IETF Logo Mail Archive

Re: WGLC for draft-ietf-httpbis-connect-tcp

Tommy Pauly <tpauly@apple.com> Wed, 06 March 2024 23:03 UTC

Return-Path: <ietf-http-wg-request+bounce-httpbisa-archive-bis2juki=ietf.org@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8E742C14F69C for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Wed, 6 Mar 2024 15:03:58 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.855
X-Spam-Level:
X-Spam-Status: No, score=-2.855 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.249, HTML_MESSAGE=0.001, MAILING_LIST_MULTI=-1, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=w3.org header.b="JpBDDNhv"; dkim=pass (2048-bit key) header.d=w3.org header.b="ZDJjh51P"; dkim=pass (2048-bit key) header.d=apple.com header.b="ofljeM9m"
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id eHd9NYsegogh for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Wed, 6 Mar 2024 15:03:54 -0800 (PST)
Received: from lyra.w3.org (lyra.w3.org [128.30.52.18]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AEA2EC14E513 for <httpbisa-archive-bis2Juki@ietf.org>; Wed, 6 Mar 2024 15:03:54 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=w3.org; s=s1; h=Subject:References:To:Cc:In-reply-to:Date:MIME-version:Content-type: Message-id:From:Reply-To; bh=ihggZjYe8q1QixU9XHUX9EK7MEuOxLmnyQEfl3uDOSg=; b= JpBDDNhv8FZCdwBnP1Z9s327vB7GdkwriiXt2dM40RT2Q1HD+V0MLlfRcTmWCnigtRko4xa3oYex5 2OIppXf/L5OQYggjqUZDowngSemqfnOPqb/JEUQuXRDNih6WRhfmQSGPdA9wUNgvTJA0DWZ4e7VID 9AC0tn6NQpCDFdKNhwc59WaVKPAejzZx6aXqtze490Y159ZLUWSpofxk8zloPQEqvHxBwv5luwnzJ UA5Sp3JDOkGmTMSKwGodZuLzPPQ5Y4GpLgZ/TmhCmFHoa5GcrnkmvOsEfpbMa9qGMmZNDQZxcpCp9 VDpKewapAlM8PQHI4I0IgWAmlWMj5H4CPg==;
Received: from lists by lyra.w3.org with local (Exim 4.94.2) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1ri0IW-006mlN-Pp for ietf-http-wg-dist@listhub.w3.org; Wed, 06 Mar 2024 23:03:40 +0000
Resent-Date: Wed, 06 Mar 2024 23:03:40 +0000
Resent-Message-Id: <E1ri0IW-006mlN-Pp@lyra.w3.org>
Received: from pan.w3.org ([3.222.182.102]) by lyra.w3.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from <tpauly@apple.com>) id 1ri0IU-006mkH-TI for ietf-http-wg@listhub.w3.org; Wed, 06 Mar 2024 23:03:38 +0000
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=w3.org; s=s1; h=References:To:Cc:In-reply-to:Date:Subject:MIME-version:Content-type: Message-id:From:Reply-To; bh=ihggZjYe8q1QixU9XHUX9EK7MEuOxLmnyQEfl3uDOSg=; t=1709766218; x=1710630218; b=ZDJjh51PGj29LjgkXL2+qBPS/XjecyEN0+/5W5OmKKVp0mF HkpsJQfl/iSOGsGnOqja+CNKhxvew9GgvhB97MBnkCOWZZRF86yb+YSE0vW60yvAvh8mTLVRr2z0L Q8kwXE+OEnPGGj8ogSWt7f1PqjkC/vrS80J6yrxb2ahtNowuaokZg20wKNcY0p3kwMzGUDrhoRGwn h4NPJvQMwL3RAVwFSUlODJ1R2hm0jUTDhgCZJZO/yA1yFaFRZkiOtfp4zVDzuhICT3oDuwDAJFT3D k44pt2LWhteJYbxDeZLJaxT10Tn9C3CvZHCfgRW0VfSW/TIQfXxHhDo0Na18UYng==;
