Re: I-D Action: draft-ietf-httpbis-tunnel-protocol-00.txt

Julian Reschke <julian.reschke@greenbytes.de> Fri, 22 August 2014 10:02 UTC

Return-Path: <ietf-http-wg-request@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 91EB01A01F9 for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Fri, 22 Aug 2014 03:02:29 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.57
X-Spam-Level:
X-Spam-Status: No, score=-7.57 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-0.668, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id a-K0jXC6T6cC for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Fri, 22 Aug 2014 03:02:27 -0700 (PDT)
Received: from frink.w3.org (frink.w3.org [128.30.52.56]) (using TLSv1 with cipher AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 36EE11A01F6 for <httpbisa-archive-bis2Juki@lists.ietf.org>; Fri, 22 Aug 2014 03:02:26 -0700 (PDT)
Received: from lists by frink.w3.org with local (Exim 4.72) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1XKlco-0007kM-GZ for ietf-http-wg-dist@listhub.w3.org; Fri, 22 Aug 2014 09:59:14 +0000
Resent-Date: Fri, 22 Aug 2014 09:59:14 +0000
Resent-Message-Id: <E1XKlco-0007kM-GZ@frink.w3.org>
Received: from maggie.w3.org ([128.30.52.39]) by frink.w3.org with esmtp (Exim 4.72) (envelope-from <julian.reschke@greenbytes.de>) id 1XKlcK-0007iH-CO for ietf-http-wg@listhub.w3.org; Fri, 22 Aug 2014 09:58:44 +0000
Received: from mail.greenbytes.de ([217.91.35.233]) by maggie.w3.org with esmtp (Exim 4.72) (envelope-from <julian.reschke@greenbytes.de>) id 1XKlcJ-0001CD-0i for ietf-http-wg@w3.org; Fri, 22 Aug 2014 09:58:44 +0000
Received: from [192.168.1.26] (unknown [217.91.35.233]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client did not present a certificate) by mail.greenbytes.de (Postfix) with ESMTPSA id CEBC315A317C; Fri, 22 Aug 2014 11:58:16 +0200 (CEST)
Message-ID: <53F71437.7070204@greenbytes.de>
Date: Fri, 22 Aug 2014 11:58:15 +0200
From: Julian Reschke <julian.reschke@greenbytes.de>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Thunderbird/31.0
MIME-Version: 1.0
To: Mark Nottingham <mnot@mnot.net>, HTTP Working Group <ietf-http-wg@w3.org>
References: <20140818233839.23251.81316.idtracker@ietfa.amsl.com> <858FBAA8-F0D5-43A0-A621-7D504AB3327A@mnot.net>
In-Reply-To: <858FBAA8-F0D5-43A0-A621-7D504AB3327A@mnot.net>
Content-Type: text/plain; charset="windows-1252"; format="flowed"
Content-Transfer-Encoding: 7bit
Received-SPF: pass client-ip=217.91.35.233; envelope-from=julian.reschke@greenbytes.de; helo=mail.greenbytes.de
X-W3C-Hub-Spam-Status: No, score=-3.5
X-W3C-Hub-Spam-Report: AWL=-2.783, RP_MATCHES_RCVD=-0.668, SPF_PASS=-0.001
X-W3C-Scan-Sig: maggie.w3.org 1XKlcJ-0001CD-0i 870268617692f53504c5f889538b7f72
X-Original-To: ietf-http-wg@w3.org
Subject: Re: I-D Action: draft-ietf-httpbis-tunnel-protocol-00.txt
Archived-At: <http://www.w3.org/mid/53F71437.7070204@greenbytes.de>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/26703
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <http://www.w3.org/Mail/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>

Hi there,

below comments on the current version in git:

>    The HTTP Tunnel-Protocol header field identifies the protocol that
>    will be spoken within the tunnel, using the application layer next
>    protocol identifier [RFC7301] specified for TLS [RFC5246].

Maybe intro "ALPN" here?

>    When CONNECT is used to establish a TLS tunnel, the Tunnel-Protocol
>    header field may be used to carry the same next protocol label as was
>    carried within the TLS handshake.  However, the HTTP-Protocol is an

"HTTP-Protocol"? Typo?

