IETF Logo Mail Archive

Re: [Masque] Dropping HTTP/1.x requirement for CONNECT-UDP

Tommy Pauly <tpauly@apple.com> Thu, 25 March 2021 15:20 UTC

Return-Path: <tpauly@apple.com>
X-Original-To: masque@ietfa.amsl.com
Delivered-To: masque@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8D95A3A2531 for <masque@ietfa.amsl.com>; Thu, 25 Mar 2021 08:20:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.246
X-Spam-Level:
X-Spam-Status: No, score=-2.246 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.251, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=0.1, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=apple.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FRDRd4GHSZaT for <masque@ietfa.amsl.com>; Thu, 25 Mar 2021 08:20:10 -0700 (PDT)
Received: from rn-mailsvcp-ppex-lapp15.apple.com (rn-mailsvcp-ppex-lapp15.rno.apple.com [17.179.253.34]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 727D73A2533 for <masque@ietf.org>; Thu, 25 Mar 2021 08:20:10 -0700 (PDT)
Received: from pps.filterd (rn-mailsvcp-ppex-lapp15.rno.apple.com [127.0.0.1]) by rn-mailsvcp-ppex-lapp15.rno.apple.com (8.16.0.43/8.16.0.43) with SMTP id 12PFDeGK012451; Thu, 25 Mar 2021 08:20:02 -0700
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=apple.com; h=from : message-id : content-type : mime-version : subject : date : in-reply-to : cc : to : references; s=20180706; bh=PyqQXJzWPAO3AwBLN9A/emYQ/V1A37dDOvrTW7uG5MI=; b=oSLNAffaD0gxpiOMwpSVYr4Tc6OhJFOp3O32gyamw8gUv6iTK9CGrgy9yoQTkqRV5qZL ag2tH/3FGjtL+hFgvrXC/chlcgc3EIr2MNGVrvAdR4WcktSWKPE/18P2eZU/YHCuhiNp vDAZ2aj7WTkFU7DpUsk6F2/YKsnx4L1ZqGajTNY2DWi8J1s4PGXH8Z57Xvc/AdivLTfc 5WxhHuiTW13IubOUOmcNMWwnEJ6c1oqIKP9qyC0HoENcDRh/zib+XUJQSnwq2y4PIqFM Ec9dXk1zWunTC3DfLLmWtYl3NZ7Ihc9TieN59cTTTS+h6uY6IIfaXAz7G+1ruFgy4lS4 fg==
Received: from rn-mailsvcp-mta-lapp02.rno.apple.com (rn-mailsvcp-mta-lapp02.rno.apple.com [10.225.203.150]) by rn-mailsvcp-ppex-lapp15.rno.apple.com with ESMTP id 37dembkeb6-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NO); Thu, 25 Mar 2021 08:20:02 -0700
Received: from rn-mailsvcp-mmp-lapp03.rno.apple.com (rn-mailsvcp-mmp-lapp03.rno.apple.com [17.179.253.16]) by rn-mailsvcp-mta-lapp02.rno.apple.com (Oracle Communications Messaging Server 8.1.0.7.20201203 64bit (built Dec 3 2020)) with ESMTPS id <0QQJ00ZIV6LEAJ10@rn-mailsvcp-mta-lapp02.rno.apple.com>; Thu, 25 Mar 2021 08:20:02 -0700 (PDT)
Received: from process_milters-daemon.rn-mailsvcp-mmp-lapp03.rno.apple.com by rn-mailsvcp-mmp-lapp03.rno.apple.com (Oracle Communications Messaging Server 8.1.0.7.20201203 64bit (built Dec 3 2020)) id <0QQJ00L005ZK5J00@rn-mailsvcp-mmp-lapp03.rno.apple.com>; Thu, 25 Mar 2021 08:20:02 -0700 (PDT)
X-Va-A:
X-Va-T-CD: a307069c117d92ca5914e55b5f3dbe78
X-Va-E-CD: 5941c1938a303a2cc2aa951013da524e
X-Va-R-CD: 6c33b829cc86532365ac3ddc3871a900
X-Va-CD: 0
