idnits 2.17.1 draft-ietf-httpbis-origin-frame-03.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year == Using lowercase 'not' together with uppercase 'MUST', 'SHALL', 'SHOULD', or 'RECOMMENDED' is not an accepted usage according to RFC 2119. Please use uppercase 'NOT' together with RFC 2119 keywords (if that is what you mean). Found 'SHOULD not' in this paragraph: Because ORIGIN can change the set of origins a connection is used for over time, it is possible that a client might have more than one viable connection to an origin open at any time. When this occurs, clients SHOULD not emit new requests on any connection whose Origin Set is a subset of another connection's Origin Set, and SHOULD close it once all outstanding requests are satisfied. -- The document date (April 20, 2017) is 2561 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) ** Obsolete normative reference: RFC 2818 (Obsoleted by RFC 9110) ** Obsolete normative reference: RFC 7540 (Obsoleted by RFC 9113) -- Obsolete informational reference (is this intentional?): RFC 5988 (Obsoleted by RFC 8288) -- Obsolete informational reference (is this intentional?): RFC 7230 (Obsoleted by RFC 9110, RFC 9112) Summary: 2 errors (**), 0 flaws (~~), 2 warnings (==), 3 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 HTTP Working Group M. Nottingham 3 Internet-Draft 4 Intended status: Standards Track E. Nygren 5 Expires: October 22, 2017 Akamai 6 April 20, 2017 8 The ORIGIN HTTP/2 Frame 9 draft-ietf-httpbis-origin-frame-03 11 Abstract 13 This document specifies the ORIGIN frame for HTTP/2, to indicate what 14 origins are available on a given connection. 16 Note to Readers 18 Discussion of this draft takes place on the HTTP working group 19 mailing list (ietf-http-wg@w3.org), which is archived at 20 https://lists.w3.org/Archives/Public/ietf-http-wg/ . 22 Working Group information can be found at http://httpwg.github.io/ ; 23 source code and issues list for this draft can be found at 24 https://github.com/httpwg/http-extensions/labels/origin-frame . 26 Status of This Memo 28 This Internet-Draft is submitted in full conformance with the 29 provisions of BCP 78 and BCP 79. 31 Internet-Drafts are working documents of the Internet Engineering 32 Task Force (IETF). Note that other groups may also distribute 33 working documents as Internet-Drafts. The list of current Internet- 34 Drafts is at http://datatracker.ietf.org/drafts/current/. 36 Internet-Drafts are draft documents valid for a maximum of six months 37 and may be updated, replaced, or obsoleted by other documents at any 38 time. It is inappropriate to use Internet-Drafts as reference 39 material or to cite them other than as "work in progress." 41 This Internet-Draft will expire on October 22, 2017. 43 Copyright Notice 45 Copyright (c) 2017 IETF Trust and the persons identified as the 46 document authors. All rights reserved. 48 This document is subject to BCP 78 and the IETF Trust's Legal 49 Provisions Relating to IETF Documents 50 (http://trustee.ietf.org/license-info) in effect on the date of 51 publication of this document. Please review these documents 52 carefully, as they describe your rights and restrictions with respect 53 to this document. Code Components extracted from this document must 54 include Simplified BSD License text as described in Section 4.e of 55 the Trust Legal Provisions and are provided without warranty as 56 described in the Simplified BSD License. 58 Table of Contents 60 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 61 1.1. Notational Conventions . . . . . . . . . . . . . . . . . 3 62 2. The ORIGIN HTTP/2 Frame . . . . . . . . . . . . . . . . . . . 3 63 2.1. Syntax . . . . . . . . . . . . . . . . . . . . . . . . . 3 64 2.2. Processing ORIGIN Frames . . . . . . . . . . . . . . . . 3 65 2.3. The Origin Set . . . . . . . . . . . . . . . . . . . . . 4 66 2.4. Authority, Push and Coalescing with ORIGIN . . . . . . . 5 67 3. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 6 68 4. Security Considerations . . . . . . . . . . . . . . . . . . . 6 69 5. References . . . . . . . . . . . . . . . . . . . . . . . . . 6 70 5.1. Normative References . . . . . . . . . . . . . . . . . . 6 71 5.2. Informative References . . . . . . . . . . . . . . . . . 