IETF Logo Mail Archive

Re: [Webtransport] [Masque] Endpoint requirements for unknown Capsules

David Schinazi <dschinazi.ietf@gmail.com> Fri, 05 January 2024 16:42 UTC

Return-Path: <ietf-http-wg-request+bounce-httpbisa-archive-bis2juki=ietf.org@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6DFFBC15199D for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Fri, 5 Jan 2024 08:42:17 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.755
X-Spam-Level:
X-Spam-Status: No, score=-2.755 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.249, HTML_MESSAGE=0.001, MAILING_LIST_MULTI=-1, RCVD_IN_MSPIKE_H5=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YH6cdl-hyks1 for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Fri, 5 Jan 2024 08:42:13 -0800 (PST)
Received: from lyra.w3.org (lyra.w3.org [128.30.52.18]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1FACDC1519B9 for <httpbisa-archive-bis2Juki@ietf.org>; Fri, 5 Jan 2024 08:42:13 -0800 (PST)
Received: from lists by lyra.w3.org with local (Exim 4.94.2) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1rLnF9-00Glri-3Q for ietf-http-wg-dist@listhub.w3.org; Fri, 05 Jan 2024 16:40:23 +0000
Resent-Date: Fri, 05 Jan 2024 16:40:23 +0000
Resent-Message-Id: <E1rLnF9-00Glri-3Q@lyra.w3.org>
Received: from mimas.w3.org ([128.30.52.79]) by lyra.w3.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from <dschinazi.ietf@gmail.com>) id 1rLnF7-00Glqc-6u for ietf-http-wg@listhub.w3.org; Fri, 05 Jan 2024 16:40:21 +0000
Received: from mail-ej1-x636.google.com ([2a00:1450:4864:20::636]) by mimas.w3.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (Exim 4.94.2) (envelope-from <dschinazi.ietf@gmail.com>) id 1rLnF0-00EfT7-RK for ietf-http-wg@w3.org; Fri, 05 Jan 2024 16:40:20 +0000
Received: by mail-ej1-x636.google.com with SMTP id a640c23a62f3a-a294295dda3so81340366b.0 for <ietf-http-wg@w3.org>; Fri, 05 Jan 2024 08:40:14 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1704472811; x=1705077611; darn=w3.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=AmwZYZgiIjsLx5jwRlniBNEkEmXTsHXclalDzu3GELA=; b=eoTaQQIxcLZwE5/eEDOFTAyQonFp7Uey1v9W+AWTC9m/EpjcOyTMscCyKqs9x+uy0M E2pzA4kQ1zGuc3Piku7uht3+PwLWKhNtFUynq4XtK1EGf+XlYVXTPimryPjEWELOQ34g 2kNfCfJeXfgvwfaP+E7n5f87YyIsL+YNZiBQm38rwOU98lS96GW2MoXOKiXpey4/s/UM +vdKcbDLCLJIy/BrW27QvbVXJo4ELzeD0aLXyszxdCDGuLxb4YP4wG6lEUl9zK1jQfV4 opEA+0A3QaBsBpAC+44ZtUfmINGfPyzWnbx6Dv1AMfy+4vrzaE/ztHXAt5ANkYOq3qiU YAWQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1704472811; x=1705077611; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=AmwZYZgiIjsLx5jwRlniBNEkEmXTsHXclalDzu3GELA=; b=F2Wl8V1d1HwtlKF15kDVyWH425fjee+lP5CkEvKWn++QKjWCe1wgSx5tNDUiMfePk1 8r8PpU7LH8igP8VYaESEDmii3pHbxWNhVCYBGxEQZS/yodftDRtmpw6W9iplZCy7SaMo WESJ56pKPbYE8TRbA8jZdPHQMm7sSKag7CehI/wtOJt4PbbBGvzV2pm9NBCNESfzzn2V EU0GQKMj5vRvLyCKpcqgEvsbQ7tTzvq7YWb9ZfhLAiC6UV0aK0qz4pSdx3ccIHfysboo 9QlRqDH5scU4BngLnS8WcIrnSEtk2q2Ue67jj187oeK/IKCfoA8iYe1+CPXTqwaWdXJf d1MQ==
X-Gm-Message-State: AOJu0YyzZY1nHaGGJZ/coN5RvQuht/45i0DzqTccDviN+g1BXghJHZMj rPYLdZTifdp2HqmwaEHMJy92twJjgsXMsopVGrM=
X-Google-Smtp-Source: AGHT+IHjBfL0Hzh0/9bOQwpwfBhM22eXzYFQyxSCGMd8j3HxLMAuvAv5089OsPYwKubp2Di4ofpr33XQkosYV+HKmA8=
X-Received: by 2002:a17:906:b84e:b0:a27:4c9e:91c6 with SMTP id ga14-20020a170906b84e00b00a274c9e91c6mr621823ejb.276.1704472810401; Fri, 05 Jan 2024 08:40:10 -0800 (PST)
MIME-Version: 1.0
References: <CALGR9oaGSX+p6K=yjjMye14oD+cpYqika05gkw6N8KbPOiRcTQ@mail.gmail.com> <EFFA5FC9-0A09-4494-9F03-64D0C93CD79E@apple.com> <CALGR9obbAt5fSO1EAOb-csDCtiFS9bkiUNm4a_qLz0sbsjMX9w@mail.gmail.com> <CALGR9ob=U1W9z=FoWLLchUDtSa7yrUp5j62fGLhWZfOy_D=sPg@mail.gmail.com>
In-Reply-To: <CALGR9ob=U1W9z=FoWLLchUDtSa7yrUp5j62fGLhWZfOy_D=sPg@mail.gmail.com>
From: David Schinazi <dschinazi.ietf@gmail.com>
Date: Fri, 05 Jan 2024 17:39:59 +0100
Message-ID: <CAPDSy+6oDMxETQKxABMvb41LQK2SrfCcomJchn8ErvoDGZgRvA@mail.gmail.com>
To: Lucas Pardue <lucaspardue.24.7@gmail.com>
Cc: Tommy Pauly <tpauly@apple.com>, MASQUE <masque@ietf.org>, HTTP Working Group <ietf-http-wg@w3.org>, WebTransport <webtransport@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000064b447060e3580fe"
Received-SPF: pass client-ip=2a00:1450:4864:20::636; envelope-from=dschinazi.ietf@gmail.com; helo=mail-ej1-x636.google.com
X-W3C-Hub-DKIM-Status: validation passed: (address=dschinazi.ietf@gmail.com domain=gmail.com), signature is good
X-W3C-Hub-Spam-Status: No, score=-6.1
X-W3C-Hub-Spam-Report: BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, W3C_AA=-1, W3C_DB=-1, W3C_IRA=-1, W3C_WL=-1
X-W3C-Scan-Sig: mimas.w3.org 1rLnF0-00EfT7-RK f3e77b3fbd1c29975fc7c149f95a01bc
X-Original-To: ietf-http-wg@w3.org
Subject: Re: [Webtransport] [Masque] Endpoint requirements for unknown Capsules
Archived-At: <https://www.w3.org/mid/CAPDSy+6oDMxETQKxABMvb41LQK2SrfCcomJchn8ErvoDGZgRvA@mail.gmail.com>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/51710
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <https://www.w3.org/email/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>

