idnits 2.17.1 draft-ietf-httpbis-tunnel-protocol-04.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document date (May 20, 2015) is 3263 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) -- Looks like a reference, but probably isn't: '1' on line 263 -- Looks like a reference, but probably isn't: '2' on line 266 ** Obsolete normative reference: RFC 7230 (Obsoleted by RFC 9110, RFC 9112) ** Obsolete normative reference: RFC 7231 (Obsoleted by RFC 9110) -- Obsolete informational reference (is this intentional?): RFC 5246 (Obsoleted by RFC 8446) -- Obsolete informational reference (is this intentional?): RFC 5766 (Obsoleted by RFC 8656) Summary: 2 errors (**), 0 flaws (~~), 1 warning (==), 5 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 HTTP Working Group A. Hutton 3 Internet-Draft Unify 4 Intended status: Standards Track J. Uberti 5 Expires: November 21, 2015 Google 6 M. Thomson 7 Mozilla 8 May 20, 2015 10 The ALPN HTTP Header Field 11 draft-ietf-httpbis-tunnel-protocol-04 13 Abstract 15 This specification allows HTTP CONNECT requests to indicate what 16 protocol will be used within the tunnel once established, using the 17 ALPN header field. 19 Status of This Memo 21 This Internet-Draft is submitted in full conformance with the 22 provisions of BCP 78 and BCP 79. 24 Internet-Drafts are working documents of the Internet Engineering 25 Task Force (IETF). Note that other groups may also distribute 26 working documents as Internet-Drafts. The list of current Internet- 27 Drafts is at http://datatracker.ietf.org/drafts/current/. 29 Internet-Drafts are draft documents valid for a maximum of six months 30 and may be updated, replaced, or obsoleted by other documents at any 31 time. It is inappropriate to use Internet-Drafts as reference 32 material or to cite them other than as "work in progress." 34 This Internet-Draft will expire on November 21, 2015. 36 Copyright Notice 38 Copyright (c) 2015 IETF Trust and the persons identified as the 39 document authors. All rights reserved. 41 This document is subject to BCP 78 and the IETF Trust's Legal 42 Provisions Relating to IETF Documents 43 (http://trustee.ietf.org/license-info) in effect on the date of 44 publication of this document. Please review these documents 45 carefully, as they describe your rights and restrictions with respect 46 to this document. Code Components extracted from this document must 47 include Simplified BSD License text as described in Section 4.e of 48 the Trust Legal Provisions and are provided without warranty as 49 described in the Simplified BSD License. 51 Table of Contents 53 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 54 1.1. Requirements Language . . . . . . . . . . . . . . . . . . 3 55 2. The ALPN HTTP Header Field . . . . . . . . . . . . . . . . . 3 56 2.1. Header Field Values . . . . . . . . . . . . . . . . . . . 3 57 2.2. Syntax . . . . . . . . . . . . . . . . . . . . . . . . . 3 58 2.3. Usage . . . . . . . . . . . . . . . . . . . . . . . . . . 4 59 3. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 4 60 4. Security Considerations . . . . . . . . . . . . . . . . . . . 4 61 5. References . . . . . . . . . . . . . . . . . . . . . . . . . 5 62 5.1. Normative References . . . . . . . . . . . . . . . . . . 5 63 5.2. Informative References . . . . . . . . . . . . . . . . . 6 64 5.3. URIs . . . . . . . . . . . . . . . . . . . . . . . . . . 6 66 1. Introduction 68 The HTTP CONNECT method (Section 4.3.6 of [RFC7231]) requests that 69 the recipient establish a tunnel to the identified origin server and 70 thereafter forward packets, in both directions, until the tunnel is 71 closed. Such tunnels are commonly used to create end-to-end virtual 72 connections, through one or more proxies. 74 The HTTP ALPN header field identifies the protocol that will be used 75 within the tunnel, using the Application Layer Protocol Negotiation 76 identifier (ALPN, [RFC7301]). 78 When the CONNECT method is used to establish a tunnel, the ALPN 79 header field can be used to identify the protocol that the client 80 intends to use with that tunnel. For a tunnel that is then secured 81 using TLS [RFC5246], the header field carries the same application 82 protocol label as will be carried within the TLS handshake. If there 83 are multiple possible application protocols, all of those application 84 protocols are indicated. 86 The ALPN header field carries an indication of client intent only. 87 An ALPN identifier is used here only to identify the application 88 protocol or suite of protocols that the client intends to use in the 89 tunnel. No negotiation takes place using this header field. In TLS, 90 the final choice of application protocol is made by the server from 91 the set of choices presented by the client. Other substrates could 92 negotiate the application protocol differently. 94 Proxies do not implement the tunneled protocol, though they might 95 choose to make policy decisions based on the value of the header 96 field. For example, a proxy could use the application protocol to 97 select appropriate traffic prioritization. 99 1.1. Requirements Language 101 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 102 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 103 document are to be interpreted as described in RFC 2119 [RFC2119]. 105 2. The ALPN HTTP Header Field 107 Clients include the ALPN header field in an HTTP CONNECT request to 108 indicate the application layer protocol that will be used within the 109 tunnel, or the set of protocols that might be used within the tunnel. 111 2.1. Header Field Values 113 Valid values for the protocol field are taken from the "Application- 114 Layer Protocol Negotiation (ALPN) Protocol ID" registry ([1]) 115 established by [RFC7301]. 117 2.2. Syntax 119 The ABNF (Augmented Backus-Naur Form) syntax for the ALPN header 120 field is given below. It is based on the Generic Grammar defined in 121 Section 2 of [RFC7230]. 