idnits 2.17.1 draft-hutton-httpbis-connect-protocol-00.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document date (June 27, 2014) is 3584 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) ** Obsolete normative reference: RFC 7230 (Obsoleted by RFC 9110, RFC 9112) ** Obsolete normative reference: RFC 7231 (Obsoleted by RFC 9110) == Outdated reference: A later version (-17) exists of draft-ietf-rtcweb-transports-05 == Outdated reference: A later version (-16) exists of draft-ietf-rtcweb-use-cases-and-requirements-14 -- Obsolete informational reference (is this intentional?): RFC 5246 (Obsoleted by RFC 8446) Summary: 2 errors (**), 0 flaws (~~), 3 warnings (==), 2 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Internet Engineering Task Force A. Hutton 3 Internet-Draft Unify 4 Intended status: Standards Track J. Uberti 5 Expires: December 29, 2014 Google 6 M. Thomson 7 Mozilla 8 June 27, 2014 10 HTTP Connect - Tunnel Protocol For WebRTC 11 draft-hutton-httpbis-connect-protocol-00 13 Abstract 15 This document describes a mechanism to enable HTTP Clients to provide 16 an indication within a HTTP Connect request as to which protocol will 17 be used within the tunnel established to the Server identified by the 18 target resource. The tunneled protocol is declared using the Tunnel- 19 Protocol HTTP Request header field. Label usage relating to the use 20 of HTTP Connect by WebRTC clients (e.g. turn, webrtc) are described 21 in this document. 23 Status of This Memo 25 This Internet-Draft is submitted in full conformance with the 26 provisions of BCP 78 and BCP 79. 28 Internet-Drafts are working documents of the Internet Engineering 29 Task Force (IETF). Note that other groups may also distribute 30 working documents as Internet-Drafts. The list of current Internet- 31 Drafts is at http://datatracker.ietf.org/drafts/current/. 33 Internet-Drafts are draft documents valid for a maximum of six months 34 and may be updated, replaced, or obsoleted by other documents at any 35 time. It is inappropriate to use Internet-Drafts as reference 36 material or to cite them other than as "work in progress." 38 This Internet-Draft will expire on December 29, 2014. 40 Copyright Notice 42 Copyright (c) 2014 IETF Trust and the persons identified as the 43 document authors. All rights reserved. 45 This document is subject to BCP 78 and the IETF Trust's Legal 46 Provisions Relating to IETF Documents 47 (http://trustee.ietf.org/license-info) in effect on the date of 48 publication of this document. Please review these documents 49 carefully, as they describe your rights and restrictions with respect 50 to this document. Code Components extracted from this document must 51 include Simplified BSD License text as described in Section 4.e of 52 the Trust Legal Provisions and are provided without warranty as 53 described in the Simplified BSD License. 55 Table of Contents 57 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 58 1.1. Requirements Language . . . . . . . . . . . . . . . . . . 3 59 2. Use Cases . . . . . . . . . . . . . . . . . . . . . . . . . . 3 60 3. The Tunnel-Protocol HTTP Request Header Field . . . . . . . . 3 61 3.1. Header Field Values . . . . . . . . . . . . . . . . . . . 3 62 3.2. Syntax . . . . . . . . . . . . . . . . . . . . . . . . . 4 63 3.3. TURN as the Tunnel Protocol . . . . . . . . . . . . . . . 4 64 3.4. ICE-TCP / WebRTC as the Tunnel Protocol . . . . . . . . . 4 65 4. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 5 66 5. Security Considerations . . . . . . . . . . . . . . . . . . . 5 67 6. References . . . . . . . . . . . . . . . . . . . . . . . . . 5 68 6.1. Normative References . . . . . . . . . . . . . . . . . . 5 69 6.2. Informative References . . . . . . . . . . . . . . . . . 