> 2.  The Tunnel-Protocol HTTP Request Header Field
>
>    Clients include the Tunnel-Protocol Request Header field in a HTTP
>    Connect request to indicate the application layer protocol used

s/Connect/CONNECT/?

>    within the tunnel.

Should we say something about the semantics of the field name in 
requests other than CONNECT?

> 2.1.  Header Field Values
>
>    Valid values for the protocol field are taken from the registry
>    established in [RFC7301].

It would be more helpful to reference the IANA registry 
(<http://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#alpn-protocol-ids>)...

> 2.2.  Syntax
>
>    The ABNF (Augmented Backus-Naur Form) syntax for the Tunnel-Protocol
>    header field is given below.  It is based on the Generic Grammar
>    defined in Section 2 of [RFC7230].

Section 2 of [RFC7230] doesn't define a "Generic Grammar".

>       Tunnel-Protocol = "Tunnel-Protocol:" protocol-id
>       protocol-id     = token ; percent-encoded ALPN protocol identifier

This should only define the field value (not the field name). See 
<http://greenbytes.de/tech/webdav/draft-ietf-httpbis-alt-svc-latest.html#alt-svc> 
for an example.

>    ALPN protocol names are octet sequences with no additional
>    constraints on format.  Octets not allowed in tokens ([RFC7230],
>    Section 3.2.6) must be percent-encoded as per Section 2.1 of
>    [RFC3986].  Consequently, the octet representing the percent
>    character "%" (hex 25) must be percent-encoded as well.
>
>    In order to have precisely one way to represent any ALPN protocol
>    name, the following additional constraints apply:
>
>    o  Octets in the ALPN protocol must not be percent-encoded if they
>       are valid token characters except "%", and
>
>    o  When using percent-encoding, uppercase hex digits must be used.
>
>    With these constraints, recipients can apply simple string comparison
>    to match protocol identifiers.

(steal with pride :-)

>    For example:
>
>
>      CONNECT turn_server.example.com:5349 HTTP/1.1
>      Host: turn_server.example.com:5349
>      Tunnel-Protocol: turn

Do we need to state how to treat multiple field instances? (Any security 
concern here?)

> 3.  IANA Considerations
>
>    [[anchor6: To Be Added]]

Insert header field registration...

> 4.  Security Considerations
>
>    In case of using HTTP CONNECT to a TURN server the security
>    consideration of Section 4.3.6 of [RFC7231] apply.  It states that
>    there "are significant risks in establishing a tunnel to arbitrary
>    servers, particularly when the destination is a well-known or
>    reserved TCP port that is not intended for Web traffic.  Proxies that
>    support CONNECT SHOULD restrict its use to a limited set of known
>    ports or a configurable whitelist of safe request targets."
>
>    The Tunnel-Protocol request header field described in this document
>    is an optional header and HTTP Proxies may of course not support the

s/header/header field/

- avoid lowercase "may"; maybe say "might".

>    header and therefore ignore it.  If the header is not present or
>    ignored then the proxy has no explicit indication as to the purpose
>    of the tunnel on which to provide consent, this is the generic case

s/,/-/

>    that exists without the Tunnel-Protocol header.
>
> 5.  References
>
> 5.1.  Normative References
>
>    [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
>               Requirement Levels", BCP 14, RFC 2119, March 1997.
>
>    [RFC3986]  Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform
>               Resource Identifier (URI): Generic Syntax", STD 66,
>               RFC 3986, January 2005.
>
>    [RFC7230]  Fielding, R. and J. Reschke, "Hypertext Transfer Protocol
>               (HTTP/1.1): Message Syntax and Routing", RFC 7230,
>               June 2014.
>
>    [RFC7231]  Fielding, R. and J. Reschke, "Hypertext Transfer Protocol
>               (HTTP/1.1): Semantics and Content", RFC 7231, June 2014.
>
>    [RFC7301]  Friedl, S., Popov, A., Langley, A., and E. Stephan,
>               "Transport Layer Security (TLS) Application-Layer Protocol
>               Negotiation Extension", RFC 7301, July 2014.
>
> 5.2.  Informative References
>
>    [RFC5246]  Dierks, T. and E. Rescorla, "The Transport Layer Security
>               (TLS) Protocol Version 1.2", RFC 5246, August 2008.
> ...


Best regards, Julian