X-Va-ID: 355785e4-e596-4ec3-92b9-efd642aaa928
X-V-A:
X-V-T-CD: a307069c117d92ca5914e55b5f3dbe78
X-V-E-CD: 5941c1938a303a2cc2aa951013da524e
X-V-R-CD: 6c33b829cc86532365ac3ddc3871a900
X-V-CD: 0
X-V-ID: 54d30668-cb72-4b43-b1b6-9d41bd93faa9
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.369, 18.0.761 definitions=2021-03-25_04:2021-03-24, 2021-03-25 signatures=0
Received: from smtpclient.apple (unknown [17.11.85.163]) by rn-mailsvcp-mmp-lapp03.rno.apple.com (Oracle Communications Messaging Server 8.1.0.7.20201203 64bit (built Dec 3 2020)) with ESMTPSA id <0QQJ00LVU6LB5800@rn-mailsvcp-mmp-lapp03.rno.apple.com>; Thu, 25 Mar 2021 08:19:59 -0700 (PDT)
From: Tommy Pauly <tpauly@apple.com>
Message-id: <D10B8202-B858-45AE-B9DA-E1E8FF75CB85@apple.com>
Content-type: multipart/alternative; boundary="Apple-Mail=_29122826-4116-4F69-8B3F-A69EB5CDBF8A"
MIME-version: 1.0 (Mac OS X Mail 14.0 \(3654.80.0.2.6\))
Date: Thu, 25 Mar 2021 08:19:58 -0700
In-reply-to: <CAKKJt-favDBmSWfBrHo3Pa1EXZ1MPsB6nxSe25x-O9i=VW+_Vw@mail.gmail.com>
Cc: Mirja Kuehlewind <mirja.kuehlewind=40ericsson.com@dmarc.ietf.org>, Alex Chernyakhovsky <achernya=40google.com@dmarc.ietf.org>, Ian Swett <ianswett@google.com>, David Schinazi <dschinazi.ietf@gmail.com>, Mark Nottingham <mnot@mnot.net>, Roy Fielding <fielding@gbiv.com>, MASQUE <masque@ietf.org>
To: Spencer Dawkins at IETF <spencerdawkins.ietf@gmail.com>
References: <CAPDSy+5QOV-QfJVi1c1yN5KCawkibHfzZvWUaX3z9nby1tRKCg@mail.gmail.com> <CAHbWFkTjqo8kPfJZ1iYJf9Haz3bERSoo_hFuTEW7Ht-qVR=DqQ@mail.gmail.com> <2DFDA98E-E6A4-4D7A-9B22-043048ADF30E@apple.com> <4950F4ED-AF9C-493D-A72A-D2CFEE90C0FA@mnot.net> <9E9DFAEA-7B83-4208-AA99-770B70B6D569@apple.com> <CAPDSy+7ZWUeQt=Y6EvgSC=MeMAQ3QoHikta4g6ocyGViqTs0fg@mail.gmail.com> <CAKcm_gN561ruvtUL5JX9N0M58MN1dEQegWH0NuD6cGN-Badh9g@mail.gmail.com> <CAHbWFkR+5Y5jtXu2NnZ-fVxoFdSpBxP7ewutVPT0rfX1oHM6JQ@mail.gmail.com> <6476D243-6173-457F-9953-0382F7B7037B@ericsson.com> <CAKKJt-favDBmSWfBrHo3Pa1EXZ1MPsB6nxSe25x-O9i=VW+_Vw@mail.gmail.com>
X-Mailer: Apple Mail (2.3654.80.0.2.6)
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.369, 18.0.761 definitions=2021-03-25_04:2021-03-24, 2021-03-25 signatures=0
Archived-At: <https://mailarchive.ietf.org/arch/msg/masque/QyG5TpXAQXjCpPKmM5HwOgQ5N1E>
Subject: Re: [Masque] Dropping HTTP/1.x requirement for CONNECT-UDP
X-BeenThere: masque@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Multiplexed Application Substrate over QUIC Encryption <masque.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/masque>, <mailto:masque-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/masque/>
List-Post: <mailto:masque@ietf.org>
List-Help: <mailto:masque-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/masque>, <mailto:masque-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 25 Mar 2021 15:20:12 -0000


