idnits 2.17.1 draft-ietf-httpbis-origin-frame-05.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- ** The abstract seems to contain references ([2], [3], [1]), which it shouldn't. Please replace those with straight textual mentions of the documents in question. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document date (January 11, 2018) is 2291 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) -- Looks like a reference, but probably isn't: '1' on line 378 -- Looks like a reference, but probably isn't: '2' on line 380 -- Looks like a reference, but probably isn't: '3' on line 382 ** Obsolete normative reference: RFC 2818 (Obsoleted by RFC 9110) ** Obsolete normative reference: RFC 7540 (Obsoleted by RFC 9113) -- Obsolete informational reference (is this intentional?): RFC 6962 (Obsoleted by RFC 9162) -- Obsolete informational reference (is this intentional?): RFC 7230 (Obsoleted by RFC 9110, RFC 9112) Summary: 3 errors (**), 0 flaws (~~), 1 warning (==), 6 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 HTTP M. Nottingham 3 Internet-Draft 4 Intended status: Standards Track E. Nygren 5 Expires: July 15, 2018 Akamai 6 January 11, 2018 8 The ORIGIN HTTP/2 Frame 9 draft-ietf-httpbis-origin-frame-05 11 Abstract 13 This document specifies the ORIGIN frame for HTTP/2, to indicate what 14 origins are available on a given connection. 16 Note to Readers 18 Discussion of this draft takes place on the HTTP working group 19 mailing list (ietf-http-wg@w3.org), which is archived at 20 https://lists.w3.org/Archives/Public/ietf-http-wg/ [1]. 22 Working Group information can be found at http://httpwg.github.io/ 23 [2]; source code and issues list for this draft can be found at 24 https://github.com/httpwg/http-extensions/labels/origin-frame [3]. 26 Status of This Memo 28 This Internet-Draft is submitted in full conformance with the 29 provisions of BCP 78 and BCP 79. 31 Internet-Drafts are working documents of the Internet Engineering 32 Task Force (IETF). Note that other groups may also distribute 33 working documents as Internet-Drafts. The list of current Internet- 34 Drafts is at https://datatracker.ietf.org/drafts/current/. 36 Internet-Drafts are draft documents valid for a maximum of six months 37 and may be updated, replaced, or obsoleted by other documents at any 38 time. It is inappropriate to use Internet-Drafts as reference 39 material or to cite them other than as "work in progress." 41 This Internet-Draft will expire on July 15, 2018. 43 Copyright Notice 45 Copyright (c) 2018 IETF Trust and the persons identified as the 46 document authors. All rights reserved. 48 This document is subject to BCP 78 and the IETF Trust's Legal 49 Provisions Relating to IETF Documents 50 (https://trustee.ietf.org/license-info) in effect on the date of 51 publication of this document. Please review these documents 52 carefully, as they describe your rights and restrictions with respect 53 to this document. Code Components extracted from this document must 54 include Simplified BSD License text as described in Section 4.e of 55 the Trust Legal Provisions and are provided without warranty as 56 described in the Simplified BSD License. 58 Table of Contents 60 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 61 1.1. Notational Conventions . . . . . . . . . . . . . . . . . 3 62 2. The ORIGIN HTTP/2 Frame . . . . . . . . . . . . . . . . . . . 3 63 2.1. Syntax . . . . . . . . . . . . . . . . . . . . . . . . . 3 64 2.2. Processing ORIGIN Frames . . . . . . . . . . . . . . . . 4 65 2.3. The Origin Set . . . . . . . . . . . . . . . . . . . . . 5 66 2.4. Authority, Push and Coalescing with ORIGIN . . . . . . . 6 67 3. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 7 68 4. Security Considerations . . . . . . . . . . . . . . . . . . . 7 69 5. References . . . . . . . . . . . . . . . . . . . . . . . . . 7 70 5.1. Normative References . . . . . . . . . . . . . . . . . . 7 71 5.2. Informative References . . . . . . . . . . . . . . . . . 8 72 5.3. URIs . . . . . . . . . . . . . . . . . . . . . . . . . . 9 73 Appendix A. Non-Normative Processing Algorithm . . . . . . . . . 9 74 Appendix B. Operational Considerations for Servers . . . . . . . 