Proposal for Creating Reverse Tunnels, for HTTP and TCP (Fwd: New Version Notification for draft-kazuho-httpbis-reverse-tunnel-00.txt)
Kazuho Oku <kazuhooku@gmail.com> Tue, 20 February 2024 02:40 UTC
Return-Path: <ietf-http-wg-request+bounce-httpbisa-archive-bis2juki=ietf.org@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E24FFC14CE5D for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Mon, 19 Feb 2024 18:40:59 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.856
X-Spam-Level:
X-Spam-Status: No, score=-2.856 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.249, HTML_MESSAGE=0.001, MAILING_LIST_MULTI=-1, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=w3.org header.b="Ujz7UA9T"; dkim=pass (2048-bit key) header.d=w3.org header.b="eOLNo2jw"; dkim=pass (2048-bit key) header.d=gmail.com header.b="eMHoo+OD"
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3hkuGhtgaE9f for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Mon, 19 Feb 2024 18:40:56 -0800 (PST)
Received: from lyra.w3.org (lyra.w3.org [128.30.52.18]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 06DE6C14CEFF for <httpbisa-archive-bis2Juki@ietf.org>; Mon, 19 Feb 2024 18:40:55 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=w3.org; s=s1; h=Subject:Content-Type:To:Message-ID:Date:From:In-Reply-To:References: MIME-Version:Cc:Reply-To; bh=NUkzd+jYPQJGOm7hXAdv041pN9KQv29ucCLzPqxODfw=; b= Ujz7UA9TI/1Q/OdD2WEJ5qJMlCOT/lHgSA3lOkVXkIrErE0aaZF06kbXcDrlrpdtqKuYNiQJUSC+S 8ovYpKDAbeUvzBrhk6jOGaGjebTyxYTLRsovrxqudUu0AJtUFLEYnEp5Ysu7CA4c876H4E8tAqLh7 hUcVBXH2WWG79s1hdurlG7TVfifH21ynyD9Ae3g4A1WNR8KhEg57mKayD17vAo6TRmmKhaNlObIdk WfZK2rGrgt+BTuww6KjbH75uEeCRR3lkC5BPPFyYuZVfpDHbCtc/MbuTd3Bqkj2g2PkxM0qdH0ybo OdzNcsxWlgGluwNSsjdIYr5ip7ogoZMu1Q==;
Received: from lists by lyra.w3.org with local (Exim 4.94.2) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1rcG3m-0010IR-PW for ietf-http-wg-dist@listhub.w3.org; Tue, 20 Feb 2024 02:40:42 +0000
Resent-Date: Tue, 20 Feb 2024 02:40:42 +0000
Resent-Message-Id: <E1rcG3m-0010IR-PW@lyra.w3.org>
Received: from puck.w3.org ([34.196.82.207]) by lyra.w3.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from <kazuhooku@gmail.com>) id 1rcG3k-0010HK-L4 for ietf-http-wg@listhub.w3.org; Tue, 20 Feb 2024 02:40:40 +0000
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=w3.org; s=s1; h=Content-Type:To:Subject:Message-ID:Date:From:In-Reply-To:References: MIME-Version:Cc:Reply-To; bh=NUkzd+jYPQJGOm7hXAdv041pN9KQv29ucCLzPqxODfw=; t=1708396840; x=1709260840; b=eOLNo2jw2AO0fUZXqTsc2hJGUoT5UBCXXvHiG2OOOlcSXG8 qgXjUQsApWpUvV18fXQEqr8W3PxZXaA1a+hMkcmf6EdYuAxC4XiJzZ7g07eqNMSl+0NoaWAnYNiFw BdEeWVj794fHgAttsbj4XtXQ67uJ4hg14V8WMP5tz2LKuMNC+sKpJXMWuSL09eai3wRXi9K1QXP8B 4EcsTPppryff+oa3rIaSb/6fMYiw8awat0spqkaKE7S9WtXydhkGCStq9uxzvwCdIFcDdil+ZhvIl tXe76o7WNk2/ve5nwzFGFtn0W8xST8KNM8U4tizR4LflQhUiNpYWPnzt7gZyZRdw==;
Received-SPF: pass (puck.w3.org: domain of gmail.com designates 2a00:1450:4864:20::62e as permitted sender) client-ip=2a00:1450:4864:20::62e; envelope-from=kazuhooku@gmail.com; helo=mail-ej1-x62e.google.com;
Received: from mail-ej1-x62e.google.com ([2a00:1450:4864:20::62e]) by puck.w3.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (Exim 4.96) (envelope-from <kazuhooku@gmail.com>) id 1rcG3j-001Zdp-27 for ietf-http-wg@w3.org; Tue, 20 Feb 2024 02:40:40 +0000