7 72 Appendix A. Non-Normative Processing Algorithm . . . . . . . . . 7 73 Appendix B. Operational Considerations for Servers . . . . . . . 8 74 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 9 76 1. Introduction 78 HTTP/2 [RFC7540] allows clients to coalesce different origins 79 [RFC6454] onto the same connection when certain conditions are met. 80 However, in certain cases, a connection is is not usable for a 81 coalesced origin, so the 421 (Misdirected Request) status code 82 ([RFC7540], Section 9.1.2) was defined. 84 Using a status code in this manner allows clients to recover from 85 misdirected requests, but at the penalty of adding latency. To 86 address that, this specification defines a new HTTP/2 frame type, 87 "ORIGIN", to allow servers to indicate what origins a connection is 88 usable for. 90 Additionally, experience has shown that HTTP/2's requirement to 91 establish server authority using both DNS and the server's 92 certificate is onerous. This specification relaxes the requirement 93 to check DNS when the ORIGIN frame is in use. Doing so has 94 additional benefits, such as removing the latency associated with 95 some DNS lookups, and improving DNS privacy. 97 1.1. Notational Conventions 99 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 100 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 101 document are to be interpreted as described in [RFC2119]. 103 2. The ORIGIN HTTP/2 Frame 105 The ORIGIN HTTP/2 frame ([RFC7540], Section 4) allows a server to 106 indicate what origin(s) [RFC6454] the server would like the client to 107 consider as members of the Origin Set (Section 2.3) for the 108 connection it occurs within. 110 2.1. Syntax 112 The ORIGIN frame type is 0xc (decimal 12). 114 +-------------------------------+-------------------------------+ 115 | Origin-Len (16) | ASCII-Origin? (*) ... 116 +-------------------------------+-------------------------------+ 118 The ORIGIN frame's payload contains the following fields, sets of 119 which may be repeated within the frame to indicate multiple origins: 121 Origin-Len: An unsigned, 16-bit integer indicating the length, in 122 octets, of the ASCII-Origin field. 124 Origin: An optional sequence of characters containing the ASCII 125 serialization of an origin ([RFC6454], Section 6.2) that the 126 sender believes this connection is or could be authoritative for. 128 The ORIGIN frame does not define any flags. However, future updates 129 to this specification MAY define flags. See Section 2.2. 131 2.2. Processing ORIGIN Frames 133 The ORIGIN frame is a non-critical extension to HTTP/2. Endpoints 134 that do not support this frame can safely ignore it upon receipt. 136 When received by an implementing client, it is used to initialise and 137 manipulate the Origin Set (see Section 2.3), thereby changing how the 138 client establishes authority for origin servers (see Section 2.4). 140 The origin frame MUST be sent on stream 0; an ORIGIN frame on any 141 other stream is invalid and MUST be ignored. 143 Likewise, the ORIGIN frame is only valid on connections with the "h2" 144 protocol identifier, or when specifically nominated by the protocol's 145 definition; it MUST be ignored when received on a connection with the 146 "h2c" protocol identifier. 148 This specification does not define any flags for the ORIGIN frame, 149 but future updates might use them to change its semantics. The first 150 four flags (0x1, 0x2, 0x4 and 0x8) are reserved for backwards- 151 incompatible changes, and therefore when any of them are set, the 152 ORIGIN frame containing them MUST be ignored by clients conforming to 153 this specification, unless the flag's semantics are understood. The 154 remaining flags are reserved for backwards-compatible changes, and do 155 not affect processing by clients conformant to this specification. 157 The ORIGIN frame describes a property of the connection, and 158 therefore is processed hop-by-hop. An intermediary MUST NOT forward 159 ORIGIN frames. Clients configured to use a proxy MUST ignore any 160 ORIGIN frames received from it. 162 Each ASCII-Origin field in the frame's payload MUST be parsed as an 163 ASCII serialisation of an origin ([RFC6454], Section 6.2). If 164 parsing fails, the field MUST be ignored. 