9 75 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 10 77 1. Introduction 79 HTTP/2 [RFC7540] allows clients to coalesce different origins 80 [RFC6454] onto the same connection when certain conditions are met. 81 However, in certain cases, a connection is not usable for a coalesced 82 origin, so the 421 (Misdirected Request) status code ([RFC7540], 83 Section 9.1.2) was defined. 85 Using a status code in this manner allows clients to recover from 86 misdirected requests, but at the penalty of adding latency. To 87 address that, this specification defines a new HTTP/2 frame type, 88 "ORIGIN", to allow servers to indicate what origins a connection is 89 usable for. 91 Additionally, experience has shown that HTTP/2's requirement to 92 establish server authority using both DNS and the server's 93 certificate is onerous. This specification relaxes the requirement 94 to check DNS when the ORIGIN frame is in use. Doing so has 95 additional benefits, such as removing the latency associated with 96 some DNS lookups. 98 1.1. Notational Conventions 100 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 101 "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and 102 "OPTIONAL" in this document are to be interpreted as described in BCP 103 14 [RFC2119] [RFC8174] when, and only when, they appear in all 104 capitals, as shown here. 106 2. The ORIGIN HTTP/2 Frame 108 This document defines a new HTTP/2 frame type ([RFC7540], Section 4) 109 called ORIGIN, that allows a server to indicate what origin(s) 110 [RFC6454] the server would like the client to consider as members of 111 the Origin Set (Section 2.3) for the connection it occurs within. 113 2.1. Syntax 115 The ORIGIN frame type is 0xc (decimal 12), and contains zero or more 116 instances of the Origin-Entry field. 118 +-------------------------------+-------------------------------+ 119 | Origin-Entry (*) ... 120 +-------------------------------+-------------------------------+ 122 An Origin-Entry is a length-delimited string: 124 +-------------------------------+-------------------------------+ 125 | Origin-Len (16) | ASCII-Origin? ... 126 +-------------------------------+-------------------------------+ 128 Specifically: 130 Origin-Len: An unsigned, 16-bit integer indicating the length, in 131 octets, of the ASCII-Origin field. 133 Origin: An OPTIONAL sequence of characters containing the ASCII 134 serialization of an origin ([RFC6454], Section 6.2) that the 135 sender asserts this connection is or could be authoritative for. 137 The ORIGIN frame does not define any flags. However, future updates 138 to this specification MAY define flags. See Section 2.2. 140 2.2. Processing ORIGIN Frames 142 The ORIGIN frame is a non-critical extension to HTTP/2. Endpoints 143 that do not support this frame can safely ignore it upon receipt. 145 When received by an implementing client, it is used to initialise and 146 manipulate the Origin Set (see Section 2.3), thereby changing how the 147 client establishes authority for origin servers (see Section 2.4). 149 The ORIGIN frame MUST be sent on stream 0; an ORIGIN frame on any 150 other stream is invalid and MUST be ignored. 152 Likewise, the ORIGIN frame is only valid on connections with the "h2" 153 protocol identifier, or when specifically nominated by the protocol's 154 definition; it MUST be ignored when received on a connection with the 155 "h2c" protocol identifier. 157 This specification does not define any flags for the ORIGIN frame, 158 but future updates to this specification (through IETF consensus) 159 might use them to change its semantics. The first four flags (0x1, 160 0x2, 0x4 and 0x8) are reserved for backwards-incompatible changes, 161 and therefore when any of them are set, the ORIGIN frame containing 162 them MUST be ignored by clients conforming to this specification, 163 unless the flag's semantics are understood. The remaining flags are 164 reserved for backwards-compatible changes, and do not affect 165 processing by clients conformant to this specification. 