Re: Questions on HTTP URI schemes and QUIC
Mikkel Fahnøe Jørgensen <mikkelfj@gmail.com> Wed, 25 July 2018 05:48 UTC
Return-Path: <mikkelfj@gmail.com>
X-Original-To: quic@ietfa.amsl.com
Delivered-To: quic@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5D1C0130DF4 for <quic@ietfa.amsl.com>; Tue, 24 Jul 2018 22:48:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.999
X-Spam-Level:
X-Spam-Status: No, score=-0.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, FREEMAIL_REPLY=1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uS1KxvMyA_HN for <quic@ietfa.amsl.com>; Tue, 24 Jul 2018 22:48:23 -0700 (PDT)
Received: from mail-qt0-x22b.google.com (mail-qt0-x22b.google.com [IPv6:2607:f8b0:400d:c0d::22b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B3A2E130E2A for <quic@ietf.org>; Tue, 24 Jul 2018 22:48:22 -0700 (PDT)
Received: by mail-qt0-x22b.google.com with SMTP id e19-v6so6533779qtp.8 for <quic@ietf.org>; Tue, 24 Jul 2018 22:48:22 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:subject:thread-topic:thread-index:date:message-id :references:in-reply-to:accept-language:content-language :mime-version; bh=2x45d0nxvJEqQPGkMDxh54lyJCcmbaF91rS3pRq4Gv4=; b=HXLVDUUaYbwCVzfQNfipWktT3ipQPtMgmn0zOXOJEJ+hxwL1C/b8rPlQIdaMR18ENe Gw9phsiSA7S5+Q2uT/bKv7JBkEKOyxzLFosRzmQcDk+gr6tQtjR3qWRC8soVcURly2Rh xQ3EPYTls8Jk2EjzMyvPG16ot2B4rvL7psurlRTGEe59ZpNS8d88wIYPXbFUB+HROTBB abXbXxplOL4xhaBGkNwzjI+tS5YfOKX7GVXmPw1Oq57dHhgUj+UFxhm0ZL3Mau5jA6By p+7HPRlm07AoVFVGjLXBuxZm1QDo/AR9ZlvSC0UbFOPzBkVOgTiqhoZQpktHmHamcxPb Gmiw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:subject:thread-topic:thread-index:date :message-id:references:in-reply-to:accept-language:content-language :mime-version; bh=2x45d0nxvJEqQPGkMDxh54lyJCcmbaF91rS3pRq4Gv4=; b=f+Hr58A457UTMkhPiU2T2RyjAhC9lIpT/TAx9G5FpOAiC1IbX8rpSLQJVgkOkGkvtz LDWSitFXLSKpoSjiPDdyzinYgmWyhChoSLzSWcdme2gyu44kkUm4JIi13DDmxRNkSywF Ffcf3fe3M1JcvVnbwbUa8/aGwnK+9AuoPbHmq+Lx7uLDe8SBjc3nQ/NKigqrFQ4FB+3y qIE7OAexmciwIBa4V00lBmyXZi3uBYsN37F3Ldu+72m0Gd1YybiOa6wxRMxWiciDElGl n8nnble4swra+JEoY2hqLyY7zPip69vTgUv9PV3rrlFHyp/x6EAktXSxmDOt0QfncITm Vvig==
X-Gm-Message-State: AOUpUlH6Qa8lSYi2GTUk4A1tKtr0kWVosn2hoL2p09HRsWVKNb4T0Ncz CwDk7i/8r+5GdstEUZeKBhU=
X-Google-Smtp-Source: AAOMgpdsrf47k4693SN/eqTzUVRUeVyzOr31TxL8CfhY0EalxgL+WlIzNYH2XIdGYRSXyOv/WIq/WQ==
X-Received: by 2002:a0c:ca94:: with SMTP id a20-v6mr17831146qvk.37.1532497701888; Tue, 24 Jul 2018 22:48:21 -0700 (PDT)
Received: from DB6PR10MB1766.EURPRD10.PROD.OUTLOOK.COM ([40.101.73.69]) by smtp.gmail.com with ESMTPSA id o2-v6sm1671658qte.16.2018.07.24.22.48.20 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Tue, 24 Jul 2018 22:48:20 -0700 (PDT)
From: Mikkel Fahnøe Jørgensen <mikkelfj@gmail.com>
To: Sridhar Bhaskaran <sridhar.bhaskaran@huawei.com>, Ted Hardie <ted.ietf@gmail.com>, IETF QUIC WG <quic@ietf.org>
Subject: Re: Questions on HTTP URI schemes and QUIC
Thread-Topic: Questions on HTTP URI schemes and QUIC
Thread-Index: AUFFRjg2ghJw9e6hhjKznfXxRVMqEkFBM0ZDQkVGODY1QTNGQzlFRjg2QW5YWVExRUY4NpqXJS6d
X-MS-Exchange-MessageSentRepresentingType: 2
Date: Wed, 25 Jul 2018 05:48:17 +0000
Message-ID: <DB6PR10MB1766AEAB4F1B0C7F40DDEEACAC540@DB6PR10MB1766.EURPRD10.PROD.OUTLOOK.COM>
References: <0E42DD26875E1748992B1E3F732A36AE0129BCBA@BLREML503-MBX.china.huawei.com> <7CF7F94CB496BF4FAB1676F375F9666A3BB77BFA@bgb01xud1012> <0E42DD26875E1748992B1E3F732A36AE0129C45B@BLREML503-MBX.china.huawei.com> <7CF7F94CB496BF4FAB1676F375F9666A3BB786A5@bgb01xud1012> <0E42DD26875E1748992B1E3F732A36AE0129E9E9@BLREML503-MBX.china.huawei.com> <CA+9kkMAZqQviCshp8opYD4OBtG+SrXJ7TeXvwMzne_xDa4-_QA@mail.gmail.com>, <0E42DD26875E1748992B1E3F732A36AE0129F121@BLREML503-MBX.china.huawei.com>
In-Reply-To: <0E42DD26875E1748992B1E3F732A36AE0129F121@BLREML503-MBX.china.huawei.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-Exchange-Organization-SCL: -1
X-MS-TNEF-Correlator:
X-MS-Exchange-Organization-RecordReviewCfmType: 0
Content-Type: multipart/alternative; boundary="_000_DB6PR10MB1766AEAB4F1B0C7F40DDEEACAC540DB6PR10MB1766EURP_"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic/KzNTkQX1YukfRTpd2yJlyrmm5dQ>