Received: by mail-ej1-x62e.google.com with SMTP id a640c23a62f3a-a3e75e30d36so308150866b.1 for <ietf-http-wg@w3.org>; Mon, 19 Feb 2024 18:40:39 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1708396835; x=1709001635; darn=w3.org; h=to:subject:message-id:date:from:in-reply-to:references:mime-version :from:to:cc:subject:date:message-id:reply-to; bh=NUkzd+jYPQJGOm7hXAdv041pN9KQv29ucCLzPqxODfw=; b=eMHoo+ODw9SuqIyIRZ36Xf44anQCRTjEr+2aZ/OobjIG9cYbvfoPeKHGMZzhTLSSy5 RII5gkDjfcrf6qCaieFOHYqqhsfs8aw6UcAXaY0jIJF5/omUSm+W0eCrk6icIgoQV8Gm ITgD0aw+ciM9XX66AyJ+kLqZY53DkMYpaXMVvKU0irOGf1XEqJSgEXXtvnM9Aiu6A+yv 9eloKvF4Uhb+0iNY98i10CKiLSuJEwXt9tUJWK5Q1Euk0FKfl/zdeyJEDCrjha4Pmvgl bJUpr15SVPPEdHXrduaIw4L7oVHb9lcDH0i/W/Qk2LDaTuv84QGhKp9e/rdrbVlWWaxn b3eg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1708396835; x=1709001635; h=to:subject:message-id:date:from:in-reply-to:references:mime-version :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=NUkzd+jYPQJGOm7hXAdv041pN9KQv29ucCLzPqxODfw=; b=TBHMWeM5nTB/rzv2fV/gcOQObxXnViqBqw4CoPtgW3pTQevjyWacABM3e9Zl9ehs0k lVf/zHs0qY16Z2JgFcpN8pXlWf8p0XoCjD+qxY00U9ETd7IWf4QUYAmV01n32CPWmpjO OuLvUfZoca80DVGZUc9xdlLqwdOn8gTQh1tM1j5MsyPgM6O0BZppqe2+7qNVkc5et9iC dkJs+iL0XNLvzlFKTSpsE9xhum1ihYM0Gh+ciPTd0yKqZarSvT0VXA2wF/9zHZkHfGTq wygmn4mL9Al5lxEwGU4Dk83FB0p5q/r2L6lvAYqnY9mtTXqEFc3UtKoaTzoJMC4Hz8WS uwng==
X-Gm-Message-State: AOJu0YxyL6UW8EVF96I0+UNkCrG8KjgRxmesmwsIVrnZXEeKB0mxa32d tPqU2G4QrDsM/b8Otv+kEju78RRMZxp58/L4zeHPkXWsAF3E/sXTVx9V5G5VNlGGvHQ2txIFa+p 1AksFaifIAT+aTvXB9KVAAU3siLy3sRPYSHE=
X-Google-Smtp-Source: AGHT+IHfJSXPKTYrKOsX6jCYo+Bz9QlKfDNE8btYqe5GT/DrVtRnxwp+SPxf/gQlymT3kVLYGOqACJQtv0chOr3whZk=
X-Received: by 2002:a17:906:c791:b0:a3d:20ec:7d1a with SMTP id cw17-20020a170906c79100b00a3d20ec7d1amr15082428ejb.11.1708396835225; Mon, 19 Feb 2024 18:40:35 -0800 (PST)
MIME-Version: 1.0
References: <170839651236.24815.18130483846873637989@ietfa.amsl.com>
In-Reply-To: <170839651236.24815.18130483846873637989@ietfa.amsl.com>
From: Kazuho Oku <kazuhooku@gmail.com>
Date: Tue, 20 Feb 2024 11:40:23 +0900
Message-ID: <CANatvzyhBNpYT42ChnAte=-cQGRSA9iN-iot4hZsHN8ESW3CWw@mail.gmail.com>
To: HTTP Working Group <ietf-http-wg@w3.org>
Content-Type: multipart/alternative; boundary="0000000000007fc20f0611c722d5"
X-W3C-Hub-DKIM-Status: validation passed: (address=kazuhooku@gmail.com domain=gmail.com), signature is good
X-W3C-Hub-Spam-Status: No, score=-4.1
X-W3C-Hub-Spam-Report: BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, DMARC_PASS=-0.001, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, W3C_AA=-1, W3C_WL=-1
X-W3C-Scan-Sig: puck.w3.org 1rcG3j-001Zdp-27 c0174a0034088930b7b2784ed2afc242
X-Original-To: ietf-http-wg@w3.org
Subject: Proposal for Creating Reverse Tunnels, for HTTP and TCP (Fwd: New Version Notification for draft-kazuho-httpbis-reverse-tunnel-00.txt)
Archived-At: <https://www.w3.org/mid/CANatvzyhBNpYT42ChnAte=-cQGRSA9iN-iot4hZsHN8ESW3CWw@mail.gmail.com>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/51806
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <https://www.w3.org/email/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>
Hello folks, At the previous IETF meeting, Ben presented the “Reverse HTTP” proposal, which can be found at: https://github.com/httpwg/wg-materials/blob/gh-pages/ietf118/reverse-http.pdf . When we discussed the proposal, it seemed that there is interest in: * using extended CONNECT, and * supporting reverse tunneling for TCP, in addition to HTTP. As stated during the meeting, we are interested in implementing this feature in h2o and have therefore submitted the draft, available at: https://www.ietf.org/archive/id/draft-kazuho-httpbis-reverse-tunnel-00.html. Please let us know what you think. For the primary use case of setting up HTTP connections in the reverse direction, the draft employs the extended CONNECT method (or the upgrade mechanism in HTTP/1.1). Once the tunnel is set up, HTTP/1.1 or HTTP/2 can be used as-is. The design utilizes URIs to identify the reverse service, offering flexibility to operators, including the large-scale reverse proxy operators who automate configuration changes. Operators can provide unique URIs to each backend that connects in the reverse direction, and authenticate the backends using HTTP authentication (or other HTTP-based authentication schemes). Additionally, this feature can be seamlessly integrated into existing reverse proxies with minimal effort and virtually zero overhead. A reverse