167 The ORIGIN frame describes a property of the connection, and 168 therefore is processed hop-by-hop. An intermediary MUST NOT forward 169 ORIGIN frames. Clients configured to use a proxy MUST ignore any 170 ORIGIN frames received from it. 172 Each ASCII-Origin field in the frame's payload MUST be parsed as an 173 ASCII serialisation of an origin ([RFC6454], Section 6.2). If 174 parsing fails, the field MUST be ignored. 176 Note that the ORIGIN frame does not support wildcard names (e.g., 177 "*.example.com") in Origin-Entry. As a result, sending ORIGIN when a 178 wildcard certificate is in use effectively disables any origins that 179 are not explicitly listed in the ORIGIN frame(s) (when the client 180 understands ORIGIN). 182 See Appendix A for an illustrative algorithm for processing ORIGIN 183 frames. 185 2.3. The Origin Set 187 The set of origins (as per [RFC6454]) that a given connection might 188 be used for is known in this specification as the Origin Set. 190 By default, the Origin Set for a connection is uninitialised. When 191 an ORIGIN frame is first received and successfully processed by a 192 client, the connection's Origin Set is defined to contain an initial 193 origin. The initial origin is composed from: 195 o Scheme: "https" 197 o Host: the value sent in Server Name Indication (SNI, [RFC6066], 198 Section 3), converted to lower case; if SNI is not present, the 199 remote address of the connection (i.e., the server's IP address) 201 o Port: the remote port of the connection (i.e., the server's port) 203 The contents of that ORIGIN frame (and subsequent ones) allows the 204 server to incrementally add new origins to the Origin Set, as 205 described in Section 2.2. 207 The Origin Set is also affected by the 421 (Misdirected Request) 208 response status code, defined in [RFC7540], Section 9.1.2. Upon 209 receipt of a response with this status code, implementing clients 210 MUST create the ASCII serialisation of the corresponding request's 211 origin (as per [RFC6454], Section 6.2) and remove it from the 212 connection's Origin Set, if present. 214 Note: When sending an ORIGIN frame to a connection that is 215 initialised as an Alternative Service [RFC7838], the initial 216 origin set (Section 2.3) will contain an origin with the 217 appropriate scheme and hostname (since Alternative Services 218 specifies that the origin's hostname be sent in SNI). However, it 219 is possible that the port will be different than that of the 220 intended origin, since the initial origin set is calculated using 221 the actual port in use, which can be different for the alternative 222 service. In this case, the intended origin needs to be sent in 223 the ORIGIN frame explicitly. 225 For example, a client making requests for "https://example.com" is 226 directed to an alternative service at ("h2", "x.example.net", 227 "8443"). If this alternative service sends an ORIGIN frame, the 228 initial origin will be "https://example.com:8443". The client 229 will not be able to use the alternative service to make requests 230 for "https://example.com" unless that origin is explicitly 231 included in the ORIGIN frame. 233 2.4. Authority, Push and Coalescing with ORIGIN 235 Section 10.1 of [RFC7540] uses both DNS and the presented TLS 236 certificate to establish the origin server(s) that a connection is 237 authoritative for, just as HTTP/1.1 does in [RFC7230]. 239 Furthermore, Section 9.1.1 of [RFC7540] explicitly allows a 240 connection to be used for more than one origin server, if it is 241 authoritative. This affects what responses can be considered 242 authoritative, both for direct responses to requests and for server 243 push (see [RFC7540], Section 8.2.2). Indirectly, it also affects 244 what requests will be sent on a connection, since clients will 245 generally only send requests on connections that they believe to be 246 authoritative for the origin in question. 248 Once an Origin Set has been initialised for a connection, clients 249 that implement this specification use it to help determine what the 250 connection is authoritative for. Specifically, such clients MUST NOT 251 consider a connection to be authoritative for an origin not present 252 in the Origin Set, and SHOULD use the connection for all requests to 253 origins in the Origin Set for which the connection is authoritative, 254 unless there are operational reasons for opening a new connection. 