Received-SPF: pass (pan.w3.org: domain of apple.com designates 17.32.222.23 as permitted sender) client-ip=17.32.222.23; envelope-from=tpauly@apple.com; helo=ma-mailsvcp-mx-lapp02.apple.com;
Received: from ma-mailsvcp-mx-lapp02.apple.com ([17.32.222.23]) by pan.w3.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (Exim 4.96) (envelope-from <tpauly@apple.com>) id 1ri0IT-008AHm-3B for ietf-http-wg@w3.org; Wed, 06 Mar 2024 23:03:38 +0000
Received: from rn-mailsvcp-mta-lapp04.rno.apple.com (rn-mailsvcp-mta-lapp04.rno.apple.com [10.225.203.152]) by ma-mailsvcp-mx-lapp02.apple.com (Oracle Communications Messaging Server 8.1.0.23.20230328 64bit (built Mar 28 2023)) with ESMTPS id <0S9Y00HOB81HJA20@ma-mailsvcp-mx-lapp02.apple.com> for ietf-http-wg@w3.org; Wed, 06 Mar 2024 15:03:34 -0800 (PST)
X-Proofpoint-ORIG-GUID: 22wr1fQk7C49t7gJbJhfqqke5BdqeacT
X-Proofpoint-GUID: 22wr1fQk7C49t7gJbJhfqqke5BdqeacT
X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.272,Aquarius:18.0.1011,Hydra:6.0.619,FMLib:17.11.176.26 definitions=2024-03-06_12,2024-03-05_01,2023-05-22_02
X-Proofpoint-Spam-Details: rule=interactive_user_notspam policy=interactive_user score=0 mlxlogscore=999 mlxscore=0 phishscore=0 malwarescore=0 bulkscore=0 spamscore=0 suspectscore=0 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2311290000 definitions=main-2403060186
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=apple.com; h=from : message-id : content-type : mime-version : subject : date : in-reply-to : cc : to : references; s=20180706; bh=ihggZjYe8q1QixU9XHUX9EK7MEuOxLmnyQEfl3uDOSg=; b=ofljeM9mkN/oIqrv0irVC8LZ77I5UnHuqX2BievGPQznTbmVOZBLo3tjD8BkxB3gPeBm oJI+o6GnUkMZhBlPlhEwT87lTSbz7Vi9Yh3i7xWuzdAxhX01eE8kL2cwpvQ/0vOoVVVA bWnSXq3Iy+srVwdvRfhSGBVwo/Z8cI++e5FLRwEd4vznDaAivOi5nAjpNBIflZL/gNNZ g4adup/lYmcAg16kvymGp2BUhK26cpUKoyPd4dbm+nCSNXSr2doa2aHhyuPQG9qsL/TE lMjiWepK4HaJOBmh8JGabYBSTtVqmD+DIC3R8RIUMsHGoifHTSnO99cDhJkOaRdsyXY8 ew==
Received: from rn-mailsvcp-policy-lapp01.rno.apple.com (rn-mailsvcp-policy-lapp01.rno.apple.com [17.179.253.18]) by rn-mailsvcp-mta-lapp04.rno.apple.com (Oracle Communications Messaging Server 8.1.0.23.20230328 64bit (built Mar 28 2023)) with ESMTPS id <0S9Y00H3P81TN670@rn-mailsvcp-mta-lapp04.rno.apple.com>; Wed, 06 Mar 2024 15:03:30 -0800 (PST)
Received: from process_milters-daemon.rn-mailsvcp-policy-lapp01.rno.apple.com by rn-mailsvcp-policy-lapp01.rno.apple.com (Oracle Communications Messaging Server 8.1.0.22.20230228 64bit (built Feb 28 2023)) id <0S9Y00W007Q7Q000@rn-mailsvcp-policy-lapp01.rno.apple.com>; Wed, 06 Mar 2024 15:03:29 -0800 (PST)
X-Va-A:
X-Va-T-CD: d12e0f3df28afb7f00edc1fe4f140be5
X-Va-E-CD: c9bd4101e6b9c7970cf18ac1d952aca8
X-Va-R-CD: 07c6ebd6c62e25bf0ecdfba5c6b0180d
X-Va-ID: 566821c0-99b3-4443-ad15-257859058428
X-Va-CD: 0
X-V-A:
X-V-T-CD: d12e0f3df28afb7f00edc1fe4f140be5
X-V-E-CD: c9bd4101e6b9c7970cf18ac1d952aca8
X-V-R-CD: 07c6ebd6c62e25bf0ecdfba5c6b0180d
X-V-ID: b4a7e57c-7d8e-46fc-a125-ad1798dd8dec
X-V-CD: 0
X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.272,Aquarius:18.0.1011,Hydra:6.0.619,FMLib:17.11.176.26 definitions=2024-03-06_12,2024-03-05_01,2023-05-22_02
Received: from smtpclient.apple ([17.234.32.135]) by rn-mailsvcp-policy-lapp01.rno.apple.com (Oracle Communications Messaging Server 8.1.0.22.20230228 64bit (built Feb 28 2023)) with ESMTPSA id <0S9Y007HJ81TIH00@rn-mailsvcp-policy-lapp01.rno.apple.com>; Wed, 06 Mar 2024 15:03:29 -0800 (PST)
From: Tommy Pauly <tpauly@apple.com>
Message-id: <4CFF195E-5D02-414D-9C08-A7647CD7A2D0@apple.com>
Content-type: multipart/alternative; boundary="Apple-Mail=_698A8D8A-F352-4619-BA78-229B49737D19"
MIME-version: 1.0 (Mac OS X Mail 16.0 \(3774.500.171.1.1\))
Date: Wed, 06 Mar 2024 15:03:19 -0800
In-reply-to: <CAPDSy+7Lo0KkeYNsUdbsjoaoN3Dc_pCGabHSuXGXtt31a_Ungg@mail.gmail.com>
Cc: HTTP Working Group <ietf-http-wg@w3.org>
To: David Schinazi <dschinazi.ietf@gmail.com>, Ben Schwartz <bemasc@meta.com>
References: <7228A073-F867-4007-BB44-0AA547455539@apple.com> <CAPDSy+5ETu3BeA-0defYYKhLhMZ9f6UE=boxAp7aFwh-RTi9xw@mail.gmail.com> <SA1PR15MB437034E91B1959A206D82482B3792@SA1PR15MB4370.namprd15.prod.outlook.com> <0489428B-16E4-42AF-8224-9054122DD41A@apple.com> <662ECDC0-3B90-443F-BD0F-AF340FD7FEED@meta.com> <CAPDSy+7TEseyJv5TO0BLrdRBpGvjGLOeEqSbZW4JN8xir5c1tg@mail.gmail.com> <8A616C9D-496D-4730-938D-A9BDB1CEBC48@meta.com> <CAPDSy+7Lo0KkeYNsUdbsjoaoN3Dc_pCGabHSuXGXtt31a_Ungg@mail.gmail.com>
X-Mailer: Apple Mail (2.3774.500.171.1.1)
X-W3C-Hub-DKIM-Status: validation passed: (address=tpauly@apple.com domain=apple.com), signature is good
X-W3C-Hub-Spam-Status: No, score=-9.5
X-W3C-Hub-Spam-Report: BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.365, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, DMARC_PASS=-0.001, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, W3C_AA=-1, W3C_DB=-1, W3C_IRA=-1, W3C_IRR=-3, W3C_WL=-1
X-W3C-Scan-Sig: pan.w3.org 1ri0IT-008AHm-3B d381e54a40096b8f07426012da7f00ce
X-Original-To: ietf-http-wg@w3.org
Subject: Re: WGLC for draft-ietf-httpbis-connect-tcp
Archived-At: <https://www.w3.org/mid/4CFF195E-5D02-414D-9C08-A7647CD7A2D0@apple.com>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/51864
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <https://www.w3.org/email/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>