> On Mar 25, 2021, at 7:05 AM, Spencer Dawkins at IETF <spencerdawkins.ietf@gmail.com> wrote:
> 
> I'm actually following up on something Ian said earlier ... 
> 
> On Thu, Mar 25, 2021 at 8:42 AM Mirja Kuehlewind <mirja.kuehlewind=40ericsson.com@dmarc.ietf.org <mailto:40ericsson.com@dmarc.ietf.org>> wrote:
> I agree. I thought that the mapping is actually relatively straight forward though. With H2 you can have one CONNECT per stream (and no datagram support). For H1 you can only have one CONNECT per connection and you would open multiple TCP/HTTP connections for each forwarding request separately.
> 
>  
> 
>  
> 
>  
> 
> From: Masque <masque-bounces@ietf.org <mailto:masque-bounces@ietf.org>> on behalf of Alex Chernyakhovsky <achernya=40google.com@dmarc.ietf.org <mailto:40google.com@dmarc.ietf.org>>
> Date: Wednesday, 24. March 2021 at 02:11
> To: Ian Swett <ianswett@google.com <mailto:ianswett@google.com>>
> Cc: David Schinazi <dschinazi.ietf@gmail.com <mailto:dschinazi.ietf@gmail.com>>, Mark Nottingham <mnot@mnot.net <mailto:mnot@mnot.net>>, Roy Fielding <fielding@gbiv.com <mailto:fielding@gbiv.com>>, Tommy Pauly <tpauly@apple.com <mailto:tpauly@apple.com>>, MASQUE <masque@ietf.org <mailto:masque@ietf.org>>
> Subject: Re: [Masque] Dropping HTTP/1.x requirement for CONNECT-UDP
> 
>  
> 
> I don't think aligning h1 and h2 makes sense. h2 is closer to h3 than it is to h1.
> 
>  
> 
> Sincerely,
> 
> -Alex
> 
>  
> 
> On Tue, Mar 23, 2021 at 7:25 PM Ian Swett <ianswett@google.com <mailto:ianswett@google.com>> wrote:
> 
> IMO it makes sense to align the h1 and h2 designs, since they're both fallbacks we'd rather not use.  If h1+h2 lands after h3 in a different doc, I don't see a problem with that, but I'm also fine with them being in a single document.
> 
>  
> 
> In a surprising number of cases where h3 is blocked, h2 is blocked as well(ie: Corp MITMs) and users will end up on h1.  Additionally, h1 is still widely used behind load balancers/proxies.  As such, by the time this becomes RFC, I wouldn't be surprised if there's more usage of it over h1 than h2.
> 
> I know there's a conceptual reason for having mappings for h3, h2, and h1, but if Ian's experience here is typical, how bad would it be if the recommendation was to fall back from h3 to h1? 
> 
> If h2 doesn't work on a path now, do we want to encourage those operators to allow h2 and continue to block h3, rather than encouraging people to allow h3?

