idnits 2.17.1 draft-ietf-httpbis-origin-frame-04.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year == Using lowercase 'not' together with uppercase 'MUST', 'SHALL', 'SHOULD', or 'RECOMMENDED' is not an accepted usage according to RFC 2119. Please use uppercase 'NOT' together with RFC 2119 keywords (if that is what you mean). Found 'SHOULD not' in this paragraph: Because ORIGIN can change the set of origins a connection is used for over time, it is possible that a client might have more than one viable connection to an origin open at any time. When this occurs, clients SHOULD not emit new requests on any connection whose Origin Set is a proper subset of another connection's Origin Set, and SHOULD close it once all outstanding requests are satisfied. -- The document date (August 23, 2017) is 2428 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) ** Obsolete normative reference: RFC 2818 (Obsoleted by RFC 9110) ** Obsolete normative reference: RFC 7540 (Obsoleted by RFC 9113) -- Obsolete informational reference (is this intentional?): RFC 5988 (Obsoleted by RFC 8288) -- Obsolete informational reference (is this intentional?): RFC 7230 (Obsoleted by RFC 9110, RFC 9112) Summary: 2 errors (**), 0 flaws (~~), 2 warnings (==), 3 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 HTTP Working Group M. Nottingham 3 Internet-Draft 4 Intended status: Standards Track E. Nygren 5 Expires: February 24, 2018 Akamai 6 August 23, 2017 8 The ORIGIN HTTP/2 Frame 9 draft-ietf-httpbis-origin-frame-04 11 Abstract 13 This document specifies the ORIGIN frame for HTTP/2, to indicate what 14 origins are available on a given connection. 16 Note to Readers 18 Discussion of this draft takes place on the HTTP working group 19 mailing list (ietf-http-wg@w3.org), which is archived at 20 https://lists.w3.org/Archives/Public/ietf-http-wg/. 22 Working Group information can be found at http://httpwg.github.io/; 23 source code and issues list for this draft can be found at 24 https://github.com/httpwg/http-extensions/labels/origin-frame. 26 Status of This Memo 28 This Internet-Draft is submitted in full conformance with the 29 provisions of BCP 78 and BCP 79. 31 Internet-Drafts are working documents of the Internet Engineering 32 Task Force (IETF). Note that other groups may also distribute 33 working documents as Internet-Drafts. The list of current Internet- 34 Drafts is at http://datatracker.ietf.org/drafts/current/. 36 Internet-Drafts are draft documents valid for a maximum of six months 37 and may be updated, replaced, or obsoleted by other documents at any 38 time. It is inappropriate to use Internet-Drafts as reference 39 material or to cite them other than as "work in progress." 41 This Internet-Draft will expire on February 24, 2018. 43 Copyright Notice 45 Copyright (c) 2017 IETF Trust and the persons identified as the 46 document authors. All rights reserved. 48 This document is subject to BCP 78 and the IETF Trust's Legal 49 Provisions Relating to IETF Documents 50 (http://trustee.ietf.org/license-info) in effect on the date of 51 publication of this document. Please review these documents 52 carefully, as they describe your rights and restrictions with respect 53 to this document. Code Components extracted from this document must 54 include Simplified BSD License text as described in Section 4.e of 55 the Trust Legal Provisions and are provided without warranty as 56 described in the Simplified BSD License. 58 Table of Contents 60 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 61 1.1. Notational Conventions . . . . . . . . . . . . . . . . . 3 62 2. The ORIGIN HTTP/2 Frame . . . . . . . . . . . . . . . . . . . 3 63 2.1. Syntax . . . . . . . . . . . . . . . . . . . . . . . . . 3 64 2.2. Processing ORIGIN Frames . . . . . . . . . . . . . . . . 3 65 2.3. The Origin Set . . . . . . . . . . . . . . . . . . . . . 4 66 2.4. Authority, Push and Coalescing with ORIGIN . . . . . . . 5 67 3. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 6 68 4. Security Considerations . . . . . . . . . . . . . . . . . . . 