idnits 2.17.1

draft-ietf-httpbis-priority-01.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

  ** The abstract seems to contain references ([2], [3], [1]), which it
     shouldn't. Please replace those with straight textual mentions of the
     documents in question.

  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == The copyright year in the IETF Trust and authors Copyright Line does not
     match the current year

  -- The document date (July 13, 2020) is 1376 days in the past. Is this
     intentional?

  Checking references for intended status: Proposed Standard
  ----------------------------------------------------------------------------

     (See RFCs 3967 and 4897 for information about using normative references
     to lower-maturity documents in RFCs)

  -- Looks like a reference, but probably isn't: '1' on line 815

  -- Looks like a reference, but probably isn't: '2' on line 817

  -- Looks like a reference, but probably isn't: '3' on line 819

  -- Looks like a reference, but probably isn't: '4' on line 829

  -- Looks like a reference, but probably isn't: '5' on line 830

  == Outdated reference: A later version (-34) exists of
     draft-ietf-quic-http-29

  == Outdated reference: A later version (-34) exists of
     draft-ietf-quic-transport-29

  ** Obsolete normative reference: RFC 7230 (Obsoleted by RFC 9110, RFC 9112)

  ** Obsolete normative reference: RFC 7540 (Obsoleted by RFC 9113)

  -- Obsolete informational reference (is this intentional?): RFC 7234
     (Obsoleted by RFC 9111)

     Summary: 3 errors (**), 0 flaws (~~), 3 warnings (==), 7 comments (--).

     Run idnits with the --verbose option for more detailed information about
     the items above.

--------------------------------------------------------------------------------

HTTP                                                              K. Oku
Internet-Draft                                                    Fastly
Intended status: Standards Track                               L. Pardue
Expires: January 14, 2021                                     Cloudflare
                                                           July 13, 2020

               Extensible Prioritization Scheme for HTTP
                     draft-ietf-httpbis-priority-01

Abstract

   This document describes a scheme for prioritizing HTTP responses.
   This scheme expresses the priority of each HTTP response using
   absolute values, rather than as a relative relationship between a
   group of HTTP responses.

   This document defines the Priority header field for communicating the
   initial priority in an HTTP version-independent manner, as well as
   HTTP/2 and HTTP/3 frames for reprioritizing the responses. These
   share a common format structure that is designed to provide future
   extensibility.

Note to Readers

   _RFC EDITOR: please remove this section before publication_

   Discussion of this draft takes place on the HTTP working group
   mailing list (ietf-http-wg@w3.org), which is archived at
   https://lists.w3.org/Archives/Public/ietf-http-wg/ [1].

   Working Group information can be found at https://httpwg.org/ [2];
   source code and issues list for this draft can be found at
   https://github.com/httpwg/http-extensions/labels/priorities [3].

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF). Note that other groups may also distribute
   working documents as Internet-Drafts. The list of current
   Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time. It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on January 14, 2021.

Copyright Notice

   Copyright (c) 2020 IETF Trust and the persons identified as the
   document authors. All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document. Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document. Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction
     1.1.  Notational Conventions
   2.  Motivation for Replacing HTTP/2 Priorities
     2.1.  Disabling HTTP/2 Priorities
   3.  Priority Parameters
     3.1.  Urgency
     3.2.  Incremental
     3.3.  Defining New Parameters
   4.  The Priority HTTP Header Field
   5.  Reprioritization
     5.1.  HTTP/2 PRIORITY_UPDATE Frame
     5.2.  HTTP/3 PRIORITY_UPDATE Frame
   6.  Merging Client- and Server-Driven Parameters
   7.  Client Scheduling
   8.  Fairness
     8.1.  Coalescing Intermediaries
     8.2.  HTTP/1.x Back Ends
     8.3.  Intentional Introduction of Unfairness
   9.  Why use an End-to-End Header Field?
   10. Security Considerations
   11. IANA Considerations
   12. References
     12.1.  Normative References
     12.2.  Informative References
     12.3.  URIs
   Appendix A.  Acknowledgements
   Appendix B.  Change Log
     B.1.  Since draft-ietf-httpbis-priority-00
     B.2.  Since draft-kazuho-httpbis-priority-04
     B.3.  Since draft-kazuho-httpbis-priority-03
     B.4.  Since draft-kazuho-httpbis-priority-02
     B.5.  Since draft-kazuho-httpbis-priority-01
     B.6.  Since draft-kazuho-httpbis-priority-00
   Authors' Addresses

1. Introduction

   It is common for an HTTP ([RFC7230]) resource representation to have
   relationships to one or more other resources. Clients will often
   discover these relationships while processing a retrieved
   representation, leading to further retrieval requests. Meanwhile,
   the nature of the relationship determines whether the client is
   blocked from continuing to process locally available resources. For
   example, visual rendering of an HTML document could be blocked by the
   retrieval of a CSS file that the document refers to. In contrast,
   inline images do not block rendering and get drawn incrementally as
   the chunks of the images arrive.

   To provide meaningful presentation of a document at the earliest
   moment, it is important for an HTTP server to prioritize the HTTP
   responses, or the chunks of those HTTP responses, that it sends.

   HTTP/2 ([RFC7540]) provides such a prioritization scheme. A client
   sends a series of PRIORITY frames to communicate to the server a
   "priority tree"; this represents the client's preferred ordering and
   weighted distribution of the bandwidth among the HTTP responses.
   However, the design and implementation of this scheme has been
   observed to have shortcomings, explained in Section 2.

   This document defines the Priority HTTP header field that can be used
   by both client and server to specify the precedence of HTTP responses
   in a standardized, extensible, protocol-version-independent,
   end-to-end format. Along with the protocol-version-specific frame for
   reprioritization, this prioritization scheme acts as a substitute for
   the original prioritization scheme of HTTP/2.

1.1. Notational Conventions

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].

   The terms sh-token and sh-boolean are imported from
   [STRUCTURED-HEADERS].

   Example HTTP requests and responses use the HTTP/2-style formatting
   from [RFC7540].

   This document uses the variable-length integer encoding from
   [I-D.ietf-quic-transport].

2. Motivation for Replacing HTTP/2 Priorities

   An important feature of any implementation of a protocol that
   provides multiplexing is the ability to prioritize the sending of
   information. This was an important realization in the design of
   HTTP/2. Prioritization is a difficult problem, so it will always be
   suboptimal, particularly if one endpoint operates in ignorance of the
   needs of its peer.

   HTTP/2 introduced a complex prioritization signaling scheme that used
   a combination of dependencies and weights, formed into an unbalanced
   tree. This scheme has suffered from poor deployment and
   interoperability.

   The rich flexibility of client-driven HTTP/2 prioritization tree
   building is rarely exercised. Experience has shown that clients tend
   to choose a single model optimized for a web use case and experiment
   within the model constraints, or do nothing at all. Furthermore,
   many clients build their prioritization tree in a unique way, which
   makes it difficult for servers to understand their intent and act or
   intervene accordingly.

   Many HTTP/2 server implementations do not include support for the
   priority scheme, some favoring instead bespoke server-driven schemes
   based on heuristics and other hints, like the content type of
   resources and the request generation order.
   For example, a server, with knowledge of the document structure,
   might want to prioritize the delivery of images that are critical to
   user experience above other images, but below the CSS files. Since
   client trees vary, it is impossible for the server to determine how
   such images should be prioritized against other responses.

   The HTTP/2 scheme allows intermediaries to coalesce multiple client
   trees into a single tree that is used for a single upstream HTTP/2
   connection. However, most intermediaries do not support this. The
   scheme does not define a method that can be used by a server to
   express the priority of a response. Without such a method,
   intermediaries cannot coordinate client-driven and server-driven
   priorities.

   HTTP/2 describes denial-of-service considerations for
   implementations. On 2019-08-13 Netflix issued an advisory notice
   about the discovery of several resource exhaustion vectors affecting
   multiple HTTP/2 implementations. One attack, [CVE-2019-9513] aka
   "Resource Loop", is based on manipulation of the priority tree.

   The HTTP/2 scheme depends on in-order delivery of signals, leading to
   challenges in porting the scheme to protocols that do not provide
   global ordering. For example, the scheme cannot be used in HTTP/3
   [I-D.ietf-quic-http] without changing the signal and its processing.

   Considering the problems with deployment and adaptability to HTTP/3,
   retaining the HTTP/2 priority scheme increases the complexity of the
   entire system without any evidence that the value it provides offsets
   that complexity. In fact, multiple experiments from independent
   research have shown that simpler schemes can reach at least
   equivalent performance characteristics compared to the more complex
   HTTP/2 setups seen in practice, at least for the web use case.

2.1. Disabling HTTP/2 Priorities

   The problems and insights set out above are motivation for allowing
   endpoints to opt out of using the HTTP/2 priority scheme, in favor of
   using an alternative such as the scheme defined in this
   specification. The SETTINGS_DEPRECATE_HTTP2_PRIORITIES setting
   described below enables endpoints to understand their peer's
   intention. The value of the parameter MUST be 0 or 1. Any value
   other than 0 or 1 MUST be treated as a connection error (see
   [RFC7540], Section 5.4.1) of type PROTOCOL_ERROR.

   Endpoints MUST send this SETTINGS parameter as part of the first
   SETTINGS frame. When the peer receives the first SETTINGS frame, it
   learns the sender has deprecated the HTTP/2 priority scheme if it
   receives the SETTINGS_DEPRECATE_HTTP2_PRIORITIES parameter with the
   value of 1.

   A sender MUST NOT change the SETTINGS_DEPRECATE_HTTP2_PRIORITIES
   parameter value after the first SETTINGS frame. Detection of a
   change by a receiver MUST be treated as a connection error of type
   PROTOCOL_ERROR.

   Until the client receives the SETTINGS frame from the server, the
   client SHOULD send both the priority signal defined in the HTTP/2
   priority scheme and also that of this prioritization scheme. Once
   the client learns that the HTTP/2 priority scheme is deprecated, it
   SHOULD stop sending the HTTP/2 priority signals. If the client
   learns that the HTTP/2 priority scheme is not deprecated, it SHOULD
   stop sending PRIORITY_UPDATE frames (Section 5.1), but MAY continue
   sending the Priority header field (Section 4), as it is an end-to-end
   signal that might be useful to nodes behind the server that the
   client is directly connected to.

   The SETTINGS frame precedes any priority signal sent from a client in
   HTTP/2, so a server can determine if it should respect the HTTP/2
   scheme before building state.

3. Priority Parameters

   The priority information is a sequence of key-value pairs, providing
   room for future extensions. Each key-value pair represents a
   priority parameter.

   The Priority HTTP header field (Section 4) is an end-to-end way to
   transmit this set of parameters when a request or a response is
   issued. In order to reprioritize a request, HTTP-version-specific
   frames (Section 5.1 and Section 5.2) are used by clients to transmit
   the same information on a single hop. If intermediaries want to
   specify prioritization on a multiplexed HTTP connection, they SHOULD
   use a PRIORITY_UPDATE frame and SHOULD NOT change the Priority header
   field.

   In both cases, the set of priority parameters is encoded as a
   Structured Headers Dictionary ([STRUCTURED-HEADERS]).

   This document defines the urgency ("u") and incremental ("i")
   parameters. When receiving an HTTP request that does not carry these
   priority parameters, a server SHOULD act as if their default values
   were specified. Note that handling of omitted parameters is
   different when processing an HTTP response; see Section 6.

   Unknown parameters, parameters with out-of-range values or values of
   unexpected types MUST be ignored.

3.1. Urgency

   The urgency parameter ("u") takes an integer between 0 and 7, in
   descending order of priority. This range provides sufficient
   granularity for prioritizing responses for ordinary web browsing, at
   minimal complexity.

   The value is encoded as an sh-integer. The default value is 3.

   This parameter indicates the sender's recommendation, based on the
   expectation that the server would transmit HTTP responses in the
   order of their urgency values if possible. The smaller the value,
   the higher the precedence.

   The following example shows a request for a CSS file with the urgency
   set to "0":

   :method = GET
   :scheme = https
   :authority = example.net
   :path = /style.css
   priority = u=0

   A client that fetches a document that likely consists of multiple
   HTTP resources (e.g., HTML) SHOULD assign the default urgency level
   to the main resource. This convention allows servers to refine the
   urgency using knowledge specific to the web-site (see Section 6).

   The lowest urgency level (7) is reserved for background tasks such as
   delivery of software updates. This urgency level SHOULD NOT be used
   for fetching responses that have impact on user interaction.

3.2. Incremental

   The incremental parameter ("i") takes an sh-boolean as the value that
   indicates if an HTTP response can be processed incrementally, i.e.
   provide some meaningful output as chunks of the response arrive.

   The default value of the incremental parameter is false ("0").

   A server might distribute the bandwidth of a connection between
   incremental responses that share the same urgency, hoping that
   providing those responses in parallel would be more helpful to the
   client than delivering the responses one by one.

   If a client makes concurrent requests with the incremental parameter
   set to false, there is no benefit serving responses in parallel
   because the client is not going to process those responses
   incrementally. Serving non-incremental responses one by one, in the
   order in which those requests were generated, is considered to be the
   best strategy.

   The following example shows a request for a JPEG file with the
   urgency parameter set to "5" and the incremental parameter set to
   "true".

   :method = GET
   :scheme = https
   :authority = example.net
   :path = /image.jpg
   priority = u=5, i

3.3. Defining New Parameters

   When attempting to extend priorities, care must be taken to ensure
   any use of existing parameters is either unchanged or modified in a
   way that is backwards compatible for peers that are unaware of the
   extended meaning.

   For example, if there is a need to provide more granularity than
   eight urgency levels, it would be possible to subdivide the range
   using an additional parameter. Implementations that do not recognize
   the parameter can safely continue to use the less granular eight
   levels.

   Alternatively, the urgency can be augmented. For example, a
   graphical user agent could send a "visible" parameter to indicate if
   the resource being requested is within the viewport.

4. The Priority HTTP Header Field

   The Priority HTTP header field can appear in requests and responses.
   A client uses it to specify the priority of the response. A server
   uses it to inform the client that the priority was overwritten. An
   intermediary can use the Priority information from client requests
   and server responses to correct or amend the precedence to suit it
   (see Section 6).

   The Priority header field is an end-to-end signal of the request
   priority from the client or the response priority from the server.

   As is the ordinary case for HTTP caching ([RFC7234]), a response with
   a Priority header field might be cached and re-used for subsequent
   requests. When an origin server generates the Priority response
   header field based on properties of an HTTP request it receives, the
   server is expected to control the cacheability or the applicability
   of the cached response, by using header fields that control the
   caching behavior (e.g., Cache-Control, Vary).

5. Reprioritization

   After a client sends a request, it may be beneficial to change the
   priority of the response.
   As an example, a web browser might issue a prefetch request for a
   JavaScript file with the urgency parameter of the Priority request
   header field set to "u=7" (background). Then, when the user
   navigates to a page which references the new JavaScript file, while
   the prefetch is in progress, the browser would send a
   reprioritization frame with the priority field value set to "u=0".

   In HTTP/2 and HTTP/3, after a request message is sent on a stream,
   the stream transitions to a state that prevents the client from
   sending additional frames on the stream. Therefore, a client cannot
   reprioritize a response by using the Priority header field.
   Modifying this behavior would require a semantic change to the
   protocol, but this is avoided by restricting the stream on which a
   PRIORITY_UPDATE frame can be sent. In HTTP/2 the frame is on stream
   zero and in HTTP/3 it is sent on the control stream
   ([I-D.ietf-quic-http], Section 6.2.1).

   This document specifies a new PRIORITY_UPDATE frame type for HTTP/2
   ([RFC7540]) and HTTP/3 ([I-D.ietf-quic-http]) which enables
   reprioritization. It carries updated priority parameters and
   references the target of the reprioritization based on a
   version-specific identifier; in HTTP/2 this is the Stream ID, in
   HTTP/3 this is either the Stream ID or Push ID.

   Unlike the header field, the reprioritization frame is a hop-by-hop
   signal.

5.1. HTTP/2 PRIORITY_UPDATE Frame

   The HTTP/2 PRIORITY_UPDATE frame (type=0xF) carries the stream ID of
   the response that is being reprioritized, and the updated priority in
   ASCII text, using the same representation as that of the Priority
   header field value.

   The Stream Identifier field ([RFC7540], Section 4.1) in the
   PRIORITY_UPDATE frame header MUST be zero (0x0).

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +---------------------------------------------------------------+
   |R|                        Stream ID (31)                       |
   +---------------------------------------------------------------+
   |                   Priority Field Value (*)                  ...
   +---------------------------------------------------------------+

             Figure 1: HTTP/2 PRIORITY_UPDATE Frame Payload

   The PRIORITY_UPDATE frame payload has the following fields:

   R: A reserved 1-bit field. The semantics of this bit are undefined,
      and the bit MUST remain unset (0x0) when sending and MUST be
      ignored when receiving.

   Stream ID: A 31-bit stream identifier for the stream that is the
      target of the priority update.

   Priority Field Value: The priority update value in ASCII text,
      encoded using Structured Headers.

   The HTTP/2 PRIORITY_UPDATE frame MUST NOT be sent prior to opening
   the stream. If a PRIORITY_UPDATE is received prior to the stream
   being opened, it MAY be treated as a connection error of type
   PROTOCOL_ERROR.

   TODO: add more description of how to handle things like receiving
   PRIORITY_UPDATE on wrong stream, a PRIORITY_UPDATE with an invalid
   ID, etc.

5.2. HTTP/3 PRIORITY_UPDATE Frame

   The HTTP/3 PRIORITY_UPDATE frame (type=0xF) carries the identifier of
   the element that is being reprioritized, and the updated priority in
   ASCII text, using the same representation as that of the Priority
   header field value.

   The PRIORITY_UPDATE frame MUST be sent on the control stream
   ([I-D.ietf-quic-http], Section 6.2.1).

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |T|    Empty    |   Prioritized Element ID (i)                ...
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                   Priority Field Value (*)                  ...
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

             Figure 2: HTTP/3 PRIORITY_UPDATE Frame Payload

   The PRIORITY_UPDATE frame payload has the following fields:

   T (Prioritized Element Type): A one-bit field indicating the type of
      element being prioritized. A value of 0 indicates a
      reprioritization for a Request Stream, so the Prioritized Element
      ID is interpreted as a Stream ID. A value of 1 indicates a
      reprioritization for a Push stream, so the Prioritized Element ID
      is interpreted as a Push ID.

   Empty: A seven-bit field that has no semantic value.

   Prioritized Element ID: The stream ID or push ID that is the target
      of the priority update.

   Priority Field Value: The priority update value in ASCII text,
      encoded using Structured Headers.

   The HTTP/3 PRIORITY_UPDATE frame MUST NOT be sent with an invalid
   identifier, including before the request stream has been opened or
   before a promised request has been received. If a server receives a
   PRIORITY_UPDATE specifying a push ID that has not been promised, it
   SHOULD be treated as a connection error of type H3_ID_ERROR.

   Because the HTTP/3 PRIORITY_UPDATE frame is sent on the control
   stream and there are no ordering guarantees between streams, a client
   that reprioritizes a request before receiving the response data might
   cause the server to receive a PRIORITY_UPDATE for an unknown request.
   If the request stream ID is within bidirectional stream limits, the
   PRIORITY_UPDATE frame SHOULD be buffered until the stream is opened
   and applied immediately after the request message has been processed.
   Holding PRIORITY_UPDATES consumes extra state on the peer, although
   the size of the state is bounded by bidirectional stream limits.
   There is no bound on the number of PRIORITY_UPDATES that can be sent,
   so an endpoint SHOULD store only the most recently received frame.
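
   The buffering rule above, as an added example that is not part of the
   draft or of any implementation it describes: a server-side sketch
   that parses the Figure 2 payload and keeps at most one early
   PRIORITY_UPDATE per permitted request stream. The class and method
   names, the two limit fields and the choice to silently drop stream
   IDs the draft leaves as a TODO are assumptions; cleanup on stream
   closure is omitted.

```python
from dataclasses import dataclass, field


class H3IdError(Exception):
    """Stands in for a connection error of type H3_ID_ERROR."""


class FrameError(Exception):
    """Malformed PRIORITY_UPDATE payload."""


def decode_varint(buf: bytes, pos: int):
    """Decode a QUIC variable-length integer; return (value, next_pos)."""
    if pos >= len(buf):
        raise FrameError("truncated varint")
    length = 1 << (buf[pos] >> 6)       # top two bits select 1, 2, 4 or 8 bytes
    if pos + length > len(buf):
        raise FrameError("truncated varint")
    value = buf[pos] & 0x3F
    for byte in buf[pos + 1:pos + length]:
        value = (value << 8) | byte
    return value, pos + length


def parse_h3_priority_update(payload: bytes):
    """Return (is_push, element_id, field_value) from a Figure 2 payload."""
    if not payload:
        raise FrameError("empty payload")
    is_push = bool(payload[0] & 0x80)   # T bit; the seven Empty bits are ignored
    element_id, pos = decode_varint(payload, 1)
    try:
        field_value = payload[pos:].decode("ascii")
    except UnicodeDecodeError as exc:
        raise FrameError("priority field value is not ASCII") from exc
    return is_push, element_id, field_value


@dataclass
class PriorityUpdateBuffer:
    # Assumption: the caller tracks both limits from its QUIC/HTTP/3 stack.
    max_request_stream_id: int          # highest client bidi stream ID allowed
    max_promised_push_id: int = -1      # highest push ID promised so far
    active: dict = field(default_factory=dict)    # element -> value in effect
    pending: dict = field(default_factory=dict)   # stream ID -> latest early update

    def on_priority_update(self, payload: bytes) -> str:
        is_push, element_id, value = parse_h3_priority_update(payload)
        if is_push:
            if element_id > self.max_promised_push_id:
                raise H3IdError(f"push ID {element_id} was never promised")
            self.active[("push", element_id)] = value
            return "applied"
        # Client-initiated bidirectional QUIC streams have IDs divisible by 4.
        # The draft leaves other invalid IDs as a TODO; this example drops
        # them so that they can never create state.
        if element_id % 4 != 0 or element_id > self.max_request_stream_id:
            return "dropped"
        if ("request", element_id) in self.active:
            self.active[("request", element_id)] = value
            return "applied"
        # Stream not opened yet: keep only the most recent frame, so the
        # buffer holds at most one entry per permitted stream ID.
        self.pending[element_id] = value
        return "buffered"

    def on_request(self, stream_id: int, header_value: str) -> str:
        """Call after the request message is processed; returns the value in effect."""
        value = self.pending.pop(stream_id, header_value)
        self.active[("request", stream_id)] = value
        return value
```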

   TODO: add more description of how to handle things like receiving
   PRIORITY_UPDATE on wrong stream, a PRIORITY_UPDATE with an invalid
   ID, etc.

6. Merging Client- and Server-Driven Parameters

   It is not always the case that the client has the best understanding
   of how the HTTP responses deserve to be prioritized. The server
   might have additional information that can be combined with the
   client's indicated priority in order to improve the prioritization of
   the response. For example, use of an HTML document might depend
   heavily on one of the inline images; existence of such dependencies
   is typically best known to the server. Or, a server that receives
   requests for a font [RFC8081] and images with the same urgency might
   give higher precedence to the font, so that a visual client can
   render textual information at an early moment.

   An origin can use the Priority response header field to indicate its
   view on how an HTTP response should be prioritized. An intermediary
   that forwards an HTTP response can use the parameters found in the
   Priority response header field, in combination with the client
   Priority request header field, as input to its prioritization
   process. No guidance is provided for merging priorities; this is
   left as an implementation decision.

   Absence of a priority parameter in an HTTP response indicates the
   server's disinterest in changing the client-provided value. This is
   different from the logic being defined for the request header field,
   in which omission of a priority parameter implies the use of its
   default value (see Section 3).
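
   The parameter handling described in Section 3 and the merge behaviour
   described above, as an added example that is not part of the draft:
   a parser for the "u" and "i" parameters and one possible merge policy
   that prefers server-provided values. The function names are
   hypothetical, and the parser is a simplified subset of Structured
   Headers dictionaries (bare integers and booleans only), which is an
   assumption of this sketch.

```python
import re

DEFAULTS = {"u": 3, "i": False}      # request-side defaults (Sections 3.1, 3.2)
_KEY = re.compile(r"[a-z*][a-z0-9_.*-]*\Z")
_INT = re.compile(r"-?\d{1,15}\Z")


def parse_priority(field_value: str) -> dict:
    """Return only the known, well-typed, in-range parameters that are present.

    Simplified subset of a Structured Headers dictionary: members are split
    on commas, member parameters after ';' are discarded, and values other
    than integers and booleans are recorded as an unexpected type.
    """
    raw = {}
    for member in field_value.split(","):
        item = member.split(";", 1)[0].strip()
        key, has_value, text = item.partition("=")
        if not _KEY.match(key):
            continue
        if not has_value:
            raw[key] = True                  # a bare key means boolean true
        elif text in ("?0", "?1"):
            raw[key] = text == "?1"
        elif _INT.match(text):
            raw[key] = int(text)
        else:
            raw[key] = None                  # unexpected type; later duplicates still win
    params = {}
    u, i = raw.get("u"), raw.get("i")
    # type() rather than isinstance(): bool is a subclass of int in Python,
    # and "u" given as a boolean must be ignored as an unexpected type.
    if type(u) is int and 0 <= u <= 7:
        params["u"] = u
    if type(i) is bool:
        params["i"] = i
    # Unknown keys (for example "visible") never reach the result.
    return params


def request_priority(field_value) -> dict:
    """Effective request priority: omitted parameters take their defaults."""
    return {**DEFAULTS, **parse_priority(field_value or "")}


def merge_priority(request_field, response_field) -> dict:
    """One possible policy (the draft leaves merging to implementations):
    a parameter present in the response replaces the client's value, and a
    parameter absent from the response keeps the client's value."""
    merged = request_priority(request_field)
    merged.update(parse_priority(response_field or ""))
    return merged
```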

   As a non-normative example, when the client sends an HTTP request
   with the urgency parameter set to "5" and the incremental parameter
   set to "true"

   :method = GET
   :scheme = https
   :authority = example.net
   :path = /menu.png
   priority = u=5, i

   and the origin responds with

   :status = 200
   content-type = image/png
   priority = u=1

   the intermediary might alter its understanding of the urgency from
   "5" to "1", because it prefers the server-provided value over the
   client's. The incremental value continues to be "true", the value
   specified by the client, as the server did not specify the
   incremental ("i") parameter.

7. Client Scheduling

   A client MAY use priority values to make local scheduling choices
   about the requests it initiates.

8. Fairness

   As a general guideline, a server SHOULD NOT use priority information
   for making schedule decisions across multiple connections, unless it
   knows that those connections originate from the same client. Due to
   this, priority information conveyed over a non-coalesced HTTP
   connection (e.g., HTTP/1.1) might go unused.

   The remainder of this section discusses scenarios where unfairness is
   problematic and presents possible mitigations, or where unfairness is
   desirable.

   TODO: Discuss if we should add a signal that mitigates this issue.
   For example, we might add a SETTINGS parameter that indicates the
   next hop that the connection is NOT coalesced (see
   https://github.com/kazuho/draft-kazuho-httpbis-priority/issues/99).

8.1. Coalescing Intermediaries

   When an intermediary coalesces HTTP requests coming from multiple
   clients into one HTTP/2 or HTTP/3 connection going to the backend
   server, requests that originate from one client might have higher
   precedence than those coming from others.

   It is sometimes beneficial for the server running behind an
   intermediary to obey the value of the Priority header field. As
   an example, a resource-constrained server might defer the
   transmission of software update files that have the background
   urgency associated with them. However, in the worst case, the
   asymmetry between the precedence declared by multiple clients might
   cause responses going to one end client to be delayed entirely behind
   those going to another.

   In order to mitigate this fairness problem, when a server responds to
   a request that is known to have come through an intermediary, the
   server SHOULD prioritize the response as if it was assigned the
   priority of "u=1, i" (i.e. round-robin) regardless of the value of
   the Priority header field being transmitted, unless the server knows
   the intermediary is not coalescing requests from multiple clients.

   A server can determine if a request came from an intermediary through
   configuration, or by checking whether that request contains one of
   the following header fields:

   o  Forwarded, X-Forwarded-For ([RFC7239])

   o  Via ([RFC7230], Section 5.7.1)

   Responding to requests coming through an intermediary in a
   round-robin manner works well when the network bottleneck exists
   between the intermediary and the end client, as the intermediary
   would be buffering the responses and then be forwarding the chunks of
   those buffered responses based on the prioritization scheme it
   implements. A sophisticated server MAY use a weighted round-robin
   reflecting the urgencies expressed in the requests, so that less
   urgent responses would receive less bandwidth in case the bottleneck
   exists between the server and the intermediary.

8.2. HTTP/1.x Back Ends

   It is common for CDN infrastructure to support different HTTP
   versions on the front end and back end.
   For instance, the client-facing edge might support HTTP/2 and HTTP/3
   while communication to back end servers is done using HTTP/1.1.
   Unlike with connection coalescing, the CDN will "de-mux" requests
   into discrete connections to the back end. As HTTP/1.1 and older do
   not provide a way to concurrently transmit multiple responses, there
   is no immediate fairness issue in the protocol. However, back end
   servers MAY still use client headers for request scheduling. Back
   end servers SHOULD only schedule based on client priority information
   where that information can be scoped to individual end clients.
   Authentication and other session information might provide this
   linkability.

8.3. Intentional Introduction of Unfairness

   It is sometimes beneficial to deprioritize the transmission of one
   connection over others, knowing that doing so introduces a certain
   amount of unfairness between the connections and therefore between
   the requests served on those connections.

   For example, a server might use a scavenging congestion controller on
   connections that only convey background priority responses such as
   software update images. Doing so improves responsiveness of other
   connections at the cost of delaying the delivery of updates.

9. Why use an End-to-End Header Field?

   Contrary to the prioritization scheme of HTTP/2 that uses a
   hop-by-hop frame, the Priority header field is defined as end-to-end.

   The rationale is that the Priority header field transmits how each
   response affects the client's processing of those responses, rather
   than how relatively urgent each response is to others. The way a
   client processes a response is a property associated with the client
   generating that request, not with an intermediary. Therefore, it
   is an end-to-end property.
   How these end-to-end properties carried by the Priority header field
   affect the prioritization between the responses that share a
   connection is a hop-by-hop issue.

   Having the Priority header field defined as end-to-end is important
   for caching intermediaries. Such intermediaries can cache the value
   of the Priority header field along with the response, and utilize the
   value of the cached header field when serving the cached response,
   only because the header field is defined as end-to-end rather than
   hop-by-hop.

   It should also be noted that the use of a header field carrying a
   textual value makes the prioritization scheme extensible; see the
   discussion below.

10.  Security Considerations

   [CVE-2019-9513] aka "Resource Loop", is a DoS attack based on
   manipulation of the HTTP/2 priority tree. Extensible priorities does
   not use stream dependencies, which mitigates this vulnerability.

   TBD: depending on the outcome of reprioritization discussions,
   following paragraphs may change or be removed.

   [RFC7540], Section 5.3.4 describes a scenario where closure of
   streams in the priority tree could cause suboptimal prioritization.
   To avoid this, [RFC7540] states that "an endpoint SHOULD retain
   stream prioritization state for a period after streams become
   closed". Retaining state for streams no longer counted towards
   stream concurrency consumes server resources. Furthermore, [RFC7540]
   identifies that reprioritization of a closed stream could affect
   dependents; it recommends updating the priority tree if sufficient
   state is stored, which will also consume server resources. To limit
   this commitment, it is stated that "The amount of prioritization
   state that is retained MAY be limited" and "If a limit is applied,
   endpoints SHOULD maintain state for at least as many streams as
   allowed by their setting for SETTINGS_MAX_CONCURRENT_STREAMS.".
   Extensible priorities does not use stream dependencies, which
   minimizes most of the resource concerns related to this scenario.

   [RFC7540], Section 5.3.4 also presents considerations about the state
   required to store priority information about streams in an "idle"
   state. This state can be limited by adopting the guidance about
   concurrency limits described above. Extensible priorities is subject
   to a similar consideration because PRIORITY_UPDATE frames may arrive
   before the request that they reference. A server is required to
   store the information in order to apply the most up-to-date signal to
   the request. However, HTTP/3 implementations might have practical
   barriers to determining reasonable stream concurrency limits
   depending on the information that is available to them from the QUIC
   transport layer. TODO: so what can we suggest?

11.  IANA Considerations

   This specification registers the following entry in the Permanent
   Message Header Field Names registry established by [RFC3864]:

   Header field name:  Priority

   Applicable protocol:  http

   Status:  standard

   Author/change controller:  IETF

   Specification document(s):  This document

   Related information:  n/a

   This specification registers the following entry in the HTTP/2
   Settings registry established by [RFC7540]:

   Name:  SETTINGS_DEPRECATE_HTTP2_PRIORITIES

   Code:  0x9

   Initial value:  0

   Specification:  This document

   This specification registers the following entry in the HTTP/2 Frame
   Type registry established by [RFC7540]:

   Frame Type:  PRIORITY_UPDATE

   Code:  0xF

   Specification:  This document

   This specification registers the following entries in the HTTP/3
   Frame Type registry established by [I-D.ietf-quic-http]:

   Frame Type:  PRIORITY_UPDATE

   Code:  0xF

   Specification:  This document

12.  References

12.1.  Normative References

   [I-D.ietf-quic-http]
              Bishop, M., "Hypertext Transfer Protocol Version 3
              (HTTP/3)", draft-ietf-quic-http-29 (work in progress),
              June 2020.

   [I-D.ietf-quic-transport]
              Iyengar, J. and M. Thomson, "QUIC: A UDP-Based Multiplexed
              and Secure Transport", draft-ietf-quic-transport-29 (work
              in progress), June 2020.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997.

   [RFC7230]  Fielding, R., Ed. and J. Reschke, Ed., "Hypertext Transfer
              Protocol (HTTP/1.1): Message Syntax and Routing",
              RFC 7230, DOI 10.17487/RFC7230, June 2014.

   [RFC7540]  Belshe, M., Peon, R., and M. Thomson, Ed., "Hypertext
              Transfer Protocol Version 2 (HTTP/2)", RFC 7540,
              DOI 10.17487/RFC7540, May 2015.

   [STRUCTURED-HEADERS]
              Nottingham, M. and P. Kamp, "Structured Field Values for
              HTTP", draft-ietf-httpbis-header-structure-19 (work in
              progress), June 2020.

12.2.  Informative References

   [CVE-2019-9513]
              Common Vulnerabilities and Exposures, "CVE-2019-9513",
              March 2019.

   [I-D.lassey-priority-setting]
              Lassey, B. and L. Pardue, "Declaring Support for HTTP/2
              Priorities", draft-lassey-priority-setting-00 (work in
              progress), July 2019.

   [RFC3864]  Klyne, G., Nottingham, M., and J. Mogul, "Registration
              Procedures for Message Header Fields", BCP 90, RFC 3864,
              DOI 10.17487/RFC3864, September 2004.

   [RFC7234]  Fielding, R., Ed., Nottingham, M., Ed., and J. Reschke,
              Ed., "Hypertext Transfer Protocol (HTTP/1.1): Caching",
              RFC 7234, DOI 10.17487/RFC7234, June 2014.

   [RFC7239]  Petersson, A. and M. Nilsson, "Forwarded HTTP Extension",
              RFC 7239, DOI 10.17487/RFC7239, June 2014.

   [RFC8081]  Lilley, C., "The "font" Top-Level Media Type", RFC 8081,
              DOI 10.17487/RFC8081, February 2017.

12.3.  URIs

   [1] https://lists.w3.org/Archives/Public/ietf-http-wg/

   [2] https://httpwg.org/

   [3] https://github.com/httpwg/http-extensions/labels/priorities

   [4] http://tools.ietf.org/agenda/83/slides/slides-83-httpbis-5.pdf

   [5] https://github.com/pmeenan/http3-prioritization-proposal

Appendix A.  Acknowledgements

   Roy Fielding presented the idea of using a header field for
   representing priorities in
   http://tools.ietf.org/agenda/83/slides/slides-83-httpbis-5.pdf [4].
   In https://github.com/pmeenan/http3-prioritization-proposal [5],
   Patrick Meenan advocates for representing the priorities using a
   tuple of urgency and concurrency. The ability to deprecate HTTP/2
   prioritization is based on [I-D.lassey-priority-setting], authored by
   Brad Lassey and Lucas Pardue, with modifications based on feedback
   that was not incorporated into an update to that document.

   The motivation for defining an alternative to HTTP/2 priorities is
   drawn from discussion within the broad HTTP community. Special
   thanks to Roberto Peon, Martin Thomson and Netflix for text that was
   incorporated explicitly in this document.

   In addition to the people above, this document owes a lot to the
   extensive discussion in the HTTP priority design team, consisting of
   Alan Frindell, Andrew Galloni, Craig Taylor, Ian Swett, Kazuho Oku,
   Lucas Pardue, Matthew Cox, Mike Bishop, Roberto Peon, Robin Marx, Roy
   Fielding.

Appendix B.  Change Log

B.1.  Since draft-ietf-httpbis-priority-00

   o  Move text around (#1217, #1218)

   o  Editorial change to the default urgency. The value is 3, which
      was always the intent of previous changes.

B.2.  Since draft-kazuho-httpbis-priority-04

   o  Minimize semantics of Urgency levels (#1023, #1026)

   o  Reduce guidance about how intermediary implements merging priority
      signals (#1026)

   o  Remove mention of CDN-Loop (#1062)

   o  Editorial changes

   o  Make changes due to WG adoption

   o  Removed outdated Consideration (#118)

B.3.  Since draft-kazuho-httpbis-priority-03

   o  Changed numbering from "[-1,6]" to "[0,7]" (#78)

   o  Replaced priority scheme negotiation with HTTP/2 priority
      deprecation (#100)

   o  Shorten parameter names (#108)

   o  Expand on considerations (#105, #107, #109, #110, #111, #113)

B.4.  Since draft-kazuho-httpbis-priority-02

   o  Consolidation of the problem statement (#61, #73)

   o  Define SETTINGS_PRIORITIES for negotiation (#58, #69)

   o  Define PRIORITY_UPDATE frame for HTTP/2 and HTTP/3 (#51)

   o  Explain fairness issue and mitigations (#56)

B.5.  Since draft-kazuho-httpbis-priority-01

   o  Explain how reprioritization might be supported.

B.6.  Since draft-kazuho-httpbis-priority-00

   o  Expand urgency levels from 3 to 8.

Authors' Addresses

   Kazuho Oku
   Fastly

   Email: kazuhooku@gmail.com

   Lucas Pardue
   Cloudflare

   Email: lucaspardue.24.7@gmail.com
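
Added example, not part of the draft: one way a server could apply the Section 8.1 fairness mitigation, replacing the client-declared priority with "u=1, i" whenever Forwarded, X-Forwarded-For or Via is present and the operator has not configured the intermediary as non-coalescing. The simplified Priority parser (it reads only "u" and "i"), the function names and the `non_coalescing` flag are assumptions of this example.

```python
import re

DEFAULT_URGENCY = 3                      # default urgency stated in change log B.1
SHARED_HOP_PRIORITY = (1, True)          # "u=1, i", the round-robin value from Section 8.1
INTERMEDIARY_FIELDS = ("forwarded", "x-forwarded-for", "via")
_MEMBER = re.compile(r"^([a-z*][a-z0-9_\-.*]*)(?:=(.*))?$")


def parse_priority(value):
    """Return (urgency, incremental) for a Priority field value.

    Simplified dictionary parsing (assumption): members are split on commas,
    parameters after ';' are dropped, and anything malformed or unknown
    leaves the defaults in place instead of raising.
    """
    urgency, incremental = DEFAULT_URGENCY, False
    for member in (value or "").split(","):
        m = _MEMBER.match(member.strip().split(";")[0].strip())
        if not m:
            continue
        key, raw = m.group(1), m.group(2)
        if key == "u" and raw is not None and re.fullmatch(r"[0-7]", raw):
            urgency = int(raw)           # urgency range is [0,7]
        elif key == "i":
            if raw is None or raw == "?1":
                incremental = True       # bare "i" means true
            elif raw == "?0":
                incremental = False
    return urgency, incremental


def via_intermediary(headers):
    """True if the request carries a field that indicates an intermediary."""
    names = {name.lower() for name in headers}
    return any(field in names for field in INTERMEDIARY_FIELDS)


def effective_priority(headers, non_coalescing=False):
    """Priority to schedule with. `non_coalescing` is operator configuration
    asserting the intermediary does not coalesce requests of multiple clients."""
    if via_intermediary(headers) and not non_coalescing:
        return SHARED_HOP_PRIORITY       # ignore the declared value on shared hops
    lookup = {name.lower(): v for name, v in headers.items()}
    return parse_priority(lookup.get("priority"))
```
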
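
Added example, not part of the draft: Section 10 notes that PRIORITY_UPDATE frames can arrive before the request they reference and that the stored state needs a bound. This per-connection buffer for HTTP/2 keeps only the newest signal per stream and caps the number of entries at the advertised SETTINGS_MAX_CONCURRENT_STREAMS; the class name, the evict-oldest policy and the 64-byte value cap are assumptions of this example.

```python
from collections import OrderedDict


class EarlyPriorityUpdates:
    """Bounded store for PRIORITY_UPDATE signals that precede their request."""

    def __init__(self, max_concurrent_streams, max_value_len=64):
        self.limit = max(1, max_concurrent_streams)  # cap tied to advertised concurrency
        self.max_value_len = max_value_len           # assumed cap on a stored field value
        self.pending = OrderedDict()                 # stream id -> newest field value
        self.highest_opened = 0                      # highest request stream id seen

    def on_priority_update(self, stream_id, value):
        """Return 'buffered', 'evicted-oldest' or 'rejected'.

        Signals for streams that are already open are not early and belong
        to the caller; this store rejects them.
        """
        if stream_id % 2 == 0 or stream_id <= self.highest_opened:
            return "rejected"            # not a future client-initiated stream
        if len(value) > self.max_value_len:
            return "rejected"            # oversized value is never stored
        outcome = "buffered"
        if stream_id in self.pending:
            del self.pending[stream_id]  # re-inserted below: newest signal wins
        elif len(self.pending) >= self.limit:
            self.pending.popitem(last=False)   # drop the oldest buffered signal
            outcome = "evicted-oldest"
        self.pending[stream_id] = value
        return outcome

    def on_request(self, stream_id):
        """Request arrived: return its buffered signal (or None) and free
        entries for lower ids, which HTTP/2 can no longer open."""
        self.highest_opened = max(self.highest_opened, stream_id)
        value = self.pending.pop(stream_id, None)
        for sid in [s for s in self.pending if s < stream_id]:
            del self.pending[sid]
        return value
```
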