idnits 2.17.1

draft-ietf-httpbis-priority-00.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

  ** The abstract seems to contain references ([2], [3], [1]), which it
     shouldn't. Please replace those with straight textual mentions of the
     documents in question.

  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == The copyright year in the IETF Trust and authors Copyright Line does not
     match the current year

  -- The document date (March 05, 2020) is 1484 days in the past. Is this
     intentional?

  Checking references for intended status: Proposed Standard
  ----------------------------------------------------------------------------

     (See RFCs 3967 and 4897 for information about using normative references
     to lower-maturity documents in RFCs)

  -- Looks like a reference, but probably isn't: '1' on line 779

  -- Looks like a reference, but probably isn't: '2' on line 781

  -- Looks like a reference, but probably isn't: '3' on line 783

  -- Looks like a reference, but probably isn't: '4' on line 793

  -- Looks like a reference, but probably isn't: '5' on line 794

  == Outdated reference: A later version (-34) exists of
     draft-ietf-quic-http-27

  == Outdated reference: A later version (-34) exists of
     draft-ietf-quic-transport-27

  ** Obsolete normative reference: RFC 7230 (Obsoleted by RFC 9110, RFC 9112)

  ** Obsolete normative reference: RFC 7540 (Obsoleted by RFC 9113)

  == Outdated reference: A later version (-19) exists of
     draft-ietf-httpbis-header-structure-15

  -- Obsolete informational reference (is this intentional?): RFC 7234
     (Obsoleted by RFC 9111)

     Summary: 3 errors (**), 0 flaws (~~), 4 warnings (==), 7 comments (--).

     Run idnits with the --verbose option for more detailed information about
     the items above.

--------------------------------------------------------------------------------

HTTP                                                              K. Oku
Internet-Draft                                                    Fastly
Intended status: Standards Track                               L. Pardue
Expires: September 6, 2020                                    Cloudflare
                                                          March 05, 2020

               Extensible Prioritization Scheme for HTTP
                     draft-ietf-httpbis-priority-00

Abstract

   This document describes a scheme for prioritizing HTTP responses.
   This scheme expresses the priority of each HTTP response using
   absolute values, rather than as a relative relationship between a
   group of HTTP responses.

   This document defines the Priority header field for communicating the
   initial priority in an HTTP version-independent manner, as well as
   HTTP/2 and HTTP/3 frames for reprioritizing the responses. These
   share a common format structure that is designed to provide future
   extensibility.

Note to Readers

   _RFC EDITOR: please remove this section before publication_

   Discussion of this draft takes place on the HTTP working group
   mailing list (ietf-http-wg@w3.org), which is archived at
   https://lists.w3.org/Archives/Public/ietf-http-wg/ [1].

   Working Group information can be found at https://httpwg.org/ [2];
   source code and issues list for this draft can be found at
   https://github.com/httpwg/http-extensions/labels/priorities [3].

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF). Note that other groups may also distribute
   working documents as Internet-Drafts. The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time. It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on September 6, 2020.

Copyright Notice

   Copyright (c) 2020 IETF Trust and the persons identified as the
   document authors. All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document. Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document. Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1. Introduction
     1.1. Notational Conventions
   2. Motivation for Replacing HTTP/2 Priorities
     2.1. Disabling HTTP/2 Priorities
   3. Priority Parameters
     3.1. Urgency
     3.2. Incremental
     3.3. Defining New Parameters
   4. The Priority HTTP Header Field
   5. Reprioritization
     5.1. HTTP/2 PRIORITY_UPDATE Frame
     5.2. HTTP/3 PRIORITY_UPDATE Frame
   6. Merging Client- and Server-Driven Parameters
   7. Security Considerations
     7.1. Fairness
       7.1.1. Coalescing Intermediaries
       7.1.2. HTTP/1.x Back Ends
       7.1.3. Intentional Introduction of Unfairness
   8. Considerations
     8.1. Why use an End-to-End Header Field?
   9. IANA Considerations
   10. References
     10.1. Normative References
     10.2. Informative References
     10.3. URIs
   Appendix A. Acknowledgements
   Appendix B. Change Log
     B.1. Since draft-kazuho-httpbis-priority-04
     B.2. Since draft-kazuho-httpbis-priority-03
     B.3. Since draft-kazuho-httpbis-priority-02
     B.4. Since draft-kazuho-httpbis-priority-01
     B.5. Since draft-kazuho-httpbis-priority-00
   Authors' Addresses

1. Introduction

   It is common for an HTTP ([RFC7230]) resource representation to have
   relationships to one or more other resources. Clients will often
   discover these relationships while processing a retrieved
   representation, leading to further retrieval requests. Meanwhile,
   the nature of the relationship determines whether the client is
   blocked from continuing to process locally available resources. For
   example, visual rendering of an HTML document could be blocked by the
   retrieval of a CSS file that the document refers to. In contrast,
   inline images do not block rendering and get drawn incrementally as
   the chunks of the images arrive.

   To provide meaningful presentation of a document at the earliest
   moment, it is important for an HTTP server to prioritize the HTTP
   responses, or the chunks of those HTTP responses, that it sends.

   HTTP/2 ([RFC7540]) provides such a prioritization scheme. A client
   sends a series of PRIORITY frames to communicate to the server a
   "priority tree"; this represents the client's preferred ordering and
   weighted distribution of the bandwidth among the HTTP responses.
   However, the design and implementation of this scheme has been
   observed to have shortcomings, explained in Section 2.

   This document defines the Priority HTTP header field that can be used
   by both client and server to specify the precedence of HTTP responses
   in a standardized, extensible, protocol-version-independent, end-to-
   end format. Along with the protocol-version-specific frame for
   reprioritization, this prioritization scheme acts as a substitute for
   the original prioritization scheme of HTTP/2.

1.1. Notational Conventions

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].

   The terms sh-token and sh-boolean are imported from
   [STRUCTURED-HEADERS].

   Example HTTP requests and responses use the HTTP/2-style formatting
   from [RFC7540].

   This document uses the variable-length integer encoding from
   [I-D.ietf-quic-transport].

2. Motivation for Replacing HTTP/2 Priorities

   An important feature of any implementation of a protocol that
   provides multiplexing is the ability to prioritize the sending of
   information. This was an important realization in the design of
   HTTP/2. Prioritization is a difficult problem, so it will always be
   suboptimal, particularly if one endpoint operates in ignorance of the
   needs of its peer.

   HTTP/2 introduced a complex prioritization signaling scheme that used
   a combination of dependencies and weights, formed into an unbalanced
   tree. This scheme has suffered from poor deployment and
   interoperability.

   The rich flexibility of client-driven HTTP/2 prioritization tree
   building is rarely exercised. Experience has shown that clients tend
   to choose a single model optimized for a web use case and experiment
   within the model constraints, or do nothing at all. Furthermore,
   many clients build their prioritization tree in a unique way, which
   makes it difficult for servers to understand their intent and act or
   intervene accordingly.

   Many HTTP/2 server implementations do not include support for the
   priority scheme, some favoring instead bespoke server-driven schemes
   based on heuristics and other hints, like the content type of
   resources and the request generation order. For example, a server,
   with knowledge of the document structure, might want to prioritize
   the delivery of images that are critical to user experience above
   other images, but below the CSS files. Since client trees vary, it
   is impossible for the server to determine how such images should be
   prioritized against other responses.

   The HTTP/2 scheme allows intermediaries to coalesce multiple client
   trees into a single tree that is used for a single upstream HTTP/2
   connection. However, most intermediaries do not support this. The
   scheme does not define a method that can be used by a server to
   express the priority of a response. Without such a method,
   intermediaries cannot coordinate client-driven and server-driven
   priorities.

   HTTP/2 describes denial-of-service considerations for
   implementations. On 2019-08-13 Netflix issued an advisory notice
   about the discovery of several resource exhaustion vectors affecting
   multiple HTTP/2 implementations. One attack, [CVE-2019-9513] aka
   "Resource Loop", is based on manipulation of the priority tree.

   The HTTP/2 scheme depends on in-order delivery of signals, leading to
   challenges in porting the scheme to protocols that do not provide
   global ordering. For example, the scheme cannot be used in HTTP/3
   [I-D.ietf-quic-http] without changing the signal and its processing.

   Considering the problems with deployment and adaptability to HTTP/3,
   retaining the HTTP/2 priority scheme increases the complexity of the
   entire system without any evidence that the value it provides offsets
   that complexity. In fact, multiple experiments from independent
   research have shown that simpler schemes can reach at least
   equivalent performance characteristics compared to the more complex
   HTTP/2 setups seen in practice, at least for the web use case.

2.1. Disabling HTTP/2 Priorities

   The problems and insights set out above are motivation for allowing
   endpoints to opt out of using the HTTP/2 priority scheme, in favor of
   using an alternative such as the scheme defined in this
   specification. The SETTINGS_DEPRECATE_HTTP2_PRIORITIES setting
   described below enables endpoints to understand their peer's
   intention. The value of the parameter MUST be 0 or 1. Any value
   other than 0 or 1 MUST be treated as a connection error (see
   [RFC7540]; Section 5.4.1) of type PROTOCOL_ERROR.

   Endpoints MUST send this SETTINGS parameter as part of the first
   SETTINGS frame. When the peer receives the first SETTINGS frame, it
   learns the sender has deprecated the HTTP/2 priority scheme if it
   receives the SETTINGS_DEPRECATE_HTTP2_PRIORITIES parameter with the
   value of 1.

   A sender MUST NOT change the SETTINGS_DEPRECATE_HTTP2_PRIORITIES
   parameter value after the first SETTINGS frame. Detection of a
   change by a receiver MUST be treated as a connection error of type
   PROTOCOL_ERROR.

   Until the client receives the SETTINGS frame from the server, the
   client SHOULD send both the priority signal defined in the HTTP/2
   priority scheme and also that of this prioritization scheme. Once
   the client learns that the HTTP/2 priority scheme is deprecated, it
   SHOULD stop sending the HTTP/2 priority signals. If the client
   learns that the HTTP/2 priority scheme is not deprecated, it SHOULD
   stop sending PRIORITY_UPDATE frames (Section 5.1), but MAY continue
   sending the Priority header field (Section 4), as it is an end-to-end
   signal that might be useful to nodes behind the server that the
   client is directly connected to.

   The SETTINGS frame precedes any priority signal sent from a client in
   HTTP/2, so a server can determine if it should respect the HTTP/2
   scheme before building state.

3. Priority Parameters

   The priority information is a sequence of key-value pairs, providing
   room for future extensions. Each key-value pair represents a
   priority parameter.

   The Priority HTTP header field (Section 4) is an end-to-end way to
   transmit this set of parameters when a request or a response is
   issued. In order to reprioritize a request, HTTP-version-specific
   frames (Section 5.1 and Section 5.2) are used by clients to transmit
   the same information on a single hop. If intermediaries want to
   specify prioritization on a multiplexed HTTP connection, they SHOULD
   use a PRIORITY_UPDATE frame and SHOULD NOT change the Priority header
   field.

   In both cases, the set of priority parameters is encoded as a
   Structured Headers Dictionary ([STRUCTURED-HEADERS]).

   This document defines the urgency("u") and incremental("i")
   parameters. When receiving an HTTP request that does not carry these
   priority parameters, a server SHOULD act as if their default values
   were specified. Note that handling of omitted parameters is
   different when processing an HTTP response; see Section 6.

   Unknown parameters, parameters with out-of-range values or values of
   unexpected types MUST be ignored.

3.1. Urgency

   The urgency parameter ("u") takes an integer between 0 and 7, in
   descending order of priority. This range provides sufficient
   granularity for prioritizing responses for ordinary web browsing, at
   minimal complexity.

   The value is encoded as an sh-integer. The default value is 1.

   This parameter indicates the sender's recommendation, based on the
   expectation that the server would transmit HTTP responses in the
   order of their urgency values if possible. The smaller the value,
   the higher the precedence.

   The following example shows a request for a CSS file with the urgency
   set to "0":

   :method = GET
   :scheme = https
   :authority = example.net
   :path = /style.css
   priority = u=0

   A client that fetches a document that likely consists of multiple
   HTTP resources (e.g., HTML) SHOULD assign the default urgency level
   to the main resource. This convention allows servers to refine the
   urgency using knowledge specific to the web-site (see Section 6).

   The lowest urgency level (7) is reserved for background tasks such as
   delivery of software updates. This urgency level SHOULD NOT be used
   for fetching responses that have impact on user interaction.

3.2. Incremental

   The incremental parameter ("i") takes an sh-boolean as the value that
   indicates if an HTTP response can be processed incrementally, i.e.
   provide some meaningful output as chunks of the response arrive.

   The default value of the incremental parameter is false ("0").

   A server might distribute the bandwidth of a connection between
   incremental responses that share the same urgency, hoping that
   providing those responses in parallel would be more helpful to the
   client than delivering the responses one by one.

   If a client makes concurrent requests with the incremental parameter
   set to false, there is no benefit serving responses in parallel
   because the client is not going to process those responses
   incrementally. Serving non-incremental responses one by one, in the
   order in which those requests were generated is considered to be the
   best strategy.

   The following example shows a request for a JPEG file with the
   urgency parameter set to "5" and the incremental parameter set to
   "true".

   :method = GET
   :scheme = https
   :authority = example.net
   :path = /image.jpg
   priority = u=5, i

3.3. Defining New Parameters

   When attempting to extend priorities, care must be taken to ensure
   any use of existing parameters are either unchanged or modified in a
   way that is backwards compatible for peers that are unaware of the
   extended meaning.

   For example, if there is a need to provide more granularity than
   eight urgency levels, it would be possible to subdivide the range
   using an additional parameter. Implementations that do not recognize
   the parameter can safely continue to use the less granular eight
   levels.

   Alternatively, the urgency can be augmented. For example, a
   graphical user agent could send a "visible" parameter to indicate if
   the resource being requested is within the viewport.

4. The Priority HTTP Header Field

   The Priority HTTP header field can appear in requests and responses.
   A client uses it to specify the priority of the response. A server
   uses it to inform the client that the priority was overwritten. An
   intermediary can use the Priority information from client requests
   and server responses to correct or amend the precedence to suit it
   (see Section 6).

   The Priority header field is an end-to-end signal of the request
   priority from the client or the response priority from the server.

   As is the ordinary case for HTTP caching ([RFC7234]), a response with
   a Priority header field might be cached and re-used for subsequent
   requests. When an origin server generates the Priority response
   header field based on properties of an HTTP request it receives, the
   server is expected to control the cacheability or the applicability
   of the cached response, by using header fields that control the
   caching behavior (e.g., Cache-Control, Vary).

5. Reprioritization

   After a client sends a request, it may be beneficial to change the
   priority of the response. As an example, a web browser might issue a
   prefetch request for a JavaScript file with the urgency parameter of
   the Priority request header field set to "u=7" (background). Then,
   when the user navigates to a page which references the new JavaScript
   file, while the prefetch is in progress, the browser would send a
   reprioritization frame with the priority field value set to "u=0".

   In HTTP/2 and HTTP/3, after a request message is sent on a stream,
   the stream transitions to a state that prevents the client from
   sending additional frames on the stream. Therefore, a client cannot
   reprioritize a response by using the Priority header field.
   Modifying this behavior would require a semantic change to the
   protocol, but this is avoided by restricting the stream on which a
   PRIORITY_UPDATE frame can be sent. In HTTP/2 the frame is on stream
   zero and in HTTP/3 it is sent on the control stream
   ([I-D.ietf-quic-http], Section 6.2.1).

   This document specifies a new PRIORITY_UPDATE frame type for HTTP/2
   ([RFC7540]) and HTTP/3 ([I-D.ietf-quic-http]) which enables
   reprioritization. It carries updated priority parameters and
   references the target of the reprioritization based on a version-
   specific identifier; in HTTP/2 this is the Stream ID, in HTTP/3 this
   is either the Stream ID or Push ID.

   Unlike the header field, the reprioritization frame is a hop-by-hop
   signal.

5.1. HTTP/2 PRIORITY_UPDATE Frame

   The HTTP/2 PRIORITY_UPDATE frame (type=0xF) carries the stream ID of
   the response that is being reprioritized, and the updated priority in
   ASCII text, using the same representation as that of the Priority
   header field value.

   The Stream Identifier field ([RFC7540], Section 4.1) in the
   PRIORITY_UPDATE frame header MUST be zero (0x0).

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +---------------------------------------------------------------+
   |R|                        Stream ID (31)                       |
   +---------------------------------------------------------------+
   |                   Priority Field Value (*)                  ...
   +---------------------------------------------------------------+

             Figure 1: HTTP/2 PRIORITY_UPDATE Frame Payload

   The PRIORITY_UPDATE frame payload has the following fields:

   R: A reserved 1-bit field. The semantics of this bit are undefined,
      and the bit MUST remain unset (0x0) when sending and MUST be
      ignored when receiving.

   Stream ID: A 31-bit stream identifier for the stream that is the
      target of the priority update.

   Priority Field Value: The priority update value in ASCII text,
      encoded using Structured Headers.

   The HTTP/2 PRIORITY_UPDATE frame MUST NOT be sent prior to opening
   the stream. If a PRIORITY_UPDATE is received prior to the stream
   being opened, it MAY be treated as a connection error of type
   PROTOCOL_ERROR.

   TODO: add more description of how to handle things like receiving
   PRIORITY_UPDATE on wrong stream, a PRIORITY_UPDATE with an invalid
   ID, etc.

5.2. HTTP/3 PRIORITY_UPDATE Frame

   The HTTP/3 PRIORITY_UPDATE frame (type=0xF) carries the identifier of
   the element that is being reprioritized, and the updated priority in
   ASCII text, using the same representation as that of the Priority
   header field value.

   The PRIORITY_UPDATE frame MUST be sent on the control stream
   ([I-D.ietf-quic-http], Section 6.2.1).

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |T|    Empty    |   Prioritized Element ID (i)                ...
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                   Priority Field Value (*)                  ...
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

             Figure 2: HTTP/3 PRIORITY_UPDATE Frame Payload

   The PRIORITY_UPDATE frame payload has the following fields:

   T (Prioritized Element Type): A one-bit field indicating the type of
      element being prioritized. A value of 0 indicates a
      reprioritization for a Request Stream, so the Prioritized Element
      ID is interpreted as a Stream ID. A value of 1 indicates a
      reprioritization for a Push stream, so the Prioritized Element ID
      is interpreted as a Push ID.

   Empty: A seven-bit field that has no semantic value.

   Prioritized Element ID: The stream ID or push ID that is the target
      of the priority update.

   Priority Field Value: The priority update value in ASCII text,
      encoded using Structured Headers.

   The HTTP/3 PRIORITY_UPDATE frame MUST NOT be sent with an invalid
   identifier, including before the request stream has been opened or
   before a promised request has been received. If a server receives a
   PRIORITY_UPDATE specifying a push ID that has not been promised, it
   SHOULD be treated as a connection error of type H3_ID_ERROR.

   Because the HTTP/3 PRIORITY_UPDATE frame is sent on the control
   stream and there are no ordering guarantees between streams, a client
   that reprioritizes a request before receiving the response data might
   cause the server to receive a PRIORITY_UPDATE for an unknown request.
   If the request stream ID is within bidirectional stream limits, the
   PRIORITY_UPDATE frame SHOULD be buffered until the stream is opened
   and applied immediately after the request message has been processed.
   Holding PRIORITY_UPDATES consumes extra state on the peer, although
   the size of the state is bounded by bidirectional stream limits.
   There is no bound on the number of PRIORITY_UPDATES that can be sent,
   so an endpoint SHOULD store only the most recently received frame.
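
   The following Python code is an added example, not part of the draft
   or of any implementation it describes. It decodes the payload of
   Figure 2 and holds at most one buffered PRIORITY_UPDATE per
   not-yet-open request stream. The names PriorityUpdateTracker and
   MAX_FIELD_LEN, the 256-octet cap and the "reject" outcome for stream
   IDs outside the limit are assumptions; the draft leaves that last
   case as a TODO.

```python
from __future__ import annotations

from dataclasses import dataclass

MAX_FIELD_LEN = 256  # assumption: local cap on one buffered value, not from the draft


class FrameError(ValueError):
    """Malformed PRIORITY_UPDATE payload."""


def decode_varint(buf: bytes, pos: int) -> tuple[int, int]:
    """Decode a QUIC variable-length integer; returns (value, next position)."""
    if pos >= len(buf):
        raise FrameError("missing Prioritized Element ID")
    length = 1 << (buf[pos] >> 6)  # top two bits select 1, 2, 4 or 8 octets
    if pos + length > len(buf):
        raise FrameError("truncated variable-length integer")
    value = buf[pos] & 0x3F
    for octet in buf[pos + 1:pos + length]:
        value = (value << 8) | octet
    return value, pos + length


@dataclass(frozen=True)
class PriorityUpdate:
    is_push: bool      # T bit: False = request stream, True = push stream
    element_id: int    # Stream ID or Push ID
    field_value: str   # same text as a Priority header field value


def parse_priority_update(payload: bytes) -> PriorityUpdate:
    """Decode the frame payload laid out in Figure 2."""
    if not payload:
        raise FrameError("empty payload")
    is_push = bool(payload[0] & 0x80)  # the seven "Empty" bits carry no meaning
    element_id, pos = decode_varint(payload, 1)
    value = payload[pos:]
    if len(value) > MAX_FIELD_LEN:
        raise FrameError("priority field value too long")
    try:
        return PriorityUpdate(is_push, element_id, value.decode("ascii"))
    except UnicodeDecodeError as exc:
        raise FrameError("priority field value is not ASCII") from exc


class PriorityUpdateTracker:
    """Server-side state for updates that can arrive before their stream."""

    def __init__(self, max_bidi_streams: int):
        self.max_bidi_streams = max_bidi_streams  # limit advertised to the client
        self.promised_push_ids: set[int] = set()
        self.priority: dict[int, str] = {}  # request streams already processed
        self.pending: dict[int, str] = {}   # at most one entry per stream ID

    def on_update(self, upd: PriorityUpdate) -> str:
        if upd.is_push:
            if upd.element_id not in self.promised_push_ids:
                return "H3_ID_ERROR"  # unpromised push ID (SHOULD, Section 5.2)
            return "apply-push"
        sid = upd.element_id
        # Client-initiated bidirectional stream IDs are multiples of 4 in QUIC.
        if sid % 4 != 0 or sid // 4 >= self.max_bidi_streams:
            return "reject"  # assumption: handling is a TODO in the draft
        if sid in self.priority:
            self.priority[sid] = upd.field_value
            return "applied"
        self.pending[sid] = upd.field_value  # overwrite: keep only the latest
        return "buffered"

    def on_request_processed(self, sid: int, header_value: str) -> str:
        """Call once the request message is processed; returns the value in force."""
        self.priority[sid] = self.pending.pop(sid, header_value)
        return self.priority[sid]
```

   Because pending is keyed by stream ID and each stored value is capped,
   a flood of PRIORITY_UPDATE frames cannot grow the buffered state past
   max_bidi_streams entries of MAX_FIELD_LEN octets.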

   TODO: add more description of how to handle things like receiving
   PRIORITY_UPDATE on wrong stream, a PRIORITY_UPDATE with an invalid
   ID, etc.

6. Merging Client- and Server-Driven Parameters

   It is not always the case that the client has the best understanding
   of how the HTTP responses deserve to be prioritized. The server
   might have additional information that can be combined with the
   client's indicated priority in order to improve the prioritization of
   the response. For example, use of an HTML document might depend
   heavily on one of the inline images; existence of such dependencies
   is typically best known to the server. Or, a server that receives
   requests for a font [RFC8081] and images with the same urgency might
   give higher precedence to the font, so that a visual client can
   render textual information at an early moment.

   An origin can use the Priority response header field to indicate its
   view on how an HTTP response should be prioritized. An intermediary
   that forwards an HTTP response can use the parameters found in the
   Priority response header field, in combination with the client
   Priority request header field, as input to its prioritization
   process. No guidance is provided for merging priorities, this is
   left as an implementation decision.

   Absence of a priority parameter in an HTTP response indicates the
   server's disinterest in changing the client-provided value. This is
   different from the logic being defined for the request header field,
   in which omission of a priority parameter implies the use of their
   default values (see Section 3).
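
   The following Python code is an added example, not part of the draft.
   It applies the Section 3 rules (unknown, out-of-range and wrongly
   typed parameters are ignored; request defaults are u=1 and i=false)
   and one possible merge policy, in which a server-provided parameter
   replaces the client's value. The function names are hypothetical, and
   parse_priority is a deliberately narrow reader for integer and boolean
   members, not a full Structured Headers parser: as an assumption, a
   field containing a quoted string is treated as unparseable.

```python
from __future__ import annotations

import re

REQUEST_DEFAULTS = {"u": 1, "i": False}  # defaults from Sections 3.1 and 3.2
_INTEGER = re.compile(r"-?[0-9]{1,15}\Z")


def _parse_item(raw: str):
    """Return a bool or int for the item types used here, else None."""
    if raw == "?1":
        return True
    if raw == "?0":
        return False
    if _INTEGER.match(raw):
        return int(raw)
    return None  # token, decimal, byte sequence, ...: an unexpected type


def parse_priority(field: str | None) -> dict:
    """Return only the recognised, well-typed, in-range parameters."""
    params: dict = {}
    if not field or '"' in field:
        # Assumption: quoted strings may hide commas, so this narrow reader
        # treats the whole field as unparseable rather than mis-splitting it.
        return params
    for member in field.split(","):
        member = member.split(";", 1)[0].strip(" \t")  # drop item parameters
        name, has_value, raw = member.partition("=")
        value = _parse_item(raw) if has_value else True  # bare key means true
        # bool is a subclass of int in Python, so compare exact types.
        if name == "u" and type(value) is int and 0 <= value <= 7:
            params["u"] = value
        elif name == "i" and type(value) is bool:
            params["i"] = value
        # Anything else is unknown or invalid and is ignored (Section 3).
    return params


def effective_request_priority(request_field: str | None) -> dict:
    """Request side: omitted or ignored parameters fall back to defaults."""
    return {**REQUEST_DEFAULTS, **parse_priority(request_field)}


def merge_priorities(request_field: str | None, response_field: str | None) -> dict:
    """Response side: an absent parameter leaves the client's value in place."""
    merged = effective_request_priority(request_field)
    merged.update(parse_priority(response_field))
    return merged
```

   An invalid server value such as "u=8" is dropped before the merge, so
   it cannot displace a valid client value or push the result outside
   the 0 to 7 range that a scheduler indexes on.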
529 As a non-normative example, when the client sends an HTTP request 530 with the urgency parameter set to "5" and the incremental parameter 531 set to "true" 533 :method = GET 534 :scheme = https 535 :authority = example.net 536 :path = /menu.png 537 priority = u=5, i 539 and the origin responds with 541 :status = 200 542 content-type = image/png 543 priority = u=1 545 the intermediary might alter its understanding of the urgency from 546 "5" to "1", because it prefers the server-provided value over the 547 client's. The incremental value continues to be "true", the value 548 specified by the client, as the server did not specify the 549 incremental("i") parameter. 551 7. Security Considerations 553 7.1. Fairness 555 As a general guideline, a server SHOULD NOT use priority information 556 for making schedule decisions across multiple connections, unless it 557 knows that those connections originate from the same client. Due to 558 this, priority information conveyed over a non-coalesced HTTP 559 connection (e.g., HTTP/1.1) might go unused. 561 The remainder of this section discusses scenarios where unfairness is 562 problematic and presents possible mitigations, or where unfairness is 563 desirable. 565 TODO: Discuss if we should add a signal that mitigates this issue. 566 For example, we might add a SETTINGS parameter that indicates the 567 next hop that the connection is NOT coalesced (see 568 https://github.com/kazuho/draft-kazuho-httpbis-priority/issues/99). 570 7.1.1. Coalescing Intermediaries 572 When an intermediary coalesces HTTP requests coming from multiple 573 clients into one HTTP/2 or HTTP/3 connection going to the backend 574 server, requests that originate from one client might have higher 575 precedence than those coming from others. 577 It is sometimes beneficial for the server running behind an 578 intermediary to obey to the value of the Priority header field. 
As 579 an example, a resource-constrained server might defer the 580 transmission of software update files that would have the background 581 urgency being associated. However, in the worst case, the asymmetry 582 between the precedence declared by multiple clients might cause 583 responses going to one end client to be delayed totally after those 584 going to another. 586 In order to mitigate this fairness problem, when a server responds to 587 a request that is known to have come through an intermediary, the 588 server SHOULD prioritize the response as if it was assigned the 589 priority of "u=1, i" (i.e. round-robin) regardless of the value of 590 the Priority header field being transmitted, unless the server knows 591 the intermediary is not coalescing requests from multiple clients. 593 A server can determine if a request came from an intermediary through 594 configuration, or by consulting if that request contains one of the 595 following header fields: 597 o Forwarded, X-Forwarded-For ([RFC7239]) 599 o Via ([RFC7230], Section 5.7.1) 601 Responding to requests coming through an intermediary in a round- 602 robin manner works well when the network bottleneck exists between 603 the intermediary and the end client, as the intermediary would be 604 buffering the responses and then be forwarding the chunks of those 605 buffered responses based on the prioritization scheme it implements. 606 A sophisticated server MAY use a weighted round-robin reflecting the 607 urgencies expressed in the requests, so that less urgent responses 608 would receive less bandwidth in case the bottleneck exists between 609 the server and the intermediary. 611 7.1.2. HTTP/1.x Back Ends 613 It is common for CDN infrastructure to support different HTTP 614 versions on the front end and back end. For instance, the client- 615 facing edge might support HTTP/2 and HTTP/3 while communication to 616 back end servers is done using HTTP/1.1. 
Unlike with connection 617 coalescing, the CDN will "de-mux" requests into discrete connections 618 to the back end. As HTTP/1.1 and older do not provide a way to 619 concurrently transmit multiple responses, there is no immediate 620 fairness issue in protocol. However, back end servers MAY still use 621 client headers for request scheduling. Back end servers SHOULD only 622 schedule based on client priority information where that information 623 can be scoped to individual end clients. Authentication and other 624 session information might provide this linkability. 626 7.1.3. Intentional Introduction of Unfairness 628 It is sometimes beneficial to deprioritize the transmission of one 629 connection over others, knowing that doing so introduces a certain 630 amount of unfairness between the connections and therefore between 631 the requests served on those connections. 633 For example, a server might use a scavenging congestion controller on 634 connections that only convey background priority responses such as 635 software update images. Doing so improves responsiveness of other 636 connections at the cost of delaying the delivery of updates. 638 Also, a client MAY use the priority values for making local 639 scheduling choices for the requests it initiates. 641 8. Considerations 643 8.1. Why use an End-to-End Header Field? 645 Contrary to the prioritization scheme of HTTP/2 that uses a hop-by- 646 hop frame, the Priority header field is defined as end-to-end. 648 The rationale is that the Priority header field transmits how each 649 response affects the client's processing of those responses, rather 650 than how relatively urgent each response is to others. The way a 651 client processes a response is a property associated to that client 652 generating that request. Not that of an intermediary. Therefore, it 653 is an end-to-end property. 
   How these end-to-end properties carried by the Priority header field
   affect the prioritization between the responses that share a
   connection is a hop-by-hop issue.

   Having the Priority header field defined as end-to-end is important
   for caching intermediaries.  Such intermediaries can cache the value
   of the Priority header field along with the response, and utilize the
   value of the cached header field when serving the cached response,
   only because the header field is defined as end-to-end rather than
   hop-by-hop.

   It should also be noted that the use of a header field carrying a
   textual value makes the prioritization scheme extensible; see the
   discussion below.

9.  IANA Considerations

   This specification registers the following entry in the Permanent
   Message Header Field Names registry established by [RFC3864]:

   Header field name:  Priority

   Applicable protocol:  http

   Status:  standard

   Author/change controller:  IETF

   Specification document(s):  This document

   Related information:  n/a

   This specification registers the following entry in the HTTP/2
   Settings registry established by [RFC7540]:

   Name:  SETTINGS_DEPRECATE_HTTP2_PRIORITIES

   Code:  0x9

   Initial value:  0

   Specification:  This document

   This specification registers the following entry in the HTTP/2 Frame
   Type registry established by [RFC7540]:

   Frame Type:  PRIORITY_UPDATE

   Code:  0xF

   Specification:  This document

   This specification registers the following entries in the HTTP/3
   Frame Type registry established by [I-D.ietf-quic-http]:

   Frame Type:  PRIORITY_UPDATE

   Code:  0xF

   Specification:  This document

10.  References

10.1.  Normative References

   [I-D.ietf-quic-http]
              Bishop, M., "Hypertext Transfer Protocol Version 3
              (HTTP/3)", draft-ietf-quic-http-27 (work in progress),
              February 2020.

   [I-D.ietf-quic-transport]
              Iyengar, J. and M.
              Thomson, "QUIC: A UDP-Based Multiplexed
              and Secure Transport", draft-ietf-quic-transport-27 (work
              in progress), February 2020.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997.

   [RFC7230]  Fielding, R., Ed. and J. Reschke, Ed., "Hypertext Transfer
              Protocol (HTTP/1.1): Message Syntax and Routing",
              RFC 7230, DOI 10.17487/RFC7230, June 2014.

   [RFC7540]  Belshe, M., Peon, R., and M. Thomson, Ed., "Hypertext
              Transfer Protocol Version 2 (HTTP/2)", RFC 7540,
              DOI 10.17487/RFC7540, May 2015.

   [STRUCTURED-HEADERS]
              Nottingham, M. and P. Kamp, "Structured Headers for HTTP",
              draft-ietf-httpbis-header-structure-15 (work in progress),
              January 2020.

10.2.  Informative References

   [CVE-2019-9513]
              Common Vulnerabilities and Exposures, "CVE-2019-9513",
              March 2019.

   [I-D.lassey-priority-setting]
              Lassey, B. and L. Pardue, "Declaring Support for HTTP/2
              Priorities", draft-lassey-priority-setting-00 (work in
              progress), July 2019.

   [RFC3864]  Klyne, G., Nottingham, M., and J. Mogul, "Registration
              Procedures for Message Header Fields", BCP 90, RFC 3864,
              DOI 10.17487/RFC3864, September 2004.

   [RFC7234]  Fielding, R., Ed., Nottingham, M., Ed., and J. Reschke,
              Ed., "Hypertext Transfer Protocol (HTTP/1.1): Caching",
              RFC 7234, DOI 10.17487/RFC7234, June 2014.

   [RFC7239]  Petersson, A. and M. Nilsson, "Forwarded HTTP Extension",
              RFC 7239, DOI 10.17487/RFC7239, June 2014.

   [RFC8081]  Lilley, C., "The "font" Top-Level Media Type", RFC 8081,
              DOI 10.17487/RFC8081, February 2017.

10.3.  URIs

   [1] https://lists.w3.org/Archives/Public/ietf-http-wg/

   [2] https://httpwg.org/

   [3] https://github.com/httpwg/http-extensions/labels/priorities

   [4] http://tools.ietf.org/agenda/83/slides/slides-83-httpbis-5.pdf

   [5] https://github.com/pmeenan/http3-prioritization-proposal

Appendix A.  Acknowledgements

   Roy Fielding presented the idea of using a header field for
   representing priorities in
   http://tools.ietf.org/agenda/83/slides/slides-83-httpbis-5.pdf [4].
   In https://github.com/pmeenan/http3-prioritization-proposal [5],
   Patrick Meenan advocates for representing the priorities using a
   tuple of urgency and concurrency.  The ability to deprecate HTTP/2
   prioritization is based on [I-D.lassey-priority-setting], authored by
   Brad Lassey and Lucas Pardue, with modifications based on feedback
   that was not incorporated into an update to that document.

   The motivation for defining an alternative to HTTP/2 priorities is
   drawn from discussion within the broad HTTP community.  Special
   thanks to Roberto Peon, Martin Thomson and Netflix for text that was
   incorporated explicitly in this document.

   In addition to the people above, this document owes a lot to the
   extensive discussion in the HTTP priority design team, consisting of
   Alan Frindell, Andrew Galloni, Craig Taylor, Ian Swett, Kazuho Oku,
   Lucas Pardue, Matthew Cox, Mike Bishop, Roberto Peon, Robin Marx, Roy
   Fielding.

Appendix B.  Change Log

B.1.  Since draft-kazuho-httpbis-priority-04

   o  Minimize semantics of Urgency levels (#1023, #1026)

   o  Reduce guidance about how intermediary implements merging priority
      signals (#1026)

   o  Remove mention of CDN-Loop (#1062)

   o  Editorial changes

   o  Make changes due to WG adoption

   o  Removed outdated Consideration (#118)

B.2.  Since draft-kazuho-httpbis-priority-03

   o  Changed numbering from "[-1,6]" to "[0,7]" (#78)

   o  Replaced priority scheme negotiation with HTTP/2 priority
      deprecation (#100)

   o  Shorten parameter names (#108)

   o  Expand on considerations (#105, #107, #109, #110, #111, #113)

B.3.  Since draft-kazuho-httpbis-priority-02

   o  Consolidation of the problem statement (#61, #73)

   o  Define SETTINGS_PRIORITIES for negotiation (#58, #69)

   o  Define PRIORITY_UPDATE frame for HTTP/2 and HTTP/3 (#51)

   o  Explain fairness issue and mitigations (#56)

B.4.  Since draft-kazuho-httpbis-priority-01

   o  Explain how reprioritization might be supported.

B.5.  Since draft-kazuho-httpbis-priority-00

   o  Expand urgency levels from 3 to 8.

Authors' Addresses

   Kazuho Oku
   Fastly

   Email: kazuhooku@gmail.com


   Lucas Pardue
   Cloudflare

   Email: lucaspardue.24.7@gmail.com
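
   The fairness rule of Section 7.1.1 (coalescing intermediaries),
   sketched as an added Python example; it is not part of the draft or
   of any implementation by its authors.  The function names, the
   ASSUMED_DEFAULT value, the reduced parser that reads only the u and i
   parameters, and the sample requests are assumptions of this example.

```python
import re

# Fields the draft names as signs that a request crossed an intermediary.
INTERMEDIARY_FIELDS = ("forwarded", "x-forwarded-for", "via")
FAIR_PRIORITY = (1, True)     # "u=1, i", the round-robin fallback
ASSUMED_DEFAULT = (1, False)  # assumption of this example for absent parameters


def parse_priority(value, default=ASSUMED_DEFAULT):
    """Read only the u and i parameters; ignore anything unknown or malformed."""
    urgency, incremental = default
    for member in (value or "").split(","):
        member = member.strip()
        match = re.fullmatch(r"u=([0-7])", member)  # urgency range is [0,7]
        if match:
            urgency = int(match.group(1))
        elif member in ("i", "i=?1"):
            incremental = True
        elif member == "i=?0":
            incremental = False
    return urgency, incremental


def came_through_intermediary(headers):
    """True if any header field listed in Section 7.1.1 is present."""
    return any(name.lower() in INTERMEDIARY_FIELDS for name in headers)


def effective_priority(headers, non_coalescing_intermediary=False):
    """Priority to schedule with after the fairness rule is applied.

    non_coalescing_intermediary models server configuration stating that the
    intermediary does not merge requests from multiple clients.
    """
    if came_through_intermediary(headers) and not non_coalescing_intermediary:
        return FAIR_PRIORITY
    fields = {name.lower(): value for name, value in headers.items()}
    return parse_priority(fields.get("priority"))


# Constructed sample requests (not taken from the draft).
DIRECT = {"Priority": "u=7"}
VIA_CDN = {"Priority": "u=0", "Via": "1.1 cdn.example"}
VIA_XFF = {"Priority": "u=5, i", "X-Forwarded-For": "192.0.2.10"}

if __name__ == "__main__":
    for request in (DIRECT, VIA_CDN, VIA_XFF):
        print(request, "->", effective_priority(request))
```

   Because any client can add Via or X-Forwarded-For itself, this check
   only ever moves a request toward the round-robin fallback; header
   presence alone should not be used to grant a request more priority.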