6 69 5. References . . . . . . . . . . . . . . . . . . . . . . . . . 7 70 5.1. Normative References . . . . . . . . . . . . . . . . . . 7 71 5.2. Informative References . . . . . . . . . . . . . . . . . 8 72 Appendix A. Non-Normative Processing Algorithm . . . . . . . . . 8 73 Appendix B. Operational Considerations for Servers . . . . . . . 9 74 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 10 76 1. Introduction 78 HTTP/2 [RFC7540] allows clients to coalesce different origins 79 [RFC6454] onto the same connection when certain conditions are met. 80 However, in certain cases, a connection is not usable for a coalesced 81 origin, so the 421 (Misdirected Request) status code ([RFC7540], 82 Section 9.1.2) was defined. 84 Using a status code in this manner allows clients to recover from 85 misdirected requests, but at the penalty of adding latency. To 86 address that, this specification defines a new HTTP/2 frame type, 87 "ORIGIN", to allow servers to indicate what origins a connection is 88 usable for. 90 Additionally, experience has shown that HTTP/2's requirement to 91 establish server authority using both DNS and the server's 92 certificate is onerous. This specification relaxes the requirement 93 to check DNS when the ORIGIN frame is in use. Doing so has 94 additional benefits, such as removing the latency associated with 95 some DNS lookups. 97 1.1. Notational Conventions 99 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 100 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 101 document are to be interpreted as described in [RFC2119]. 103 2. The ORIGIN HTTP/2 Frame 105 The ORIGIN HTTP/2 frame ([RFC7540], Section 4) allows a server to 106 indicate what origin(s) [RFC6454] the server would like the client to 107 consider as members of the Origin Set (Section 2.3) for the 108 connection it occurs within. 110 2.1. Syntax 112 The ORIGIN frame type is 0xc (decimal 12), and contains zero to many 113 Origin-Entry. 115 +-------------------------------+-------------------------------+ 116 | Origin-Entry (*) ... 117 +-------------------------------+-------------------------------+ 119 An Origin-Entry is a length-delimited string: 121 +-------------------------------+-------------------------------+ 122 | Origin-Len (16) | ASCII-Origin? ... 123 +-------------------------------+-------------------------------+ 125 Specifically: 127 Origin-Len: An unsigned, 16-bit integer indicating the length, in 128 octets, of the ASCII-Origin field. 130 Origin: An OPTIONAL sequence of characters containing the ASCII 131 serialization of an origin ([RFC6454], Section 6.2) that the 132 sender believes this connection is or could be authoritative for. 134 The ORIGIN frame does not define any flags. However, future updates 135 to this specification MAY define flags. See Section 2.2. 137 2.2. Processing ORIGIN Frames 139 The ORIGIN frame is a non-critical extension to HTTP/2. Endpoints 140 that do not support this frame can safely ignore it upon receipt. 142 When received by an implementing client, it is used to initialise and 143 manipulate the Origin Set (see Section 2.3), thereby changing how the 144 client establishes authority for origin servers (see Section 2.4). 146 The origin frame MUST be sent on stream 0; an ORIGIN frame on any 147 other stream is invalid and MUST be ignored. 149 Likewise, the ORIGIN frame is only valid on connections with the "h2" 150 protocol identifier, or when specifically nominated by the protocol's 151 definition; it MUST be ignored when received on a connection with the 152 "h2c" protocol identifier. 154 This specification does not define any flags for the ORIGIN frame, 155 but future updates might use them to change its semantics. The first 156 four flags (0x1, 0x2, 0x4 and 0x8) are reserved for backwards- 157 incompatible changes, and therefore when any of them are set, the 158 ORIGIN frame containing them MUST be ignored by clients conforming to 159 this specification, unless the flag's semantics are understood. The 160 remaining flags are reserved for backwards-compatible changes, and do 161 not affect processing by clients conformant to this specification. 