6 70 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 6 72 1. Introduction 74 The HTTP Connect method (Section 4.3.6 of [RFC7231]) requests that 75 the recipient establish a tunnel to the destination origin server 76 identified by the request-target and thereafter forward packets, in 77 both directions, until the tunnel is closed. Such tunnels are 78 commonly used to create end-to-end virtual connections, through one 79 or more proxies, which may then be secured using TLS (Transport Layer 80 Security, [RFC5246]). 82 The RTCWEB use cases and requirements document 83 [I-D.ietf-rtcweb-use-cases-and-requirements] includes a requirement 84 that a WebRTC Client must be able to send streams and data to a peer 85 in the presence of Firewalls that only allow traffic via a HTTP 86 Proxy, when Firewall policy allows WebRTC traffic. To facilitate 87 this and to allow such a HTTP Proxy to be provided with an indication 88 that WebRTC related real-time media is to be included in the tunnel 89 this specification defines the Tunnel-Protocol Request header field 90 and associated labels. This allows the proxy to identify the 91 protocol being used in the tunnel as early as possible therefore 92 enabling the proxy to make informed policy decisions. The type of 93 policy decisions the proxy may make is not specified here but may 94 include rejecting the request with a HTTP status code responses or 95 prioritizing connections. As described in Section 4.3.6 of [RFC7231] 96 and 2xx response indicates consent for the client to switch to tunnel 97 mode. 99 The HTTP Tunnel-Protocol header field may be used in conjunction with 100 and complements the application layer next protocol extension 101 [I-D.ietf-tls-applayerprotoneg] specified for TLS [RFC5246]". In the 102 scenario where the HTTP Connect is used to establish a TLS tunnel 103 then the HTTP Tunnel-Protocol may be used to carry the same next 104 protocol label as carried within the TLS handshake. However, the 105 Tunnel-Protocol is an indication rather a negotiation since the HTTP 106 Proxy does not implement the tunneled protocol. ALPN Labels are 107 already defined for TURN in [I-D.patil-tram-alpn] and WebRTC 108 [I-D.thomson-rtcweb-alpn] and are re-used here. 110 1.1. Requirements Language 112 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 113 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 114 document are to be interpreted as described in RFC 2119 [RFC2119]. 116 2. Use Cases 118 The following two use cases are considered: 120 o The WebRTC Client issues a HTTP CONNECT request to the HTTP proxy 121 with the TURN server address in the Request URI. 123 o The WebRTC Client issues a HTTP CONNECT request to the HTTP proxy 124 with the TCP address of a WebRTC peer in the Request URI. This is 125 used in the case of establishing ICE-TCP [RFC6544] with a WebRTC 126 Peer. 128 3. The Tunnel-Protocol HTTP Request Header Field 130 The client MAY include the Tunnel-Protocol Request Header field in a 131 HTTP Connect request to indicate the application layer protocol 132 within the tunnel. 134 3.1. Header Field Values 136 Valid values for the protocol field are taken from the registry 137 established in [I-D.ietf-tls-applayerprotoneg]. For the purposes of 138 WebRTC, the values "webrtc" [I-D.thomson-rtcweb-alpn] and "turn" 139 [I-D.patil-tram-alpn] are applicable. 141 3.2. Syntax 143 The ABNF (Augmented Backus-Naur Form) syntax for the Tunnel-Protocol 144 header field is given below. It is based on the Generic Grammar 145 defined in Section 2 of [RFC7230]. 147 Tunnel-Protocol = "Tunnel-Protocol":" protocol | protocol-extension 149 protocol = "webrtc" | "turn" 151 protocol-extension = token 153 3.3. TURN as the Tunnel Protocol 155 The RTCWEB transports specification [I-D.ietf-rtcweb-transports] 156 requires that a WebRTC client support the modes of TURN that uses TCP 157 and TLS between the client and the TURN server in order to deal with 158 firewalls blocking UDP traffic. In the case where HTTP Connect is 159 used to establish a tunnel to the TURN server the client SHOULD 160 include the "Tunnel-Protocol" header field with the value "turn" 161 [I-D.patil-tram-alpn] as shown in the example below. 