| draft-ietf-httpbis-connect-tcp-08.txt | draft-ietf-httpbis-connect-tcp-latest.txt | |||
|---|---|---|---|---|
| httpbis Working Group B. Schwartz | httpbis Working Group B. Schwartz | |||
| Internet-Draft Meta Platforms, Inc. | Internet-Draft Meta Platforms, Inc. | |||
| Intended status: Standards Track June 11, 2025 | Intended status: Standards Track July 01, 2025 | |||
| Expires: December 13, 2025 | Expires: January 2, 2026 | |||
| Template-Driven HTTP CONNECT Proxying for TCP | Template-Driven HTTP CONNECT Proxying for TCP | |||
| draft-ietf-httpbis-connect-tcp-08 | draft-ietf-httpbis-connect-tcp-latest | |||
| Abstract | Abstract | |||
| TCP proxying using HTTP CONNECT has long been part of the core HTTP | TCP proxying using HTTP CONNECT has long been part of the core HTTP | |||
| specification. However, this proxying functionality has several | specification. However, this proxying functionality has several | |||
| important deficiencies in modern HTTP environments. This | important deficiencies in modern HTTP environments. This | |||
| specification defines an alternative HTTP proxy service configuration | specification defines an alternative HTTP proxy service configuration | |||
| for TCP connections. This configuration is described by a URI | for TCP connections. This configuration is described by a URI | |||
| Template, similar to the CONNECT-UDP and CONNECT-IP protocols. | Template, similar to the CONNECT-UDP and CONNECT-IP protocols. | |||
| skipping to change at page 1, line 35 ¶ | skipping to change at page 1, line 35 ¶ | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at https://datatracker.ietf.org/drafts/current/. | Drafts is at https://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on December 13, 2025. | This Internet-Draft will expire on January 2, 2026. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2025 IETF Trust and the persons identified as the | Copyright (c) 2025 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (https://trustee.ietf.org/license-info) in effect on the date of | (https://trustee.ietf.org/license-info) in effect on the date of | |||
| publication of this document. Please review these documents | publication of this document. Please review these documents | |||
| skipping to change at page 2, line 16 ¶ | skipping to change at page 2, line 16 ¶ | |||
| Table of Contents | Table of Contents | |||
| 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 | 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 | |||
| 1.1. History . . . . . . . . . . . . . . . . . . . . . . . . . 2 | 1.1. History . . . . . . . . . . . . . . . . . . . . . . . . . 2 | |||
| 1.2. Problems . . . . . . . . . . . . . . . . . . . . . . . . 3 | 1.2. Problems . . . . . . . . . . . . . . . . . . . . . . . . 3 | |||
| 1.3. Overview . . . . . . . . . . . . . . . . . . . . . . . . 3 | 1.3. Overview . . . . . . . . . . . . . . . . . . . . . . . . 3 | |||
| 2. Conventions and Definitions . . . . . . . . . . . . . . . . . 3 | 2. Conventions and Definitions . . . . . . . . . . . . . . . . . 3 | |||
| 3. Specification . . . . . . . . . . . . . . . . . . . . . . . . 4 | 3. Specification . . . . . . . . . . . . . . . . . . . . . . . . 4 | |||
| 3.1. In HTTP/1.1 . . . . . . . . . . . . . . . . . . . . . . . 4 | 3.1. In HTTP/1.1 . . . . . . . . . . . . . . . . . . . . . . . 4 | |||
| 3.2. In HTTP/2 and HTTP/3 . . . . . . . . . . . . . . . . . . 5 | 3.2. In HTTP/2 and HTTP/3 . . . . . . . . . . . . . . . . . . 6 | |||
| 3.3. Use of Other Relevant Headers . . . . . . . . . . . . . . 6 | 3.3. Use of Other Relevant Headers . . . . . . . . . . . . . . 6 | |||
| 3.3.1. Origin-scoped Headers . . . . . . . . . . . . . . . . 6 | 3.3.1. Origin-scoped Headers . . . . . . . . . . . . . . . . 6 | |||