The specifics of how a given implementation falls back for a particular scenario are, I think, a bit out of scope. I think we need to be able to use H3, H2, or H1, overall.

While there may be scenarios that are doing man-in-the-middle attacks/techniques that force things back to H1, there are also cases where a client would disallow any such man-in-the-middle attack and would prefer to fail hard. So, I have scenarios were I would accept falling back to H2, but would not accept falling back to H1.

Tommy

> 
> Best,
> 
> Spencer 
>  
> 
> I don't think the CONNECT-UDP design for h2 and h3 needs to share framing, given h3 has datagrams and doesn't need frames transmitted on streams to transmit UDP?
> 
>  
> 
> On Tue, Mar 23, 2021 at 6:42 PM David Schinazi <dschinazi.ietf@gmail.com <mailto:dschinazi.ietf@gmail.com>> wrote:
> 
> Or we could have one document now that describes CONNECT-UDP over h2 and h3, and a separate document that defines CONNECT-UDP over h1 later?
> 
> I'm not saying CONNECT-UDP should never support HTTP/1.1, I'm just saying that maybe we don't need to design that yet.
> 
>  
> 
> Thoughts?
> 
> David
> 
>  
> 
> On Mon, Mar 22, 2021 at 7:57 PM Tommy Pauly <tpauly@apple.com <mailto:tpauly@apple.com>> wrote:
> 
> Yes, that’s what I recall as well.
> 
> David, can we still go down the path of using frames in HTTP/3 and HTTP/2, while letting CONNECT-UDP have a more degenerate case for HTTP/1.1?
> 
> Tommy
> 
> > On Mar 22, 2021, at 7:53 PM, Mark Nottingham <mnot@mnot.net <mailto:mnot@mnot.net>> wrote:
> > 
> > My recollection is that this was discussed at length during chartering, and the resolution was that we'd make it version-independent, like other methods. If you want to re-visit that, I think we'd need to ask the whole HTTP WG, not just a couple of people.
> > 
> > Cheers,
> > 
> > 
> >> On 23 Mar 2021, at 9:39 am, Tommy Pauly <tpauly@apple.com <mailto:tpauly@apple.com>> wrote:
> >> 
> >> While I understand the desire for this, I’m concerned about making a method that only works with some versions.
> >> 
> >> From https://httpwg.org/http-core/draft-ietf-httpbis-semantics-latest.html#methods <https://protect2.fireeye.com/v1/url?k=57aa9374-0831aa71-57aad3ef-86d2114eab2f-8a67a28437e1dc6d&q=1&e=cd2d81ff-d165-41ed-836c-128d76921781&u=https%3A%2F%2Fhttpwg.org%2Fhttp-core%2Fdraft-ietf-httpbis-semantics-latest.html%23methods> :
> >> 
> >> HTTP defines a number of generic extension points that can be used to introduce capabilities to the protocol without introducing a new version, including methods, status codes, field names, and further extensibility points within defined fields, such as authentication schemes and cache-directives (see Cache-Control extensions in Section 5.2.3 of [Caching]). Because the semantics of HTTP are not versioned, these extension points are persistent; the version of the protocol in use does not affect their semantics.
> >> 
> >> Version-independent extensions are discouraged from depending on or interacting with the specific version of the protocol in use. When this is unavoidable, careful consideration needs to be given to how the extension can interoperate across versions.
> >> 
> >> I’d like to hear the opinions of Mark and Roy on this.
> >> 
> >> Tommy
> >> 
> >>> On Mar 22, 2021, at 3:21 PM, Alex Chernyakhovsky <achernya=40google.com@dmarc.ietf.org <mailto:40google.com@dmarc.ietf.org>> wrote:
> >>> 
> >>> I think this makes a lot of sense. As it stands today, anyone wishing to add UDP support would have to make changes to their client/server anyway -- I feel like the complexity we'd take on by continuing to support HTTP/1.1 and older isn't beneficial since we wouldn't be able to interoperate with existing implementations with the new features. Requiring HTTP/2 or newer lets us rely on a lot of nice things that have been added (like multiplexing) and not have to re-invent them in HTTP/1.1 just for UDP.
> >>> 
> >>> Sincerely,
> >>> -Alex
> >>> 
> >>> On Thu, Mar 18, 2021 at 6:12 PM David Schinazi <dschinazi.ietf@gmail.com <mailto:dschinazi.ietf@gmail.com>> wrote:
> >>> Hi MASQUE enthusiasts,
> >>> 
> >>> The CONNECT-UDP draft currently states "The CONNECT-UDP method is defined for all versions of HTTP." While supporting HTTP/3 is our top priority, and supporting HTTP/2 is necessary because of networks that block UDP, I'm not sure supporting versions of HTTP before 2 is useful. Additionally, it constrains our design space as HTTP/1.1 does not have the HTTP framing layer that HTTP/2 and HTTP/3 have. I would like to drop support for HTTP/1.1, 1.0 and 0.9.
> >>> 
> >>> Does anyone object to dropping the requirement to support versions of HTTP before 2?
> >>> 
> >>> Thanks,
> >>> David
> >>> -- 
> >>> Masque mailing list
> >>> Masque@ietf.org <mailto:Masque@ietf.org>
> >>> https://www.ietf.org/mailman/listinfo/masque <https://www.ietf.org/mailman/listinfo/masque>
> >>> -- 
> >>> Masque mailing list
> >>> Masque@ietf.org <mailto:Masque@ietf.org>
> >>> https://www.ietf.org/mailman/listinfo/masque <https://www.ietf.org/mailman/listinfo/masque>
> >> 
> > 
> > --
> > Mark Nottingham   https://www.mnot.net/ <https://protect2.fireeye.com/v1/url?k=0c525adb-53c963de-0c521a40-86d2114eab2f-69a3e42f0cf4ffba&q=1&e=cd2d81ff-d165-41ed-836c-128d76921781&u=https%3A%2F%2Fwww.mnot.net%2F>
> > 
> > -- 
> > Masque mailing list
> > Masque@ietf.org <mailto:Masque@ietf.org>
> > https://www.ietf.org/mailman/listinfo/masque <https://www.ietf.org/mailman/listinfo/masque>
> -- 
> Masque mailing list
> Masque@ietf.org <mailto:Masque@ietf.org>
> https://www.ietf.org/mailman/listinfo/masque <https://www.ietf.org/mailman/listinfo/masque>-- 
> Masque mailing list
> Masque@ietf.org <mailto:Masque@ietf.org>
> https://www.ietf.org/mailman/listinfo/masque <https://www.ietf.org/mailman/listinfo/masque>

v2.23.0 | Report a Bug | By Email