idnits 2.17.1 draft-ietf-httpbis-h2-websockets-03.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- ** There is 1 instance of too long lines in the document, the longest one being 4 characters in excess of 72. -- The draft header indicates that this document updates RFC6455, but the abstract doesn't seem to mention this, which it should. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year == The document seems to lack the recommended RFC 2119 boilerplate, even if it appears to use RFC 2119 keywords. (The document does seem to have the reference to RFC 2119 which the ID-Checklist requires). == Using lowercase 'not' together with uppercase 'MUST', 'SHALL', 'SHOULD', or 'RECOMMENDED' is not an accepted usage according to RFC 2119. Please use uppercase 'NOT' together with RFC 2119 keywords (if that is what you mean). Found 'MUST not' in this paragraph: o On requests bearing the :protocol pseudo-header, the :authority pseudo-header field is interpreted according to Section 8.1.2.3 of [RFC7540] instead of Section 8.3 of [RFC7540]. In particular the server MUST not make a new TCP connection to the host and port indicated by the :authority. == Using lowercase 'not' together with uppercase 'MUST', 'SHALL', 'SHOULD', or 'RECOMMENDED' is not an accepted usage according to RFC 2119. Please use uppercase 'NOT' together with RFC 2119 keywords (if that is what you mean). Found 'MUST not' in this paragraph: [RFC6455] requires the use of Connection and Upgrade headers that are not part of HTTP/2. They MUST not be included in the CONNECT request defined here. -- The document date (May 2, 2018) is 2179 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) ** Obsolete normative reference: RFC 7230 (Obsoleted by RFC 9110, RFC 9112) ** Obsolete normative reference: RFC 7540 (Obsoleted by RFC 9113) Summary: 3 errors (**), 0 flaws (~~), 4 warnings (==), 2 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 HTTP P. McManus 3 Internet-Draft Mozilla 4 Updates: 6455 (if approved) May 2, 2018 5 Intended status: Standards Track 6 Expires: November 3, 2018 8 Bootstrapping WebSockets with HTTP/2 9 draft-ietf-httpbis-h2-websockets-03 11 Abstract 13 This document defines a mechanism for running the WebSocket Protocol 14 over a single stream of an HTTP/2 connection. 16 Status of This Memo 18 This Internet-Draft is submitted in full conformance with the 19 provisions of BCP 78 and BCP 79. 21 Internet-Drafts are working documents of the Internet Engineering 22 Task Force (IETF). Note that other groups may also distribute 23 working documents as Internet-Drafts. The list of current Internet- 24 Drafts is at https://datatracker.ietf.org/drafts/current/. 26 Internet-Drafts are draft documents valid for a maximum of six months 27 and may be updated, replaced, or obsoleted by other documents at any 28 time. It is inappropriate to use Internet-Drafts as reference 29 material or to cite them other than as "work in progress." 31 This Internet-Draft will expire on November 3, 2018. 33 Copyright Notice 35 Copyright (c) 2018 IETF Trust and the persons identified as the 36 document authors. All rights reserved. 38 This document is subject to BCP 78 and the IETF Trust's Legal 39 Provisions Relating to IETF Documents 40 (https://trustee.ietf.org/license-info) in effect on the date of 41 publication of this document. Please review these documents 42 carefully, as they describe your rights and restrictions with respect 43 to this document. Code Components extracted from this document must 44 include Simplified BSD License text as described in Section 4.e of 45 the Trust Legal Provisions and are provided without warranty as 46 described in the Simplified BSD License. 48 Table of Contents 50 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 51 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3 52 3. The SETTINGS_ENABLE_CONNECT_PROTOCOL SETTINGS Parameter . . . 3 53 4. The Extended CONNECT Method . . . . . . . . . . . . . . . . . 3 54 5. Using Extended CONNECT To Bootstrap The WebSocket Protocol . 4 55 5.1. Example . . . . . . . . . . . . . . . . . . . . . . . . . 5 56 6. Design Considerations . . . . . . . . . . . . . . . . . . . . 5 57 7. About Intermediaries . . . . . . . . . . . . . . . . . . . . 6 58 8. Security Considerations . . . . . . . . . . . . . . . . . . . 6 59 9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 6 60 10. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 6 61 11. Normative References . . . . . . . . . . . . . . . . . . . . 