idnits 2.17.1 draft-ietf-httpbis-h2-websockets-06.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- -- The draft header indicates that this document updates RFC6455, but the abstract doesn't seem to directly say this. It does mention RFC6455 though, so this could be OK. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document date (May 31, 2018) is 2151 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) -- Looks like a reference, but probably isn't: '1' on line 322 ** Obsolete normative reference: RFC 7230 (Obsoleted by RFC 9110, RFC 9112) ** Obsolete normative reference: RFC 7540 (Obsoleted by RFC 9113) Summary: 2 errors (**), 0 flaws (~~), 1 warning (==), 3 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 HTTP P. McManus 3 Internet-Draft Mozilla 4 Updates: 6455 (if approved) May 31, 2018 5 Intended status: Standards Track 6 Expires: December 2, 2018 8 Bootstrapping WebSockets with HTTP/2 9 draft-ietf-httpbis-h2-websockets-06 11 Abstract 13 This document defines a mechanism for running the WebSocket Protocol 14 (RFC 6455) over a single stream of an HTTP/2 connection. 16 Status of This Memo 18 This Internet-Draft is submitted in full conformance with the 19 provisions of BCP 78 and BCP 79. 21 Internet-Drafts are working documents of the Internet Engineering 22 Task Force (IETF). Note that other groups may also distribute 23 working documents as Internet-Drafts. The list of current Internet- 24 Drafts is at https://datatracker.ietf.org/drafts/current/. 26 Internet-Drafts are draft documents valid for a maximum of six months 27 and may be updated, replaced, or obsoleted by other documents at any 28 time. It is inappropriate to use Internet-Drafts as reference 29 material or to cite them other than as "work in progress." 31 This Internet-Draft will expire on December 2, 2018. 33 Copyright Notice 35 Copyright (c) 2018 IETF Trust and the persons identified as the 36 document authors. All rights reserved. 38 This document is subject to BCP 78 and the IETF Trust's Legal 39 Provisions Relating to IETF Documents 40 (https://trustee.ietf.org/license-info) in effect on the date of 41 publication of this document. Please review these documents 42 carefully, as they describe your rights and restrictions with respect 43 to this document. Code Components extracted from this document must 44 include Simplified BSD License text as described in Section 4.e of 45 the Trust Legal Provisions and are provided without warranty as 46 described in the Simplified BSD License. 48 Table of Contents 50 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 51 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3 52 3. The SETTINGS_ENABLE_CONNECT_PROTOCOL SETTINGS Parameter . . . 3 53 4. The Extended CONNECT Method . . . . . . . . . . . . . . . . . 4 54 5. Using Extended CONNECT To Bootstrap the WebSocket Protocol . 4 55 5.1. Example . . . . . . . . . . . . . . . . . . . . . . . . . 5 56 6. Design Considerations . . . . . . . . . . . . . . . . . . . . 6 57 7. About Intermediaries . . . . . . . . . . . . . . . . . . . . 6 58 8. Security Considerations . . . . . . . . . . . . . . . . . . . 7 59 9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 7 60 10. References . . . . . . . . . . . . . . . . . . . . . . . . . 7 61 10.1. Normative References . . . . . . . . . . . . . . . . . . 7 62 10.2. URIs . . . . . . . . . . . . . . . . . . . . . . . . . . 8 63 Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . 8 64 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 8 66 1. Introduction 68 The Hypertext Transfer Protocol (HTTP) [RFC7230] provides compatible 69 resource-level semantics across different versions but it does not 70 offer compatibility at the connection management level. Other 71 protocols, such as WebSockets, that rely on connection management 72 details of HTTP must be updated for new versions of HTTP. 74 The WebSocket Protocol [RFC6455] uses the HTTP/1.1 Upgrade mechanism 75 (Section 6.7 of [RFC7230]) to transition a TCP connection from HTTP 76 into a WebSocket connection. A different approach must be taken with 77 HTTP/2 [RFC7540]. HTTP/2 does not allow connection-wide headers and 78 status codes such as the Upgrade and Connection request headers or 79 the 101 response code due to its multiplexing nature. These are all 80 required by the [RFC6455] opening handshake. 82 Being able to bootstrap WebSockets from HTTP/2 allows one TCP 83 connection to be shared by both protocols and extends HTTP/2's more 84 efficient use of the network to WebSockets. 