166 See Appendix A for an illustrative algorithm for processing ORIGIN 167 frames. 169 2.3. The Origin Set 171 The set of origins (as per [RFC6454]) that a given connection might 172 be used for is known in this specification as the Origin Set. 174 By default, a connections's Origin Set is uninitialised. When an 175 ORIGIN frame is first received and successfully processed by a 176 client, the connection's Origin Set is defined to contain a single 177 origin, composed from: 179 o Scheme: "https" 181 o Host: the value sent in Server Name Indication ([RFC6066] 182 Section 3), converted to lower case 184 o Port: the remote port of the connection (i.e., the server's port) 186 The contents of that ORIGIN frame (and subsequent ones) allows the 187 server to incrementally add new origins to the Origin Set, as 188 described in Section 2.2. 190 The Origin Set is also affected by the 421 (Misdirected Request) 191 response status code, defined in [RFC7540] Section 9.1.2. Upon 192 receipt of a response with this status code, implementing clients 193 MUST create the ASCII serialisation of the corresponding request's 194 origin (as per [RFC6454], Section 6.2) and remove it from the 195 connection's Origin Set, if present. 197 2.4. Authority, Push and Coalescing with ORIGIN 199 [RFC7540], Section 10.1 uses both DNS and the presented TLS 200 certificate to establish the origin server(s) that a connection is 201 authoritative for, just as HTTP/1.1 does in [RFC7230]. Furthermore, 202 [RFC7540] Section 9.1.1 explicitly allows a connection to be used for 203 more than one origin server, if it is authoritative. This affects 204 what requests can be sent on the connection, both in HEADERS frame by 205 the client and as PUSH_PROMISE frames from the server. 207 Once an Origin Set has been initialised for a connection, clients 208 that implement this specification change these behaviors in the 209 following ways: 211 o Clients MUST NOT consult DNS to establish the connection's 212 authority for new requests. The TLS certificate MUST stil be used 213 to do so, as described in [RFC7540] Section 9.1.1. 215 o Clients sending a new request SHOULD use an existing connection if 216 the request's origin is in that connection's Origin Set, unless 217 there are operational reasons for creating a new connection. 219 o Clients MUST use the Origin Set to determine whether a received 220 PUSH_PROMISE is authoritative, as described in [RFC7540], 221 Section 8.2.2. 223 Note that clients are still required to perform checks on the 224 certificate presented by the server for each origin that a connection 225 is used for; see [RFC7540] Section 9.1.1 for more information. This 226 includes verifying that the host matches a "dNSName" value from the 227 certificate "subjectAltName" field (using the wildcard rules defined 228 in [RFC2818]; see also [RFC5280] Section 4.2.1.6). 230 Because ORIGIN can change the set of origins a connection is used for 231 over time, it is possible that a client might have more than one 232 viable connection to an origin open at any time. When this occurs, 233 clients SHOULD not emit new requests on any connection whose Origin 234 Set is a subset of another connection's Origin Set, and SHOULD close 235 it once all outstanding requests are satisfied. 237 3. IANA Considerations 239 This specification adds an entry to the "HTTP/2 Frame Type" registry. 241 o Frame Type: ORIGIN 243 o Code: 0xc 245 o Specification: [this document] 247 4. Security Considerations 249 Clients that blindly trust the ORIGIN frame's contents will be 250 vulnerable to a large number of attacks. See Section 2.4 for 251 mitigations. 253 Relaxing the requirement to consult DNS when determining authority 254 for an origin means that an attacker who possesses a valid 255 certificate no longer needs to be on-path to redirect traffic to 256 them; instead of modifying DNS, they need only convince the user to 257 visit another Web site, in order to coalesce connections to the 258 target onto their existing connection. 260 5. References 262 5.1. Normative References 264 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 265 Requirement Levels", BCP 14, RFC 2119, 266 DOI 10.17487/RFC2119, March 1997, 267 . 269 [RFC2818] Rescorla, E., "HTTP Over TLS", RFC 2818, 270 DOI 10.17487/RFC2818, May 2000, 271 . 