7 62 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 7 64 1. Introduction 66 The Hypertext Transfer Protocol (HTTP) provides compatible resource- 67 level semantics across different versions but it does not offer 68 compatibility at the connection management level. Other protocols, 69 such as WebSockets, that rely on connection management details of 70 HTTP must be updated for new versions of HTTP. 72 The WebSocket Protocol [RFC6455] uses the HTTP/1.1 [RFC7230] Upgrade 73 mechanism to transition a TCP connection from HTTP into a WebSocket 74 connection. A different approach must be taken with HTTP/2 75 [RFC7540]. HTTP/2 does not allow connection-wide headers and status 76 codes such as the Upgrade and Connection request headers or the 101 77 response code due to its multiplexing nature. These are all required 78 by the [RFC6455] opening handshake. 80 Being able to bootstrap WebSockets from HTTP/2 allows one TCP 81 connection to be shared by both protocols and extends HTTP/2's more 82 efficient use of the network to WebSockets. 84 This document extends the HTTP/2 CONNECT method. The extension 85 allows the substitution of a new protocol name to connect to rather 86 than the external host normally used by CONNECT. The result is a 87 tunnel on a single HTTP/2 stream that can carry data for WebSockets 88 (or any other protocol). The other streams on the connection may 89 carry more extended CONNECT tunnels, traditional HTTP/2 data, or a 90 mixture of both. 92 This tunneled stream will be multiplexed with other regular streams 93 on the connection and enjoys the normal priority, cancellation, and 94 flow control features of HTTP/2. 96 Streams that successfully establish a WebSocket connection using a 97 tunneled stream and the modifications to the opening handshake 98 defined in this document then use the traditional WebSocket Protocol, 99 treating the stream as if were the TCP connection in that 100 specification. 102 2. Terminology 104 In this document, the key words "MUST", "MUST NOT", "REQUIRED", 105 "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", 106 and "OPTIONAL" are to be interpreted as described in BCP 14, 107 [RFC2119]. 109 3. The SETTINGS_ENABLE_CONNECT_PROTOCOL SETTINGS Parameter 111 This document adds a new SETTINGS Parameter to those defined by 112 [RFC7540], Section 6.5.2. 114 The new parameter name is SETTINGS_ENABLE_CONNECT_PROTOCOL. The 115 value of the parameter MUST be 0 or 1. 117 Upon receipt of SETTINGS_ENABLE_CONNECT_PROTOCOL with a value of 1, a 118 client MAY use the Extended CONNECT definition of this document when 119 creating new streams. Receipt of this parameter by a server does not 120 have any impact. 122 A sender MUST NOT send a SETTINGS_ENABLE_CONNECT_PROTOCOL parameter 123 with the value of 0 after previously sending a value of 1. 125 The use of a SETTINGS Parameter to opt-in to an otherwise 126 incompatible protocol change is a use of "Extending HTTP/2" defined 127 by Section 5.5 of [RFC7540]. If a client were to use the provisions 128 of the extended CONNECT method defined in this document without first 129 receiving a SETTINGS_ENABLE_CONNECT_PROTOCOL parameter, a non- 130 supporting peer would detect a malformed request and generate a 131 stream error (Section 8.1.2.6 of [RFC7540]). 133 4. The Extended CONNECT Method 135 Usage of the CONNECT method in HTTP/2 is defined by Section 8.3 of 136 [RFC7540]. This extension modifies the method in the following ways: 138 o A new pseudo-header :protocol MAY be included on request HEADERS 139 indicating the desired protocol to be spoken on the tunnel created 140 by CONNECT. The pseudo-header is single valued and contains a 141 value from the HTTP Upgrade Token Registry defined by [RFC7230]. 143 o On requests bearing the :protocol pseudo-header, the :scheme and 144 :path pseudo-header fields MUST be included. 146 o On requests bearing the :protocol pseudo-header, the :authority 147 pseudo-header field is interpreted according to Section 8.1.2.3 of 148 [RFC7540] instead of Section 8.3 of [RFC7540]. In particular the 149 server MUST not make a new TCP connection to the host and port 150 indicated by the :authority. 152 Upon receiving a CONNECT request bearing the :protocol pseudo-header 153 the server establishes a tunnel to another service of the protocol 154 type indicated by the pseudo-header. This service may or may not be 155 co-located with the server. 157 5. Using Extended CONNECT To Bootstrap The WebSocket Protocol 159 The pseudo-header :protocol MUST be included in the CONNECT request 160 and it MUST have a value of "websocket" to initiate a WebSocket 161 connection on an HTTP/2 stream. Other HTTP request and response 162 headers, such as those for manipulating cookies, may be included in 163 the HEADERS with the CONNECT method as usual. This request replaces 164 the GET-based request in [RFC6455] and is used to process the 165 WebSockets opening handshake. 167 The scheme of the Target URI [RFC7230] MUST be "https" for "wss" 168 schemed WebSockets and "http" for "ws" schemed WebSockets. The 169 websocket URI is still used for proxy autoconfiguration. 