proxy can accept the reverse tunnel using HTTP/1.1, and upon establishment, just “add” the tunnel’s TCP / TLS connection to the already-existing connection pool. This is because the protocol being used atop the tunnel is HTTP/1.1 or HTTP/2 unmodified. Of course, the draft does not forbid endpoints from using HTTP/2 to establish reverse tunnels. It will be at the discretion of the endpoints to decide which HTTP version to use. Considering that tunnels will be typically established using HTTPS, additional encryption atop the tunnel is often unnecessary. In light of this, the draft defines a method to negotiate the application protocol by reusing the ‘ALPN’ header field, streamlining communication within the encrypted tunnel. For the other use case of setting up a TCP relay, the draft utilizes the ‘Forwarded’ header field to convey the 4-tuple of the TCP connection being relayed. The header field is sent as part of a successful response indicating the establishment of the relay. Until a relay is established, 100 (Continue) responses are used to indicate that the relay is waiting for a connection to be matched. Regarding the TCP relay use case, it might be worthwhile to mention an alternative approach not included in the current draft submission. This strategy entails establishing an HTTP reverse tunnel as previously described, followed by utilizing this channel to transmit 'CONNECT' requests that relay TCP connections. This approach might be slightly more complex than the design specified in the draft, but it builds on top of the HTTP feature that already exists for relaying bi-directional byte streams. ---------- Forwarded message --------- From: IETF I-D Submission Tool <idsubmission@ietf.org> Date: 2024年2月20日(火) 11:25 Subject: Confirm submission of I-D draft-kazuho-httpbis-reverse-tunnel To: Kazuho Oku <kazuhooku@gmail.com> Hi, The IETF datatracker Internet-Draft submission service has received your Internet-Draft draft-kazuho-httpbis-reverse-tunnel-00, and requires a confirmation step in order to be able to complete the posting of the Internet-Draft. Please follow this link to the page where you can confirm the posting: https://datatracker.ietf.org/submit/status/140209/confirm/da185e3e7d346ab40f2a320bf26a2917/ Best regards, The IETF Secretariat through the Internet-Draft submission service -- Kazuho Oku ---------- Forwarded message --------- From: <internet-drafts@ietf.org> Date: 2024年2月20日(火) 11:35 Subject: New Version Notification for draft-kazuho-httpbis-reverse-tunnel-00.txt To: Kazuho Oku <kazuhooku@gmail.com> A new version of Internet-Draft draft-kazuho-httpbis-reverse-tunnel-00.txt has been successfully submitted by Kazuho Oku and posted to the IETF repository. Name: draft-kazuho-httpbis-reverse-tunnel Revision: 00 Title: Reverse Tunnel over HTTP Date: 2024-02-20 Group: Individual Submission Pages: 12 URL: https://www.ietf.org/archive/id/draft-kazuho-httpbis-reverse-tunnel-00.txt Status: https://datatracker.ietf.org/doc/draft-kazuho-httpbis-reverse-tunnel/ HTML: https://www.ietf.org/archive/id/draft-kazuho-httpbis-reverse-tunnel-00.html HTMLized: https://datatracker.ietf.org/doc/html/draft-kazuho-httpbis-reverse-tunnel Abstract: This document specifies an HTTP extension to establish bi-directional byte streams in the direction from servers to their clients, utilizing HTTP as a tunneling mechanism. This approach not only facilitates communication between servers located behind firewalls and their known clients but also introduces the potential for these known clients to serve as relays. In such configurations, clients can forward application protocol messages or relay TCP connections, allowing servers to interact with any client on the Internet without direct exposure. The IETF Secretariat -- Kazuho Oku
- Proposal for Creating Reverse Tunnels, for HTTP a… Kazuho Oku
- Re: Proposal for Creating Reverse Tunnels, for HT… Ben Schwartz