163 CONNECT turn_server.example.com:5349 HTTP/1.1 164 Host: turn_server.example.com:5349 165 Tunnel-Protocol: turn 167 3.4. ICE-TCP / WebRTC as the Tunnel Protocol 169 [I-D.ietf-rtcweb-transports] also requires that a WebRTC client 170 support ICE-TCP [RFC6544] as a mechanism to allow webrtc applications 171 to communicate to peers with public IP addresses across UDP-blocking 172 firewalls without using a TURN server. In this case the client 173 SHOULD include the "Tunnel-Protocol" header field with the value 174 "webrtc" [I-D.thomson-rtcweb-alpn] as shown in the example below. 176 CONNECT 198.51.100.0:8999 HTTP/1.1 177 Host: 198.51.100.0:8999 178 Tunnel-Protocol: webrtc 180 Note: The protocol "c_webrtc" described in [I-D.thomson-rtcweb-alpn] 181 is not relevent in this context and when used at the TLS layer the 182 client SHOULD use "webrtc" in the Tunnel-Protocol header. OPEN ISSUE 183 - Is this correct? 185 4. IANA Considerations 187 To Be Added 189 5. Security Considerations 191 In case of using HTTP CONNECT to a TURN server the security 192 consideration of [RFC7231], Section-4.3.6] apply. It states that 193 there "are significant risks in establishing a tunnel to arbitrary 194 servers, particularly when the destination is a well-known or 195 reserved TCP port that is not intended for Web traffic. Proxies that 196 support CONNECT SHOULD restrict its use to a limited set of known 197 ports or a configurable whitelist of safe request targets." 199 The Tunnel-Protocol request header field described in this document 200 is an optional header and HTTP Proxies may of course not support the 201 header and therefore ignore it. If the header is not present or 202 ignored then the proxy has no explicit indication as to the purpose 203 of the tunnel on which to provide consent, this is the generic case 204 that exists without the Tunnel-Protocol header. 206 6. References 208 6.1. Normative References 210 [I-D.patil-tram-alpn] 211 Patil, P., Reddy, T., Salgueiro, G., and M. Petit- 212 Huguenin, "Application Layer Protocol Negotiation (ALPN) 213 for Session Traversal Utilities for NAT (STUN)", draft- 214 patil-tram-alpn-00 (work in progress), April 2014. 216 [I-D.thomson-rtcweb-alpn] 217 Thomson, M., "Application Layer Protocol Negotiation for 218 Web Real-Time Communications (WebRTC)", draft-thomson- 219 rtcweb-alpn-00 (work in progress), April 2014. 221 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 222 Requirement Levels", BCP 14, RFC 2119, March 1997. 224 [RFC7230] Fielding, R. and J. Reschke, "Hypertext Transfer Protocol 225 (HTTP/1.1): Message Syntax and Routing", RFC 7230, June 226 2014. 228 [RFC7231] Fielding, R. and J. Reschke, "Hypertext Transfer Protocol 229 (HTTP/1.1): Semantics and Content", RFC 7231, June 2014. 231 6.2. Informative References 233 [I-D.ietf-rtcweb-transports] 234 Alvestrand, H., "Transports for RTCWEB", draft-ietf- 235 rtcweb-transports-05 (work in progress), June 2014. 237 [I-D.ietf-rtcweb-use-cases-and-requirements] 238 Holmberg, C., Hakansson, S., and G. Eriksson, "Web Real- 239 Time Communication Use-cases and Requirements", draft- 240 ietf-rtcweb-use-cases-and-requirements-14 (work in 241 progress), February 2014. 243 [I-D.ietf-tls-applayerprotoneg] 244 Friedl, S., Popov, A., Langley, A., and S. Emile, 245 "Transport Layer Security (TLS) Application Layer Protocol 246 Negotiation Extension", draft-ietf-tls-applayerprotoneg-05 247 (work in progress), March 2014. 249 [RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security 250 (TLS) Protocol Version 1.2", RFC 5246, August 2008. 252 [RFC6544] Rosenberg, J., Keranen, A., Lowekamp, B., and A. Roach, 253 "TCP Candidates with Interactive Connectivity 254 Establishment (ICE)", RFC 6544, March 2012. 256 Authors' Addresses 258 Andrew Hutton 259 Unify 260 Technology Drive 261 Nottingham NG9 1LA 262 UK 264 Email: andrew.hutton@unify.com 266 Justin Uberti 267 Google 268 747 6th Ave S 269 Kirkland, WA 98033 270 US 272 Email: justin@uberti.name 273 Martin Thomson 274 Mozilla 275 331 E Evelyn Street 276 Mountain View, CA 94041 277 US 279 Email: martin.thomson@gmail.com