273 [RFC5280] Cooper, D., Santesson, S., Farrell, S., Boeyen, S., 274 Housley, R., and W. Polk, "Internet X.509 Public Key 275 Infrastructure Certificate and Certificate Revocation List 276 (CRL) Profile", RFC 5280, DOI 10.17487/RFC5280, May 2008, 277 . 279 [RFC6066] Eastlake 3rd, D., "Transport Layer Security (TLS) 280 Extensions: Extension Definitions", RFC 6066, 281 DOI 10.17487/RFC6066, January 2011, 282 . 284 [RFC6454] Barth, A., "The Web Origin Concept", RFC 6454, 285 DOI 10.17487/RFC6454, December 2011, 286 . 288 [RFC7540] Belshe, M., Peon, R., and M. Thomson, Ed., "Hypertext 289 Transfer Protocol Version 2 (HTTP/2)", RFC 7540, 290 DOI 10.17487/RFC7540, May 2015, 291 . 293 5.2. Informative References 295 [RFC5988] Nottingham, M., "Web Linking", RFC 5988, 296 DOI 10.17487/RFC5988, October 2010, 297 . 299 [RFC7230] Fielding, R., Ed. and J. Reschke, Ed., "Hypertext Transfer 300 Protocol (HTTP/1.1): Message Syntax and Routing", 301 RFC 7230, DOI 10.17487/RFC7230, June 2014, 302 . 304 [RFC7838] Nottingham, M., McManus, P., and J. Reschke, "HTTP 305 Alternative Services", RFC 7838, DOI 10.17487/RFC7838, 306 April 2016, . 308 Appendix A. Non-Normative Processing Algorithm 310 The following algorithm illustrates how a client could handle 311 received ORIGIN frames: 313 1. If the client is configured to use a proxy for the connection, 314 ignore the frame and stop processing. 316 2. If the connection is not identified with the "h2" protocol 317 identifier or another protocol that has explicitly opted into 318 this specification, ignore the frame and stop processing. 320 3. If the frame occurs upon any stream except stream 0, ignore the 321 frame and stop processing. 323 4. If any of the flags 0x1, 0x2, 0x4 or 0x8 are set, ignore the 324 frame and stop processing. 326 5. If no previous ORIGIN frame on the connection has reached this 327 step, initialise the Origin Set as per Section 2.3. 329 6. For each Origin field "origin_raw" in the frame payload: 331 1. Parse "origin_raw" as an ASCII serialization of an origin 332 ([RFC6454], Section 6.2) and let the result be 333 "parsed_origin". If parsing fails, skip to the next 334 "origin_raw". 336 2. Add "parsed_origin" to the Origin Set. 338 Appendix B. Operational Considerations for Servers 340 The ORIGIN frame allows a server to indicate for which origins a 341 given connection ought be used. 343 For example, it can be used to inform the client that the connection 344 is to only be used for the SNI-based origin, by sending an empty 345 ORIGIN frame. Or, a larger number of origins can be indicated by 346 including a payload. 348 Generally, this information is most useful to send before sending any 349 part of a response that might initiate a new connection; for example, 350 "Link" headers [RFC5988] in a response HEADERS, or links in the 351 response body. 353 Therefore, the ORIGIN frame ought be sent as soon as possible on a 354 connection, ideally before any HEADERS or PUSH_PROMISE frames. 356 However, if it's desirable to associate a large number of origins 357 with a connection, doing so might introduce end-user perceived 358 latency, due to their size. As a result, it might be necessary to 359 select a "core" set of origins to send initially, expanding the set 360 of origins the connection is used for with subsequent ORIGIN frames 361 later (e.g., when the connection is idle). 363 That said, senders are encouraged to include as many origins as 364 practical within a single ORIGIN frame; clients need to make 365 decisions about creating connections on the fly, and if the origin 366 set is split across many frames, their behaviour might be suboptimal. 368 Senders take note that, as per [RFC6454] Section 4, the values in an 369 ORIGIN header need to be case-normalised before serialisation. 371 Finally, servers that host alternative services [RFC7838] will need 372 to explicitly advertise their origins when sending ORIGIN, because 373 the default contents of the Origin Set (as per Section 2.3) do not 374 contain any Alternative Services' origins, even if they have been 375 used previously on the connection. 377 Authors' Addresses 379 Mark Nottingham 381 Email: mnot@mnot.net 382 URI: https://www.mnot.net/ 384 Erik Nygren 385 Akamai 387 Email: nygren@akamai.com