| draft-ietf-httpbis-alt-svc-14.txt | draft-ietf-httpbis-alt-svc-latest.txt | |||
|---|---|---|---|---|
| HTTP Working Group M. Nottingham | HTTP Working Group M. Nottingham | |||
| Internet-Draft Akamai | Internet-Draft Akamai | |||
| Intended status: Standards Track P. McManus | Intended status: Standards Track P. McManus | |||
| Expires: September 9, 2016 Mozilla | Expires: April 16, 2026 Mozilla | |||
| J. Reschke | J. Reschke | |||
| greenbytes | greenbytes | |||
| March 8, 2016 | October 13, 2025 | |||
| HTTP Alternative Services | HTTP Alternative Services | |||
| draft-ietf-httpbis-alt-svc-14 | draft-ietf-httpbis-alt-svc-latest | |||
| Abstract | Abstract | |||
| This document specifies "Alternative Services" for HTTP, which allow | This document specifies "Alternative Services" for HTTP, which allow | |||
| an origin's resources to be authoritatively available at a separate | an origin's resources to be authoritatively available at a separate | |||
| network location, possibly accessed with a different protocol | network location, possibly accessed with a different protocol | |||
| configuration. | configuration. | |||
| Editorial Note (To be removed by RFC Editor) | Editorial Note (To be removed by RFC Editor) | |||
| skipping to change at page 1, line 41 ¶ | skipping to change at page 1, line 41 ¶ | |||
| The changes in this draft are summarized in Appendix A. | The changes in this draft are summarized in Appendix A. | |||
| Status of This Memo | Status of This Memo | |||
| This Internet-Draft is submitted in full conformance with the | This Internet-Draft is submitted in full conformance with the | |||
| provisions of BCP 78 and BCP 79. | provisions of BCP 78 and BCP 79. | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at http://datatracker.ietf.org/drafts/current/. | Drafts is at https://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on September 9, 2016. | This Internet-Draft will expire on April 16, 2026. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2016 IETF Trust and the persons identified as the | Copyright (c) 2025 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (http://trustee.ietf.org/license-info) in effect on the date of | (https://trustee.ietf.org/license-info) in effect on the date of | |||
| publication of this document. Please review these documents | publication of this document. Please review these documents | |||
| carefully, as they describe your rights and restrictions with respect | carefully, as they describe your rights and restrictions with respect | |||
| to this document. Code Components extracted from this document must | to this document. Code Components extracted from this document must | |||
| include Simplified BSD License text as described in Section 4.e of | include Simplified BSD License text as described in Section 4.e of | |||
| the Trust Legal Provisions and are provided without warranty as | the Trust Legal Provisions and are provided without warranty as | |||
| described in the Simplified BSD License. | described in the Simplified BSD License. | |||
| Table of Contents | Table of Contents | |||
| 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4 | 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 | |||
| 1.1. Notational Conventions . . . . . . . . . . . . . . . . . . 4 | 1.1. Notational Conventions . . . . . . . . . . . . . . . . . 4 | |||
| 2. Alternative Services Concepts . . . . . . . . . . . . . . . . 5 | 2. Alternative Services Concepts . . . . . . . . . . . . . . . . 4 | |||
| 2.1. Host Authentication . . . . . . . . . . . . . . . . . . . 7 | 2.1. Host Authentication . . . . . . . . . . . . . . . . . . . 6 | |||
| 2.2. Alternative Service Caching . . . . . . . . . . . . . . . 7 | 2.2. Alternative Service Caching . . . . . . . . . . . . . . . 6 | |||
| 2.3. Requiring Server Name Indication . . . . . . . . . . . . . 8 | 2.3. Requiring Server Name Indication . . . . . . . . . . . . 7 | |||
| 2.4. Using Alternative Services . . . . . . . . . . . . . . . . 8 | 2.4. Using Alternative Services . . . . . . . . . . . . . . . 7 | |||
| 3. The Alt-Svc HTTP Header Field . . . . . . . . . . . . . . . . 9 | 3. The Alt-Svc HTTP Header Field . . . . . . . . . . . . . . . . 8 | |||
| 3.1. Caching Alt-Svc Header Field Values . . . . . . . . . . . 11 | 3.1. Caching Alt-Svc Header Field Values . . . . . . . . . . . 11 | |||
| 4. The ALTSVC HTTP/2 Frame . . . . . . . . . . . . . . . . . . . 12 | 4. The ALTSVC HTTP/2 Frame . . . . . . . . . . . . . . . . . . . 12 | |||
| 5. The Alt-Used HTTP Header Field . . . . . . . . . . . . . . . . 14 | 5. The Alt-Used HTTP Header Field . . . . . . . . . . . . . . . 13 | |||
| 6. The 421 Misdirected Request HTTP Status Code . . . . . . . . . 14 | 6. The 421 (Misdirected Request) HTTP Status Code . . . . . . . 14 | |||
| 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 15 | 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 14 | |||
| 7.1. Header Field Registrations . . . . . . . . . . . . . . . . 15 | 7.1. Header Field Registrations . . . . . . . . . . . . . . . 14 | |||
| 7.2. The ALTSVC HTTP/2 Frame Type . . . . . . . . . . . . . . . 15 | 7.2. The ALTSVC HTTP/2 Frame Type . . . . . . . . . . . . . . 15 | |||
| 7.3. Alt-Svc Parameter Registry . . . . . . . . . . . . . . . . 15 | 7.3. Alt-Svc Parameter Registry . . . . . . . . . . . . . . . 15 | |||
| 7.3.1. Procedure . . . . . . . . . . . . . . . . . . . . . . 15 | 7.3.1. Procedure . . . . . . . . . . . . . . . . . . . . . . 15 | |||
| 7.3.2. Registrations . . . . . . . . . . . . . . . . . . . . 16 | 7.3.2. Registrations . . . . . . . . . . . . . . . . . . . . 15 | |||
| 8. Internationalization Considerations . . . . . . . . . . . . . 16 | 8. Internationalization Considerations . . . . . . . . . . . . . 15 | |||
| 9. Security Considerations . . . . . . . . . . . . . . . . . . . 16 | 9. Security Considerations . . . . . . . . . . . . . . . . . . . 16 | |||
| 9.1. Changing Ports . . . . . . . . . . . . . . . . . . . . . . 16 | 9.1. Changing Ports . . . . . . . . . . . . . . . . . . . . . 16 | |||
| 9.2. Changing Hosts . . . . . . . . . . . . . . . . . . . . . . 17 | 9.2. Changing Hosts . . . . . . . . . . . . . . . . . . . . . 16 | |||
| 9.3. Changing Protocols . . . . . . . . . . . . . . . . . . . . 17 | 9.3. Changing Protocols . . . . . . . . . . . . . . . . . . . 17 | |||
| 9.4. Tracking Clients Using Alternative Services . . . . . . . 18 | 9.4. Tracking Clients Using Alternative Services . . . . . . . 17 | |||
| 9.5. Confusion Regarding Request Scheme . . . . . . . . . . . . 18 | 9.5. Confusion regarding Request Scheme . . . . . . . . . . . 17 | |||
| 10. References . . . . . . . . . . . . . . . . . . . . . . . . . . 19 | 10. References . . . . . . . . . . . . . . . . . . . . . . . . . 18 | |||
| 10.1. Normative References . . . . . . . . . . . . . . . . . . . 19 | 10.1. Normative References . . . . . . . . . . . . . . . . . . 18 | |||
| 10.2. Informative References . . . . . . . . . . . . . . . . . . 20 | 10.2. Informative References . . . . . . . . . . . . . . . . . 20 | |||
| Appendix A. Change Log (to be removed by RFC Editor before | Appendix A. Change Log (to be removed by RFC Editor before | |||
| publication) . . . . . . . . . . . . . . . . . . . . 20 | publication) . . . . . . . . . . . . . . . . . . . . 21 | |||
| A.1. Since draft-nottingham-httpbis-alt-svc-05 . . . . . . . . 20 | A.1. Since draft-nottingham-httpbis-alt-svc-05 . . . . . . . . 21 | |||
| A.2. Since draft-ietf-httpbis-alt-svc-00 . . . . . . . . . . . 21 | A.2. Since draft-ietf-httpbis-alt-svc-00 . . . . . . . . . . . 21 | |||
| A.3. Since draft-ietf-httpbis-alt-svc-01 . . . . . . . . . . . 21 | A.3. Since draft-ietf-httpbis-alt-svc-01 . . . . . . . . . . . 21 | |||
| A.4. Since draft-ietf-httpbis-alt-svc-02 . . . . . . . . . . . 21 | A.4. Since draft-ietf-httpbis-alt-svc-02 . . . . . . . . . . . 21 | |||
| A.5. Since draft-ietf-httpbis-alt-svc-03 . . . . . . . . . . . 21 | A.5. Since draft-ietf-httpbis-alt-svc-03 . . . . . . . . . . . 21 | |||
| A.6. Since draft-ietf-httpbis-alt-svc-04 . . . . . . . . . . . 21 | A.6. Since draft-ietf-httpbis-alt-svc-04 . . . . . . . . . . . 22 | |||
| A.7. Since draft-ietf-httpbis-alt-svc-05 . . . . . . . . . . . 22 | A.7. Since draft-ietf-httpbis-alt-svc-05 . . . . . . . . . . . 22 | |||
| A.8. Since draft-ietf-httpbis-alt-svc-06 . . . . . . . . . . . 22 | A.8. Since draft-ietf-httpbis-alt-svc-06 . . . . . . . . . . . 22 | |||
| A.9. Since draft-ietf-httpbis-alt-svc-07 . . . . . . . . . . . 22 | A.9. Since draft-ietf-httpbis-alt-svc-07 . . . . . . . . . . . 22 | |||
| A.10. Since draft-ietf-httpbis-alt-svc-08 . . . . . . . . . . . 23 | A.10. Since draft-ietf-httpbis-alt-svc-08 . . . . . . . . . . . 23 | |||
| A.11. Since draft-ietf-httpbis-alt-svc-09 . . . . . . . . . . . 24 | A.11. Since draft-ietf-httpbis-alt-svc-09 . . . . . . . . . . . 24 | |||
| A.12. Since draft-ietf-httpbis-alt-svc-10 . . . . . . . . . . . 24 | A.12. Since draft-ietf-httpbis-alt-svc-10 . . . . . . . . . . . 24 | |||
| A.13. Since draft-ietf-httpbis-alt-svc-11 . . . . . . . . . . . 24 | A.13. Since draft-ietf-httpbis-alt-svc-11 . . . . . . . . . . . 24 | |||
| A.14. Since draft-ietf-httpbis-alt-svc-12 . . . . . . . . . . . 24 | A.14. Since draft-ietf-httpbis-alt-svc-12 . . . . . . . . . . . 24 | |||
| Appendix B. Acknowledgements . . . . . . . . . . . . . . . . . . 24 | A.15. Since draft-ietf-httpbis-alt-svc-13 . . . . . . . . . . . 25 | |||
| A.16. Since draft-ietf-httpbis-alt-svc-14 . . . . . . . . . . . 25 | ||||
| Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . . 25 | ||||
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 25 | ||||
| 1. Introduction | 1. Introduction | |||
| HTTP [RFC7230] conflates the identification of resources with their | HTTP [RFC7230] conflates the identification of resources with their | |||
| location. In other words, "http://" and "https://" URIs are used to | location. In other words, "http://" and "https://" URIs are used to | |||
| both name and find things to interact with. | both name and find things to interact with. | |||
| In some cases, it is desirable to separate identification and | In some cases, it is desirable to separate identification and | |||
| location in HTTP; keeping the same identifier for a resource, but | location in HTTP; keeping the same identifier for a resource, but | |||
| interacting with it at a different location on the network. | interacting with it at a different location on the network. | |||
| skipping to change at page 5, line 16 ¶ | skipping to change at page 4, line 34 ¶ | |||
| delta-seconds = <delta-seconds; see [RFC7234], Section 1.2.1> | delta-seconds = <delta-seconds; see [RFC7234], Section 1.2.1> | |||
| port = <port, see [RFC7230], Section 2.7> | port = <port, see [RFC7230], Section 2.7> | |||
| quoted-string = <quoted-string, see [RFC7230], Section 3.2.6> | quoted-string = <quoted-string, see [RFC7230], Section 3.2.6> | |||
| token = <token, see [RFC7230], Section 3.2.6> | token = <token, see [RFC7230], Section 3.2.6> | |||
| uri-host = <uri-host, see [RFC7230], Section 2.7> | uri-host = <uri-host, see [RFC7230], Section 2.7> | |||
| 2. Alternative Services Concepts | 2. Alternative Services Concepts | |||
| This specification defines a new concept in HTTP, the "Alternative | This specification defines a new concept in HTTP, the "Alternative | |||
| Service". When an origin [RFC6454] has resources that are | Service". When an origin [RFC6454] has resources that are | |||
| accessible through a different protocol / host / port combination, it | accessible through a different protocol/host/port combination, it is | |||
| is said to have an alternative service available. | said to have an alternative service available. | |||
| An alternative service can be used to interact with the resources on | An alternative service can be used to interact with the resources on | |||
| an origin server at a separate location on the network, possibly | an origin server at a separate location on the network, possibly | |||
| using a different protocol configuration. Alternative services are | using a different protocol configuration. Alternative services are | |||
| considered authoritative for an origin's resources, in the sense of | considered authoritative for an origin's resources, in the sense of | |||
| [RFC7230], Section 9.1. | [RFC7230], Section 9.1. | |||
| For example, an origin: | For example, an origin: | |||
| ("http", "www.example.com", "80") | ("http", "www.example.com", "80") | |||
| might declare that its resources are also accessible at the | might declare that its resources are also accessible at the | |||
| alternative service: | alternative service: | |||
| ("h2", "new.example.com", "81") | ("h2", "new.example.com", "81") | |||
| By their nature, alternative services are explicitly at the | By their nature, alternative services are explicitly at the | |||
| granularity of an origin; they cannot be selectively applied to | granularity of an origin; they cannot be selectively applied to | |||
| resources within an origin. | resources within an origin. | |||
| Alternative services do not replace or change the origin for any | Alternative services do not replace or change the origin for any | |||
| given resource; in general, they are not visible to the software | given resource; in general, they are not visible to the software | |||
| "above" the access mechanism. The alternative service is essentially | "above" the access mechanism. The alternative service is essentially | |||
| alternative routing information that can also be used to reach the | alternative routing information that can also be used to reach the | |||
| origin in the same way that DNS CNAME or SRV records define routing | origin in the same way that DNS CNAME or SRV records define routing | |||
| information at the name resolution level. Each origin maps to a set | information at the name resolution level. Each origin maps to a set | |||
| of these routes -- the default route is derived from the origin | of these routes -- the default route is derived from the origin | |||
| itself and the other routes are introduced based on alternative- | itself and the other routes are introduced based on alternative- | |||
| service information. | service information. | |||
| Furthermore, it is important to note that the first member of an | Furthermore, it is important to note that the first member of an | |||
| alternative service tuple is different from the "scheme" component of | alternative service tuple is different from the "scheme" component of | |||
| an origin; it is more specific, identifying not only the major | an origin; it is more specific, identifying not only the major | |||
| version of the protocol being used, but potentially communication | version of the protocol being used, but potentially the communication | |||
| options for that protocol. | options for that protocol as well. | |||
| This means that clients using an alternative service can change the | This means that clients using an alternative service can change the | |||
| host, port and protocol that they are using to fetch resources, but | host, port, and protocol that they are using to fetch resources, but | |||
| these changes MUST NOT be propagated to the application that is using | these changes MUST NOT be propagated to the application that is using | |||
| HTTP; from that standpoint, the URI being accessed and all | HTTP; from that standpoint, the URI being accessed and all | |||
| information derived from it (scheme, host, port) are the same as | information derived from it (scheme, host, and port) are the same as | |||
| before. | before. | |||
| Importantly, this includes its security context; in particular, when | Importantly, this includes its security context; in particular, when | |||
| TLS [RFC5246] is used to authenticate, the alternative service will | TLS [RFC5246] is used to authenticate, the alternative service will | |||
| need to present a certificate for the origin's host name, not that of | need to present a certificate for the origin's host name, not that of | |||
| the alternative. Likewise, the Host header field ([RFC7230], Section | the alternative. Likewise, the Host header field ([RFC7230], | |||
| 5.4) is still derived from the origin, not the alternative service | Section 5.4) is still derived from the origin, not the alternative | |||
| (just as it would if a CNAME were being used). | service (just as it would if a CNAME were being used). | |||
| The changes MAY, however, be made visible in debugging tools, | The changes MAY, however, be made visible in debugging tools, | |||
| consoles, etc. | consoles, etc. | |||
| Formally, an alternative service is identified by the combination of: | Formally, an alternative service is identified by the combination of: | |||
| o An Application Layer Protocol Negotiation (ALPN) protocol name, as | o An Application Layer Protocol Negotiation (ALPN) protocol name, as | |||
| per [RFC7301] | per [RFC7301] | |||
| o A host, as per [RFC3986], Section 3.2.2 | o A host, as per [RFC3986], Section 3.2.2 | |||
| skipping to change at page 6, line 39 ¶ | skipping to change at page 6, line 10 ¶ | |||
| o A port, as per [RFC3986], Section 3.2.3 | o A port, as per [RFC3986], Section 3.2.3 | |||
| The ALPN protocol name is used to identify the application protocol | The ALPN protocol name is used to identify the application protocol | |||
| or suite of protocols used by the alternative service. Note that for | or suite of protocols used by the alternative service. Note that for | |||
| the purpose of this specification, an ALPN protocol name implicitly | the purpose of this specification, an ALPN protocol name implicitly | |||
| includes TLS in the suite of protocols it identifies, unless | includes TLS in the suite of protocols it identifies, unless | |||
| specified otherwise in its definition. In particular, the ALPN name | specified otherwise in its definition. In particular, the ALPN name | |||
| "http/1.1", registered by Section 6 of [RFC7301], identifies HTTP/1.1 | "http/1.1", registered by Section 6 of [RFC7301], identifies HTTP/1.1 | |||
| over TLS. | over TLS. | |||
| Additionally, each alternative service MUST have: | Additionally, each alternative service MUST have a freshness | |||
| lifetime, expressed in seconds (see Section 2.2). | ||||
| o A freshness lifetime, expressed in seconds; see Section 2.2 | ||||
| There are many ways that a client could discover the alternative | There are many ways that a client could discover the alternative | |||
| service(s) associated with an origin. This document describes two | service(s) associated with an origin. This document describes two | |||
| such mechanisms: the "Alt-Svc" HTTP header field (Section 3) and the | such mechanisms: the "Alt-Svc" HTTP header field (Section 3) and the | |||
| "ALTSVC" HTTP/2 frame type (Section 4). | "ALTSVC" HTTP/2 frame type (Section 4). | |||
| The remainder of this section describes requirements that are common | The remainder of this section describes requirements that are common | |||
| to alternative services, regardless of how they are discovered. | to alternative services, regardless of how they are discovered. | |||
| 2.1. Host Authentication | 2.1. Host Authentication | |||
| skipping to change at page 8, line 20 ¶ | skipping to change at page 7, line 38 ¶ | |||
| Note that the SNI information provided in TLS by the client will be | Note that the SNI information provided in TLS by the client will be | |||
| that of the origin, not the alternative (as will the Host HTTP header | that of the origin, not the alternative (as will the Host HTTP header | |||
| field value). | field value). | |||
| 2.4. Using Alternative Services | 2.4. Using Alternative Services | |||
| By their nature, alternative services are OPTIONAL: clients do not | By their nature, alternative services are OPTIONAL: clients do not | |||
| need to use them. However, it is advantageous for clients to behave | need to use them. However, it is advantageous for clients to behave | |||
| in a predictable way when alternative services are used by servers, | in a predictable way when alternative services are used by servers, | |||
| to aid purposes like load balancing. | to aid in purposes like load balancing. | |||
| Therefore, if a client supporting this specification becomes aware of | Therefore, if a client supporting this specification becomes aware of | |||
| an alternative service, the client SHOULD use that alternative | an alternative service, the client SHOULD use that alternative | |||
| service for all requests to the associated origin as soon as it is | service for all requests to the associated origin as soon as it is | |||
| available, provided the alternative service information is fresh | available, provided the alternative service information is fresh | |||
| (Section 2.2) and the security properties of the alternative service | (Section 2.2) and the security properties of the alternative service | |||
| protocol are desirable, as compared to the existing connection. A | protocol are desirable, as compared to the existing connection. A | |||
| viable alternative service is then treated in every way as the | viable alternative service is then treated in every way as the | |||
| origin; this includes the ability to advertise alternative services. | origin; this includes the ability to advertise alternative services. | |||
| skipping to change at page 8, line 48 ¶ | skipping to change at page 8, line 18 ¶ | |||
| directly connect to an alternative service for this request, but | directly connect to an alternative service for this request, but | |||
| instead route it through that proxy. | instead route it through that proxy. | |||
| When a client uses an alternative service for a request, it can | When a client uses an alternative service for a request, it can | |||
| indicate this to the server using the Alt-Used header field | indicate this to the server using the Alt-Used header field | |||
| (Section 5). | (Section 5). | |||
| The client does not need to block requests on any existing | The client does not need to block requests on any existing | |||
| connection; it can be used until the alternative connection is | connection; it can be used until the alternative connection is | |||
| established. However, if the security properties of the existing | established. However, if the security properties of the existing | |||
| connection are weak (for example, cleartext HTTP/1.1) then it might | connection are weak (for example, cleartext HTTP/1.1), then it might | |||
| make sense to block until the new connection is fully available in | make sense to block until the new connection is fully available in | |||
| order to avoid information leakage. | order to avoid information leakage. | |||
| Furthermore, if the connection to the alternative service fails or is | Furthermore, if the connection to the alternative service fails or is | |||
| unresponsive, the client MAY fall back to using the origin or another | unresponsive, the client MAY fall back to using the origin or another | |||
| alternative service. Note, however, that this could be the basis of | alternative service. Note, however, that this could be the basis of | |||
| a downgrade attack, thus losing any enhanced security properties of | a downgrade attack, thus losing any enhanced security properties of | |||
| the alternative service. If the connection to the alternative | the alternative service. If the connection to the alternative | |||
| service does not negotiate the expected protocol (for example, ALPN | service does not negotiate the expected protocol (for example, ALPN | |||
| fails to negotiate h2, or an Upgrade request to h2c is not accepted), | fails to negotiate h2, or an Upgrade request to h2c is not accepted), | |||
| skipping to change at page 10, line 51 ¶ | skipping to change at page 10, line 32 ¶ | |||
| The Alt-Svc field value can have multiple values: | The Alt-Svc field value can have multiple values: | |||
| Alt-Svc: h2="alt.example.com:8000", h2=":443" | Alt-Svc: h2="alt.example.com:8000", h2=":443" | |||
| When multiple values are present, the order of the values reflects | When multiple values are present, the order of the values reflects | |||
| the server's preference (with the first value being the most | the server's preference (with the first value being the most | |||
| preferred alternative). | preferred alternative). | |||
| The value(s) advertised by Alt-Svc can be used by clients to open a | The value(s) advertised by Alt-Svc can be used by clients to open a | |||
| new connection to an alternative service. Subsequent requests can | new connection to an alternative service. Subsequent requests can | |||
| start using this new connection immediately, or can continue using | start using this new connection immediately or can continue using the | |||
| the existing connection while the new connection is created. | existing connection while the new connection is created. | |||
| When using HTTP/2 ([RFC7540]), servers SHOULD instead send an ALTSVC | When using HTTP/2 ([RFC7540]), servers SHOULD instead send an ALTSVC | |||
| frame (Section 4). A single ALTSVC frame can be sent for a | frame (Section 4). A single ALTSVC frame can be sent for a | |||
| connection; a new frame is not needed for every request. Note that, | connection; a new frame is not needed for every request. Note that, | |||
| despite this recommendation, Alt-Svc header fields remain valid in | despite this recommendation, Alt-Svc header fields remain valid in | |||
| responses delivered over HTTP/2. | responses delivered over HTTP/2. | |||
| Each "alt-value" is followed by an OPTIONAL semicolon-separated list | Each "alt-value" is followed by an OPTIONAL semicolon-separated list | |||
| of additional parameters, each such "parameter" comprising a name and | of additional parameters, each such "parameter" comprising a name and | |||
| a value. | a value. | |||
| skipping to change at page 11, line 30 ¶ | skipping to change at page 11, line 12 ¶ | |||
| New parameters can be defined in extension specifications (see | New parameters can be defined in extension specifications (see | |||
| Section 7.3 for registration details). | Section 7.3 for registration details). | |||
| Note that all field elements that allow "quoted-string" syntax MUST | Note that all field elements that allow "quoted-string" syntax MUST | |||
| be processed as per Section 3.2.6 of [RFC7230]. | be processed as per Section 3.2.6 of [RFC7230]. | |||
| 3.1. Caching Alt-Svc Header Field Values | 3.1. Caching Alt-Svc Header Field Values | |||
| When an alternative service is advertised using Alt-Svc, it is | When an alternative service is advertised using Alt-Svc, it is | |||
| considered fresh for 24 hours from generation of the message. This | considered fresh for 24 hours from generation of the message. This | |||
| can be modified with the 'ma' (max-age) parameter. | can be modified with the "ma" (max-age) parameter. | |||
| Syntax: | Syntax: | |||
| ma = delta-seconds; see [RFC7234], Section 1.2.1 | ma = delta-seconds; see [RFC7234], Section 1.2.1 | |||
| The delta-seconds value indicates the number of seconds since the | The delta-seconds value indicates the number of seconds since the | |||
| response was generated the alternative service is considered fresh | response was generated for which the alternative service is | |||
| for. | considered fresh. | |||
| Alt-Svc: h2=":443"; ma=3600 | Alt-Svc: h2=":443"; ma=3600 | |||
| See Section 4.2.3 of [RFC7234] for details of determining response | See Section 4.2.3 of [RFC7234] for details on determining the | |||
| age. | response age. | |||
| For example, a response: | For example, a response: | |||
| HTTP/1.1 200 OK | HTTP/1.1 200 OK | |||
| Content-Type: text/html | Content-Type: text/html | |||
| Cache-Control: max-age=600 | Cache-Control: max-age=600 | |||
| Age: 30 | Age: 30 | |||
| Alt-Svc: h2=":8000"; ma=60 | Alt-Svc: h2=":8000"; ma=60 | |||
| indicates that an alternative service is available and usable for the | indicates that an alternative service is available and usable for the | |||
| next 60 seconds. However, the response has already been cached for | next 60 seconds. However, the response has already been cached for | |||
| 30 seconds (as per the Age header field value), so therefore the | 30 seconds (as per the Age header field value); therefore, the | |||
| alternative service is only fresh for the 30 seconds from when this | alternative service is only fresh for the 30 seconds from when this | |||
| response was received, minus estimated transit time. | response was received, minus estimated transit time. | |||
| Note that the freshness lifetime for HTTP caching (here, 600 seconds) | Note that the freshness lifetime for HTTP caching (here, 600 seconds) | |||
| does not affect caching of Alt-Svc values. | does not affect caching of Alt-Svc values. | |||
| When an Alt-Svc response header field is received from an origin, its | When an Alt-Svc response header field is received from an origin, its | |||
| value invalidates and replaces all cached alternative services for | value invalidates and replaces all cached alternative services for | |||
| that origin. | that origin. | |||
| By default, cached alternative services will be cleared when the | By default, cached alternative services will be cleared when the | |||
| client detects a network change. Alternative services that are | client detects a network change. Alternative services that are | |||
| intended to be longer-lived (such as those that are not specific to | intended to be longer lived (such as those that are not specific to | |||
| the client access network) can carry the "persist" parameter with a | the client access network) can carry the "persist" parameter with a | |||
| value "1" as a hint that the service is potentially useful beyond a | value "1" as a hint that the service is potentially useful beyond a | |||
| network configuration change. | network configuration change. | |||
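As an added example (not code from the draft or from any implementation it describes), the following Python implements the Alt-Svc field-value syntax of Section 3 and the caching rules of Section 3.1: comma-separated alt-values in server-preference order, quoted-string alt-authorities, the 24-hour default lifetime, "ma" counted from response generation (so the Age the response carried is subtracted), a fresh Alt-Svc value replacing everything cached for the origin, "clear" emptying the cache, and "persist=1" surviving a network change. It also spells out which connection parameters are taken from the alternative and which stay with the origin (Sections 2, 2.1 and 2.3). The percent-encoding of the protocol-id is the rule of the published RFC 7838; `AltService`, `AltSvcCache` and the other names are this example's own.

```python
"""Alt-Svc parsing, freshness and per-origin caching (added example; not the draft's code)."""
import re
from dataclasses import dataclass
from urllib.parse import unquote


@dataclass
class AltService:
    protocol: str           # ALPN protocol name, e.g. "h2"
    host: "str | None"      # None: same host as the origin (alt-authority ":443")
    port: int
    max_age: int = 24 * 3600   # fresh for 24 hours unless "ma" says otherwise
    persist: bool = False


def _split_outside_quotes(text: str, sep: str) -> list:
    """Split on sep, ignoring separators inside quoted-strings; quoted-pairs are honoured."""
    parts, buf, in_quotes, escaped = [], [], False, False
    for ch in text:
        if escaped or (in_quotes and ch == "\\"):
            escaped = not escaped
        elif ch == '"':
            in_quotes = not in_quotes
        elif ch == sep and not in_quotes:
            parts.append("".join(buf))
            buf = []
            continue
        buf.append(ch)
    parts.append("".join(buf))
    return [p.strip() for p in parts if p.strip()]


def _unquote_string(s: str) -> str:
    """quoted-string (RFC 7230, Section 3.2.6): strip the quotes and resolve quoted-pairs."""
    return re.sub(r"\\(.)", r"\1", s[1:-1]) if len(s) >= 2 and s[0] == s[-1] == '"' else s


def parse_alt_svc(value: str) -> list:
    """Return AltService objects in server-preference order; "clear" gives []. Malformed input
    raises ValueError (a client then ignores the field); unknown parameters are skipped."""
    if value.strip() == "clear":
        return []
    services = []
    for alt_value in _split_outside_quotes(value, ","):
        alternative, *params = _split_outside_quotes(alt_value, ";")
        protocol_id, eq, authority = (p.strip() for p in alternative.partition("="))
        if not eq or not re.fullmatch(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+", protocol_id):  # RFC 7230 token
            raise ValueError(f"bad alternative: {alternative!r}")
        host, colon, port = _unquote_string(authority).rpartition(":")
        if not colon or not (port.isascii() and port.isdigit()) or int(port) > 65535:
            raise ValueError(f"bad alt-authority: {authority!r}")
        # protocol-id is the percent-encoded ALPN name (RFC 7838, Section 3), hence unquote()
        svc = AltService(unquote(protocol_id), host or None, int(port))
        for param in params:
            name, eq, pval = (p.strip() for p in param.partition("="))
            if not eq:
                raise ValueError(f"bad parameter: {param!r}")
            name, pval = name.lower(), _unquote_string(pval)
            if name == "ma" and pval.isascii() and pval.isdigit():
                svc.max_age = int(pval)
            elif name == "persist" and pval == "1":
                svc.persist = True
        services.append(svc)
    return services


def freshness_remaining(svc: AltService, response_age: int, received_at: float, now: float) -> float:
    """Seconds left: "ma" counts from response generation, so the Age the response already
    carried when received is subtracted (the page's ma=60 / Age: 30 case leaves 30 s)."""
    return svc.max_age - response_age - (now - received_at)


def connection_parameters(origin: tuple, svc: AltService) -> dict:
    """The socket goes to the alternative; TLS SNI, certificate validation and the Host header
    all stay with the origin (Sections 2, 2.1 and 2.3). origin is a (scheme, host, port) tuple."""
    scheme, origin_host, origin_port = origin
    default_port = 443 if scheme == "https" else 80
    return {"connect_host": svc.host or origin_host, "connect_port": svc.port, "alpn": [svc.protocol],
            "sni": origin_host, "verify_hostname": origin_host,
            "host_header": origin_host if origin_port == default_port else f"{origin_host}:{origin_port}"}


class AltSvcCache:
    def __init__(self):
        self._entries = {}   # origin tuple -> (services, response_age, received_at)

    def store(self, origin: tuple, field_value: str, response_age: int, received_at: float):
        """A new Alt-Svc from the origin invalidates and replaces everything cached for it."""
        self._entries[origin] = (parse_alt_svc(field_value), response_age, received_at)

    def fresh(self, origin: tuple, now: float) -> list:
        services, age, received_at = self._entries.get(origin, ([], 0, now))
        return [s for s in services if freshness_remaining(s, age, received_at, now) > 0]

    def network_changed(self):
        """Clear cached alternatives, keeping only those advertised with persist=1."""
        self._entries = {o: ([s for s in svcs if s.persist], age, at)
                         for o, (svcs, age, at) in self._entries.items()
                         if any(s.persist for s in svcs)}
```

A client would call `store()` with the Age header value and its own receipt time, and consult `fresh()` before each connection attempt. The one deliberate choice is that malformed field values raise rather than being repaired: a half-parsed alternative could point the client at a host or port the server never named, so the whole field is discarded instead.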
| Syntax: | Syntax: | |||
| persist = "1" | persist = "1" | |||
| For example: | For example: | |||
| skipping to change at page 13, line 33 ¶ | skipping to change at page 13, line 9 ¶ | |||
| +---------------------------------------------------------------+ | +---------------------------------------------------------------+ | |||
| ALTSVC Frame Payload | ALTSVC Frame Payload | |||
| The ALTSVC frame contains the following fields: | The ALTSVC frame contains the following fields: | |||
| Origin-Len: An unsigned, 16-bit integer indicating the length, in | Origin-Len: An unsigned, 16-bit integer indicating the length, in | |||
| octets, of the Origin field. | octets, of the Origin field. | |||
| Origin: An OPTIONAL sequence of characters containing the ASCII | Origin: An OPTIONAL sequence of characters containing the ASCII | |||
| serialization of an origin ([RFC6454], Section 6.2) that the | serialization of an origin ([RFC6454], Section 6.2) to which the | |||
| alternative service is applicable to. | alternative service is applicable. | |||
| Alt-Svc-Field-Value: A sequence of octets (length determined by | Alt-Svc-Field-Value: A sequence of octets (length determined by | |||
| subtracting the length of all preceding fields from the frame | subtracting the length of all preceding fields from the frame | |||
| length) containing a value identical to the Alt-Svc field value | length) containing a value identical to the Alt-Svc field value | |||
| defined in Section 3 (ABNF production "Alt-Svc"). | defined in Section 3 (ABNF production "Alt-Svc"). | |||
| The ALTSVC frame does not define any flags. | The ALTSVC frame does not define any flags. | |||
| The ALTSVC frame is intended for receipt by clients. A device acting | The ALTSVC frame is intended for receipt by clients. A device acting | |||
| as a server MUST ignore it. | as a server MUST ignore it. | |||
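Review bot: the Alt-Svc-Field-Value description ("length determined by subtracting the length of all preceding fields from the frame length") leaves undefined what a receiver does when Origin-Len exceeds the remaining frame length, which would make that subtraction negative; suggest stating that such a frame is malformed and MUST be ignored (or treated as a connection error), so implementations have an explicit bounds check to apply before reading the Origin field. It would also help to say that an absent (OPTIONAL) Origin is encoded as Origin-Len = 0, since the field list as written does not say how absence is signalled.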
| skipping to change at page 14, line 17 ¶ | skipping to change at page 13, line 41 ¶ | |||
| Receiving an ALTSVC frame is semantically equivalent to receiving an | Receiving an ALTSVC frame is semantically equivalent to receiving an | |||
| Alt-Svc header field. As a result, the ALTSVC frame causes | Alt-Svc header field. As a result, the ALTSVC frame causes | |||
| alternative services for the corresponding origin to be replaced. | alternative services for the corresponding origin to be replaced. | |||
| Note that it would be unwise to mix the use of Alt-Svc header fields | Note that it would be unwise to mix the use of Alt-Svc header fields | |||
| with the use of ALTSVC frames, as the sequence of receipt might be | with the use of ALTSVC frames, as the sequence of receipt might be | |||
| hard to predict. | hard to predict. | |||
| 5. The Alt-Used HTTP Header Field | 5. The Alt-Used HTTP Header Field | |||
| The Alt-Used header field is used in requests to indicate the | The Alt-Used header field is used in requests to identify the | |||
| identity of the alternative service in use, just as the Host header | alternative service in use, just as the Host header field | |||
| field (Section 5.4 of [RFC7230]) identifies the host and port of the | (Section 5.4 of [RFC7230]) identifies the host and port of the | |||
| origin. | origin. | |||
| Alt-Used = uri-host [ ":" port ] | Alt-Used = uri-host [ ":" port ] | |||
| Alt-Used is intended to allow alternative services to detect loops, | Alt-Used is intended to allow alternative services to detect loops, | |||
| differentiate traffic for purposes of load balancing, and generally | differentiate traffic for purposes of load balancing, and generally | |||
| to ensure that it is possible to identify the intended destination of | to ensure that it is possible to identify the intended destination of | |||
| traffic, since introducing this information after a protocol is in | traffic, since introducing this information after a protocol is in | |||
| use has proven to be problematic. | use has proven to be problematic. | |||
| When using an alternative service, clients SHOULD include an Alt-Used | When using an alternative service, clients SHOULD include an Alt-Used | |||
| header field in all requests. | header field in all requests. | |||
| For example: | For example: | |||
| GET /thing HTTP/1.1 | GET /thing HTTP/1.1 | |||
| Host: origin.example.com | Host: origin.example.com | |||
| Alt-Used: alternate.example.net | Alt-Used: alternate.example.net | |||
| 6. The 421 Misdirected Request HTTP Status Code | 6. The 421 (Misdirected Request) HTTP Status Code | |||
| The 421 (Misdirected Request) status code is defined in Section 9.1.2 | The 421 (Misdirected Request) status code is defined in Section 9.1.2 | |||
| of [RFC7540] to indicate that the current server instance is not | of [RFC7540] to indicate that the current server instance is not | |||
| authoritative for the requested resource. This can be used to | authoritative for the requested resource. This can be used to | |||
| indicate that an alternative service is not authoritative; see | indicate that an alternative service is not authoritative; see | |||
| Section 2). | Section 2). | |||
| Clients receiving 421 (Misdirected Request) from an alternative | Clients receiving 421 (Misdirected Request) from an alternative | |||
| service MUST remove the corresponding entry from its alternative | service MUST remove the corresponding entry from its alternative | |||
| service cache (see Section 2.2) for that origin. Regardless of the | service cache (see Section 2.2) for that origin. Regardless of the | |||
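Review bot: in the 421 paragraph, "indicate that an alternative service is not authoritative; see Section 2)." has a stray closing parenthesis in both columns; either write "(see Section 2)" or drop the parenthesis. Also, "Clients receiving 421 (Misdirected Request) from an alternative service MUST remove the corresponding entry from its alternative service cache" mixes plural "Clients" with singular "its"; "their" agrees with the subject.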
| skipping to change at page 15, line 13 ¶ | skipping to change at page 14, line 36 ¶ | |||
| at another alternative server, or at the origin. | at another alternative server, or at the origin. | |||
| An Alt-Svc header field in a 421 (Misdirected Request) response MUST | An Alt-Svc header field in a 421 (Misdirected Request) response MUST | |||
| be ignored. | be ignored. | |||
| 7. IANA Considerations | 7. IANA Considerations | |||
| 7.1. Header Field Registrations | 7.1. Header Field Registrations | |||
| HTTP header fields are registered within the "Message Headers" | HTTP header fields are registered within the "Message Headers" | |||
| registry maintained at | registry maintained at <https://www.iana.org/assignments/message- | |||
| <https://www.iana.org/assignments/message-headers/>. | headers/>. | |||
| This document defines the following HTTP header fields, so their | This document defines the following HTTP header fields, so their | |||
| associated registry entries shall be added according to the permanent | associated registry entries have been added according to the | |||
| registrations below (see [BCP90]): | permanent registrations below (see [BCP90]): | |||
| +-------------------+----------+----------+-----------+ | +-------------------+----------+----------+------------+ | |||
| | Header Field Name | Protocol | Status | Reference | | | Header Field Name | Protocol | Status | Reference | | |||
| +-------------------+----------+----------+-----------+ | +-------------------+----------+----------+------------+ | |||
| | Alt-Svc | http | standard | Section 3 | | | Alt-Svc | http | standard | Section 3 | | |||
| | Alt-Used | http | standard | Section 5 | | | Alt-Used | http | standard | Section 5 | | |||
| +-------------------+----------+----------+-----------+ | +-------------------+----------+----------+------------+ | |||
| The change controller is: "IETF (iesg@ietf.org) - Internet | The change controller is: "IETF (iesg@ietf.org) -- Internet | |||
| Engineering Task Force". | Engineering Task Force". | |||
| 7.2. The ALTSVC HTTP/2 Frame Type | 7.2. The ALTSVC HTTP/2 Frame Type | |||
| This document registers the ALTSVC frame type in the HTTP/2 Frame | This document registers the ALTSVC frame type in the "HTTP/2 Frame | |||
| Types registry ([RFC7540], Section 11.2). | Type" registry ([RFC7540], Section 11.2). | |||
| Frame Type: ALTSVC | Frame Type: ALTSVC | |||
| Code: 0xa | Code: 0xa | |||
| Specification: Section 4 of this document | Specification: Section 4 of this document | |||
| 7.3. Alt-Svc Parameter Registry | 7.3. Alt-Svc Parameter Registry | |||
| The HTTP Alt-Svc Parameter Registry defines the name space for | The "Hypertext Transfer Protocol (HTTP) Alt-Svc Parameter Registry" | |||
| parameters. It will be created and maintained at (the suggested URI) | defines the name space for parameters. It has been created and will | |||
| <http://www.iana.org/assignments/http-alt-svc-parameters>. | be maintained at <http://www.iana.org/assignments/http-alt-svc- | |||
| parameters>. | ||||
| 7.3.1. Procedure | 7.3.1. Procedure | |||
| A registration MUST include the following fields: | A registration MUST include the following fields: | |||
| o Parameter Name | o Parameter Name | |||
| o Pointer to specification text | o Pointer to specification text | |||
| Values to be added to this name space require Expert Review (see | Values to be added to this name space require Expert Review (see | |||
| [RFC5226], Section 4.1). | [RFC5226], Section 4.1). | |||
| 7.3.2. Registrations | 7.3.2. Registrations | |||
| The HTTP Alt-Svc Parameter Registry is to be populated with the | The "Hypertext Transfer Protocol (HTTP) Alt-Svc Parameter Registry" | |||
| registrations below: | has been populated with the registrations below: | |||
| +-------------------+-------------+ | +-------------------+--------------+ | |||
| | Alt-Svc Parameter | Reference | | | Alt-Svc Parameter | Reference | | |||
| +-------------------+-------------+ | +-------------------+--------------+ | |||
| | ma | Section 3.1 | | | ma | Section 3.1 | | |||
| | persist | Section 3.1 | | | persist | Section 3.1 | | |||
| +-------------------+-------------+ | +-------------------+--------------+ | |||
| 8. Internationalization Considerations | 8. Internationalization Considerations | |||
| An internationalized domain name that appears in either the header | An internationalized domain name that appears in either the header | |||
| field (Section 3) or the HTTP/2 frame (Section 4) MUST be expressed | field (Section 3) or the HTTP/2 frame (Section 4) MUST be expressed | |||
| using A-labels ([RFC5890], Section 2.3.2.1). | using A-labels ([RFC5890], Section 2.3.2.1). | |||
| 9. Security Considerations | 9. Security Considerations | |||
| 9.1. Changing Ports | 9.1. Changing Ports | |||
| Using an alternative service implies accessing an origin's resources | Using an alternative service implies accessing an origin's resources | |||
| on an alternative port, at a minimum. An attacker that can inject | on an alternative port, at a minimum. Therefore, an attacker that | |||
| alternative services and listen at the advertised port is therefore | can inject alternative services and listen at the advertised port is | |||
| able to hijack an origin. On certain servers, it is normal for users | able to hijack an origin. On certain servers, it is normal for users | |||
| to be able to control some personal pages available on a shared port, | to be able to control some personal pages available on a shared port | |||
| and also to accept to requests on less-privileged ports. | and also to accept requests on less-privileged ports. | |||
| For example, an attacker that can add HTTP response header fields to | For example, an attacker that can add HTTP response header fields to | |||
| some pages can redirect traffic for an entire origin to a different | some pages can redirect traffic for an entire origin to a different | |||
| port on the same host using the Alt-Svc header field; if that port is | port on the same host using the Alt-Svc header field; if that port is | |||
| under the attacker's control, they can thus masquerade as the HTTP | under the attacker's control, they can thus masquerade as the HTTP | |||
| server. | server. | |||
| This risk is mitigated by the requirements in Section 2.1. | This risk is mitigated by the requirements in Section 2.1. | |||
| On servers, this risk can also be reduced by restricting the ability | On servers, this risk can also be reduced by restricting the ability | |||
| to advertise alternative services, and restricting who can open a | to advertise alternative services, and restricting who can open a | |||
| port for listening on that host. | port for listening on that host. | |||
| 9.2. Changing Hosts | 9.2. Changing Hosts | |||
| When the host is changed due to the use of an alternative service, it | When the host is changed due to the use of an alternative service, | |||
| presents an opportunity for attackers to hijack communication to an | this presents an opportunity for attackers to hijack communication to | |||
| origin. | an origin. | |||
| For example, if an attacker can convince a user agent to send all | For example, if an attacker can convince a user agent to send all | |||
| traffic for "innocent.example.org" to "evil.example.com" by | traffic for "innocent.example.org" to "evil.example.com" by | |||
| successfully associating it as an alternative service, they can | successfully associating it as an alternative service, they can | |||
| masquerade as that origin. This can be done locally (see mitigations | masquerade as that origin. This can be done locally (see mitigations | |||
| in Section 9.1) or remotely (e.g., by an intermediary as a man-in- | in Section 9.1) or remotely (e.g., by an intermediary as a man-in- | |||
| the-middle attack). | the-middle attack). | |||
| This is the reason for the requirement in Section 2.1 that clients | This is the reason for the requirement in Section 2.1 that clients | |||
| have reasonable assurances that the alternative service is under | have reasonable assurances that the alternative service is under | |||
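Review bot: in Section 7.3 the registry URL is still "<http://www.iana.org/assignments/http-alt-svc-parameters>" in the new column, while the Message Headers URL in 7.1 and every reference below were moved to https; change it to https for consistency. Also, 7.3.1 requires a registration to include a "Pointer to specification text" but the 7.3.2 table labels that column "Reference"; using one name in both places avoids ambiguity about what the field is.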
| skipping to change at page 17, line 31 ¶ | skipping to change at page 17, line 7 ¶ | |||
| certificate for the origin proves that the alternative service is | certificate for the origin proves that the alternative service is | |||
| authorized to serve traffic for the origin. | authorized to serve traffic for the origin. | |||
| Note that this assurance is only as strong as the method used to | Note that this assurance is only as strong as the method used to | |||
| authenticate the alternative service. In particular, when TLS | authenticate the alternative service. In particular, when TLS | |||
| authentication is used to do so, there are well-known exploits to | authentication is used to do so, there are well-known exploits to | |||
| make an attacker's certificate appear as legitimate. | make an attacker's certificate appear as legitimate. | |||
| Alternative services could be used to persist such an attack. For | Alternative services could be used to persist such an attack. For | |||
| example, an intermediary could man-in-the-middle TLS-protected | example, an intermediary could man-in-the-middle TLS-protected | |||
| communication to a target, and then direct all traffic to an | communication to a target and then direct all traffic to an | |||
| alternative service with a large freshness lifetime, so that the user | alternative service with a large freshness lifetime so that the user | |||
| agent still directs traffic to the attacker even when not using the | agent still directs traffic to the attacker even when not using the | |||
| intermediary. | intermediary. | |||
| Implementations MUST perform any certificate-pinning validation (such | Implementations MUST perform any certificate-pinning validation (such | |||
| as [RFC7469]) on alternative services just as they would on direct | as [RFC7469]) on alternative services just as they would on direct | |||
| connections to the origin. Implementations might also choose to add | connections to the origin. Implementations might also choose to add | |||
| other requirements around which certificates are acceptable for | other requirements around which certificates are acceptable for | |||
| alternative services. | alternative services. | |||
| 9.3. Changing Protocols | 9.3. Changing Protocols | |||
| When the ALPN protocol is changed due to the use of an alternative | When the ALPN protocol is changed due to the use of an alternative | |||
| service, the security properties of the new connection to the origin | service, the security properties of the new connection to the origin | |||
| can be different from that of the "normal" connection to the origin, | can be different from that of the "normal" connection to the origin, | |||
| because the protocol identifier itself implies this. | because the protocol identifier itself implies this. | |||
| For example, if an "https://" URI has a protocol advertised that does | For example, if an "https://" URI has a protocol advertised that does | |||
| not use some form of end-to-end encryption (most likely, TLS), it | not use some form of end-to-end encryption (most likely, TLS), this | |||
| violates the expectations for security that the URI scheme implies. | violates the expectations for security that the URI scheme implies. | |||
| Therefore, clients cannot blindly use alternative services, but | Therefore, clients cannot use alternative services blindly, but | |||
| instead evaluate the option(s) presented to assure that security | instead evaluate the option(s) presented to ensure that security | |||
| requirements and expectations of specifications, implementations and | requirements and expectations of specifications, implementations, and | |||
| end users are met. | end users are met. | |||
| 9.4. Tracking Clients Using Alternative Services | 9.4. Tracking Clients Using Alternative Services | |||
| Choosing an alternative service implies connecting to a new, server- | Choosing an alternative service implies connecting to a new, server- | |||
| supplied host name. By using unique names, servers could conceivably | supplied host name. By using unique names, servers could conceivably | |||
| track client requests. Such tracking could follow users across | track client requests. Such tracking could follow users across | |||
| multiple networks, when the "persist" flag is used. | multiple networks, when the "persist" flag is used. | |||
| Clients that wish to prevent requests from being correlated can | Clients that wish to prevent requests from being correlated can | |||
| decide not to use alternative services for multiple requests that | decide not to use alternative services for multiple requests that | |||
| would not otherwise be allowed to be correlated. | would not otherwise be allowed to be correlated. | |||
| In a user agent, any alternative service information MUST be removed | In a user agent, any alternative service information MUST be removed | |||
| when origin-specific data is cleared (typically, when cookies | when origin-specific data is cleared (typically, when cookies | |||
| [RFC6265] are cleared). | [RFC6265] are cleared). | |||
| 9.5. Confusion Regarding Request Scheme | 9.5. Confusion regarding Request Scheme | |||
| Some server-side HTTP applications make assumptions about security | Some server-side HTTP applications make assumptions about security | |||
| based upon connection context; for example, equating being served | based upon connection context; for example, equating being served | |||
| upon port 443 with the use of an "https://" URI and the various | upon port 443 with the use of an "https://" URI and the various | |||
| security properties that implies. | security properties that implies. | |||
| This affects not only the security properties of the connection | This affects not only the security properties of the connection | |||
| itself, but also the state of the client at the other end of it; for | itself, but also the state of the client at the other end of it; for | |||
| example, a Web browser treats "https://" URIs differently than | example, a Web browser treats "https://" URIs differently than | |||
| "http://" URIs in many ways, not just for purposes of protocol | "http://" URIs in many ways, not just for purposes of protocol | |||
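Review bot: in 9.3, "clients cannot use alternative services blindly, but instead evaluate the option(s) presented" is missing a verb form after "but instead" ("but must instead evaluate" or "but instead need to evaluate"). In 9.2, "there are well-known exploits to make an attacker's certificate appear as legitimate" is vague for a security consideration that the next paragraph builds a persistence scenario on; name or cite what is meant so implementers know which failure mode the pinning requirement in the following paragraph addresses.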
| skipping to change at page 19, line 12 ¶ | skipping to change at page 18, line 37 ¶ | |||
| the case for HTTP/1.1 over TLS), servers can mitigate this risk by | the case for HTTP/1.1 over TLS), servers can mitigate this risk by | |||
| either assuming that all requests have an insecure context, or by | either assuming that all requests have an insecure context, or by | |||
| refraining from advertising alternative services for insecure schemes | refraining from advertising alternative services for insecure schemes | |||
| (for example, HTTP). | (for example, HTTP). | |||
| 10. References | 10. References | |||
| 10.1. Normative References | 10.1. Normative References | |||
| [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | |||
| Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/ | Requirement Levels", BCP 14, RFC 2119, | |||
| RFC2119, March 1997, | DOI 10.17487/RFC2119, March 1997, | |||
| <http://www.rfc-editor.org/info/rfc2119>. | <https://www.rfc-editor.org/info/rfc2119>. | |||
| [RFC2818] Rescorla, E., "HTTP Over TLS", RFC 2818, DOI 10.17487/ | [RFC2818] Rescorla, E., "HTTP Over TLS", RFC 2818, | |||
| RFC2818, May 2000, | DOI 10.17487/RFC2818, May 2000, | |||
| <http://www.rfc-editor.org/info/rfc2818>. | <https://www.rfc-editor.org/info/rfc2818>. | |||
| [RFC3986] Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform | [RFC3986] Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform | |||
| Resource Identifier (URI): Generic Syntax", STD 66, | Resource Identifier (URI): Generic Syntax", STD 66, | |||
| RFC 3986, DOI 10.17487/RFC3986, January 2005, | RFC 3986, DOI 10.17487/RFC3986, January 2005, | |||
| <http://www.rfc-editor.org/info/rfc3986>. | <https://www.rfc-editor.org/info/rfc3986>. | |||
| [RFC5226] Narten, T. and H. Alvestrand, "Guidelines for Writing an | [RFC5226] Narten, T. and H. Alvestrand, "Guidelines for Writing an | |||
| IANA Considerations Section in RFCs", BCP 26, RFC 5226, | IANA Considerations Section in RFCs", BCP 26, RFC 5226, | |||
| DOI 10.17487/RFC5226, May 2008, | DOI 10.17487/RFC5226, May 2008, | |||
| <http://www.rfc-editor.org/info/rfc5226>. | <https://www.rfc-editor.org/info/rfc5226>. | |||
| [RFC5234] Crocker, D., Ed. and P. Overell, "Augmented BNF for Syntax | [RFC5234] Crocker, D., Ed. and P. Overell, "Augmented BNF for Syntax | |||
| Specifications: ABNF", STD 68, RFC 5234, DOI 10.17487/ | Specifications: ABNF", STD 68, RFC 5234, | |||
| RFC5234, January 2008, | DOI 10.17487/RFC5234, January 2008, | |||
| <http://www.rfc-editor.org/info/rfc5234>. | <https://www.rfc-editor.org/info/rfc5234>. | |||
| [RFC5890] Klensin, J., "Internationalized Domain Names for | [RFC5890] Klensin, J., "Internationalized Domain Names for | |||
| Applications (IDNA): Definitions and Document Framework", | Applications (IDNA): Definitions and Document Framework", | |||
| RFC 5890, DOI 10.17487/RFC5890, August 2010, | RFC 5890, DOI 10.17487/RFC5890, August 2010, | |||
| <http://www.rfc-editor.org/info/rfc5890>. | <https://www.rfc-editor.org/info/rfc5890>. | |||
| [RFC6066] Eastlake, D., "Transport Layer Security (TLS) Extensions: | [RFC6066] Eastlake, D., "Transport Layer Security (TLS) Extensions: | |||
| Extension Definitions", RFC 6066, DOI 10.17487/RFC6066, | Extension Definitions", RFC 6066, DOI 10.17487/RFC6066, | |||
| January 2011, <http://www.rfc-editor.org/info/rfc6066>. | January 2011, <https://www.rfc-editor.org/info/rfc6066>. | |||
| [RFC6454] Barth, A., "The Web Origin Concept", RFC 6454, | [RFC6454] Barth, A., "The Web Origin Concept", RFC 6454, | |||
| DOI 10.17487/RFC6454, December 2011, | DOI 10.17487/RFC6454, December 2011, | |||
| <http://www.rfc-editor.org/info/rfc6454>. | <https://www.rfc-editor.org/info/rfc6454>. | |||
| [RFC7230] Fielding, R., Ed. and J. Reschke, Ed., "Hypertext Transfer | [RFC7230] Fielding, R., Ed. and J. Reschke, Ed., "Hypertext Transfer | |||
| Protocol (HTTP/1.1): Message Syntax and Routing", | Protocol (HTTP/1.1): Message Syntax and Routing", | |||
| RFC 7230, DOI 10.17487/RFC7230, June 2014, | RFC 7230, DOI 10.17487/RFC7230, June 2014, | |||
| <http://www.rfc-editor.org/info/rfc7230>. | <https://www.rfc-editor.org/info/rfc7230>. | |||
| [RFC7234] Fielding, R., Ed., Nottingham, M., Ed., and J. Reschke, | [RFC7234] Fielding, R., Ed., Nottingham, M., Ed., and J. Reschke, | |||
| Ed., "Hypertext Transfer Protocol (HTTP/1.1): Caching", | Ed., "Hypertext Transfer Protocol (HTTP/1.1): Caching", | |||
| RFC 7234, DOI 10.17487/RFC7234, June 2014, | RFC 7234, DOI 10.17487/RFC7234, June 2014, | |||
| <http://www.rfc-editor.org/info/rfc7234>. | <https://www.rfc-editor.org/info/rfc7234>. | |||
| [RFC7301] Friedl, S., Popov, A., Langley, A., and S. Emile, | [RFC7301] Friedl, S., Popov, A., Langley, A., and S. Emile, | |||
| "Transport Layer Security (TLS) Application-Layer Protocol | "Transport Layer Security (TLS) Application-Layer Protocol | |||
| Negotiation Extension", RFC 7301, DOI 10.17487/RFC7301, | Negotiation Extension", RFC 7301, DOI 10.17487/RFC7301, | |||
| July 2014, <http://www.rfc-editor.org/info/rfc7301>. | July 2014, <https://www.rfc-editor.org/info/rfc7301>. | |||
| [RFC7405] Kyzivat, P., "Case-Sensitive String Support in ABNF", | [RFC7405] Kyzivat, P., "Case-Sensitive String Support in ABNF", | |||
| RFC 7405, DOI 10.17487/RFC7405, December 2014, | RFC 7405, DOI 10.17487/RFC7405, December 2014, | |||
| <http://www.rfc-editor.org/info/rfc7405>. | <https://www.rfc-editor.org/info/rfc7405>. | |||
| [RFC7540] Belshe, M., Peon, R., and M. Thomson, Ed., "Hypertext | [RFC7540] Belshe, M., Peon, R., and M. Thomson, Ed., "Hypertext | |||
| Transfer Protocol version 2", RFC 7540, DOI 10.17487/ | Transfer Protocol version 2", RFC 7540, | |||
| RFC7540, May 2015, | DOI 10.17487/RFC7540, May 2015, | |||
| <http://www.rfc-editor.org/info/rfc7540>. | <https://www.rfc-editor.org/info/rfc7540>. | |||
| 10.2. Informative References | 10.2. Informative References | |||
| [BCP90] Klyne, G., Nottingham, M., and J. Mogul, "Registration | [BCP90] Klyne, G., Nottingham, M., and J. Mogul, "Registration | |||
| Procedures for Message Header Fields", BCP 90, RFC 3864, | Procedures for Message Header Fields", BCP 90, RFC 3864, | |||
| September 2004, <http://www.rfc-editor.org/info/bcp90>. | September 2004, <https://www.rfc-editor.org/info/bcp90>. | |||
| [RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security | [RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security | |||
| (TLS) Protocol Version 1.2", RFC 5246, DOI 10.17487/ | (TLS) Protocol Version 1.2", RFC 5246, | |||
| RFC5246, August 2008, | DOI 10.17487/RFC5246, August 2008, | |||
| <http://www.rfc-editor.org/info/rfc5246>. | <https://www.rfc-editor.org/info/rfc5246>. | |||
| [RFC6265] Barth, A., "HTTP State Management Mechanism", RFC 6265, | [RFC6265] Barth, A., "HTTP State Management Mechanism", RFC 6265, | |||
| DOI 10.17487/RFC6265, April 2011, | DOI 10.17487/RFC6265, April 2011, | |||
| <http://www.rfc-editor.org/info/rfc6265>. | <https://www.rfc-editor.org/info/rfc6265>. | |||
| [RFC7469] Evans, C., Palmer, C., and R. Sleevi, "Public Key Pinning | [RFC7469] Evans, C., Palmer, C., and R. Sleevi, "Public Key Pinning | |||
| Extension for HTTP", RFC 7469, DOI 10.17487/RFC7469, | Extension for HTTP", RFC 7469, DOI 10.17487/RFC7469, April | |||
| April 2015, <http://www.rfc-editor.org/info/rfc7469>. | 2015, <https://www.rfc-editor.org/info/rfc7469>. | |||
| Appendix A. Change Log (to be removed by RFC Editor before publication) | Appendix A. Change Log (to be removed by RFC Editor before publication) | |||
| A.1. Since draft-nottingham-httpbis-alt-svc-05 | A.1. Since draft-nottingham-httpbis-alt-svc-05 | |||
| This is the first version after adoption of | This is the first version after adoption of draft-nottingham-httpbis- | |||
| draft-nottingham-httpbis-alt-svc-05 as Working Group work item. It | alt-svc-05 as Working Group work item. It only contains editorial | |||
| only contains editorial changes. | changes. | |||
| A.2. Since draft-ietf-httpbis-alt-svc-00 | A.2. Since draft-ietf-httpbis-alt-svc-00 | |||
| Selected 421 as proposed status code for "Not Authoritative". | Selected 421 as proposed status code for "Not Authoritative". | |||
| Changed header field syntax to use percent-encoding of ALPN protocol | Changed header field syntax to use percent-encoding of ALPN protocol | |||
| names (<https://github.com/http2/http2-spec/issues/446>). | names (<https://github.com/http2/http2-spec/issues/446>). | |||
| A.3. Since draft-ietf-httpbis-alt-svc-01 | A.3. Since draft-ietf-httpbis-alt-svc-01 | |||
| Updated HTTP/1.1 references. | Updated HTTP/1.1 references. | |||
| Renamed "Service" to "Alt-Svc-Used" and reduced information to a flag | Renamed "Service" to "Alt-Svc-Used" and reduced information to a flag | |||
| to address fingerprinting concerns | to address fingerprinting concerns (<https://github.com/http2/http2- | |||
| (<https://github.com/http2/http2-spec/issues/502>). | spec/issues/502>). | |||
| Note that ALTSVC frame is preferred to Alt-Svc header field | Note that ALTSVC frame is preferred to Alt-Svc header field | |||
| (<https://github.com/http2/http2-spec/pull/503>). | (<https://github.com/http2/http2-spec/pull/503>). | |||
| Incorporate ALTSRV frame | Incorporate ALTSRV frame (<https://github.com/http2/http2-spec/ | |||
| (<https://github.com/http2/http2-spec/pull/507>). | pull/507>). | |||
| Moved definition of status code 421 to HTTP/2. | Moved definition of status code 421 to HTTP/2. | |||
| Partly resolved <https://github.com/httpwg/http-extensions/issues/5>. | Partly resolved <https://github.com/httpwg/http-extensions/issues/5>. | |||
| A.4. Since draft-ietf-httpbis-alt-svc-02 | A.4. Since draft-ietf-httpbis-alt-svc-02 | |||
| Updated ALPN reference. | Updated ALPN reference. | |||
| Resolved <https://github.com/httpwg/http-extensions/issues/2>. | Resolved <https://github.com/httpwg/http-extensions/issues/2>. | |||
| A.5. Since draft-ietf-httpbis-alt-svc-03 | A.5. Since draft-ietf-httpbis-alt-svc-03 | |||
| Renamed "Alt-Svc-Used" to "Alt-Used" | Renamed "Alt-Svc-Used" to "Alt-Used" (<https://github.com/httpwg/ | |||
| (<https://github.com/httpwg/http-extensions/issues/17>). | http-extensions/issues/17>). | |||
| Clarify ALTSVC Origin information requirements | Clarify ALTSVC Origin information requirements | |||
| (<https://github.com/httpwg/http-extensions/issues/19>). | (<https://github.com/httpwg/http-extensions/issues/19>). | |||
| Remove/tune language with respect to tracking risks (see | Remove/tune language with respect to tracking risks (see | |||
| <https://github.com/httpwg/http-extensions/issues/34>). | <https://github.com/httpwg/http-extensions/issues/34>). | |||
| A.6. Since draft-ietf-httpbis-alt-svc-04 | A.6. Since draft-ietf-httpbis-alt-svc-04 | |||
| Mention tracking by alt-svc host name in Security Considerations | Mention tracking by alt-svc host name in Security Considerations | |||
| (<https://github.com/httpwg/http-extensions/issues/36>). | (<https://github.com/httpwg/http-extensions/issues/36>). | |||
| "421 (Not Authoritative)" -> "421 (Misdirected Request)". | "421 (Not Authoritative)" -> "421 (Misdirected Request)". | |||
| Allow the frame to carry multiple indicator and use the same payload | Allow the frame to carry multiple indicator and use the same payload | |||
| formats for both | formats for both (<https://github.com/httpwg/http-extensions/ | |||
| (<https://github.com/httpwg/http-extensions/issues/37>). | issues/37>). | |||
| A.7. Since draft-ietf-httpbis-alt-svc-05 | A.7. Since draft-ietf-httpbis-alt-svc-05 | |||
| Go back to specifying the origin in Alt-Used, but make it a "SHOULD" | Go back to specifying the origin in Alt-Used, but make it a "SHOULD" | |||
| (<https://github.com/httpwg/http-extensions/issues/34>). | (<https://github.com/httpwg/http-extensions/issues/34>). | |||
| Restore Origin field in ALT-SVC frame | Restore Origin field in ALT-SVC frame (<https://github.com/httpwg/ | |||
| (<https://github.com/httpwg/http-extensions/issues/38>). | http-extensions/issues/38>). | |||
| A.8. Since draft-ietf-httpbis-alt-svc-06 | A.8. Since draft-ietf-httpbis-alt-svc-06 | |||
| Disallow use of alternative services when the protocol might not | Disallow use of alternative services when the protocol might not | |||
| carry the scheme | carry the scheme (<https://github.com/httpwg/http-extensions/ | |||
| (<https://github.com/httpwg/http-extensions/issues/12>). | issues/12>). | |||
| Align opp-sec and alt-svc | Align opp-sec and alt-svc (<https://github.com/httpwg/http- | |||
| (<https://github.com/httpwg/http-extensions/issues/33>). | extensions/issues/33>). | |||
| alt svc frame on pushed (even and non-0) frame | alt svc frame on pushed (even and non-0) frame | |||
| (<https://github.com/httpwg/http-extensions/issues/44>). | (<https://github.com/httpwg/http-extensions/issues/44>). | |||
| "browser" -> "user agent" | "browser" -> "user agent" (<https://github.com/httpwg/http- | |||
| (<https://github.com/httpwg/http-extensions/pull/61>). | extensions/pull/61>). | |||
| ABNF for "parameter" | ABNF for "parameter" (<https://github.com/httpwg/http-extensions/ | |||
| (<https://github.com/httpwg/http-extensions/issues/65>). | issues/65>). | |||
| Updated HTTP/2 reference. | Updated HTTP/2 reference. | |||
| A.9. Since draft-ietf-httpbis-alt-svc-07 | A.9. Since draft-ietf-httpbis-alt-svc-07 | |||
| Alt-Svc alternative cache invalidation | Alt-Svc alternative cache invalidation (<https://github.com/httpwg/ | |||
| (<https://github.com/httpwg/http-extensions/issues/16>). | http-extensions/issues/16>). | |||
| Unexpected Alt-Svc frames | Unexpected Alt-Svc frames (<https://github.com/httpwg/http- | |||
| (<https://github.com/httpwg/http-extensions/issues/18>). | extensions/issues/18>). | |||
| Associating Alt-Svc header with an origin | Associating Alt-Svc header with an origin | |||
| (<https://github.com/httpwg/http-extensions/issues/21>). | (<https://github.com/httpwg/http-extensions/issues/21>). | |||
| ALPN identifiers in Alt-Svc | ALPN identifiers in Alt-Svc (<https://github.com/httpwg/http- | |||
| (<https://github.com/httpwg/http-extensions/issues/43>). | extensions/issues/43>). | |||
| Number of alternate services used | Number of alternate services used (<https://github.com/httpwg/http- | |||
| (<https://github.com/httpwg/http-extensions/issues/58>). | extensions/issues/58>). | |||
| Proxy and .pac interaction | Proxy and .pac interaction (<https://github.com/httpwg/http- | |||
| (<https://github.com/httpwg/http-extensions/issues/62>). | extensions/issues/62>). | |||
| Need to define extensibility for alt-svc parameters | Need to define extensibility for alt-svc parameters | |||
| (<https://github.com/httpwg/http-extensions/issues/69>). | (<https://github.com/httpwg/http-extensions/issues/69>). | |||
| Persistence of alternates across network changes | Persistence of alternates across network changes | |||
| (<https://github.com/httpwg/http-extensions/issues/71>). | (<https://github.com/httpwg/http-extensions/issues/71>). | |||
| Alt-Svc header with 421 status | Alt-Svc header with 421 status (<https://github.com/httpwg/http- | |||
| (<https://github.com/httpwg/http-extensions/issues/75>). | extensions/issues/75>). | |||
| Incorporate several editorial improvements suggested by Mike Bishop | Incorporate several editorial improvements suggested by Mike Bishop | |||
| (<https://github.com/httpwg/http-extensions/pull/77>, | (<https://github.com/httpwg/http-extensions/pull/77>, | |||
| <https://github.com/httpwg/http-extensions/pull/78>). | <https://github.com/httpwg/http-extensions/pull/78>). | |||
| Alt-Svc response header field in HTTP/2 frame | Alt-Svc response header field in HTTP/2 frame | |||
| (<https://github.com/httpwg/http-extensions/issues/87>). | (<https://github.com/httpwg/http-extensions/issues/87>). | |||
| A.10. Since draft-ietf-httpbis-alt-svc-08 | A.10. Since draft-ietf-httpbis-alt-svc-08 | |||
| Remove leftover text about ext-params, applying to an earlier | Remove leftover text about ext-params, applying to an earlier | |||
| version of Alt-Used (see | version of Alt-Used (see <https://github.com/httpwg/http-extensions/ | |||
| <https://github.com/httpwg/http-extensions/issues/34>). | issues/34>). | |||
| Conflicts between Alt-Svc and ALPN | Conflicts between Alt-Svc and ALPN (<https://github.com/httpwg/http- | |||
| (<https://github.com/httpwg/http-extensions/issues/72>). | extensions/issues/72>). | |||
| Elevation of privilege | Elevation of privilege (<https://github.com/httpwg/http-extensions/ | |||
| (<https://github.com/httpwg/http-extensions/issues/73>). | issues/73>). | |||
| Alternates of alternates | Alternates of alternates (<https://github.com/httpwg/http-extensions/ | |||
| (<https://github.com/httpwg/http-extensions/issues/74>). | issues/74>). | |||
| Alt-Svc and Cert Pinning | Alt-Svc and Cert Pinning (<https://github.com/httpwg/http-extensions/ | |||
| (<https://github.com/httpwg/http-extensions/issues/76>). | issues/76>). | |||
| Using alt-svc on localhost (no change to spec, see | Using alt-svc on localhost (no change to spec, see | |||
| <https://github.com/httpwg/http-extensions/issues/89>). | <https://github.com/httpwg/http-extensions/issues/89>). | |||
| IANA procedure for alt-svc parameters | IANA procedure for alt-svc parameters (<https://github.com/httpwg/ | |||
| (<https://github.com/httpwg/http-extensions/issues/96>). | http-extensions/issues/96>). | |||
| Alt-svc from https (1.1) to https (1.1) | Alt-svc from https (1.1) to https (1.1) (<https://github.com/httpwg/ | |||
| (<https://github.com/httpwg/http-extensions/issues/91>). | http-extensions/issues/91>). | |||
| Alt-svc vs the ability to convey the scheme inside the protocol | Alt-svc vs the ability to convey the scheme inside the protocol | |||
| (<https://github.com/httpwg/http-extensions/issues/92>). | (<https://github.com/httpwg/http-extensions/issues/92>). | |||
| Reconciling MAY/can vs. SHOULD | Reconciling MAY/can vs. SHOULD (<https://github.com/httpwg/http- | |||
| (<https://github.com/httpwg/http-extensions/issues/101>). | extensions/issues/101>). | |||
| Typo in alt-svc caching example | Typo in alt-svc caching example (<https://github.com/httpwg/http- | |||
| (<https://github.com/httpwg/http-extensions/issues/117>). | extensions/issues/117>). | |||
| A.11. Since draft-ietf-httpbis-alt-svc-09 | A.11. Since draft-ietf-httpbis-alt-svc-09 | |||
| Editorial improvements | Editorial improvements (<https://github.com/httpwg/http-extensions/ | |||
| (<https://github.com/httpwg/http-extensions/issues/118>, | issues/118>, <https://github.com/httpwg/http-extensions/issues/119>, | |||
| <https://github.com/httpwg/http-extensions/issues/119>, | ||||
| <https://github.com/httpwg/http-extensions/issues/120>, | <https://github.com/httpwg/http-extensions/issues/120>, | |||
| <https://github.com/httpwg/http-extensions/issues/121>, | <https://github.com/httpwg/http-extensions/issues/121>, | |||
| <https://github.com/httpwg/http-extensions/issues/122>, | <https://github.com/httpwg/http-extensions/issues/122>, | |||
| <https://github.com/httpwg/http-extensions/issues/123>, | <https://github.com/httpwg/http-extensions/issues/123>, | |||
| <https://github.com/httpwg/http-extensions/issues/125>, | <https://github.com/httpwg/http-extensions/issues/125>, | |||
| <https://github.com/httpwg/http-extensions/issues/126>). | <https://github.com/httpwg/http-extensions/issues/126>). | |||
| A.12. Since draft-ietf-httpbis-alt-svc-10 | A.12. Since draft-ietf-httpbis-alt-svc-10 | |||
| Editorial improvements | Editorial improvements (<https://github.com/httpwg/http-extensions/ | |||
| (<https://github.com/httpwg/http-extensions/issues/130>). | issues/130>). | |||
| Use RFC 7405 ABNF extension | Use RFC 7405 ABNF extension (<https://github.com/httpwg/http- | |||
| (<https://github.com/httpwg/http-extensions/issues/131>). | extensions/issues/131>). | |||
| A.13. Since draft-ietf-httpbis-alt-svc-11 | A.13. Since draft-ietf-httpbis-alt-svc-11 | |||
| Security considerations wrt system ports | Security considerations wrt system ports (<https://github.com/httpwg/ | |||
| (<https://github.com/httpwg/http-extensions/issues/139>). | http-extensions/issues/139>). | |||
| A.14. Since draft-ietf-httpbis-alt-svc-12 | A.14. Since draft-ietf-httpbis-alt-svc-12 | |||
| Editorial changes triggered by <https://lists.w3.org/Archives/Public/ | Editorial changes triggered by <https://lists.w3.org/Archives/Public/ | |||
| ietf-http-wg/2016JanMar/0243.html>. | ietf-http-wg/2016JanMar/0243.html>. | |||
| Reasonable Assurances and H2C | Reasonable Assurances and H2C (<https://github.com/httpwg/http- | |||
| (<https://github.com/httpwg/http-extensions/issues/148>). | extensions/issues/148>). | |||
| Appendix B. Acknowledgements | A.15. Since draft-ietf-httpbis-alt-svc-13 | |||
| Editorial improvements. Also relaxed the requirements for | ||||
| "reasonable assurances" (see <https://github.com/httpwg/http- | ||||
| extensions/issues/148>). | ||||
| A.16. Since draft-ietf-httpbis-alt-svc-14 | ||||
| Editorial changes made during RFC Editor's AUTH48 stage | ||||
| (<https://github.com/httpwg/http-extensions/issues/165>). | ||||
| Acknowledgements | ||||
| Thanks to Adam Langley, Bence Beky, Chris Lonvick, Eliot Lear, Erik | Thanks to Adam Langley, Bence Beky, Chris Lonvick, Eliot Lear, Erik | |||
| Nygren, Guy Podjarny, Herve Ruellan, Lucas Pardue, Martin Thomson, | Nygren, Guy Podjarny, Herve Ruellan, Lucas Pardue, Martin Thomson, | |||
| Matthew Kerwin, Mike Bishop, Paul Hoffman, Richard Barnes, Richard | Matthew Kerwin, Mike Bishop, Paul Hoffman, Richard Barnes, Richard | |||
| Bradbury, Stephen Farrell, Stephen Ludin, and Will Chan for their | Bradbury, Stephen Farrell, Stephen Ludin, and Will Chan for their | |||
| feedback and suggestions. | feedback and suggestions. | |||
| The Alt-Svc header field was influenced by the design of the | The Alt-Svc header field was influenced by the design of the | |||
| Alternate-Protocol header field in SPDY. | Alternate-Protocol header field in SPDY. | |||
| End of changes. 91 change blocks. | ||||
| 210 lines changed or deleted | 223 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||