefixing unofficial parameters with the string "X-" (often | by prefixing experimental parameters with the string "X-", where the | |||
| pronounced "ex dash"). This document argues that on balance the "X-" | "X" stands for "eXperimental". This document argues that on balance | |||
| convention has more costs than benefits. | the "X-" convention has more costs than benefits. | |||
| The "X-" prefix has been in use since at least the publication of | 2. Argument | |||
| [RFC1154] in 1990, which set forth the following rule: | ||||
| The "X-" convention has been in use for email header fields since the | ||||
| publication of [RFC822] in 1982, which distinguished between | ||||
| Extension-fields and user-defined-fields as follows: | ||||
| The prefatory string "X-" will never be used in the names of | ||||
| Extension-fields. This provides user-defined fields with a | ||||
| protected set of names. | ||||
| That rule was restated by [RFC1154] as follows: | ||||
| Keywords beginning with "X-" are permanently reserved to | Keywords beginning with "X-" are permanently reserved to | |||
| implementation-specific use. No standard registered encoding | implementation-specific use. No standard registered encoding | |||
| keyword will ever begin with "X-". | keyword will ever begin with "X-". | |||
| This convention continued with various specifications for MIME | This convention continued with various specifications for MIME | |||
| [RFC2045] [RFC2046] [RFC2047], email [RFC2821] [RFC5321], HTTP | [RFC2045] [RFC2046] [RFC2047], email [RFC2821] [RFC5321], HTTP | |||
| [RFC2068] [RFC2616], and other technologies. | [RFC2068] [RFC2616], and other technologies. | |||
| The primary problem with the "X-" convention is that experimental or | ||||
| implementation-specific parameters have a tendency to become | ||||
| standardized (whether de jure or de facto), thus introducing the need | ||||
| for migration from the "X-" name to the standardized name. | ||||
| Migration, in turn, introduces interoperability issues because older | ||||
| implementations will support only the "X-" name and newer | ||||
| implementations might support only the standardized name. To | ||||
| preserve interoperability, newer implementations simply support the | ||||
| "X-" name forever, which means that the experimental name becomes a | ||||
| de facto standard (thus obviating the need for segregation of the | ||||
| name spaces in the first place). We can see this phenomenon at work | ||||
| in [RFC2068]: | ||||
| For compatibility with previous implementations of HTTP, | ||||
| applications should consider "x-gzip" and "x-compress" to be | ||||
| equivalent to "gzip" and "compress" respectively. | ||||
| One of the original reasons for segregation of name spaces into | ||||
| standard and experimental areas was the perceived difficulty of | ||||
| registering names. However, the solution to that problem has been | ||||
| simpler registration rules, such as those provided by [RFC3864] and | ||||
| [RFC4288], as well as separate registries for permanent and | ||||
| provisional names. Indeed, [RFC4288] explicitly calls out the | ||||
| implications for experimental names: | ||||
| [W]ith the simplified registration procedures described above for | ||||
| vendor and personal trees, it should rarely, if ever, be necessary | ||||
| to use unregistered experimental types. Therefore, use of both | ||||
| "x-" and "x." forms is discouraged. | ||||
| In some limited situations, segregating a name space can be | ||||
| justified; for example, when the names need to be very small (as in | ||||
| [RFC5646]) or when the names have significant meaning. However, in | ||||
| general, segregating experimental or implementation-specific | ||||
| parameters into an "X-" ghetto has few if any benefits, and has at | ||||
| least one significant interoperability cost. The practice is at best | ||||
| useless and at worst harmful. | ||||
| The primary objections to discarding the "X-" convention are: | The primary objections to discarding the "X-" convention are: | |||
| o Implementers are easily confused. However, implementers already | o Implementers are easily confused. However, implementers already | |||
| are quite flexible about using both prefixed and non-prefixed | are quite flexible about using both prefixed and non-prefixed | |||
| names based on what works in the field, so the distinction between | names based on what works in the field, so the distinction between | |||
| de facto names (e.g., "X-foo") and de jure names (e.g., "foo") is | de facto names (e.g., "X-foo") and de jure names (e.g., "foo") is | |||
| meaningless to them. | meaningless to them. | |||
| o Collisions are undesirable. However, names are cheap, so an | o Collisions are undesirable. However, names are usually cheap, so | |||
| implementation-specific name of "foo" does not prevent a standards | an experimental or implementation-specific name of "foo" does not | |||