I think Lucas found a real oversight in RFC 9297, and we should fix it.
Looking through Google's QUICHE implementation, we don't handle unexpected
capsules consistently. For example, a connect-udp endpoint will silently
ignore received ADDRESS_ASSIGN but will reset the stream on receipt
of DRAIN_WEBTRANSPORT_SESSION [1]. Using the nomenclature from Lucas's
original email, we do both (b) and (d). (The discrepancy in the same
implementation comes from the fact that those were implemented by different
folks.)

Going forward, I think we should update 9297 to clarify this, and perhaps
provide guidelines for future capsules. I think
draft-pardue-capsule-ext-guidance is a good starting point, and I'd like to
discuss it in Brisbane. The main question that needs resolving before then
is: in what WG should we discuss this? My personal interpretation is that
this is in-charter for MASQUE, but what do y'all think?

Cheers,
David

[1]
https://github.com/google/quiche/blob/6c5a75906be4155ee7140415e9d2b2d18efc9fbc/quiche/quic/core/http/quic_spdy_stream.cc#L1382

On Fri, Nov 24, 2023 at 12:46 AM Lucas Pardue <lucaspardue.24.7@gmail.com>
wrote:

> I posted a draft, the repo is
> https://github.com/LPardue/draft-pardue-capsule-ext-guidance if anyone is
> interested
>
> A new version of Internet-Draft draft-pardue-capsule-ext-guidance-00.txt
> has
> been successfully submitted by Lucas Pardue and posted to the
> IETF repository.
>
> Name:     draft-pardue-capsule-ext-guidance
> Revision: 00
> Title:    Guidance for HTTP Capsule Protocol Extensibility
> Date:     2023-11-23
> Group:    Individual Submission
> Pages:    6
> URL:
> https://www.ietf.org/archive/id/draft-pardue-capsule-ext-guidance-00.txt
> Status:
> https://datatracker.ietf.org/doc/draft-pardue-capsule-ext-guidance/
> HTML:
> https://www.ietf.org/archive/id/draft-pardue-capsule-ext-guidance-00.html
> HTMLized:
> https://datatracker.ietf.org/doc/html/draft-pardue-capsule-ext-guidance
>
>
> Abstract:
>
>    This document updates RFC 9297 with further guidance for
>    extensibility of the HTTP Capsule Protocol.
>
> On Thu, Nov 23, 2023 at 1:49 PM Lucas Pardue <lucaspardue.24.7@gmail.com>
> wrote:
>
>> Hi Tommy,
>>
>> On Wed, Nov 22, 2023 at 5:48 AM Tommy Pauly <tpauly@apple.com> wrote:
>>
>>> Good question!
>>>
>>> While the connect-ip capsules don’t have defined behavior for
>>> connect-udp, that shouldn’t prevent them from being used in the future. An
>>> assign IP could make sense there. There’s a benefit from being able to use
>>> capsules across protocols like that.
>>>
>>> However, in order for it to work, I think we’d need to have a
>>> negotiation between client and server to say “I support the connect-udp
>>> extension that allows address assigning.”
>>>
>>> That doesn’t answer your question. I could see this going either way.
>>> The problem with option d is that it requires the connect-udp
>>> implementation to be aware of these capsules in order to send an error. So
>>> I’d probably go with interpretation b?
>>>
>>
>> Actually I think it goes part way to answering the question, so thanks!
>>
>> I agree we don't want to limit extensibility possibilities. For endpoints
>> to know that a new capsule type can be used, some form of negotiation is
>> required. I don't think we need to be prescriptive about how that is done,
>> a header might work (like "connect-udp-assign: ?1") or a setting, or
>> whatever.
>>
>> I could live with option b) augmented by new text that better describes
>> the general extension framework. I think we also overlooked adding text to
>> RFC 9297's security considerations related to DoS of endpoints, see
>> HTTP/3's [1] as an example of text I think we could port over.
>>