163 The ORIGIN frame describes a property of the connection, and 164 therefore is processed hop-by-hop. An intermediary MUST NOT forward 165 ORIGIN frames. Clients configured to use a proxy MUST ignore any 166 ORIGIN frames received from it. 168 Each ASCII-Origin field in the frame's payload MUST be parsed as an 169 ASCII serialisation of an origin ([RFC6454], Section 6.2). If 170 parsing fails, the field MUST be ignored. 172 See Appendix A for an illustrative algorithm for processing ORIGIN 173 frames. 175 2.3. The Origin Set 177 The set of origins (as per [RFC6454]) that a given connection might 178 be used for is known in this specification as the Origin Set. 180 By default, the Origin Set for a connection is uninitialised. When 181 an ORIGIN frame is first received and successfully processed by a 182 client, the connection's Origin Set is defined to contain an initial 183 origin. The initial origin is composed from: 185 o Scheme: "https" 187 o Host: the value sent in Server Name Indication (SNI, [RFC6066] 188 Section 3), converted to lower case 190 o Port: the remote port of the connection (i.e., the server's port) 191 The contents of that ORIGIN frame (and subsequent ones) allows the 192 server to incrementally add new origins to the Origin Set, as 193 described in Section 2.2. 195 The Origin Set is also affected by the 421 (Misdirected Request) 196 response status code, defined in [RFC7540] Section 9.1.2. Upon 197 receipt of a response with this status code, implementing clients 198 MUST create the ASCII serialisation of the corresponding request's 199 origin (as per [RFC6454], Section 6.2) and remove it from the 200 connection's Origin Set, if present. 202 Note: When sending an ORIGIN frame to a connection that is 203 initialised as an Alternative Service [RFC7838], the initial 204 origin set Section 2.3 will contain an origin with the appropriate 205 scheme and hostname (since Alternative Services specifies that the 206 origin's hostname be sent in SNI). However, it is possible that 207 the port will be different than that of the intended origin, since 208 the initial origin set is calculated using the actual port in use, 209 which can be different for the alternative service. In this case, 210 the intended origin needs to be sent in the ORIGIN frame 211 explicitly. 213 For example, a client making requests for "https://example.com" is 214 directed to an alternative service at ("h2", "x.example.net", 215 "8443"). If this alternative service sends an ORIGIN frame, the 216 initial origin will be "https://example.com:8443". The client 217 will not be able to use the alternative service to make requests 218 for "https://example.com" unless that origin is explicitly 219 included in the ORIGIN frame. 221 2.4. Authority, Push and Coalescing with ORIGIN 223 [RFC7540], Section 10.1 uses both DNS and the presented TLS 224 certificate to establish the origin server(s) that a connection is 225 authoritative for, just as HTTP/1.1 does in [RFC7230]. 227 Furthermore, [RFC7540] Section 9.1.1 explicitly allows a connection 228 to be used for more than one origin server, if it is authoritative. 229 This affects what requests can be sent on the connection, both in 230 HEADERS frame by the client and as PUSH_PROMISE frames from the 231 server ([RFC7540], Section 8.2.2). 233 Once an Origin Set has been initialised for a connection, clients 234 that implement this specification use it to help determine what the 235 connection is authoritative for. Specifically, such clients MUST NOT 236 consider a connection to be authoritative for an origin not present 237 in the Origin Set, and SHOULD use the connection for all requests to 238 origins in the Origin Set for which the connection is authoritative, 239 unless there are operational reasons for opening a new connection. 