draft-ietf-httpapi-ratelimit-headers-02.unpg.txt   draft-ietf-httpapi-ratelimit-headers-latest.txt 
HTTPAPI Working Group R. Polli HTTPAPI Working Group R. Polli
Internet-Draft Team Digitale, Italian Government Internet-Draft Team Digitale, Italian Government
Intended status: Standards Track A. Martinez Intended status: Standards Track A. Martinez
Expires: May 14, 2022 Red Hat Expires: July 30, 2022 Red Hat
November 10, 2021 January 26, 2022
RateLimit Fields for HTTP RateLimit Fields for HTTP
draft-ietf-httpapi-ratelimit-headers-02 draft-ietf-httpapi-ratelimit-headers-latest
Abstract Abstract
This document defines the RateLimit-Limit, RateLimit-Remaining, This document defines the RateLimit-Limit, RateLimit-Remaining,
RateLimit-Reset fields for HTTP, thus allowing servers to publish RateLimit-Reset fields for HTTP, thus allowing servers to publish
current service limits and clients to shape their request policy and current service limits and clients to shape their request policy and
avoid being throttled out. avoid being throttled out.
Note to Readers Note to Readers
skipping to change at line 47 skipping to change at page 1, line 48
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/. Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on May 14, 2022. This Internet-Draft will expire on July 30, 2022.
Copyright Notice Copyright Notice
Copyright (c) 2021 IETF Trust and the persons identified as the Copyright (c) 2022 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of (https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License. described in the Simplified BSD License.
Table of Contents
1. Introduction
1.1. Goals
1.2. Notational Conventions
2. Expressing rate-limit policies
2.1. Time window
2.2. Service limit
2.3. Quota policy
3. Providing RateLimit fields
3.1. Performance considerations
4. Receiving RateLimit fields
4.1. Intermediaries
4.2. Caching
5. Fields definition
5.1. RateLimit-Limit
5.2. RateLimit-Remaining
5.3. RateLimit-Reset
6. Security Considerations
6.1. Throttling does not prevent clients from issuing requests
6.2. Information disclosure
6.3. Remaining quota-units are not granted requests
6.4. Reliability of RateLimit-Reset
6.5. Resource exhaustion
6.6. Denial of Service
7. IANA Considerations
7.1. RateLimit Parameters Registration
8. References
8.1. Normative References
8.2. Informative References
8.3. URIs
Appendix A. Rate-limiting and quotas
A.1. Interoperability issues
Appendix B. Examples
B.1. Unparameterized responses
B.1.1. Throttling information in responses
B.1.2. Use in conjunction with custom fields
B.1.3. Use for limiting concurrency
B.1.4. Use in throttled responses
B.2. Parameterized responses
B.2.1. Throttling window specified via parameter
B.2.2. Dynamic limits with parameterized windows
B.2.3. Dynamic limits for pushing back and slowing down
B.3. Dynamic limits for pushing back with Retry-After and slow
down
B.3.1. Missing Remaining information
B.3.2. Use with multiple windows
Appendix C. Acknowledgements
Appendix D. FAQ
RateLimit fields currently used on the web
Changes
F.1. Since draft-ietf-httpapi-ratelimit-headers-01
F.2. Since draft-ietf-httpapi-ratelimit-headers-00
Authors' Addresses
1. Introduction 1. Introduction
The widespreading of HTTP as a distributed computation protocol The widespreading of HTTP as a distributed computation protocol
requires an explicit way of communicating service status and usage requires an explicit way of communicating service status and usage
quotas. quotas.
This was partially addressed by the "Retry-After" header field This was partially addressed by the "Retry-After" header field
defined in [SEMANTICS] to be returned in "429 Too Many Requests" (see defined in [SEMANTICS] to be returned in "429 Too Many Requests" (see
[STATUS429]) or "503 Service Unavailable" responses. [STATUS429]) or "503 Service Unavailable" responses.
skipping to change at line 176 skipping to change at page 3, line 31
include detailed quota limits and related fields in API include detailed quota limits and related fields in API
documentation. documentation.