| development organization from issuing a similarly creative name | prevent a standards development organization from issuing a | |||
| such as "bar". | similarly creative name such as "bar". | |||
| The primary problem with the "X-" convention is that implementation- | ||||
| specific parameters have a tendency to seep into the standardization | ||||
| space, introducing the need for migration from the "X-" name to the | ||||
| standardized name. Migration, in turn, introduces interoperability | ||||
| issues because older implementations will support only the "X-" name | ||||
| and newer implementations might support only the standardized name. | ||||
| To preserve interoperability, newer implementations simply support | ||||
| the "X-" name forever, which means that the unofficial name is a | ||||
| standard de facto (if not de jure). We can see this phenomenon at | ||||
| work in [RFC2068]: | ||||
| For compatibility with previous implementations of HTTP, | ||||
| applications should consider "x-gzip" and "x-compress" to be | ||||
| equivalent to "gzip" and "compress" respectively. | ||||
| Therefore, segregating implementation-specific parameters into an | Therefore, this document recommends against the creation of new names | |||
| "X-" ghetto has few if any benefits and at least one significant | with the special "X-" prefix in IETF protocols. | |||
| interoperability cost. The practice is at best useless and at worst | ||||
| harmful. | ||||
| 2. Security Considerations | 3. Security Considerations | |||
| Interoperability and migration issues with security-critical | Interoperability and migration issues with security-critical | |||
| paramaters can result in unnecessary vulnerabilities. | paramaters can result in unnecessary vulnerabilities. | |||
| 3. IANA Considerations | 4. IANA Considerations | |||
| This document has no actions for the IANA. | This document has no actions for the IANA. | |||
| 4. Informative References | 5. Acknowledgements | |||
| Thanks to Adam Barth, Dave Crocker, Martin Duerst, Paul Hoffman, | ||||
| Graham Klyne, Alexey Melnikov, Mark Nottingham, and Randy Presuhn for | ||||
| feedback. | ||||
| 6. Informative References | ||||
| [RFC822] Crocker, D., "Standard for the format of ARPA Internet | ||||
| text messages", STD 11, RFC 822, August 1982. | ||||
| [RFC1154] Robinson, D. and R. Ullmann, "Encoding header field for | [RFC1154] Robinson, D. and R. Ullmann, "Encoding header field for | |||
| internet messages", RFC 1154, April 1990. | internet messages", RFC 1154, April 1990. | |||
| [RFC2045] Freed, N. and N. Borenstein, "Multipurpose Internet Mail | [RFC2045] Freed, N. and N. Borenstein, "Multipurpose Internet Mail | |||
| Extensions (MIME) Part One: Format of Internet Message | Extensions (MIME) Part One: Format of Internet Message | |||
| Bodies", RFC 2045, November 1996. | Bodies", RFC 2045, November 1996. | |||
| [RFC2046] Freed, N. and N. Borenstein, "Multipurpose Internet Mail | [RFC2046] Freed, N. and N. Borenstein, "Multipurpose Internet Mail | |||
| Extensions (MIME) Part Two: Media Types", RFC 2046, | Extensions (MIME) Part Two: Media Types", RFC 2046, | |||
| skipping to change at page 4, line 47 ¶ | skipping to change at page 5, line 42 ¶ | |||
| Berners-Lee, "Hypertext Transfer Protocol -- HTTP/1.1", | Berners-Lee, "Hypertext Transfer Protocol -- HTTP/1.1", | |||
| RFC 2068, January 1997. | RFC 2068, January 1997. | |||
| [RFC2616] Fielding, R., Gettys, J., Mogul, J., Frystyk, H., | [RFC2616] Fielding, R., Gettys, J., Mogul, J., Frystyk, H., | |||
| Masinter, L., Leach, P., and T. Berners-Lee, "Hypertext | Masinter, L., Leach, P., and T. Berners-Lee, "Hypertext | |||
| Transfer Protocol -- HTTP/1.1", RFC 2616, June 1999. | Transfer Protocol -- HTTP/1.1", RFC 2616, June 1999. | |||
| [RFC2821] Klensin, J., "Simple Mail Transfer Protocol", RFC 2821, | [RFC2821] Klensin, J., "Simple Mail Transfer Protocol", RFC 2821, | |||
| April 2001. | April 2001. | |||
| [RFC3864] Klyne, G., Nottingham, M., and J. Mogul, "Registration | ||||
| Procedures for Message Header Fields", BCP 90, RFC 3864, | ||||
| September 2004. | ||||
| [RFC4288] Freed, N. and J. Klensin, "Media Type Specifications and | ||||
| Registration Procedures", BCP 13, RFC 4288, December 2005. | ||||
| [RFC5321] Klensin, J., "Simple Mail Transfer Protocol", RFC 5321, | [RFC5321] Klensin, J., "Simple Mail Transfer Protocol", RFC 5321, | |||
| October 2008. | October 2008. | |||
| [RFC5646] Phillips, A. and M. Davis, "Tags for Identifying | ||||
| Languages", BCP 47, RFC 5646, September 2009. | ||||
| Author's Address | Author's Address | |||
| Peter Saint-Andre | Peter Saint-Andre | |||
| Cisco Systems, Inc. | Cisco | |||
| 1899 Wyknoop Street, Suite 600 | 1899 Wyknoop Street, Suite 600 | |||
| Denver, CO 80202 | Denver, CO 80202 | |||
| USA | USA | |||
| Phone: +1-303-308-3282 | Phone: +1-303-308-3282 | |||
| Email: psaintan@cisco.com | Email: psaintan@cisco.com | |||
| End of changes. 17 change blocks. | ||||
| 47 lines changed or deleted | 98 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||