256 Note that for a connection to be considered authoritative for a given 257 origin, the server is still required to authenticate with certificate 258 that passes suitable checks; see Section 9.1.1 of [RFC7540] for more 259 information. This includes verifying that the host matches a 260 "dNSName" value from the certificate "subjectAltName" field (using 261 the rules defined in [RFC2818]; see also [RFC5280], Section 4.2.1.6). 263 Additionally, clients MAY avoid consulting DNS to establish the 264 connection's authority for new requests to origins in the Origin Set; 265 however, those that do so face new risks, as explained in Section 4. 267 Because ORIGIN can change the set of origins a connection is used for 268 over time, it is possible that a client might have more than one 269 viable connection to an origin open at any time. When this occurs, 270 clients SHOULD NOT emit new requests on any connection whose Origin 271 Set is a proper subset of another connection's Origin Set, and SHOULD 272 close it once all outstanding requests are satisfied. 274 The Origin Set is unaffected by any alternative services [RFC7838] 275 advertisements made by the server. Advertising an alternative 276 service does not affect whether a server is authoritative. 278 3. IANA Considerations 280 This specification adds an entry to the "HTTP/2 Frame Type" registry. 282 o Frame Type: ORIGIN 284 o Code: 0xc 286 o Specification: [this document] 288 4. Security Considerations 290 Clients that blindly trust the ORIGIN frame's contents will be 291 vulnerable to a large number of attacks. See Section 2.4 for 292 mitigations. 294 Relaxing the requirement to consult DNS when determining authority 295 for an origin means that an attacker who possesses a valid 296 certificate no longer needs to be on-path to redirect traffic to 297 them; instead of modifying DNS, they need only convince the user to 298 visit another Web site in order to coalesce connections to the target 299 onto their existing connection. 301 As a result, clients opting not to consult DNS ought to employ some 302 alternative means to establish a high degree of confidence that the 303 certificate is legitimate. For example, clients might skip 304 consulting DNS only if they receive proof of inclusion in a 305 Certificate Transparency log [RFC6962] or they have a recent OCSP 306 response [RFC6960] (possibly using the "status_request" TLS extension 307 [RFC6066]) showing that the certificate was not revoked. 309 The Origin Set's size is unbounded by this specification, and thus 310 could be used by attackers to exhaust client resources. To mitigate 311 this risk, clients can monitor their state commitment and close the 312 connection if it is too high. 314 5. References 316 5.1. Normative References 318 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 319 Requirement Levels", BCP 14, RFC 2119, 320 DOI 10.17487/RFC2119, March 1997, 321 . 323 [RFC2818] Rescorla, E., "HTTP Over TLS", RFC 2818, 324 DOI 10.17487/RFC2818, May 2000, 325 . 327 [RFC5280] Cooper, D., Santesson, S., Farrell, S., Boeyen, S., 328 Housley, R., and W. Polk, "Internet X.509 Public Key 329 Infrastructure Certificate and Certificate Revocation List 330 (CRL) Profile", RFC 5280, DOI 10.17487/RFC5280, May 2008, 331 . 333 [RFC6066] Eastlake 3rd, D., "Transport Layer Security (TLS) 334 Extensions: Extension Definitions", RFC 6066, 335 DOI 10.17487/RFC6066, January 2011, 336 . 338 [RFC6454] Barth, A., "The Web Origin Concept", RFC 6454, 339 DOI 10.17487/RFC6454, December 2011, 340 . 342 [RFC7540] Belshe, M., Peon, R., and M. Thomson, Ed., "Hypertext 343 Transfer Protocol Version 2 (HTTP/2)", RFC 7540, 344 DOI 10.17487/RFC7540, May 2015, 345 . 347 [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 348 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, 349 May 2017, . 351 5.2. Informative References 353 [RFC6960] Santesson, S., Myers, M., Ankney, R., Malpani, A., 354 Galperin, S., and C. Adams, "X.509 Internet Public Key 355 Infrastructure Online Certificate Status Protocol - OCSP", 356 RFC 6960, DOI 10.17487/RFC6960, June 2013, 357 . 