171 [RFC6455] requires the use of Connection and Upgrade headers that are 172 not part of HTTP/2. They MUST not be included in the CONNECT request 173 defined here. 175 [RFC6455] requires the use of a Host header which is also not part of 176 HTTP/2. The Host information is conveyed as part of the :authority 177 pseudo-header which is required on every HTTP/2 transaction. 179 Implementations using this extended CONNECT to bootstrap WebSockets 180 do not do the processing of the [RFC6455] Sec-WebSocket-Key and Sec- 181 WebSocket-Accept headers as that functionality has been superseded by 182 the :protocol pseudo-header. 184 The Sec-WebSocket-Version, Origin [RFC6454], Sec-WebSocket-Protocol, 185 and Sec-WebSocket-Extensions headers are used on the CONNECT request 186 and response headers in the same way as defined in [RFC6455]. Note 187 that HTTP/1 header names were case-insensitive and HTTP/2 requires 188 they be encoded as lower case. 190 After successfully processing the opening handshake, the peers should 191 proceed with The WebSocket Protocol [RFC6455] using the HTTP/2 stream 192 from the CONNECT transaction as if it were the TCP connection 193 referred to in [RFC6455]. The state of the WebSocket connection at 194 this point is OPEN as defined by [RFC6455], Section 4.1. 196 The HTTP/2 stream closure is also analogous to the TCP connection of 197 [RFC6455]. Orderly TCP level closures are represented as END_STREAM 198 ([RFC7540] Section 6.1) flags and RST exceptions are represented with 199 the RST_STREAM ([RFC7540] Section 6.4) frame with the CANCEL 200 ([RFC7540] Secion 7) error code. 202 5.1. Example 204 [[ From Client ]] [[ From Server ]] 206 SETTINGS 207 SETTINGS_ENABLE_CONNECT_PROTOCOL = 1 209 HEADERS + END_HEADERS 210 :method = CONNECT 211 :protocol = websocket 212 :scheme = https 213 :path = /chat 214 :authority = server.example.com 215 sec-websocket-protocol = chat, superchat 216 sec-websocket-extensions = permessage-deflate 217 sec-websocket-version = 13 218 origin = http://www.example.com 220 HEADERS + END_HEADERS 221 :status = 200 222 sec-websocket-protocol = chat 224 DATA 225 WebSocket Data 227 DATA + END_STREAM 228 WebSocket Data 230 DATA + END_STREAM 231 WebSocket Data 233 6. Design Considerations 235 A more native integration with HTTP/2 is certainly possible with 236 larger additions to HTTP/2. This design was selected to minimize the 237 solution complexity while still addressing the primary concern of 238 running HTTP/2 and WebSockets concurrently. 240 7. About Intermediaries 242 This document does not change how WebSockets interacts with HTTP 243 forward proxies. If a client wishing to speak WebSockets connects 244 via HTTP/2 to an HTTP proxy it should continue to use a traditional 245 (i.e. not with a :protocol pseudo-header) CONNECT to tunnel through 246 that proxy to the WebSocket server via HTTP. 248 The resulting version of HTTP on that tunnel determines whether 249 WebSockets is initiated directly or via a modified CONNECT request 250 described in this document. 252 8. Security Considerations 254 [RFC6455] ensures that non-WebSockets clients, especially 255 XMLHttpRequest based clients, cannot make a WebSocket connection. 256 Its primary mechanism for doing that is the use of Sec- prefixed 257 request headers that cannot be created by XMLHttpRequest-based 258 clients. This specification addresses that concern in two ways: 260 o The CONNECT method is prohibited from being used by XMLHttpRequest 262 o The use of a pseudo-header is something that is connection 263 specific and HTTP/2 does not ever allow to be created outside of 264 the protocol stack. 266 9. IANA Considerations 268 This document establishes an entry for the HTTP/2 Settings Registry 269 that was established by Section 11.3 of [RFC7540]. 271 Name: SETTINGS_ENABLE_CONNECT_PROTOCOL 273 Code: 0x8 275 Initial Value: 0 277 Specification: This document 279 10. Acknowledgments 281 The 2017 HTTP Workshop had a very productive discussion that helped 282 determine the key problem and acceptable level of solution 283 complexity. 285 11. Normative References 287 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 288 Requirement Levels", BCP 14, RFC 2119, 289 DOI 10.17487/RFC2119, March 1997, 290 . 292 [RFC6454] Barth, A., "The Web Origin Concept", RFC 6454, 293 DOI 10.17487/RFC6454, December 2011, 294 . 296 [RFC6455] Fette, I. and A. Melnikov, "The WebSocket Protocol", 297 RFC 6455, DOI 10.17487/RFC6455, December 2011, 298 . 300 [RFC7230] Fielding, R., Ed. and J. Reschke, Ed., "Hypertext Transfer 301 Protocol (HTTP/1.1): Message Syntax and Routing", 302 RFC 7230, DOI 10.17487/RFC7230, June 2014, 303 . 305 [RFC7540] Belshe, M., Peon, R., and M. Thomson, Ed., "Hypertext 306 Transfer Protocol Version 2 (HTTP/2)", RFC 7540, 307 DOI 10.17487/RFC7540, May 2015, 308 . 310 Author's Address 312 Patrick McManus 313 Mozilla 315 Email: mcmanus@ducksong.com