| 3.3.2. Authentication Headers . . . . . . . . . . . . . . . 7 | 3.3.2. Authentication Headers . . . . . . . . . . . . . . . 7 | |||
| 3.4. Closing Connections . . . . . . . . . . . . . . . . . . . 7 | 3.4. Closing Connections . . . . . . . . . . . . . . . . . . . 7 | |||
| 4. Additional Connection Setup Behaviors . . . . . . . . . . . . 9 | 4. Additional Connection Setup Behaviors . . . . . . . . . . . . 9 | |||
| 4.1. Latency optimizations . . . . . . . . . . . . . . . . . . 9 | 4.1. Latency optimizations . . . . . . . . . . . . . . . . . . 9 | |||
| 4.2. Conveying metadata . . . . . . . . . . . . . . . . . . . 9 | 4.2. Conveying metadata . . . . . . . . . . . . . . . . . . . 10 | |||
| 5. Applicability . . . . . . . . . . . . . . . . . . . . . . . . 10 | 5. Applicability . . . . . . . . . . . . . . . . . . . . . . . . 10 | |||
| 5.1. Servers . . . . . . . . . . . . . . . . . . . . . . . . . 10 | 5.1. Servers . . . . . . . . . . . . . . . . . . . . . . . . . 10 | |||
| 5.2. Clients . . . . . . . . . . . . . . . . . . . . . . . . . 10 | 5.2. Clients . . . . . . . . . . . . . . . . . . . . . . . . . 10 | |||
| 6. Security Considerations . . . . . . . . . . . . . . . . . . . 11 | 6. Security Considerations . . . . . . . . . . . . . . . . . . . 11 | |||
| 6.1. Resource Exhaustion attacks . . . . . . . . . . . . . . . 11 | 6.1. Resource Exhaustion attacks . . . . . . . . . . . . . . . 11 | |||
| 7. Operational Considerations . . . . . . . . . . . . . . . . . 12 | 7. Operational Considerations . . . . . . . . . . . . . . . . . 12 | |||
| 7.1. Avoiding HTTP/1.1 . . . . . . . . . . . . . . . . . . . . 12 | 7.1. Avoiding HTTP/1.1 . . . . . . . . . . . . . . . . . . . . 12 | |||
| 7.2. Gateway Compatibility . . . . . . . . . . . . . . . . . . 13 | 7.2. Gateway Compatibility . . . . . . . . . . . . . . . . . . 13 | |||
| 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 13 | 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 13 | |||
| 8.1. New Upgrade Token . . . . . . . . . . . . . . . . . . . . 13 | 8.1. New Upgrade Token . . . . . . . . . . . . . . . . . . . . 13 | |||
| 8.2. New MASQUE Default Template . . . . . . . . . . . . . . . 13 | 8.2. New MASQUE Default Template . . . . . . . . . . . . . . . 14 | |||
| 8.3. New Capsule Type . . . . . . . . . . . . . . . . . . . . 14 | 8.3. New Capsule Type . . . . . . . . . . . . . . . . . . . . 14 | |||
| 9. References . . . . . . . . . . . . . . . . . . . . . . . . . 14 | 9. References . . . . . . . . . . . . . . . . . . . . . . . . . 14 | |||
| 9.1. Normative References . . . . . . . . . . . . . . . . . . 14 | 9.1. Normative References . . . . . . . . . . . . . . . . . . 14 | |||
| 9.2. Informative References . . . . . . . . . . . . . . . . . 15 | 9.2. Informative References . . . . . . . . . . . . . . . . . 16 | |||
| Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . 17 | Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . 17 | |||
| Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 17 | Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 17 | |||
| 1. Introduction | 1. Introduction | |||
| 1.1. History | 1.1. History | |||
| HTTP has used the CONNECT method for proxying TCP connections since | HTTP has used the CONNECT method for proxying TCP connections since | |||
| HTTP/1.1. When using CONNECT, the request target specifies a host | HTTP/1.1. When using CONNECT, the request target specifies a host | |||
| and port number, and the proxy forwards TCP payloads between the | and port number, and the proxy forwards TCP payloads between the | |||
| skipping to change at page 5, line 8 ¶ | skipping to change at page 5, line 8 ¶ | |||
| o The request SHALL include a single "Host" header field containing | o The request SHALL include a single "Host" header field containing | |||
| the origin of the proxy. | the origin of the proxy. | |||