X-BeenThere: quic@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: Main mailing list of the IETF QUIC working group <quic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic>, <mailto:quic-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic/>
List-Post: <mailto:quic@ietf.org>
List-Help: <mailto:quic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic>, <mailto:quic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 25 Jul 2018 05:48:25 -0000
Another option is to connect to the backend directly, then forward traffic keys to the proxy. ________________________________ From: QUIC <quic-bounces@ietf.org> on behalf of Sridhar Bhaskaran <sridhar.bhaskaran@huawei.com> Sent: Wednesday, July 25, 2018 5:33:09 AM To: Ted Hardie; IETF QUIC WG Subject: RE: Questions on HTTP URI schemes and QUIC Hi Ted, >> Before going down that road, may I ask why 3gpp prefers the bump-in-the-wire style proxy, rather than a configured proxy? A configured proxy can act as a back-to-back user agent, which allows the kind of inspection you describe. The mechanism can also be set to work either on a per-network basis or globally (depending on the configuration and the topology). Is that not a better fit for your deployment model? [Sridhar] In 3GPP architecture, from a HTTP client perspective it believes it is invoking the API exposed by a HTTP server. If the client is configured to route the request via a proxy (configuration is at HTTP level and application is unaware of it), then what should be the ":authority" pseudo header in a HTTP/2 request (i.e the authority part of the URI)? If the authority part of the URI still refers to an FQDN / IP address of the HTTP server, then isn’t the TLS certificate exchange supposed to happen against this? On the other hand, if the authority part of the URI refers to the proxy's endpoint itself, then how does the proxy know where to route the request further? By the way are there any IETF drafts / RFCs that explain how this would work? I may be missing few details here. Could you please clarify how a configured proxy acting as B2B user agent would a) terminate TLS by providing a valid certificate for the domain / authority with which the client is intending to communicate b) how the proxy will route the HTTP/2 request to the right server (and based on which information in the HTTP/2 request)? c) Any IETF draft / RFC that explains this. Thanks Sridhar From: Ted Hardie [mailto:ted.ietf@gmail.com] Sent: Tuesday, July 24, 2018 9:38 PM To: Sridhar Bhaskaran <sridhar.bhaskaran@huawei.com> Cc: Lucas Pardue <Lucas.Pardue@bbc.co.uk>; IETF QUIC WG <quic@ietf.org> Subject: Re: Questions on HTTP URI schemes and QUIC Hi Sridhar, On Mon, Jul 23, 2018 at 8:36 PM, Sridhar Bhaskaran <sridhar.bhaskaran@huawei.com> wrote: Yes this is understood. One follow up question is - can a bump in TLS (TLS interception) where a proxy provides certificates on behalf of origin host signed by its own CA (provided the client is configured to trust this CA) work with QUIC? Can this be made to work to intercept the protected payload at a proxy? Thanks Sridhar Before going down that road, may I ask why 3gpp prefers the bump-in-the-wire style proxy, rather than a configured proxy? A configured proxy can act as a back-to-back user agent, which allows the kind of inspection you describe. The mechanism can also be set to work either on a per-network basis or globally (depending on the configuration and the topology). Is that not a better fit for your deployment model? regards, Ted
- Questions on HTTP URI schemes and QUIC Sridhar Bhaskaran
- Re: Questions on HTTP URI schemes and QUIC Patrick McManus
- RE: Questions on HTTP URI schemes and QUIC Lucas Pardue
- RE: Questions on HTTP URI schemes and QUIC Sridhar Bhaskaran
- RE: Questions on HTTP URI schemes and QUIC Lucas Pardue
- RE: Questions on HTTP URI schemes and QUIC Sridhar Bhaskaran
- Re: Questions on HTTP URI schemes and QUIC Ted Hardie
- RE: Questions on HTTP URI schemes and QUIC Sridhar Bhaskaran
- Re: Questions on HTTP URI schemes and QUIC Mikkel Fahnøe Jørgensen
- Re: Questions on HTTP URI schemes and QUIC Martin Thomson
- RE: Questions on HTTP URI schemes and QUIC Sridhar Bhaskaran
- RE: Questions on HTTP URI schemes and QUIC Lucas Pardue
- RE: Questions on HTTP URI schemes and QUIC Sridhar Bhaskaran