The following features are out of the scope of this document: The following features are out of the scope of this document:
Authorization: RateLimit fields are not meant to support Authorization: RateLimit fields are not meant to support
authorization or other kinds of access controls. authorization or other kinds of access controls.
Throttling scope: This specification does not cover the throttling Throttling scope: This specification does not cover the throttling
scope, that may be the given resource-target, its parent path or scope, that may be the given resource-target, its parent path or
the whole Origin (see Section 7 of [RFC6454]). the whole Origin (see Section 7 of [RFC6454]). This can be
addressed using extensibility mechanisms such as the parameter
registry Section 7.1.
Response status code: RateLimit fields may be returned in both Response status code: RateLimit fields may be returned in both
successful (see Section 15.3 of [SEMANTICS]) and non-successful successful (see Section 15.3 of [SEMANTICS]) and non-successful
responses. This specification does not cover whether non responses. This specification does not cover whether non
Successful responses count on quota usage, nor it mandates any Successful responses count on quota usage, nor it mandates any
correlation between the RateLimit values and the returned status correlation between the RateLimit values and the returned status
code. code.
Throttling policy: This specification does not mandate a specific Throttling policy: This specification does not mandate a specific
throttling policy. The values published in the fields, including throttling policy. The values published in the fields, including
skipping to change at line 243 skipping to change at page 5, line 8
requests that the server is willing to accept from one or more requests that the server is willing to accept from one or more
clients on a given basis (originating IP, authenticated user, clients on a given basis (originating IP, authenticated user,
geographical, ..) during a "time-window" as defined in Section 2.1. geographical, ..) during a "time-window" as defined in Section 2.1.
The "service-limit" is expressed in "quota-units" and has the The "service-limit" is expressed in "quota-units" and has the
following syntax: following syntax:
service-limit = quota-units service-limit = quota-units
quota-units = sf-integer quota-units = sf-integer
where quota-units is a non-negative sf-integer. where "quota-units" is a non-negative sf-integer.
The "service-limit" SHOULD match the maximum number of acceptable The "service-limit" SHOULD match the maximum number of acceptable
requests. requests.
The "service-limit" MAY differ from the total number of acceptable The "service-limit" MAY differ from the total number of acceptable
requests when weight mechanisms, bursts, or other server policies are requests when weight mechanisms, bursts, or other server policies are
implemented. implemented.
If the "service-limit" does not match the maximum number of If the "service-limit" does not match the maximum number of
acceptable requests the relation with that SHOULD be communicated acceptable requests the relation with that SHOULD be communicated
skipping to change at line 280 skipping to change at page 5, line 45
This specification allows describing a quota policy with the This specification allows describing a quota policy with the
following syntax: following syntax:
quota-policy = sf-item quota-policy = sf-item
where the associated bare-item is a service-limit and parameters are where the associated bare-item is a service-limit and parameters are
supported. supported.
The following parameters are defined: The following parameters are defined:
w: The "w" parameter specifies a time window. Its syntax is a "time- w: The REQUIRED "w" parameter specifies a time window. Its syntax is
window" defined in Section 2.1. a "time-window" defined in Section 2.1.
Other parameters are allowed and can be regarded as comments. They Other parameters are allowed and can be regarded as comments. They
ought to be registered within the "Hypertext Transfer Protocol (HTTP) ought to be registered within the "Hypertext Transfer Protocol (HTTP)
RateLimit Parameters Registry", as described in Section 7.1. RateLimit Parameters Registry", as described in Section 7.1.
An example policy of 100 quota-units per minute. An example policy of 100 quota-units per minute.
100;w=60 100;w=60
The definition of a quota-policy does not imply any specific The definition of a quota-policy does not imply any specific
distribution of quota-units over time. Such service specific details distribution of quota-units over time. Such service specific details
can be conveyed as parameters. can be conveyed as parameters.