241 Note that for a connection to be considered authoritative for a given 242 origin, the client is still required to obtain a certificate that 243 passes suitable checks; see [RFC7540] Section 9.1.1 for more 244 information. This includes verifying that the host matches a 245 "dNSName" value from the certificate "subjectAltName" field (using 246 the wildcard rules defined in [RFC2818]; see also [RFC5280] 247 Section 4.2.1.6). 249 Additionally, clients MAY avoid consulting DNS to establish the 250 connection's authority for new requests; however, those that do so 251 face new risks, as explained in Section 4 253 Because ORIGIN can change the set of origins a connection is used for 254 over time, it is possible that a client might have more than one 255 viable connection to an origin open at any time. When this occurs, 256 clients SHOULD not emit new requests on any connection whose Origin 257 Set is a proper subset of another connection's Origin Set, and SHOULD 258 close it once all outstanding requests are satisfied. 260 The Origin Set is unaffected by any alternative services [RFC7838] 261 advertisements made by the server. Advertising an alternative 262 service does not affect whether a server is authoritative. 264 3. IANA Considerations 266 This specification adds an entry to the "HTTP/2 Frame Type" registry. 268 o Frame Type: ORIGIN 270 o Code: 0xc 272 o Specification: [this document] 274 4. Security Considerations 276 Clients that blindly trust the ORIGIN frame's contents will be 277 vulnerable to a large number of attacks. See Section 2.4 for 278 mitigations. 280 Relaxing the requirement to consult DNS when determining authority 281 for an origin means that an attacker who possesses a valid 282 certificate no longer needs to be on-path to redirect traffic to 283 them; instead of modifying DNS, they need only convince the user to 284 visit another Web site in order to coalesce connections to the target 285 onto their existing connection. 287 As a result, clients opting not to consult DNS ought to employ some 288 alternative means to increase confidence that the certificate is 289 legitimate. Examples of mechanisms that can give additional 290 confidence in a certificate include checking for a Signed Certificate 291 Timestamp [RFC6929] and performing certificate revocation checks. 293 Clients opting not to consult DNS ought to do so only if they have a 294 high degree of confidence that the certificate is legitimate. For 295 instance, clients might skip consulting DNS only if they receive 296 proof of inclusion in a Certificate Transparency log [RFC6929] or 297 they have a recent OCSP response [RFC6960] (possibly using the 298 "status_request" TLS extension [RFC6066]) showing that the 299 certificate was not revoked. 301 The Origin Set's size is unbounded by this specification, and thus 302 could be used by attackers to exhaust client resources. To mitigate 303 this risk, clients can monitor their state commitment and close the 304 connection if it is too high. 306 5. References 308 5.1. Normative References 310 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 311 Requirement Levels", BCP 14, RFC 2119, 312 DOI 10.17487/RFC2119, March 1997, . 315 [RFC2818] Rescorla, E., "HTTP Over TLS", RFC 2818, 316 DOI 10.17487/RFC2818, May 2000, . 319 [RFC5280] Cooper, D., Santesson, S., Farrell, S., Boeyen, S., 320 Housley, R., and W. Polk, "Internet X.509 Public Key 321 Infrastructure Certificate and Certificate Revocation List 322 (CRL) Profile", RFC 5280, DOI 10.17487/RFC5280, May 2008, 323 . 325 [RFC6066] Eastlake 3rd, D., "Transport Layer Security (TLS) 326 Extensions: Extension Definitions", RFC 6066, 327 DOI 10.17487/RFC6066, January 2011, . 330 [RFC6454] Barth, A., "The Web Origin Concept", RFC 6454, 331 DOI 10.17487/RFC6454, December 2011, . 334 [RFC7540] Belshe, M., Peon, R., and M. Thomson, Ed., "Hypertext 335 Transfer Protocol Version 2 (HTTP/2)", RFC 7540, 336 DOI 10.17487/RFC7540, May 2015, . 339 5.2. Informative References 341 [RFC5988] Nottingham, M., "Web Linking", RFC 5988, 342 DOI 10.17487/RFC5988, October 2010, . 