Re: CONNECT, origins, and Alt-Svc

Ben Schwartz <bemasc@meta.com> Mon, 06 November 2023 14:01 UTC

From: Ben Schwartz <bemasc@meta.com>
To: David Schinazi <dschinazi.ietf@gmail.com>, HTTP Working Group <ietf-http-wg@w3.org>
Date: Mon, 06 Nov 2023 13:59:43 +0000
Message-ID: <BN8PR15MB32812726636AFED649D90873B3AAA@BN8PR15MB3281.namprd15.prod.outlook.com>
In-Reply-To: <CAPDSy+7B47bLmFPKTs=a4TBp8A8wvWHkrYRGyBe7Dw0F_9j23Q@mail.gmail.com>
Subject: Re: CONNECT, origins, and Alt-Svc
Archived-At: <https://www.w3.org/mid/BN8PR15MB32812726636AFED649D90873B3AAA@BN8PR15MB3281.namprd15.prod.outlook.com>
List-Id: <ietf-http-wg.w3.org>

HTTPS RRs do apply to HTTP CONNECT proxy connections.  See https://www.ietf.org/archive/id/draft-ietf-dnsop-svcb-https-12.html#section-9.6-2

HTTPS RR queries do include a port number (but it's omitted if the port number is 443).

So I would definitely recommend your Option 2.  Of course, that doesn't preclude the other options.

--Ben Schwartz
________________________________
From: David Schinazi <dschinazi.ietf@gmail.com>
Sent: Monday, November 6, 2023 6:03 AM
To: HTTP Working Group <ietf-http-wg@w3.org>
Subject: CONNECT, origins, and Alt-Svc

Howdy HTTP enthusiasts,

As we're adding support for CONNECT-UDP in Chrome, we're having to answer the related question "ok I know which proxy I want to use, but do I use TCP or QUIC?".

Right now, the only mechanisms we have to discover HTTP/3 support are Alt-Svc and the HTTPS RR. Both of these are defined in terms of origin*. CONNECT-UDP is defined in terms of origin so we're in good shape there. Same story for connect-tcp (https://datatracker.ietf.org/doc/draft-ietf-httpbis-connect-tcp/). But for CONNECT we're in a weird spot. In CONNECT, there is no origin (or if there is, it applies to the target destination, not to the proxy). So it doesn't quite feel right for a proxy to send the Alt-Svc header on the response to a CONNECT request. Similarly, I'm not sure that if I get an HTTPS RR for the proxy hostname I'm allowed to use it for CONNECT. So there's no great way to know that a CONNECT proxy supports HTTP/3. So if a PAC file tells the browser to use "HTTPS proxy.example.org:443" then it's not clear to me how the browser should figure out if it can use HTTP/3. Here are some options:

1) Send the first CONNECT over HTTP/1 or 2, pretend that use of Alt-Svc applies to the proxy
2) Query the HTTPS DNS RR and pretend that it applies to the proxy
3) Send an OPTIONS * request to the proxy and look for Alt-Svc
4) Try HTTP/3 for the first CONNECT request and fallback to TCP if anything fails (happy eyeballs style)
5) Create a new PAC script verb that means connect-tcp/connect-udp
6) Create a new PAC script verb that means HTTP/3

None of these feel like great solutions. Does anyone have thoughts?
David


*well sort of. The HTTPS RR query doesn't include the port...
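Added illustration (not part of either message above, and not Chrome's or any proxy's code): the port handling Ben refers to. Under the SVCB/HTTPS RR spec (draft-ietf-dnsop-svcb-https, published as RFC 9460), an https origin on port 443 is queried at its bare hostname, while any other port is queried at `_<port>._https.<host>`, so the proxy's port from the PAC string does reach DNS. The sketch below builds that QNAME for a proxy host and port, parses a constructed HTTPS RR in presentation format, and decides whether the client should attempt HTTP/3 (QUIC) or fall back to a TCP-based ALPN. No DNS lookups are performed; the record contents, `proxy.example.org` and `h3-edge.example.net` are assumptions for the example.

```python
"""HTTPS RR naming and ALPN selection for an HTTP CONNECT proxy (worked example).

Rules used (RFC 9460, the published form of draft-ietf-dnsop-svcb-https):
  - QNAME is the host itself for https on port 443, else "_<port>._https.<host>".
  - SvcPriority 0 is AliasMode; the client must re-query at the alias target.
  - "alpn" lists supported protocols; "http/1.1" is implied unless
    "no-default-alpn" is present; "port" overrides the origin's port.
  - A target of "." means "same name as the record owner".
All records below are constructed sample data; nothing touches the network.
"""


def https_rr_qname(host: str, port: int = 443) -> str:
    """Return the DNS owner name at which the HTTPS RR for https://host:port lives."""
    host = host.rstrip(".").lower()
    if port == 443:
        return host
    return f"_{port}._https.{host}"


def parse_https_rr(presentation: str) -> dict:
    """Parse one HTTPS RR in presentation format, e.g. '1 . alpn=h3,h2 port=8443'.

    Value-list escaping (RFC 9460 section 2.1 / Appendix A) is not handled;
    plain ALPN tokens such as h2 and h3 never need it.
    """
    fields = presentation.split()
    priority = int(fields[0])
    target = fields[1]
    params = {}
    for item in fields[2:]:
        key, _, value = item.partition("=")  # "no-default-alpn" has no "=" at all
        params[key] = value.strip('"')
    if "alpn" in params:
        params["alpn"] = params["alpn"].split(",")
    if "port" in params:
        params["port"] = int(params["port"])
    return {"priority": priority, "target": target, "params": params}


def plan_proxy_connection(host: str, port: int, rr_presentation: str) -> dict:
    """Given the proxy from a PAC "HTTPS host:port" entry and the HTTPS RR that
    would be returned for it, return the QNAME queried, the transport to try
    first, and the endpoint to connect to."""
    qname = https_rr_qname(host, port)
    rr = parse_https_rr(rr_presentation)
    if rr["priority"] == 0:
        # AliasMode: no SvcParams here, follow the alias and query again.
        raise ValueError(f"AliasMode record: re-query HTTPS RR at {rr['target']}")

    params = rr["params"]
    target = host.rstrip(".") if rr["target"] == "." else rr["target"].rstrip(".")
    target_port = params.get("port", port)

    alpn = list(params.get("alpn", []))
    if "no-default-alpn" not in params:
        alpn.append("http/1.1")  # default ALPN for the https scheme

    if "h3" in alpn:
        protocol = "h3"         # QUIC: Option 2 from the thread, applied to the proxy
    elif "h2" in alpn:
        protocol = "h2"         # TCP+TLS
    else:
        protocol = "http/1.1"   # TCP+TLS
    return {"qname": qname, "protocol": protocol, "target": target, "port": target_port}


if __name__ == "__main__":
    # Proxy on a non-default port: the port lands in the QNAME, record advertises h3.
    print(plan_proxy_connection("proxy.example.org", 8443, "1 . alpn=h3,h2 port=8443"))
    # Proxy on 443 whose record points at a different target that only speaks h2.
    print(plan_proxy_connection("proxy.example.org", 443, "1 h3-edge.example.net. alpn=h2"))
```

Whether a CONNECT proxy may legitimately be discovered this way is exactly the question David raises; the code only shows what the lookup and decision look like if the answer is yes, and a client would still want a TCP fallback if the QUIC attempt fails.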