Two examples of providing further details via custom parameters Two policy examples containing further details via custom parameters
100;w=60;comment="fixed window" 100;w=60;comment="fixed window"
12;w=1;burst=1000;policy="leaky bucket" 12;w=1;burst=1000;policy="leaky bucket"
To avoid clashes, implementers SHOULD prefix unregistered parameters
with an "x-<vendor>" identifier, e.g. "x-acme-policy", "x-acme-
burst". While it is useful to define a clear syntax and semantics
even for custom parameters, it is important to note that user agents
are not required to process quota policy information.
3. Providing RateLimit fields 3. Providing RateLimit fields
A server MAY use one or more "RateLimit" response fields defined in A server uses the "RateLimit" response fields defined in this
this document to communicate its quota policies. document to communicate its quota policies according to the following
rules:
o "RateLimit-Limit" and "RateLimit-Reset" are REQUIRED;
o "RateLimit-Remaining" is RECOMMENDED.
The returned values refers to the metrics used to evaluate if the The returned values refers to the metrics used to evaluate if the
current request respects the quota policy and MAY not apply to current request respects the quota policy and MAY not apply to
subsequent requests. subsequent requests.
Example: a successful response with the following fields Example: a successful response with the following fields
RateLimit-Limit: 10 RateLimit-Limit: 10
RateLimit-Remaining: 1 RateLimit-Remaining: 1
RateLimit-Reset: 7 RateLimit-Reset: 7
skipping to change at line 361 skipping to change at page 7, line 41
Under certain conditions, a server MAY artificially lower "RateLimit" Under certain conditions, a server MAY artificially lower "RateLimit"
field values between subsequent requests, e.g. to respond to Denial field values between subsequent requests, e.g. to respond to Denial
of Service attacks or in case of resource saturation. of Service attacks or in case of resource saturation.
Servers usually establish whether the request is in-quota before Servers usually establish whether the request is in-quota before
creating a response, so the RateLimit field values should be already creating a response, so the RateLimit field values should be already
available in that moment. Nonetheless servers MAY decide to send the available in that moment. Nonetheless servers MAY decide to send the
"RateLimit" fields in a trailer section. "RateLimit" fields in a trailer section.
To ease the migration from existing rate limit headers, a server
SHOULD be able to provide the "RateLimit-Limit" field even without
the optional "quota-policy" section.
3.1. Performance considerations 3.1. Performance considerations
Servers are not required to return "RateLimit" fields in every Servers are not required to return "RateLimit" fields in every
response, and clients need to take this into account. For example, response, and clients need to take this into account. For example,
an implementer concerned with performance might provide "RateLimit" an implementer concerned with performance might provide "RateLimit"
fields only when a given quota is going to expire. fields only when a given quota is going to expire.
Implementers concerned with response fields' size, might take into Implementers concerned with response fields' size, might take into
account their ratio with respect to the payload data, or use header- account their ratio with respect to the payload data, or use header-
compression http features such as [HPACK]. compression http features such as [HPACK].
skipping to change at line 1222 skipping to change at page 26, line 18
Response: Response:
HTTP/1.1 200 OK HTTP/1.1 200 OK
Content-Type: application/json Content-Type: application/json
RateLimit-Limit: 5000, 1000;w=3600, 5000;w=86400 RateLimit-Limit: 5000, 1000;w=3600, 5000;w=86400
RateLimit-Remaining: 100 RateLimit-Remaining: 100
RateLimit-Reset: 36000 RateLimit-Reset: 36000
{"hello": "world"} {"hello": "world"}
Appendix C. Acknowledgements FAQ
Thanks to Willi Schoenborn, Alejandro Martinez Ruiz, Alessandro
Ranellucci, Amos Jeffries, Martin Thomson, Erik Wilde and Mark
Nottingham for being the initial contributors of these
specifications. Kudos to the first community implementers: Aapo
Talvensaari, Nathan Friedly and Sanyam Dogra.
Appendix D. FAQ _RFC Editor: Please remove this section before publication._
1. Why defining standard fields for throttling? 1. Why defining standard fields for throttling?
To simplify enforcement of throttling policies. To simplify enforcement of throttling policies.
2. Can I use RateLimit-* in throttled responses (eg with status code 2. Can I use RateLimit-* in throttled responses (eg with status code
429)? 429)?
