Skip to main content

The Tunnel-Protocol HTTP Request Header Field
draft-ietf-httpbis-tunnel-protocol-01

The information below is for an old version of the document.
Document Type
This is an older version of an Internet-Draft that was ultimately published as RFC 7639.
Authors Andrew Hutton , Justin Uberti , Martin Thomson
Last updated 2015-02-10 (Latest revision 2015-01-19)
Replaces draft-hutton-httpbis-connect-protocol
RFC stream Internet Engineering Task Force (IETF)
Formats
Reviews
Additional resources Mailing list discussion
Stream WG state WG Document
Document shepherd Mark Nottingham
IESG IESG state Became RFC 7639 (Proposed Standard)
Consensus boilerplate Unknown
Telechat date (None)
Responsible AD (None)
Send notices to "Mark Nottingham" <mnot@mnot.net>
draft-ietf-httpbis-tunnel-protocol-01
HTTPbis Working Group                                          A. Hutton
Internet-Draft                                                     Unify
Intended status: Standards Track                               J. Uberti
Expires: July 23, 2015                                            Google
                                                              M. Thomson
                                                                 Mozilla
                                                        January 19, 2015

             The Tunnel-Protocol HTTP Request Header Field
                 draft-ietf-httpbis-tunnel-protocol-01

Abstract

   This specification allows HTTP CONNECT requests to indicate what
   protocol will be used within the tunnel once established, using the
   Tunnel-Protocol request header field.

Editorial Note (To be removed by RFC Editor)

   Discussion of this draft takes place on the HTTPBIS working group
   mailing list (ietf-http-wg@w3.org), which is archived at [1].

   Working Group information can be found at [2] and [3]; source code
   and issues list for this draft can be found at [4].

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on July 23, 2015.

Copyright Notice

   Copyright (c) 2015 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

Hutton, et al.            Expires July 23, 2015                 [Page 1]
Internet-Draft               Tunnel-Protocol                January 2015

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
     1.1.  Requirements Language . . . . . . . . . . . . . . . . . .   3
   2.  The Tunnel-Protocol HTTP Request Header Field . . . . . . . .   3
     2.1.  Header Field Values . . . . . . . . . . . . . . . . . . .   3
     2.2.  Syntax  . . . . . . . . . . . . . . . . . . . . . . . . .   3
   3.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .   4
   4.  Security Considerations . . . . . . . . . . . . . . . . . . .   4
   5.  References  . . . . . . . . . . . . . . . . . . . . . . . . .   4
     5.1.  Normative References  . . . . . . . . . . . . . . . . . .   5
     5.2.  Informative References  . . . . . . . . . . . . . . . . .   5
     5.3.  URIs  . . . . . . . . . . . . . . . . . . . . . . . . . .   5

1.  Introduction

   The HTTP CONNECT method (Section 4.3.6 of [RFC7231]) requests that
   the recipient establish a tunnel to the identified origin server and
   thereafter forward packets, in both directions, until the tunnel is
   closed.  Such tunnels are commonly used to create end-to-end virtual
   connections, through one or more proxies, which may then be secured
   using TLS (Transport Layer Security, [RFC5246]).

   The HTTP Tunnel-Protocol header field identifies the protocol that
   will be spoken within the tunnel, using the application layer next
   protocol identifier [RFC7301] specified for TLS [RFC5246].

   When CONNECT is used to establish a TLS tunnel, the Tunnel-Protocol
   header field may be used to carry the same application protocol label
   as will be carried within the TLS handshake.  If there are multiple
   possible application protocols, all of those application protocols
   are indicated.

   The Tunnel-Protocol header field carries an indication only.  In TLS,
   the final choice of application protocol is made by the server.
   Proxies do not implement the tunneled protocol, though they might
   choose to make policy decisions based on the value of the header
   field.

Hutton, et al.            Expires July 23, 2015                 [Page 2]
Internet-Draft               Tunnel-Protocol                January 2015

1.1.  Requirements Language

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in RFC 2119 [RFC2119].

2.  The Tunnel-Protocol HTTP Request Header Field

   Clients include the `Tunnel-Protocol` Request Header field in an HTTP
   CONNECT request to indicate the application layer protocol will be
   used within the tunnel, or the set of protocols that might be used
   within the tunnel.

2.1.  Header Field Values

   Valid values for the protocol field are taken from the registry
   established in [RFC7301].