(As an individual)

I agree with David regarding the list of IP addresses — at the very least, it could be done in a similar way for connect-udp, etc.

I did have one additional question about the design here. The related connect-udp and connect-ip protocols do have a nice feature inherent to using datagrams that they can use capsules to provide control messages between the client and the proxy at the start or during the middle of a transaction. Since connect-tcp consumes the stream, it doesn’t do that (and that makes sense for the sake of simplicity). However, I can imagine some cases where a client and proxy could want to have some generic capsules that describe proxy behavior that could be interesting for a connect-tcp proxy; for example, if a client and proxy wanted to communicate about different sending patterns to use for obfuscating traffic with padding and chaff, that could be negotiated using capsules.

So my question is: do we think we’ll have any extension features that would want to use a capsule-like mechanism with connect-tcp, and if so how would that work? For example, if the client and proxy negotiate using the Capsule-Protocol header, do the stream data chunks end up going into capsules instead of directly into DATA frames?

Thanks,
Tommy

> On Feb 16, 2024, at 2:04 PM, David Schinazi <dschinazi.ietf@gmail.com> wrote:
> 
> Thanks for clarifying. At this point the list-of-IP-addresses feature seems unneeded to me, and it adds complexity to server implementations. I would personally recommend removing it from this document. It can always be added back if we need it later in an extension.
> David
> 
> On Thu, Feb 15, 2024 at 1:01 PM Ben Schwartz <bemasc@meta.com <mailto:bemasc@meta.com>> wrote:
>> 
>> 
>> > On Feb 15, 2024, at 2:34 PM, David Schinazi <dschinazi.ietf@gmail.com <mailto:dschinazi.ietf@gmail.com>> wrote:
>> > 
>> > Hi Ben, thanks for the PR - it looks good to me.
>> > 
>> > Regarding your point about client implementers, can you share more about them? Who's implemented this so far? Who's depending on the address list feature?
>> 
>> I’m referring to prior conversations where some people seemed to prefer leaving DNS resolution entirely in the client’s hands, e.g. [1].
>> 
>> In most cases, I think target_host should simply be a hostname.  However, I do think there are some cases where passing an IP address is appropriate, and in those cases passing a list of N IPs is much more efficient than sending N requests with one IP each:
>> 
>> * When the client feels that it is necessary to enforce DNSSEC validation of the A/AAAA responses.  (This is an unusual threat model, but it is supported by platforms like iOS [2]).
>> * When the client attempts to reduce connection setup latency by using an HTTPS record’s ipv4hint and ipv6hint SvcParams.
>> * When the IP addresses were not delivered through DNS at all (e.g., ICE TCP in SDP [3])
>> 
>> —Ben
>> 
>> [1] https://datatracker.ietf.org/doc/chatlog-115-masque-202211090930/#:~:text=In%20general%2C%20it%27s%20better%20for%20the%20proxy%20to%20do%20the%20final%20name%2D%3EIP%20resolution%2C%20whereas%20it%27s%20better%20for%20the%20client%20to%20do%20the%20HTTPS/SVCB%20lookup.
>> 
>> [2] https://developer.apple.com/documentation/network/nwparameters/3952717-requiresdnssecvalidation
>> 
>> [3] https://datatracker.ietf.org/doc/html/rfc6544#appendix-C
>> 
>> > 
>> > Thanks,
>> > David
>> > 
>> > On Wed, Feb 14, 2024 at 1:59 PM Ben Schwartz <bemasc@meta.com <mailto:bemasc@meta.com>> wrote:
>> > 
>> >> On Feb 13, 2024, at 10:48 PM, Tommy Pauly <tpauly@apple.com <mailto:tpauly@apple.com>> wrote:
>> >> 
>> >>> On Jan 26, 2024, at 11:19 AM, Ben Schwartz <bemasc@meta.com <mailto:bemasc@meta.com>> wrote:
>> > ...
>> >>>     • "target_port" or "tcp_port": https://github.com/httpwg/http-extensions/pull/2720
>> > 
>> > 
>> > …
>> > 
>> >> As I’ve mentioned just now on the issue, the direction for configuration might be to be more explicit on the supported protocol, so that we don’t try to infer the protocol from the template. Based on that, I’d lean right now towards just having a target_port, instead of tcp_port.
>> > 
>> > 
>> > OK it sounds like the consensus favors this change, so I’ve opened https://github.com/httpwg/http-extensions/pull/2736.
>> > 
>> >>> 
>> >>>     • Support for "target_host=192.0.2.1&target_host=2001:db8::1": https://github.com/httpwg/http-extensions/pull/2719
>> >>> 
>> >>> To improve Happy Eyeballs and related behaviors, "connect-tcp" allows the client to provide a list of IP addresses.  URI Templates have a built-in notion of lists.  In URI Template Level 3 and below, list elements are always joined by commas ("192.0.2.1,2001:db8::1").  However, in Level 4, templates can use the "explode modifier" to generate repeated key=value assignments (as above), which are more idiomatic in some web frameworks.  Should we require clients to support Level 4 templates, or restrict proxies to publishing Level 3 templates?
>> >> 
>> >> 
>> >> In what I’ve seen, it’s usually best to have happy eyeballs be done by the proxy based on the DNS resolution the proxy itself has performed, not necessarily the addresses provided by the client. Before we make this too complex, I'd like to hear about who would exercise this capability.
>> > 
>> > I agree that this is best practice.  (It’s even documented at https://datatracker.ietf.org/doc/html/rfc9460#section-3.2-2.)  However, I’ve heard a number of arguments from client implementors who felt that the client should be able to use its own DNS resolver, independent of the proxy, in which case this functionality seems valuable for Happy Eyeballs to work as intended.
>> > 
>> > In the above pull request, I’ve simplified the syntax for this (reducing the URI Template requirement to Level 3) to minimize the burden on clients that don’t use the feature.
>> > 
>> > —Ben
>> 
>>

v2.23.0 | Report a Bug | By Email