Re: I-D Action: draft-ietf-httpbis-tunnel-protocol-00.txt
Julian Reschke <julian.reschke@greenbytes.de> Fri, 22 August 2014 10:02 UTC
Return-Path: <ietf-http-wg-request@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 91EB01A01F9 for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Fri, 22 Aug 2014 03:02:29 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.57
X-Spam-Level:
X-Spam-Status: No, score=-7.57 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-0.668, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id a-K0jXC6T6cC for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Fri, 22 Aug 2014 03:02:27 -0700 (PDT)
Received: from frink.w3.org (frink.w3.org [128.30.52.56]) (using TLSv1 with cipher AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 36EE11A01F6 for <httpbisa-archive-bis2Juki@lists.ietf.org>; Fri, 22 Aug 2014 03:02:26 -0700 (PDT)
Received: from lists by frink.w3.org with local (Exim 4.72) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1XKlco-0007kM-GZ for ietf-http-wg-dist@listhub.w3.org; Fri, 22 Aug 2014 09:59:14 +0000
Resent-Date: Fri, 22 Aug 2014 09:59:14 +0000
Resent-Message-Id: <E1XKlco-0007kM-GZ@frink.w3.org>
Received: from maggie.w3.org ([128.30.52.39]) by frink.w3.org with esmtp (Exim 4.72) (envelope-from <julian.reschke@greenbytes.de>) id 1XKlcK-0007iH-CO for ietf-http-wg@listhub.w3.org; Fri, 22 Aug 2014 09:58:44 +0000
Received: from mail.greenbytes.de ([217.91.35.233]) by maggie.w3.org with esmtp (Exim 4.72) (envelope-from <julian.reschke@greenbytes.de>) id 1XKlcJ-0001CD-0i for ietf-http-wg@w3.org; Fri, 22 Aug 2014 09:58:44 +0000
Received: from [192.168.1.26] (unknown [217.91.35.233]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client did not present a certificate) by mail.greenbytes.de (Postfix) with ESMTPSA id CEBC315A317C; Fri, 22 Aug 2014 11:58:16 +0200 (CEST)
Message-ID: <53F71437.7070204@greenbytes.de>
Date: Fri, 22 Aug 2014 11:58:15 +0200
From: Julian Reschke <julian.reschke@greenbytes.de>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Thunderbird/31.0
MIME-Version: 1.0
To: Mark Nottingham <mnot@mnot.net>, HTTP Working Group <ietf-http-wg@w3.org>
References: <20140818233839.23251.81316.idtracker@ietfa.amsl.com> <858FBAA8-F0D5-43A0-A621-7D504AB3327A@mnot.net>
In-Reply-To: <858FBAA8-F0D5-43A0-A621-7D504AB3327A@mnot.net>
Content-Type: text/plain; charset="windows-1252"; format="flowed"
Content-Transfer-Encoding: 7bit
Received-SPF: pass client-ip=217.91.35.233; envelope-from=julian.reschke@greenbytes.de; helo=mail.greenbytes.de
X-W3C-Hub-Spam-Status: No, score=-3.5
X-W3C-Hub-Spam-Report: AWL=-2.783, RP_MATCHES_RCVD=-0.668, SPF_PASS=-0.001
X-W3C-Scan-Sig: maggie.w3.org 1XKlcJ-0001CD-0i 870268617692f53504c5f889538b7f72
X-Original-To: ietf-http-wg@w3.org
Subject: Re: I-D Action: draft-ietf-httpbis-tunnel-protocol-00.txt
Archived-At: <http://www.w3.org/mid/53F71437.7070204@greenbytes.de>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/26703
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <http://www.w3.org/Mail/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>
Hi there, below comments on the current version in git: > The HTTP Tunnel-Protocol header field identifies the protocol that > will be spoken within the tunnel, using the application layer next > protocol identifier [RFC7301] specified for TLS [RFC5246]. Maybe intro "ALPN" here? > When CONNECT is used to establish a TLS tunnel, the Tunnel-Protocol > header field may be used to carry the same next protocol label as was > carried within the TLS handshake. However, the HTTP-Protocol is an "HTTP-Protocol"? Typo? > 2. The Tunnel-Protocol HTTP Request Header Field > > Clients include the Tunnel-Protocol Request Header field in a HTTP > Connect request to indicate the application layer protocol used s/Connect/CONNECT/? > within the tunnel. Should we say something about the semantics of the field name in requests other than CONNECT? > 2.1. Header Field Values > > Valid values for the protocol field are taken from the registry > established in [RFC7301]. It would be more helpful to reference the IANA registry (<http://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#alpn-protocol-ids>)... > 2.2. Syntax > > The ABNF (Augmented Backus-Naur Form) syntax for the Tunnel-Protocol > header field is given below. It is based on the Generic Grammar > defined in Section 2 of [RFC7230]. Section 2 of [RFC7230] doesn't define a "Generic Grammar". > Tunnel-Protocol = "Tunnel-Protocol:" protocol-id > protocol-id = token ; percent-encoded ALPN protocol identifier This should only define the field value (not the field name). See <http://greenbytes.de/tech/webdav/draft-ietf-httpbis-alt-svc-latest.html#alt-svc> for an example. > ALPN protocol names are octet sequences with no additional > constraints on format. Octets not allowed in tokens ([RFC7230], > Section 3.2.6) must be percent-encoded as per Section 2.1 of > [RFC3986]. Consequently, the octet representing the percent > character "%" (hex 25) must be percent-encoded as well. > > In order to have precisely one way to represent any ALPN protocol > name, the following additional constraints apply: > > o Octets in the ALPN protocol must not be percent-encoded if they > are valid token characters except "%", and > > o When using percent-encoding, uppercase hex digits must be used. > > With these constraints, recipients can apply simple string comparison > to match protocol identifiers. (steal with pride :-) > For example: > > > CONNECT turn_server.example.com:5349 HTTP/1.1 > Host: turn_server.example.com:5349 > Tunnel-Protocol: turn Do we need to state how to treat multiple field instances? (Any security concern here?) > 3. IANA Considerations > > [[anchor6: To Be Added]] Insert header field registration... > 4. Security Considerations > > In case of using HTTP CONNECT to a TURN server the security > consideration of Section 4.3.6 of [RFC7231] apply. It states that > there "are significant risks in establishing a tunnel to arbitrary > servers, particularly when the destination is a well-known or > reserved TCP port that is not intended for Web traffic. Proxies that > support CONNECT SHOULD restrict its use to a limited set of known > ports or a configurable whitelist of safe request targets." > > The Tunnel-Protocol request header field described in this document > is an optional header and HTTP Proxies may of course not support the s/header/header field/ - avoid lowercase "may"; maybe say "might". > header and therefore ignore it. If the header is not present or > ignored then the proxy has no explicit indication as to the purpose > of the tunnel on which to provide consent, this is the generic case s/,/-/ > that exists without the Tunnel-Protocol header. > > 5. References > > 5.1. Normative References > > [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate > Requirement Levels", BCP 14, RFC 2119, March 1997. > > [RFC3986] Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform > Resource Identifier (URI): Generic Syntax", STD 66, > RFC 3986, January 2005. > > [RFC7230] Fielding, R. and J. Reschke, "Hypertext Transfer Protocol > (HTTP/1.1): Message Syntax and Routing", RFC 7230, > June 2014. > > [RFC7231] Fielding, R. and J. Reschke, "Hypertext Transfer Protocol > (HTTP/1.1): Semantics and Content", RFC 7231, June 2014. > > [RFC7301] Friedl, S., Popov, A., Langley, A., and E. Stephan, > "Transport Layer Security (TLS) Application-Layer Protocol > Negotiation Extension", RFC 7301, July 2014. > > 5.2. Informative References > > [RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security > (TLS) Protocol Version 1.2", RFC 5246, August 2008. > ... Best regards, Julian
- I-D Action: draft-ietf-httpbis-tunnel-protocol-00… internet-drafts
- Re: I-D Action: draft-ietf-httpbis-tunnel-protoco… Mark Nottingham
- Re: I-D Action: draft-ietf-httpbis-tunnel-protoco… Greg Wilkins
- Re: I-D Action: draft-ietf-httpbis-tunnel-protoco… Mark Nottingham
- Re: I-D Action: draft-ietf-httpbis-tunnel-protoco… Greg Wilkins
- Re: I-D Action: draft-ietf-httpbis-tunnel-protoco… Mark Nottingham
- Re: I-D Action: draft-ietf-httpbis-tunnel-protoco… Adam Rice
- Re: I-D Action: draft-ietf-httpbis-tunnel-protoco… Amos Jeffries
- Re: I-D Action: draft-ietf-httpbis-tunnel-protoco… Adam Rice
- Re: I-D Action: draft-ietf-httpbis-tunnel-protoco… Amos Jeffries
- Re: I-D Action: draft-ietf-httpbis-tunnel-protoco… Martin Thomson
- RE: I-D Action: draft-ietf-httpbis-tunnel-protoco… Makaraju, Maridi Raju (Raju)
- Re: I-D Action: draft-ietf-httpbis-tunnel-protoco… Julian Reschke