86 This document extends the HTTP CONNECT method (as specified for 87 HTTP/2 in Section 8.3 of [RFC7540]). The extension allows the 88 substitution of a new protocol name to connect to rather than the 89 external host normally used by CONNECT. The result is a tunnel on a 90 single HTTP/2 stream that can carry data for WebSockets (or any other 91 protocol). The other streams on the connection may carry more 92 extended CONNECT tunnels, traditional HTTP/2 data, or a mixture of 93 both. 95 This tunneled stream will be multiplexed with other regular streams 96 on the connection and enjoys the normal priority, cancellation, and 97 flow control features of HTTP/2. 99 Streams that successfully establish a WebSocket connection using a 100 tunneled stream and the modifications to the opening handshake 101 defined in this document then use the traditional WebSocket Protocol, 102 treating the stream as if were the TCP connection in that 103 specification. 105 2. Terminology 107 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 108 "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and 109 "OPTIONAL" in this document are to be interpreted as described in BCP 110 14 [RFC2119] [RFC8174] when, and only when, they appear in all 111 capitals, as shown here. 113 3. The SETTINGS_ENABLE_CONNECT_PROTOCOL SETTINGS Parameter 115 This document adds a new SETTINGS Parameter to those defined by 116 [RFC7540], Section 6.5.2. 118 The new parameter name is SETTINGS_ENABLE_CONNECT_PROTOCOL. The 119 value of the parameter MUST be 0 or 1. 121 Upon receipt of SETTINGS_ENABLE_CONNECT_PROTOCOL with a value of 1, a 122 client MAY use the Extended CONNECT definition of this document when 123 creating new streams. Receipt of this parameter by a server does not 124 have any impact. 126 A sender MUST NOT send a SETTINGS_ENABLE_CONNECT_PROTOCOL parameter 127 with the value of 0 after previously sending a value of 1. 129 The use of a SETTINGS Parameter to opt-in to an otherwise 130 incompatible protocol change is a use of "Extending HTTP/2" defined 131 by Section 5.5 of [RFC7540]. Specifically, the addition a new 132 pseudo-header ":protocol" and the change in meaning of the 133 ":authority" pseudo-header in Section 4 require opt-in negotiation. 134 If a client were to use the provisions of the extended CONNECT method 135 defined in this document without first receiving a 136 SETTINGS_ENABLE_CONNECT_PROTOCOL parameter, a non-supporting peer 137 would detect a malformed request and generate a stream error 138 (Section 8.1.2.6 of [RFC7540]). 140 4. The Extended CONNECT Method 142 Usage of the CONNECT method in HTTP/2 is defined by Section 8.3 of 143 [RFC7540]. This extension modifies the method in the following ways: 145 o A new pseudo-header :protocol MAY be included on request HEADERS 146 indicating the desired protocol to be spoken on the tunnel created 147 by CONNECT. The pseudo-header is single valued and contains a 148 value from the HTTP Upgrade Token Registry located at 149 https://www.iana.org/assignments/http-upgrade-tokens/http-upgrade- 150 tokens.xhtml [1]. 152 o On requests bearing the :protocol pseudo-header, the :scheme and 153 :path pseudo-header fields MUST be included. 155 o On requests bearing the :protocol pseudo-header, the :authority 156 pseudo-header field is interpreted according to Section 8.1.2.3 of 157 [RFC7540] instead of Section 8.3 of [RFC7540]. In particular the 158 server MUST NOT make a new TCP connection to the host and port 159 indicated by the :authority. 161 Upon receiving a CONNECT request bearing the :protocol pseudo-header 162 the server establishes a tunnel to another service of the protocol 163 type indicated by the pseudo-header. This service may or may not be 164 co-located with the server. 166 5. Using Extended CONNECT To Bootstrap the WebSocket Protocol 168 The pseudo-header :protocol MUST be included in the CONNECT request 169 and it MUST have a value of "websocket" to initiate a WebSocket 170 connection on an HTTP/2 stream. Other HTTP request and response 171 headers, such as those for manipulating cookies, may be included in 172 the HEADERS with the CONNECT method as usual. This request replaces 173 the GET-based request in [RFC6455] and is used to process the 174 WebSockets opening handshake. 176 The scheme of the Target URI (Section 5.1 of [RFC7230]) MUST be 177 "https" for "wss" schemed WebSockets and "http" for "ws" schemed 178 WebSockets. The websocket URI is still used for proxy 179 autoconfiguration. 181 [RFC6455] requires the use of Connection and Upgrade headers that are 182 not part of HTTP/2. They MUST NOT be included in the CONNECT request 183 defined here. 185 [RFC6455] requires the use of a Host header which is also not part of 186 HTTP/2. The Host information is conveyed as part of the :authority 187 pseudo-header which is required on every HTTP/2 transaction. 