Re: CONNECT, origins, and Alt-Svc
David Benjamin <davidben@chromium.org> Mon, 06 November 2023 12:36 UTC
Return-Path: <ietf-http-wg-request+bounce-httpbisa-archive-bis2juki=ietf.org@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 264C8C17DC0C for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Mon, 6 Nov 2023 04:36:30 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.756
X-Spam-Level:
X-Spam-Status: No, score=-2.756 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.249, HTML_MESSAGE=0.001, MAILING_LIST_MULTI=-1, RCVD_IN_MSPIKE_H5=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=chromium.org
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2t-4aQpXZU6b for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Mon, 6 Nov 2023 04:36:26 -0800 (PST)
Received: from lyra.w3.org (lyra.w3.org [128.30.52.18]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 55D1DC17C8B5 for <httpbisa-archive-bis2Juki@ietf.org>; Mon, 6 Nov 2023 04:36:26 -0800 (PST)
Received: from lists by lyra.w3.org with local (Exim 4.94.2) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1qzypM-00CNts-U7 for ietf-http-wg-dist@listhub.w3.org; Mon, 06 Nov 2023 12:35:36 +0000
Resent-Date: Mon, 06 Nov 2023 12:35:36 +0000
Resent-Message-Id: <E1qzypM-00CNts-U7@lyra.w3.org>
Received: from mimas.w3.org ([128.30.52.79]) by lyra.w3.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from <davidben@google.com>) id 1qzypK-00CNsL-Df for ietf-http-wg@listhub.w3.org; Mon, 06 Nov 2023 12:35:34 +0000
Received: from mail-yw1-x112f.google.com ([2607:f8b0:4864:20::112f]) by mimas.w3.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (Exim 4.94.2) (envelope-from <davidben@google.com>) id 1qzypI-004uqd-IA for ietf-http-wg@w3.org; Mon, 06 Nov 2023 12:35:34 +0000
Received: by mail-yw1-x112f.google.com with SMTP id 00721157ae682-5afabb23900so52547067b3.2 for <ietf-http-wg@w3.org>; Mon, 06 Nov 2023 04:35:32 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; t=1699274128; x=1699878928; darn=w3.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=VHmQZ56k6Q699/HzZHdb1Ul2374vU2owysvf+43IBTQ=; b=A/zEIec36orHSOM8zbaHuVoudoUHvIUDpO3CJVX/AExWU/B8gz7GtjfDRNDjY+pJLf AnKHGm7PJ81eDwXiQkWlMTK9aIjpUU8R4h6RWzGz4IDX4ddmWDJ/jQVUg9uTWSLLi/lV rQslKE9R3DFjfMkEG0SLx0Q4x4VjGxVVqNLk8=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1699274128; x=1699878928; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=VHmQZ56k6Q699/HzZHdb1Ul2374vU2owysvf+43IBTQ=; b=kdzNAJOnamUchSiwX7+NguhjwAS/oMYj0kGsR2/HkiihAg69ng7rOKlemd72S+xX0W 3BgP1qgafH0SqQZn0ONqL6z46YpUw5nsR/jGO9VRlKxcLtWzIxgCvSYmRedPUwQjw03q 5WUxAwGXvPjfcpj+IP+WYNOeY1etDe1aVWOrsiZjLiZsX5IVPz032Pby3qsI5FDBBs7y 6SwI5hHGXPXQG0VagNmNn3sPTpHPtLKODW/9LRIvTvGupAZUTV66vryxtn/uX1tM4bpZ Ta4/Nq5Nved0Jkf68gQSKYezizTq0PqtO503QKZmGQDRKg4BQ1lyAF5S9WqyzguTTNnH Ipyg==
X-Gm-Message-State: AOJu0Yy3g+hsM4GN/b6lTo0Rl58SP5SPE8OhFsnQPObk5SYkWRLlOZRs 75Bc3zJo+ZirWVRLJSEYEf4wVqEAlvv6ryEMetFvl5QMTaqnxIoQr7m9
X-Google-Smtp-Source: AGHT+IEr0Br73pweVP6YIJpSDxTBYS5Wb8PRLOmgaAflLiqi0edDYE54hGh6UAu7GbFnS+xO2jMacGSFxpkfBYWMF90=
X-Received: by 2002:a25:2f4b:0:b0:d9b:48e0:14ed with SMTP id v72-20020a252f4b000000b00d9b48e014edmr27269736ybv.31.1699274128372; Mon, 06 Nov 2023 04:35:28 -0800 (PST)
MIME-Version: 1.0
References: <CAPDSy+7B47bLmFPKTs=a4TBp8A8wvWHkrYRGyBe7Dw0F_9j23Q@mail.gmail.com>
In-Reply-To: <CAPDSy+7B47bLmFPKTs=a4TBp8A8wvWHkrYRGyBe7Dw0F_9j23Q@mail.gmail.com>
From: David Benjamin <davidben@chromium.org>
Date: Mon, 06 Nov 2023 07:35:10 -0500
Message-ID: <CAF8qwaCGjUSPRk1Dz-Ux9aO02iW9F-1r6SrX4hur5Z1rP+5FaA@mail.gmail.com>
To: David Schinazi <dschinazi.ietf@gmail.com>
Cc: HTTP Working Group <ietf-http-wg@w3.org>
Content-Type: multipart/alternative; boundary="000000000000cd15ca06097b16ed"
Received-SPF: pass client-ip=2607:f8b0:4864:20::112f; envelope-from=davidben@google.com; helo=mail-yw1-x112f.google.com
X-W3C-Hub-DKIM-Status: validation passed: (address=davidben@google.com domain=chromium.org), signature is good
X-W3C-Hub-Spam-Status: No, score=-11.3
X-W3C-Hub-Spam-Report: BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.25, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, USER_IN_DEF_SPF_WL=-7.5, W3C_AA=-1, W3C_WL=-1
X-W3C-Scan-Sig: mimas.w3.org 1qzypI-004uqd-IA 72c9b249bd1b1c7785a6228bef36a322
X-Original-To: ietf-http-wg@w3.org
Subject: Re: CONNECT, origins, and Alt-Svc