345 [RFC6929] DeKok, A. and A. Lior, "Remote Authentication Dial In User 346 Service (RADIUS) Protocol Extensions", RFC 6929, 347 DOI 10.17487/RFC6929, April 2013, . 350 [RFC6960] Santesson, S., Myers, M., Ankney, R., Malpani, A., 351 Galperin, S., and C. Adams, "X.509 Internet Public Key 352 Infrastructure Online Certificate Status Protocol - OCSP", 353 RFC 6960, DOI 10.17487/RFC6960, June 2013, 354 . 356 [RFC7230] Fielding, R., Ed. and J. Reschke, Ed., "Hypertext Transfer 357 Protocol (HTTP/1.1): Message Syntax and Routing", 358 RFC 7230, DOI 10.17487/RFC7230, June 2014, 359 . 361 [RFC7838] Nottingham, M., McManus, P., and J. Reschke, "HTTP 362 Alternative Services", RFC 7838, DOI 10.17487/RFC7838, 363 April 2016, . 365 Appendix A. Non-Normative Processing Algorithm 367 The following algorithm illustrates how a client could handle 368 received ORIGIN frames: 370 1. If the client is configured to use a proxy for the connection, 371 ignore the frame and stop processing. 373 2. If the connection is not identified with the "h2" protocol 374 identifier or another protocol that has explicitly opted into 375 this specification, ignore the frame and stop processing. 377 3. If the frame occurs upon any stream except stream 0, ignore the 378 frame and stop processing. 380 4. If any of the flags 0x1, 0x2, 0x4 or 0x8 are set, ignore the 381 frame and stop processing. 383 5. If no previous ORIGIN frame on the connection has reached this 384 step, initialise the Origin Set as per Section 2.3. 386 6. For each "Origin-Entry" in the frame payload: 388 1. Parse "ASCII-Origin" as an ASCII serialization of an origin 389 ([RFC6454], Section 6.2) and let the result be 390 "parsed_origin". If parsing fails, skip to the next "Origin- 391 Entry". 393 2. Add "parsed_origin" to the Origin Set. 395 Appendix B. Operational Considerations for Servers 397 The ORIGIN frame allows a server to indicate for which origins a 398 given connection ought be used. The set of origins advertised using 399 this mechanism is under control of the server; servers are not 400 obligated to use it, or to advertise all origins which they might be 401 able to answer a request for. 403 For example, it can be used to inform the client that the connection 404 is to only be used for the SNI-based origin, by sending an empty 405 ORIGIN frame. Or, a larger number of origins can be indicated by 406 including a payload. 408 Generally, this information is most useful to send before sending any 409 part of a response that might initiate a new connection; for example, 410 "Link" headers [RFC5988] in a response HEADERS, or links in the 411 response body. 413 Therefore, the ORIGIN frame ought be sent as soon as possible on a 414 connection, ideally before any HEADERS or PUSH_PROMISE frames. 416 However, if it's desirable to associate a large number of origins 417 with a connection, doing so might introduce end-user perceived 418 latency, due to their size. As a result, it might be necessary to 419 select a "core" set of origins to send initially, expanding the set 420 of origins the connection is used for with subsequent ORIGIN frames 421 later (e.g., when the connection is idle). 423 That said, senders are encouraged to include as many origins as 424 practical within a single ORIGIN frame; clients need to make 425 decisions about creating connections on the fly, and if the origin 426 set is split across many frames, their behaviour might be suboptimal. 428 Senders take note that, as per [RFC6454] Section 4, the values in an 429 ORIGIN header need to be case-normalised before serialisation. 431 Finally, servers that host alternative services [RFC7838] will need 432 to explicitly advertise their origins when sending ORIGIN, because 433 the default contents of the Origin Set (as per Section 2.3) do not 434 contain any Alternative Services' origins, even if they have been 435 used previously on the connection. 437 Authors' Addresses 439 Mark Nottingham 441 Email: mnot@mnot.net 442 URI: https://www.mnot.net/ 444 Erik Nygren 445 Akamai 447 Email: nygren@akamai.com