>> I'll see if I can find some time to collect these into a short I-D for
>> easier discussion.
>>
>> Cheers,
>> Lucas
>>
>> [1] - https://www.rfc-editor.org/rfc/rfc9114.html#section-10.5-4
>>
>>
>>> Tommy
>>>
>>> On Nov 21, 2023, at 12:05 PM, Lucas Pardue <lucaspardue.24.7@gmail.com>
>>> wrote:
>>>
>>> 
>>> Hi folks,
>>>
>>> I have a question about how endpoints (not intermediaries) should
>>> approach handling HTTP Capsules and I'm looking for some WG input.
>>>
>>> RFC 9297 defined HTTP Datagrams and the Capsule Protocol[1]. During
>>> standardization, the primary use case was for proxying UDP over HTTP (RFC
>>> 9298).
>>>
>>> 9297 defines Datagram capsules and 9298 defines how an Upgrade or
>>> extended request accompanied with a connect-udp token, when successful,
>>> enables *both* UDP proxying and the Capsule protocol. Once the request is
>>> set up it is the expectation that Datagram capsules are exchanged, modulo
>>> HTTP/3 which also has a native QUIC Datagram mapping (so endpoints can
>>> exchange either form).
>>>
>>> RFC 9297 section 3.2 states:
>>>
>>> > Endpoints that receive a Capsule with an unknown Capsule Type MUST silently
>>> drop that Capsule and skip over it to parse the next Capsule.
>>>
>>> This is inspired by HTTP/2&3 frame design with the goal of extensibility
>>> and maintenance*. We have GREASE capsule codepoints and unknown real
>>> extensions can be used with causing things to fall over. So far so good.
>>>
>>> Recently, RFC 9484 was published, defining IP over HTTP. This defined a
>>> connect-ip token and 3 new capsule types, ADDRESS_ASSIGN, ADDRESS_REQUEST,
>>> and ROUTE_ADVERTISEMENT.
>>>
>>> So here's the question:
>>>
>>> Assume there's an endpoint that supports both IP and UDP tunneling. It
>>> knows about the tokens and the capsules I mentioned above. If it receives a
>>> request for connect-udp and accepts it, then receives an ADDRESS_ASSIGN
>>> capsule what should it do?
>>>
>>> The text in RFC 9297 seems a little ambiguous and I tried to map out the
>>> options
>>>
>>> a) The ADDRESS_ASSIGN capsule is unknown in the context of RFC 9298, so
>>> it MUST be ignored
>>> b) The ADDRESS_ASSIGN capsule is unknown in the connect-udp context of
>>> the target resource of the request over which the capsule protocol is
>>> using, so it MUST be ignored
>>> c) The ADDRESS_ASSIGN capsule is known to the endpoint. However, it is
>>> undefined and so is silently dropped
>>> d) The ADDRESS_ASSIGN capsule is known to the endpoint. Since this
>>> capsule is unexpected for connect-udp, the server treats this as some form
>>> of protocol violation (stream or connection close).
>>>
>>> Option (d) seems drastic but is more in the theme of dealing with the
>>> "Harmful consequences of Tolerating the Unexpected" [4], so might actually
>>> be The Right Thing TM.
>>>
>>> We have other specs like WebTransport queuing up 13 new capsule
>>> registrations. If there's anything we could do to clarify the situation
>>> (such as a short update doc to RFC 9297) then now seems like the right time
>>> to be doing it. So please let me know your opinions.
>>>
>>> Cheers,
>>> Lucas
>>>
>>> * There are other considerations for intermediaries but I'm overlooking
>>> that complication right now.
>>>
>>>
>>> [1] - https://www.rfc-editor.org/rfc/rfc9297.html
>>> [2] - https://www.rfc-editor.org/rfc/rfc9298.html
>>> [3] - https://www.rfc-editor.org/rfc/rfc9484.html
>>> [4] - https://www.rfc-editor.org/rfc/rfc9413.html#section-4
>>> --
>>> Webtransport mailing list
>>> Webtransport@ietf.org
>>> https://www.ietf.org/mailman/listinfo/webtransport
>>>
>>> --
> Webtransport mailing list
> Webtransport@ietf.org
> https://www.ietf.org/mailman/listinfo/webtransport
>

v2.23.0 | Report a Bug | By Email