123 ALPN = "ALPN":" 1#protocol-id 124 protocol-id = token ; percent-encoded ALPN protocol identifier 126 ALPN protocol names are octet sequences with no additional 127 constraints on format. Octets not allowed in tokens ([RFC7230], 128 Section 3.2.6) MUST be percent-encoded as per Section 2.1 of 129 [RFC3986]. Consequently, the octet representing the percent 130 character "%" (hex 25) MUST be percent-encoded as well. 132 In order to have precisely one way to represent any ALPN protocol 133 name, the following additional constraints apply: 135 o Octets in the ALPN protocol MUST NOT be percent-encoded if they 136 are valid token characters except "%", and 138 o When using percent-encoding, uppercase hex digits MUST be used. 140 With these constraints, recipients can apply simple string comparison 141 to match protocol identifiers. 143 For example: 145 CONNECT www.example.com HTTP/1.1 146 Host: www.example.com 147 ALPN: h2, http%2F1.1 149 2.3. Usage 151 For a CONNECT tunnel that conveys a TLS session that in turn 152 encapsulates another protocol, the value of the ALPN header field 153 contains the same list of ALPN identifiers that will be sent in the 154 TLS ClientHello message [RFC7301]. 156 Where no protocol negotiation is expected to occur, such as in 157 protocols that do not use TLS, the ALPN header field contains a 158 single ALPN Protocol Identifier corresponding to the application 159 protocol that is intended to be used. If an alternative form of 160 protocol negotiation is possible, the ALPN header field contains the 161 set of protocols that might be negotiated. 163 When used in the ALPN header field, the ALPN identifier and registry 164 are used to identify an entire application protocol stack, not a 165 single protocol layer or component. 167 3. IANA Considerations 169 HTTP header fields are registered within the "Permanent Message 170 Header Field Names" registry maintained at [2]. This document 171 defines and registers the ALPN header field, according to [RFC3864] 172 as follows: 174 Header Field Name: ALPN 176 Protocol: http 178 Status: Standard 180 Reference: Section 2 182 Change Controller: IETF (iesg@ietf.org) - Internet Engineering Task 183 Force 185 4. Security Considerations 187 In case of using HTTP CONNECT to a TURN server ("Traversal Using 188 Relays around NAT", [RFC5766]) the security considerations of 189 Section 4.3.6 of [RFC7231] apply. It states that there "are 190 significant risks in establishing a tunnel to arbitrary servers, 191 particularly when the destination is a well-known or reserved TCP 192 port that is not intended for Web traffic. Proxies that support 193 CONNECT SHOULD restrict its use to a limited set of known ports or a 194 configurable whitelist of safe request targets." 196 The ALPN header field described in this document is an OPTIONAL 197 header field. Clients and HTTP proxies could choose to not support 198 the header and therefore fail to provide it, or ignore it when 199 present. If the header is not available or ignored, a proxy cannot 200 identify the purpose of the tunnel and use this as input to any 201 authorization decision regarding the tunnel. This is 202 indistinguishable from the case where either client or proxy does not 203 support the ALPN header field. 205 The value of the ALPN header field could be falsified by a client. 206 If the data being sent through the tunnel is encrypted (for example, 207 with TLS [RFC5246]), then the proxy might not be able to directly 208 inspect the data to verify that the claimed protocol is the one which 209 is actually being used, though a proxy might be able to perform 210 traffic analysis [TRAFFIC]. A proxy therefore cannot rely on the 211 value of the ALPN header field as a policy input in all cases. 213 5. References 215 5.1. Normative References 217 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 218 Requirement Levels", BCP 14, RFC 2119, March 1997, 219 . 221 [RFC3864] Klyne, G., Nottingham, M., and J. Mogul, "Registration 222 Procedures for Message Header Fields", BCP 90, RFC 3864, 223 September 2004, . 225 [RFC3986] Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform 226 Resource Identifier (URI): Generic Syntax", STD 66, RFC 227 3986, January 2005, 228 . 230 [RFC7230] Fielding, R. and J. Reschke, "Hypertext Transfer Protocol 231 (HTTP/1.1): Message Syntax and Routing", RFC 7230, June 232 2014, . 234 [RFC7231] Fielding, R. and J. Reschke, "Hypertext Transfer Protocol 235 (HTTP/1.1): Semantics and Content", RFC 7231, June 2014, 236 . 238 [RFC7301] Friedl, S., Popov, A., Langley, A., and E. Stephan, 239 "Transport Layer Security (TLS) Application-Layer Protocol 240 Negotiation Extension", RFC 7301, July 2014, 241 . 243 5.2. Informative References 245 [RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security 246 (TLS) Protocol Version 1.2", RFC 5246, August 2008, 247 . 249 [RFC5766] Mahy, R., Matthews, P., and J. Rosenberg, "Traversal Using 250 Relays around NAT (TURN): Relay Extensions to Session 251 Traversal Utilities for NAT (STUN)", RFC 5766, April 2010, 252 . 254 [TRAFFIC] Pironti, A., Strub, P-Y., and K. Bhargavan, "Website Users 255 by TLS Traffic Analysis: New Attacks and Effective 256 Countermeasures, Revision 1", 2012, 257 . 261 5.3. URIs 263 [1] http://www.iana.org/assignments/tls-extensiontype-values/#alpn- 264 protocol-ids 266 [2] https://www.iana.org/assignments/message-headers 268 Authors' Addresses 270 Andrew Hutton 271 Unify 272 Technology Drive 273 Nottingham NG9 1LA 274 UK 276 EMail: andrew.hutton@unify.com 278 Justin Uberti 279 Google 280 747 6th Ave S 281 Kirkland, WA 98033 282 US 284 EMail: justin@uberti.name 285 Martin Thomson 286 Mozilla 287 331 E Evelyn Street 288 Mountain View, CA 94041 289 US 291 EMail: martin.thomson@gmail.com