Archived-At: <https://www.w3.org/mid/CAF8qwaCGjUSPRk1Dz-Ux9aO02iW9F-1r6SrX4hur5Z1rP+5FaA@mail.gmail.com>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/51560
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <https://www.w3.org/email/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>
On Mon, Nov 6, 2023 at 6:05 AM David Schinazi <dschinazi.ietf@gmail.com> wrote: > Howdy HTTP enthusiasts, > > As we're adding support for CONNECT-UDP in Chrome, we're having to answer > the related question "ok I know which proxy I want to use, but do I use TCP > or QUIC?". > > Right now, the only mechanisms we have to discover HTTP/3 support are > Alt-Svc and the HTTPS RR. Both of these are defined in terms of origin*. > CONNECT-UDP is defined in terms of origin so we're in good shape there. > Same story for connect-tcp > <https://datatracker.ietf.org/doc/draft-ietf-httpbis-connect-tcp/>. But > for CONNECT we're in a weird spot. In CONNECT, there is no origin (or if > there is, it applies to the target destination, not to the proxy). So it > doesn't quite feel right for a proxy to send the Alt-Svc header on the > response to a CONNECT request. Similarly, I'm not sure that if I get an > HTTPS RR for the proxy hostname I'm allowed to use it for CONNECT. So > there's no great way to know that a CONNECT proxy supports HTTP/3. So if a > PAC file tells the browser to use "HTTPS proxy.example.org:443" then it's > not clear to me how the browser should figure out if it can use HTTP/3. > Here are some options: > > 1) Send the first CONNECT over HTTP/1 or 2, pretend that use of Alt-Svc > applies to the proxy > 2) Query the HTTPS DNS RR and pretend that it applies to the proxy > 3) Send an OPTIONS * request to the proxy and look for Alt-Svc > 4) Try HTTP/3 for the first CONNECT request and fallback to TCP if > anything fails (happy eyeballs style) > 5) Create a new PAC script verb that means connect-tcp/connect-udp > 6) Create a new PAC script verb that means HTTP/3 > > None of these feel like great solutions. Does anyone have thoughts? > (1) and (2) seem the most natural to me. It is a little weird that CONNECT doesn't actually send a Host header for the proxy... it'd put us in a weird place where the client is conceptually thinking of an origin, but doesn't tell the server, so the server can't react accordingly. But I don't think that's broken per se, just weird and a little limiting. I suppose we could define a Proxy-Host (Sec-Proxy-Host?) header, or transition to connect-tcp, if we really care. It's also kind of weird in that (1) would be incompatible with a request like `GET http://example.com/whatever` <http://example.com/whatever> (is there a name for this mode?). Though I think this same "there is a proxy origin, we just forgot to tell the server" theory would work for (2). I could imagine a Proxy-Alt-Svc header, but I suspect there won't be enough interest in defining that, so leaving that unsolved seems fine? (3) seems unnecessarily annoying for clients to wrangle on the client. (4) and (6) mean we're unable to pick up any SvcParamKeys that might influence the HTTP/3 connection, which seems poorly aligned with where I gather people want to go with HTTPS/SVCB. (5) could also work, but since proxy types are configured outside PAC too, I suspect it's quite a lot of systems to manually reconfigure before HTTP/3 works. So I think (1) and (2) would still be worthwhile, even if we decide (5) is a good way to transition to connect-tcp. > *well sort of. The HTTPS RR query doesn't include the port... > Not super important, but I think it does. It's just that HTTPS-RR (as opposed to SVCB) special cases (https, *, 443) to go through an undecorated query name. https://www.ietf.org/archive/id/draft-ietf-dnsop-svcb-https-12.html#section-2.3
- CONNECT, origins, and Alt-Svc David Schinazi
- Re: CONNECT, origins, and Alt-Svc Lucas Pardue
- Re: CONNECT, origins, and Alt-Svc Tommy Pauly
- Re: CONNECT, origins, and Alt-Svc David Benjamin
- Re: CONNECT, origins, and Alt-Svc Eric Orth
- Re: CONNECT, origins, and Alt-Svc David Benjamin
- Re: CONNECT, origins, and Alt-Svc Eric Orth
- Re: CONNECT, origins, and Alt-Svc Mark Nottingham
- Re: CONNECT, origins, and Alt-Svc David Schinazi
- Re: CONNECT, origins, and Alt-Svc Ben Schwartz
- Re: CONNECT, origins, and Alt-Svc Eric Orth