Re: [hybi] workability (or otherwise) of HTTP upgrade

Mark Nottingham <mnot@mnot.net> Mon, 06 December 2010 23:14 UTC

From: Mark Nottingham <mnot@mnot.net>
In-Reply-To: <DA6A1BBE-B67F-40B9-92A3-E62E78E43CD0@gbiv.com>
Date: Tue, 07 Dec 2010 10:15:46 +1100
Message-Id: <775DB33B-9FD3-4D25-AF55-B33463D6B9ED@mnot.net>
References: <AANLkTin6=8_Bhn2YseoSHGh1OSkQzsYrTW=fMiPvYps1@mail.gmail.com> <20101126000352.ad396b9a.eric@bisonsystems.net> <AANLkTimzQyG4hugOvHqoNrBrZFA4fGbGXQ7MZ2i+68dO@mail.gmail.com> <4CF615B2.9010304@rowe-clan.net> <F96E5CE9-CA7D-4B70-8260-F05456D021FB@gbiv.com> <AANLkTimi5HL56PD9gLHUWs=mcbV3Eaz=GOsK38sxPevb@mail.gmail.com> <DA6A1BBE-B67F-40B9-92A3-E62E78E43CD0@gbiv.com>
To: "Roy T. Fielding" <fielding@gbiv.com>
Cc: "William A. Rowe Jr." <wrowe@rowe-clan.net>, Hybi HTTP <hybi@ietf.org>, HTTP Working Group <ietf-http-wg@w3.org>
Subject: Re: [hybi] workability (or otherwise) of HTTP upgrade

Right. Adam is talking about a gateway, not a proxy. 


On 02/12/2010, at 11:32 AM, Roy T. Fielding wrote:

> On Dec 1, 2010, at 10:01 AM, Adam Barth wrote:
> 
>> On Wed, Dec 1, 2010 at 9:45 AM, Roy T. Fielding <fielding@gbiv.com> wrote:
>>> On Dec 1, 2010, at 1:30 AM, William A. Rowe Jr. wrote:
>>>> On 11/26/2010 6:55 AM, Greg Wilkins wrote:
>>>>> 
>>>>> And do you get similar feeling to think about using the CONNECT method
>>>>> to establish tunnels for arbitrary protocols?
>>>> 
>>>> CONNECT suffers from the same issues you identify in deploying a new port.
>>>> Namely, http servers will reject those requests.  Leveraging CONNECT
>>>> successfully would require additional HTTP-level authentication to identify
>>>> users and prevent abuse (as most proxies do).  Restructuring the internet,
>>>> whether it is adding a new port to unblock, or permitting specific classes
>>>> of CONNECT traffic, would be a similar battle.
>>> 
>>> Perhaps more to the point, CONNECT is a method that is only allowed to be
>>> sent to a client-side proxy server.  Deliberately sending it in other
>>> HTTP messages would be a violation of its method semantics and the
>>> HTTP/1.1 syntax (because its unusual target syntax is only allowed
>>> when sent to a proxy).
>> 
>> That seems like a matter of perspective.  When opening a connection to
>> a WebSocket server, can one not view the server as a proxy server?
> 
> No, because the browser is not limiting such connections to a
> configuration-selected proxy (hence, it is not equivalent from
> a behavioral or organizational policy perspective, which is
> where the name "proxy" came from originally and what drives the
> selection and enforcement of proxy use within larger companies).
> 
> I don't have a problem with configured proxies being used via
> a normal CONNECT tunnel to perform raw websockets access outside
> a port-restricted firewall.  That would be a normal proxy
> configuration (not intercepts).
> 
> ....Roy

--
Mark Nottingham   http://www.mnot.net/
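The distinction the thread draws, as an added example that is not part of the original mail: a small request classifier showing why CONNECT with its authority-form target belongs at a configured proxy, while a WebSocket endpoint on an origin server is reached through an ordinary origin-form GET carrying Upgrade. The sample requests and host names are constructed; the status codes are illustrative choices, not taken from the thread.

```python
import re

# HTTP/1.1 request-target forms (RFC 7230 section 5.3); a simplified
# authority-form matcher (no IPv6 literals) is enough for the demonstration.
AUTHORITY_RE = re.compile(r"^[A-Za-z0-9.\-]+:\d+$")
SCHEME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9+.\-]*://")

def request_target_form(method, target):
    """Classify a request-target; authority-form is only valid for CONNECT."""
    if target == "*":
        return "asterisk-form"
    if target.startswith("/"):
        return "origin-form"
    if SCHEME_RE.match(target):
        return "absolute-form"
    if method == "CONNECT" and AUTHORITY_RE.match(target):
        return "authority-form"
    return "invalid"

def parse_request(raw):
    """Split a raw request head into method, target, version and a header dict."""
    head = raw.partition("\r\n\r\n")[0]
    lines = head.split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, version, headers

def decide(raw, role="origin"):
    """What a server in the given role (origin or proxy) should do with the request."""
    method, target, _, headers = parse_request(raw)
    form = request_target_form(method, target)
    if form == "invalid":
        return ("reject", 400)
    if method == "CONNECT":
        # Tunnelling is a proxy function: an origin server refuses it, as the
        # thread notes real HTTP servers do; only a configured proxy honours it.
        if role == "proxy" and form == "authority-form":
            return ("tunnel", 200)
        return ("reject", 405)
    conn_tokens = {t.strip().lower() for t in headers.get("connection", "").split(",")}
    if method == "GET" and "upgrade" in conn_tokens and headers.get("upgrade", "").lower() == "websocket":
        return ("upgrade-websocket", 101)   # the Upgrade path the thread contrasts with CONNECT
    return ("serve", 200)

# Constructed sample requests for illustration.
CONNECT_REQ = "CONNECT ws.example.net:443 HTTP/1.1\r\nHost: ws.example.net:443\r\n\r\n"
UPGRADE_REQ = "GET /chat HTTP/1.1\r\nHost: ws.example.net\r\nUpgrade: websocket\r\nConnection: Upgrade\r\n\r\n"
PLAIN_REQ = "GET /index.html HTTP/1.1\r\nHost: www.example.net\r\n\r\n"
```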