| o The request SHALL include a "Connection" header field with the | o The request SHALL include a "Connection" header field with the | |||
| value "Upgrade". (Note that this requirement is case-insensitive | value "Upgrade". (Note that this requirement is case-insensitive | |||
| as per Section 7.6.1 of [RFC9110].) | as per Section 7.6.1 of [RFC9110].) | |||
| o The request SHALL include an "Upgrade" header field with the value | o The request SHALL include an "Upgrade" header field with the value | |||
| "connect-tcp". | "connect-tcp". | |||
| o The request SHOULD include a "Capsule-Protocol: ?1" header. | o The request SHOULD include a "Capsule-Protocol: ?1" header (as | |||
| recommended in [RFC9297], Section 3.4). | ||||
| If the request is well-formed and permissible, the proxy MUST attempt | If the request is well-formed and permissible, the proxy MUST attempt | |||
| to establish the TCP connection before sending any response status | to establish the TCP connection before sending any response status | |||
| code other than "100 (Continue)" (see Section 4.2). If the TCP | code other than "100 (Continue)" (see Section 4.2). If the TCP | |||
| connection is successful, the response SHALL be as follows: | connection is successful, the response SHALL be as follows: | |||
| o The HTTP status code SHALL be "101 (Switching Protocols)". | o The HTTP status code SHALL be "101 (Switching Protocols)". | |||
| o The response SHALL include a "Connection" header field with the | o The response SHALL include a "Connection" header field with the | |||
| value "Upgrade". | value "Upgrade". | |||
| o The response SHALL include a single "Upgrade" header field with | o The response SHALL include a single "Upgrade" header field with | |||
| the value "connect-tcp". | the value "connect-tcp". | |||
| o The response SHOULD include a "Capsule-Protocol: ?1" header. | o The response SHOULD include a "Capsule-Protocol: ?1" header (as | |||
| above). | ||||
| If the request is malformed or impermissible, the proxy MUST return a | If the request is malformed or impermissible, the proxy MUST return a | |||
| 4XX error code. If a TCP connection was not established, the proxy | 4XX error code. If a TCP connection was not established, the proxy | |||
| MUST NOT switch protocols to "connect-tcp", and the client MAY reuse | MUST NOT switch protocols to "connect-tcp", and the client MAY reuse | |||
| this connection for additional HTTP requests. | this connection for additional HTTP requests. | |||
| Client Proxy | Client Proxy | |||
| GET /proxy?target_host=192.0.2.1&target_port=443 HTTP/1.1 | GET /proxy?target_host=192.0.2.1&target_port=443 HTTP/1.1 | |||
| Host: example.com | Host: example.com | |||
| skipping to change at page 6, line 21 ¶ | skipping to change at page 6, line 28 ¶ | |||
| o The :path and :scheme pseudo-header fields SHALL contain the path | o The :path and :scheme pseudo-header fields SHALL contain the path | |||
| and scheme of the request URI derived from the proxy's URI | and scheme of the request URI derived from the proxy's URI | |||
| Template. | Template. | |||
| A templated TCP proxying request that does not conform to all of | A templated TCP proxying request that does not conform to all of | |||
| these requirements represents a client error (see [RFC9110], | these requirements represents a client error (see [RFC9110], | |||
| Section 15.5) and may be malformed (see Section 8.1.1 of [RFC9113] | Section 15.5) and may be malformed (see Section 8.1.1 of [RFC9113] | |||
| and Section 4.1.2 of [RFC9114]). | and Section 4.1.2 of [RFC9114]). | |||
| Additionally the "capsule-protocol" header field SHOULD be present | ||||
| with a value of "?1" (as recommended in [RFC9297], Section 3.4). | ||||
| HEADERS | HEADERS | |||
| :method = CONNECT | :method = CONNECT | |||
| :scheme = https | :scheme = https | |||