2.2.  Syntax

   The ABNF (Augmented Backus-Naur Form) syntax for the `Tunnel-
   Protocol` header field is given below.  It is based on the Generic
   Grammar defined in Section 2 of [RFC7230].

   Tunnel-Protocol = "Tunnel-Protocol":" 1#protocol-id
   protocol-id     = token ; percent-encoded ALPN protocol identifier

   ALPN protocol names are octet sequences with no additional
   constraints on format.  Octets not allowed in tokens ([RFC7230],
   Section 3.2.6) must be percent-encoded as per Section 2.1 of
   [RFC3986].  Consequently, the octet representing the percent
   character "%" (hex 25) must be percent-encoded as well.

   In order to have precisely one way to represent any ALPN protocol
   name, the following additional constraints apply:

   o  Octets in the ALPN protocol must not be percent-encoded if they
      are valid token characters except "%", and

   o  When using percent-encoding, uppercase hex digits must be used.

   With these constraints, recipients can apply simple string comparison
   to match protocol identifiers.

Hutton, et al.            Expires July 23, 2015                 [Page 3]
Internet-Draft               Tunnel-Protocol                January 2015

   For example:

     CONNECT www.example.com HTTP/1.1
     Host: www.example.com
     Tunnel-Protocol: h2, http%2F1.1

3.  IANA Considerations

   HTTP header fields are registered within the "Message Headers"
   registry maintained at [5].  This document defines and registers the
   `Tunnel-Protocol` header field, according to [RFC3864] as follows:

   Header Field Name:  Tunnel-Protocol

   Protocol:  http

   Status:  Standard

   Reference:  Section 2

   Change Controller:  IETF (iesg@ietf.org) - Internet Engineering Task
      Force

4.  Security Considerations

   In case of using HTTP CONNECT to a TURN server the security
   considerations of Section 4.3.6 of [RFC7231] apply.  It states that
   there "are significant risks in establishing a tunnel to arbitrary
   servers, particularly when the destination is a well-known or
   reserved TCP port that is not intended for Web traffic.  Proxies that
   support CONNECT SHOULD restrict its use to a limited set of known
   ports or a configurable whitelist of safe request targets."

   The `Tunnel-Protocol` request header field described in this document
   is an optional header.  Clients and HTTP Proxies could choose to not
   support the header and therefore fail to provide it, or ignore it
   when present.  If the header is not available or ignored, a proxy
   cannot identify the purpose of the tunnel and use this as input to
   any authorization decision regarding the tunnel.  This is
   indistinguishable from the case where either client or proxy does not
   support the `Tunnel-Protocol` header.

5.  References

Hutton, et al.            Expires July 23, 2015                 [Page 4]
Internet-Draft               Tunnel-Protocol                January 2015

5.1.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC3864]  Klyne, G., Nottingham, M., and J. Mogul, "Registration
              Procedures for Message Header Fields", BCP 90, RFC 3864,
              September 2004.

   [RFC3986]  Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform
              Resource Identifier (URI): Generic Syntax", STD 66, RFC
              3986, January 2005.

   [RFC7230]  Fielding, R. and J. Reschke, "Hypertext Transfer Protocol
              (HTTP/1.1): Message Syntax and Routing", RFC 7230, June
              2014.

   [RFC7231]  Fielding, R. and J. Reschke, "Hypertext Transfer Protocol
              (HTTP/1.1): Semantics and Content", RFC 7231, June 2014.

   [RFC7301]  Friedl, S., Popov, A., Langley, A., and E. Stephan,
              "Transport Layer Security (TLS) Application-Layer Protocol
              Negotiation Extension", RFC 7301, July 2014.

5.2.  Informative References

   [RFC5246]  Dierks, T. and E. Rescorla, "The Transport Layer Security
              (TLS) Protocol Version 1.2", RFC 5246, August 2008.

5.3.  URIs

   [1] https://www.iana.org/assignments/message-headers

Authors' Addresses

   Andrew Hutton
   Unify
   Technology Drive
   Nottingham  NG9 1LA
   UK

   EMail: andrew.hutton@unify.com

Hutton, et al.            Expires July 23, 2015                 [Page 5]
Internet-Draft               Tunnel-Protocol                January 2015

   Justin Uberti
   Google
   747 6th Ave S
   Kirkland, WA  98033
   US

   EMail: justin@uberti.name

   Martin Thomson
   Mozilla
   331 E Evelyn Street
   Mountain View, CA  94041
   US

   EMail: martin.thomson@gmail.com

Hutton, et al.            Expires July 23, 2015                 [Page 6]