idnits 2.17.1 draft-ietf-httpbis-tunnel-protocol-03.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- ** The abstract seems to contain references ([2], [3], [4], [1]), which it shouldn't. Please replace those with straight textual mentions of the documents in question. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document date (April 18, 2015) is 3296 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) -- Looks like a reference, but probably isn't: '1' on line 248 -- Looks like a reference, but probably isn't: '2' on line 251 -- Looks like a reference, but probably isn't: '3' on line 24 -- Looks like a reference, but probably isn't: '4' on line 25 -- Looks like a reference, but probably isn't: '5' on line 118 -- Looks like a reference, but probably isn't: '6' on line 156 ** Obsolete normative reference: RFC 7230 (Obsoleted by RFC 9110, RFC 9112) ** Obsolete normative reference: RFC 7231 (Obsoleted by RFC 9110) -- Obsolete informational reference (is this intentional?): RFC 5246 (Obsoleted by RFC 8446) -- Obsolete informational reference (is this intentional?): RFC 5766 (Obsoleted by RFC 8656) Summary: 3 errors (**), 0 flaws (~~), 1 warning (==), 9 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 HTTP Working Group A. Hutton 3 Internet-Draft Unify 4 Intended status: Standards Track J. Uberti 5 Expires: October 20, 2015 Google 6 M. Thomson 7 Mozilla 8 April 18, 2015 10 The ALPN HTTP Header Field 11 draft-ietf-httpbis-tunnel-protocol-03 13 Abstract 15 This specification allows HTTP CONNECT requests to indicate what 16 protocol will be used within the tunnel once established, using the 17 ALPN header field. 19 Editorial Note (To be removed by RFC Editor) 21 Discussion of this draft takes place on the HTTPBIS working group 22 mailing list (ietf-http-wg@w3.org), which is archived at [1]. 24 Working Group information can be found at [2] and [3]; source code 25 and issues list for this draft can be found at [4]. 27 Status of This Memo 29 This Internet-Draft is submitted in full conformance with the 30 provisions of BCP 78 and BCP 79. 32 Internet-Drafts are working documents of the Internet Engineering 33 Task Force (IETF). Note that other groups may also distribute 34 working documents as Internet-Drafts. The list of current Internet- 35 Drafts is at http://datatracker.ietf.org/drafts/current/. 37 Internet-Drafts are draft documents valid for a maximum of six months 38 and may be updated, replaced, or obsoleted by other documents at any 39 time. It is inappropriate to use Internet-Drafts as reference 40 material or to cite them other than as "work in progress." 42 This Internet-Draft will expire on October 20, 2015. 44 Copyright Notice 46 Copyright (c) 2015 IETF Trust and the persons identified as the 47 document authors. All rights reserved. 49 This document is subject to BCP 78 and the IETF Trust's Legal 50 Provisions Relating to IETF Documents 51 (http://trustee.ietf.org/license-info) in effect on the date of 52 publication of this document. Please review these documents 53 carefully, as they describe your rights and restrictions with respect 54 to this document. Code Components extracted from this document must 55 include Simplified BSD License text as described in Section 4.e of 56 the Trust Legal Provisions and are provided without warranty as 57 described in the Simplified BSD License. 59 Table of Contents 61 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 62 1.1. Requirements Language . . . . . . . . . . . . . . . . . . 3 63 2. The ALPN HTTP Header Field . . . . . . . . . . . . . . . . . 3 64 2.1. Header Field Values . . . . . . . . . . . . . . . . . . . 3 65 2.2. Syntax . . . . . . . . . . . . . . . . . . . . . . . . . 3 66 3. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 4 67 4. Security Considerations . . . . . . . . . . . . . . . . . . . 4 68 5. References . . . . . . . . . . . . . . . . . . . . . . . . . 5 69 5.1. Normative References . . . . . . . . . . . . . . . . . . 5 70 5.2. Informative References . . . . . . . . . . . . . . . . . 5 71 5.3. URIs . . . . . . . . . . . . . . . . . . . . . . . . . . 6 73 1. Introduction 75 The HTTP CONNECT method (Section 4.3.6 of [RFC7231]) requests that 76 the recipient establish a tunnel to the identified origin server and 77 thereafter forward packets, in both directions, until the tunnel is 78 closed. Such tunnels are commonly used to create end-to-end virtual 79 connections, through one or more proxies. 81 The HTTP ALPN header field identifies the protocol that will be 82 spoken within the tunnel, using the Application Layer Protocol 83 Negotiation identifier (ALPN, [RFC7301]). 85 When the CONNECT method is used to establish a tunnel, the ALPN 86 header field can be used to identify the protocol that the client 87 intends to use with that tunnel. For a tunnel that is then secured 88 using TLS [RFC5246], the header field carries the same application 89 protocol label as will be carried within the TLS handshake. If there 90 are multiple possible application protocols, all of those application 91 protocols are indicated. 93 The ALPN header field carries an indication of client intent only. 94 In TLS, the final choice of application protocol is made by the 95 server from the set of choices presented by the client. Other 96 protocols could negotiate protocols differently. 98 Proxies do not implement the tunneled protocol, though they might 99 choose to make policy decisions based on the value of the header 100 field. For example, a proxy could use the application protocol to 101 select appropriate traffic prioritization. 