| :authority = request-proxy.example | :authority = request-proxy.example | |||
| :path = /proxy?target_host=2001%3Adb8%3A%3A1&target_port=443 | :path = /proxy?target_host=2001%3Adb8%3A%3A1&target_port=443 | |||
| :protocol = connect-tcp | :protocol = connect-tcp | |||
| capsule-protocol = ?1 | capsule-protocol = ?1 | |||
| ... | ... | |||
| Templated TCP proxy example in HTTP/2 | Templated TCP proxy example in HTTP/2 | |||
| skipping to change at page 15, line 42 ¶ | skipping to change at page 16, line 5 ¶ | |||
| June 2022, <https://www.rfc-editor.org/info/rfc9114>. | June 2022, <https://www.rfc-editor.org/info/rfc9114>. | |||
| [RFC9209] Nottingham, M. and P. Sikora, "The Proxy-Status HTTP | [RFC9209] Nottingham, M. and P. Sikora, "The Proxy-Status HTTP | |||
| Response Header Field", RFC 9209, DOI 10.17487/RFC9209, | Response Header Field", RFC 9209, DOI 10.17487/RFC9209, | |||
| June 2022, <https://www.rfc-editor.org/info/rfc9209>. | June 2022, <https://www.rfc-editor.org/info/rfc9209>. | |||
| [RFC9220] Hamilton, R., "Bootstrapping WebSockets with HTTP/3", | [RFC9220] Hamilton, R., "Bootstrapping WebSockets with HTTP/3", | |||
| RFC 9220, DOI 10.17487/RFC9220, June 2022, | RFC 9220, DOI 10.17487/RFC9220, June 2022, | |||
| <https://www.rfc-editor.org/info/rfc9220>. | <https://www.rfc-editor.org/info/rfc9220>. | |||
| [RFC9297] Schinazi, D. and L. Pardue, "HTTP Datagrams and the | ||||
| Capsule Protocol", RFC 9297, DOI 10.17487/RFC9297, August | ||||
| 2022, <https://www.rfc-editor.org/info/rfc9297>. | ||||
| [RFC9298] Schinazi, D., "Proxying UDP in HTTP", RFC 9298, | [RFC9298] Schinazi, D., "Proxying UDP in HTTP", RFC 9298, | |||
| DOI 10.17487/RFC9298, August 2022, | DOI 10.17487/RFC9298, August 2022, | |||
| <https://www.rfc-editor.org/info/rfc9298>. | <https://www.rfc-editor.org/info/rfc9298>. | |||
| 9.2. Informative References | 9.2. Informative References | |||
| [CAPABILITY] | [CAPABILITY] | |||
| "Good Practices for Capability URLs", February 2014, | "Good Practices for Capability URLs", February 2014, | |||
| <https://www.w3.org/TR/capability-urls/>. | <https://www.w3.org/TR/capability-urls/>. | |||
| skipping to change at page 17, line 5 ¶ | skipping to change at page 17, line 17 ¶ | |||
| 2015, <https://www.rfc-editor.org/info/rfc7469>. | 2015, <https://www.rfc-editor.org/info/rfc7469>. | |||
| [RFC7838] Nottingham, M., McManus, P., and J. Reschke, "HTTP | [RFC7838] Nottingham, M., McManus, P., and J. Reschke, "HTTP | |||
| Alternative Services", RFC 7838, DOI 10.17487/RFC7838, | Alternative Services", RFC 7838, DOI 10.17487/RFC7838, | |||
| April 2016, <https://www.rfc-editor.org/info/rfc7838>. | April 2016, <https://www.rfc-editor.org/info/rfc7838>. | |||
| [RFC8942] Grigorik, I. and Y. Weiss, "HTTP Client Hints", RFC 8942, | [RFC8942] Grigorik, I. and Y. Weiss, "HTTP Client Hints", RFC 8942, | |||
| DOI 10.17487/RFC8942, February 2021, | DOI 10.17487/RFC8942, February 2021, | |||
| <https://www.rfc-editor.org/info/rfc8942>. | <https://www.rfc-editor.org/info/rfc8942>. | |||
| [RFC9297] Schinazi, D. and L. Pardue, "HTTP Datagrams and the | ||||
| Capsule Protocol", RFC 9297, DOI 10.17487/RFC9297, August | ||||
| 2022, <https://www.rfc-editor.org/info/rfc9297>. | ||||
| Acknowledgments | Acknowledgments | |||
| Thanks to Amos Jeffries, Tommy Pauly, Kyle Nekritz, David Schinazi, | Thanks to Amos Jeffries, Tommy Pauly, Kyle Nekritz, David Schinazi, | |||
| and Kazuho Oku for close review and suggested changes. | and Kazuho Oku for close review and suggested changes. | |||
| Author's Address | Author's Address | |||
| Benjamin M. Schwartz | Benjamin M. Schwartz | |||
| Meta Platforms, Inc. | Meta Platforms, Inc. | |||
| End of changes. 12 change blocks. | ||||
| 14 lines changed or deleted | 19 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||