189 Implementations using this extended CONNECT to bootstrap WebSockets 190 do not do the processing of the [RFC6455] Sec-WebSocket-Key and Sec- 191 WebSocket-Accept headers as that functionality has been superseded by 192 the :protocol pseudo-header. 194 The Origin [RFC6454], Sec-WebSocket-Version, Sec-WebSocket-Protocol, 195 and Sec-WebSocket-Extensions headers are used on the CONNECT request 196 and response headers in the same way as defined in [RFC6455]. Note 197 that HTTP/1 header names were case-insensitive and HTTP/2 requires 198 they be encoded as lower case. 200 After successfully processing the opening handshake, the peers should 201 proceed with the WebSocket Protocol [RFC6455] using the HTTP/2 stream 202 from the CONNECT transaction as if it were the TCP connection 203 referred to in [RFC6455]. The state of the WebSocket connection at 204 this point is OPEN as defined by [RFC6455], Section 4.1. 206 The HTTP/2 stream closure is also analogous to the TCP connection of 207 [RFC6455]. Orderly TCP level closures are represented as END_STREAM 208 ([RFC7540], Section 6.1) flags and RST exceptions are represented 209 with the RST_STREAM ([RFC7540], Section 6.4) frame with the CANCEL 210 ([RFC7540], Section 7) error code. 212 5.1. Example 213 [[ From Client ]] [[ From Server ]] 215 SETTINGS 216 SETTINGS_ENABLE_CONNECT_[..] = 1 218 HEADERS + END_HEADERS 219 :method = CONNECT 220 :protocol = websocket 221 :scheme = https 222 :path = /chat 223 :authority = server.example.com 224 sec-websocket-protocol = chat, superchat 225 sec-websocket-extensions = permessage-deflate 226 sec-websocket-version = 13 227 origin = http://www.example.com 229 HEADERS + END_HEADERS 230 :status = 200 231 sec-websocket-protocol = chat 233 DATA 234 WebSocket Data 236 DATA + END_STREAM 237 WebSocket Data 239 DATA + END_STREAM 240 WebSocket Data 242 6. Design Considerations 244 A more native integration with HTTP/2 is certainly possible with 245 larger additions to HTTP/2. This design was selected to minimize the 246 solution complexity while still addressing the primary concern of 247 running HTTP/2 and WebSockets concurrently. 249 7. About Intermediaries 251 This document does not change how WebSockets interacts with HTTP 252 forward proxies. If a client wishing to speak WebSockets connects 253 via HTTP/2 to an HTTP proxy it should continue to use a traditional 254 (i.e. not with a :protocol pseudo-header) CONNECT to tunnel through 255 that proxy to the WebSocket server via HTTP. 257 The resulting version of HTTP on that tunnel determines whether 258 WebSockets is initiated directly or via a modified CONNECT request 259 described in this document. 261 8. Security Considerations 263 [RFC6455] ensures that non-WebSockets clients, especially 264 XMLHttpRequest based clients, cannot make a WebSocket connection. 265 Its primary mechanism for doing that is the use of Sec- prefixed 266 request headers that cannot be created by XMLHttpRequest-based 267 clients. This specification addresses that concern in two ways: 269 o XMLHttpRequest also prohibits use of the CONNECT method in 270 addition to Sec- prefixed request headers. 272 o The use of a pseudo-header is something that is connection 273 specific and HTTP/2 does not ever allow to be created outside of 274 the protocol stack. 276 9. IANA Considerations 278 This document establishes an entry for the HTTP/2 Settings Registry 279 that was established by Section 11.3 of [RFC7540]. 281 Name: SETTINGS_ENABLE_CONNECT_PROTOCOL 283 Code: 0x8 285 Initial Value: 0 287 Specification: This document 289 10. References 291 10.1. Normative References 293 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 294 Requirement Levels", BCP 14, RFC 2119, 295 DOI 10.17487/RFC2119, March 1997, 296 . 298 [RFC6454] Barth, A., "The Web Origin Concept", RFC 6454, 299 DOI 10.17487/RFC6454, December 2011, 300 . 302 [RFC6455] Fette, I. and A. Melnikov, "The WebSocket Protocol", 303 RFC 6455, DOI 10.17487/RFC6455, December 2011, 304 . 306 [RFC7230] Fielding, R., Ed. and J. Reschke, Ed., "Hypertext Transfer 307 Protocol (HTTP/1.1): Message Syntax and Routing", 308 RFC 7230, DOI 10.17487/RFC7230, June 2014, 309 . 311 [RFC7540] Belshe, M., Peon, R., and M. Thomson, Ed., "Hypertext 312 Transfer Protocol Version 2 (HTTP/2)", RFC 7540, 313 DOI 10.17487/RFC7540, May 2015, 314 . 316 [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 317 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, 318 May 2017, . 320 10.2. URIs 322 [1] https://www.iana.org/assignments/http-upgrade-tokens/http- 323 upgrade-tokens.xhtml 325 Acknowledgments 327 The 2017 HTTP Workshop had a very productive discussion that helped 328 determine the key problem and acceptable level of solution 329 complexity. 331 Author's Address 333 Patrick McManus 334 Mozilla 336 Email: mcmanus@ducksong.com