359 [RFC6962] Laurie, B., Langley, A., and E. Kasper, "Certificate 360 Transparency", RFC 6962, DOI 10.17487/RFC6962, June 2013, 361 . 363 [RFC7230] Fielding, R., Ed. and J. Reschke, Ed., "Hypertext Transfer 364 Protocol (HTTP/1.1): Message Syntax and Routing", 365 RFC 7230, DOI 10.17487/RFC7230, June 2014, 366 . 368 [RFC7838] Nottingham, M., McManus, P., and J. Reschke, "HTTP 369 Alternative Services", RFC 7838, DOI 10.17487/RFC7838, 370 April 2016, . 372 [RFC8288] Nottingham, M., "Web Linking", RFC 8288, 373 DOI 10.17487/RFC8288, October 2017, 374 . 376 5.3. URIs 378 [1] https://lists.w3.org/Archives/Public/ietf-http-wg/ 380 [2] http://httpwg.github.io/ 382 [3] https://github.com/httpwg/http-extensions/labels/origin-frame 384 Appendix A. Non-Normative Processing Algorithm 386 The following algorithm illustrates how a client could handle 387 received ORIGIN frames: 389 1. If the client is configured to use a proxy for the connection, 390 ignore the frame and stop processing. 392 2. If the connection is not identified with the "h2" protocol 393 identifier or another protocol that has explicitly opted into 394 this specification, ignore the frame and stop processing. 396 3. If the frame occurs upon any stream except stream 0, ignore the 397 frame and stop processing. 399 4. If any of the flags 0x1, 0x2, 0x4 or 0x8 are set, ignore the 400 frame and stop processing. 402 5. If no previous ORIGIN frame on the connection has reached this 403 step, initialise the Origin Set as per Section 2.3. 405 6. For each "Origin-Entry" in the frame payload: 407 1. Parse "ASCII-Origin" as an ASCII serialization of an origin 408 ([RFC6454], Section 6.2) and let the result be 409 "parsed_origin". If parsing fails, skip to the next "Origin- 410 Entry". 412 2. Add "parsed_origin" to the Origin Set. 414 Appendix B. Operational Considerations for Servers 416 The ORIGIN frame allows a server to indicate for which origins a 417 given connection ought be used. The set of origins advertised using 418 this mechanism is under control of the server; servers are not 419 obligated to use it, or to advertise all origins which they might be 420 able to answer a request for. 422 For example, it can be used to inform the client that the connection 423 is to only be used for the SNI-based origin, by sending an empty 424 ORIGIN frame. Or, a larger number of origins can be indicated by 425 including a payload. 427 Generally, this information is most useful to send before sending any 428 part of a response that might initiate a new connection; for example, 429 "Link" header fields [RFC8288] in a response HEADERS, or links in the 430 response body. 432 Therefore, the ORIGIN frame ought be sent as soon as possible on a 433 connection, ideally before any HEADERS or PUSH_PROMISE frames. 435 However, if it's desirable to associate a large number of origins 436 with a connection, doing so might introduce end-user perceived 437 latency, due to their size. As a result, it might be necessary to 438 select a "core" set of origins to send initially, expanding the set 439 of origins the connection is used for with subsequent ORIGIN frames 440 later (e.g., when the connection is idle). 442 That said, senders are encouraged to include as many origins as 443 practical within a single ORIGIN frame; clients need to make 444 decisions about creating connections on the fly, and if the origin 445 set is split across many frames, their behaviour might be suboptimal. 447 Senders take note that, as per Section 4, Step 5 of [RFC6454], the 448 values in an ORIGIN header need to be case-normalised before 449 serialisation. 451 Finally, servers that host alternative services [RFC7838] will need 452 to explicitly advertise their origins when sending ORIGIN, because 453 the default contents of the Origin Set (as per Section 2.3) do not 454 contain any Alternative Services' origins, even if they have been 455 used previously on the connection. 457 Authors' Addresses 459 Mark Nottingham 461 Email: mnot@mnot.net 462 URI: https://www.mnot.net/ 464 Erik Nygren 465 Akamai 467 Email: nygren@akamai.com