103 1.1. Requirements Language 105 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 106 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 107 document are to be interpreted as described in RFC 2119 [RFC2119]. 109 2. The ALPN HTTP Header Field 111 Clients include the ALPN header field in an HTTP CONNECT request to 112 indicate the application layer protocol that will be used within the 113 tunnel, or the set of protocols that might be used within the tunnel. 115 2.1. Header Field Values 117 Valid values for the protocol field are taken from the "Application- 118 Layer Protocol Negotiation (ALPN) Protocol ID" registry ([5]) 119 established by [RFC7301]. 121 2.2. Syntax 123 The ABNF (Augmented Backus-Naur Form) syntax for the ALPN header 124 field is given below. It is based on the Generic Grammar defined in 125 Section 2 of [RFC7230]. 127 ALPN = "ALPN":" 1#protocol-id 128 protocol-id = token ; percent-encoded ALPN protocol identifier 130 ALPN protocol names are octet sequences with no additional 131 constraints on format. Octets not allowed in tokens ([RFC7230], 132 Section 3.2.6) MUST be percent-encoded as per Section 2.1 of 133 [RFC3986]. Consequently, the octet representing the percent 134 character "%" (hex 25) MUST be percent-encoded as well. 136 In order to have precisely one way to represent any ALPN protocol 137 name, the following additional constraints apply: 139 o Octets in the ALPN protocol MUST NOT be percent-encoded if they 140 are valid token characters except "%", and 142 o When using percent-encoding, uppercase hex digits MUST be used. 144 With these constraints, recipients can apply simple string comparison 145 to match protocol identifiers. 147 For example: 149 CONNECT www.example.com HTTP/1.1 150 Host: www.example.com 151 ALPN: h2, http%2F1.1 153 3. IANA Considerations 155 HTTP header fields are registered within the "Message Headers" 156 registry maintained at [6]. This document defines and registers the 157 ALPN header field, according to [RFC3864] as follows: 159 Header Field Name: ALPN 161 Protocol: http 163 Status: Standard 165 Reference: Section 2 167 Change Controller: IETF (iesg@ietf.org) - Internet Engineering Task 168 Force 170 4. Security Considerations 172 In case of using HTTP CONNECT to a TURN server ("Traversal Using 173 Relays around NAT", [RFC5766]) the security considerations of 174 Section 4.3.6 of [RFC7231] apply. It states that there "are 175 significant risks in establishing a tunnel to arbitrary servers, 176 particularly when the destination is a well-known or reserved TCP 177 port that is not intended for Web traffic. Proxies that support 178 CONNECT SHOULD restrict its use to a limited set of known ports or a 179 configurable whitelist of safe request targets." 181 The ALPN header field described in this document is an OPTIONAL 182 header field. Clients and HTTP proxies could choose to not support 183 the header and therefore fail to provide it, or ignore it when 184 present. If the header is not available or ignored, a proxy cannot 185 identify the purpose of the tunnel and use this as input to any 186 authorization decision regarding the tunnel. This is 187 indistinguishable from the case where either client or proxy does not 188 support the ALPN header field. 190 The value of the ALPN header field could be falsified by a client. 191 If the data being sent through the tunnel is encrypted (for example, 192 with TLS [RFC5246]), then the proxy might not be able to directly 193 inspect the data to verify that the claimed protocol is the one which 194 is actually being used, though a proxy might be able to perform 195 traffic analysis [TRAFFIC]. A proxy therefore cannot rely on the 196 value of the ALPN header field as a policy input in all cases. 198 5. References 200 5.1. Normative References 202 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 203 Requirement Levels", BCP 14, RFC 2119, March 1997, 204 . 206 [RFC3864] Klyne, G., Nottingham, M., and J. Mogul, "Registration 207 Procedures for Message Header Fields", BCP 90, RFC 3864, 208 September 2004, . 210 [RFC3986] Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform 211 Resource Identifier (URI): Generic Syntax", STD 66, RFC 212 3986, January 2005, 213 . 215 [RFC7230] Fielding, R. and J. Reschke, "Hypertext Transfer Protocol 216 (HTTP/1.1): Message Syntax and Routing", RFC 7230, June 217 2014, . 219 [RFC7231] Fielding, R. and J. Reschke, "Hypertext Transfer Protocol 220 (HTTP/1.1): Semantics and Content", RFC 7231, June 2014, 221 . 223 [RFC7301] Friedl, S., Popov, A., Langley, A., and E. Stephan, 224 "Transport Layer Security (TLS) Application-Layer Protocol 225 Negotiation Extension", RFC 7301, July 2014, 226 . 228 5.2. Informative References 230 [RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security 231 (TLS) Protocol Version 1.2", RFC 5246, August 2008, 232 . 234 [RFC5766] Mahy, R., Matthews, P., and J. Rosenberg, "Traversal Using 235 Relays around NAT (TURN): Relay Extensions to Session 236 Traversal Utilities for NAT (STUN)", RFC 5766, April 2010, 237 . 239 [TRAFFIC] Pironti, A., Strub, P-Y., and K. Bhargavan, "Website Users 240 by TLS Traffic Analysis: New Attacks and Effective 241 Countermeasures, Revision 1", 2012, 242 . 246 5.3. URIs 248 [1] http://www.iana.org/assignments/tls-extensiontype-values/#alpn- 249 protocol-ids 251 [2] https://www.iana.org/assignments/message-headers 253 Authors' Addresses 255 Andrew Hutton 256 Unify 257 Technology Drive 258 Nottingham NG9 1LA 259 UK 261 EMail: andrew.hutton@unify.com 263 Justin Uberti 264 Google 265 747 6th Ave S 266 Kirkland, WA 98033 267 US 269 EMail: justin@uberti.name 271 Martin Thomson 272 Mozilla 273 331 E Evelyn Street 274 Mountain View, CA 94041 275 US 277 EMail: martin.thomson@gmail.com