Yes, you can. Yes, you can.
skipping to change at line 1253 skipping to change at page 26, line 43
No. [RFC6585] defines the "429" status code and we use it just No. [RFC6585] defines the "429" status code and we use it just
as an example of a throttled request, that could instead use even as an example of a throttled request, that could instead use even
"403" or whatever status code. The goal of this specification is "403" or whatever status code. The goal of this specification is
to standardize the name and semantic of three ratelimit fields to standardize the name and semantic of three ratelimit fields
widely used on the internet. Stricter relations with status widely used on the internet. Stricter relations with status
codes or error response payloads would impose behaviors to all codes or error response payloads would impose behaviors to all
the existing implementations making the adoption more complex. the existing implementations making the adoption more complex.
4. Why don't pass the throttling scope as a parameter? 4. Why don't pass the throttling scope as a parameter?
After a discussion on a similar thread [4] we will probably add a The word "scope" can have different meanings: for example it can
new "RateLimit-Scope" field to this spec. be an URL, or an authorization scope. Since authorization is out
of the scope of this document (see Section 1.1), and that we rely
only on [SEMANTICS], in Section 1.1 we defined "scope" in terms
of URL.
I'm open to suggestions: comment on this issue [5] Since clients are not required to process quota policies (see
Section 4), we could add a new "RateLimit-Scope" field to this
spec. See this discussion on a similar thread [4]
Specific ecosystems can still bake their own prefixed parameters,
such as "acme-auth-scope" or "acme-url-scope" and ensure that
clients process them. This behavior cannot be relied upon when
communicating between different ecosystems.
We are open to suggestions: comment on this issue [5]
5. Why using delay-seconds instead of a UNIX Timestamp? Why not 5. Why using delay-seconds instead of a UNIX Timestamp? Why not
using subsecond precision? using subsecond precision?
Using delay-seconds aligns with "Retry-After", which is returned Using delay-seconds aligns with "Retry-After", which is returned
in similar contexts, eg on 429 responses. in similar contexts, eg on 429 responses.
Timestamps require a clock synchronization protocol (see Timestamps require a clock synchronization protocol (see
Section 5.6.7 of [SEMANTICS]). This may be problematic (e.g. Section 5.6.7 of [SEMANTICS]). This may be problematic (e.g.
clock adjustment, clock skew, failure of hardcoded clock clock adjustment, clock skew, failure of hardcoded clock
skipping to change at line 1432 skipping to change at page 30, line 42
RateLimit-Reset: 1 RateLimit-Reset: 1
If this is the case, the optimal solution is to achieve If this is the case, the optimal solution is to achieve
RateLimit-Limit: 12, 12;w=1 RateLimit-Limit: 12, 12;w=1
RateLimit-Remaining: 1 ; using 100% of throughput, that is 12 units/s RateLimit-Remaining: 1 ; using 100% of throughput, that is 12 units/s
RateLimit-Reset: 1 RateLimit-Reset: 1
At this point you should stop increasing your request rate. At this point you should stop increasing your request rate.
Acknowledgements
Thanks to Willi Schoenborn, Alejandro Martinez Ruiz, Alessandro
Ranellucci, Amos Jeffries, Martin Thomson, Erik Wilde and Mark
Nottingham for being the initial contributors of these
specifications. Kudos to the first community implementers: Aapo
Talvensaari, Nathan Friedly and Sanyam Dogra.
In addition to the people above, this document owes a lot to the
extensive discussion in the HTTPAPI workgroup, including Rich Salz,
Darrel Miller and Julian Reschke.
Changes Changes
_RFC Editor: Please remove this section before publication._ _RFC Editor: Please remove this section before publication._
F.1. Since draft-ietf-httpapi-ratelimit-headers-01 F.1. Since draft-ietf-httpapi-ratelimit-headers-01
o Update IANA considerations #60 o Update IANA considerations #60
o Use Structured fields #58 o Use Structured fields #58
 End of changes. 17 change blocks. 
78 lines changed or deleted 57 lines changed or added

This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/