HTTP Working Group A. Hutton Internet-Draft Unify Intended status: Standards Track J. Uberti Expires: November 21, 2015 Google M. Thomson Mozilla May 20, 2015 The ALPN HTTP Header Field draft-ietf-httpbis-tunnel-protocol-04 Abstract This specification allows HTTP CONNECT requests to indicate what protocol will be used within the tunnel once established, using the ALPN header field. Status of This Memo This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at http://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." This Internet-Draft will expire on November 21, 2015. Copyright Notice Copyright (c) 2015 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as Hutton, et al. Expires November 21, 2015 [Page 1] Internet-Draft The ALPN Header May 2015 described in the Simplified BSD License. Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 1.1. Requirements Language . . . . . . . . . . . . . . . . . . . 3 2. The ALPN HTTP Header Field . . . . . . . . . . . . . . . . . . 3 2.1. Header Field Values . . . . . . . . . . . . . . . . . . . . 4 2.2. Syntax . . . . . . . . . . . . . . . . . . . . . . . . . . 4 2.3. Usage . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 3. IANA Considerations . . . . . . . . . . . . . . . . . . . . . . 5 4. Security Considerations . . . . . . . . . . . . . . . . . . . . 5 5. References . . . . . . . . . . . . . . . . . . . . . . . . . . 6 5.1. Normative References . . . . . . . . . . . . . . . . . . . 6 5.2. Informative References . . . . . . . . . . . . . . . . . . 6 Hutton, et al. Expires November 21, 2015 [Page 2] Internet-Draft The ALPN Header May 2015 1. Introduction The HTTP CONNECT method (Section 4.3.6 of [RFC7231]) requests that the recipient establish a tunnel to the identified origin server and thereafter forward packets, in both directions, until the tunnel is closed. Such tunnels are commonly used to create end-to-end virtual connections, through one or more proxies. The HTTP ALPN header field identifies the protocol that will be used within the tunnel, using the Application Layer Protocol Negotiation identifier (ALPN, [RFC7301]). When the CONNECT method is used to establish a tunnel, the ALPN header field can be used to identify the protocol that the client intends to use with that tunnel. For a tunnel that is then secured using TLS [RFC5246], the header field carries the same application protocol label as will be carried within the TLS handshake. If there are multiple possible application protocols, all of those application protocols are indicated. The ALPN header field carries an indication of client intent only. An ALPN identifier is used here only to identify the application protocol or suite of protocols that the client intends to use in the tunnel. No negotiation takes place using this header field. In TLS, the final choice of application protocol is made by the server from the set of choices presented by the client. Other substrates could negotiate the application protocol differently. Proxies do not implement the tunneled protocol, though they might choose to make policy decisions based on the value of the header field. For example, a proxy could use the application protocol to select appropriate traffic prioritization. 1.1. Requirements Language The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119 [RFC2119]. 2. The ALPN HTTP Header Field Clients include the ALPN header field in an HTTP CONNECT request to indicate the application layer protocol that will be used within the tunnel, or the set of protocols that might be used within the tunnel. Hutton, et al. Expires November 21, 2015 [Page 3] Internet-Draft The ALPN Header May 2015 2.1. Header Field Values Valid values for the protocol field are taken from the "Application- Layer Protocol Negotiation (ALPN) Protocol ID" registry () established by [RFC7301]. 2.2. Syntax The ABNF (Augmented Backus-Naur Form) syntax for the ALPN header field is given below. It is based on the Generic Grammar defined in Section 2 of [RFC7230]. ALPN = "ALPN":" 1#protocol-id protocol-id = token ; percent-encoded ALPN protocol identifier ALPN protocol names are octet sequences with no additional constraints on format. Octets not allowed in tokens ([RFC7230], Section 3.2.6) MUST be percent-encoded as per Section 2.1 of [RFC3986]. Consequently, the octet representing the percent character "%" (hex 25) MUST be percent-encoded as well. In order to have precisely one way to represent any ALPN protocol name, the following additional constraints apply: o Octets in the ALPN protocol MUST NOT be percent-encoded if they are valid token characters except "%", and o When using percent-encoding, uppercase hex digits MUST be used. With these constraints, recipients can apply simple string comparison to match protocol identifiers. For example: CONNECT www.example.com HTTP/1.1 Host: www.example.com ALPN: h2, http%2F1.1 2.3. Usage For a CONNECT tunnel that conveys a TLS session that in turn encapsulates another protocol, the value of the ALPN header field contains the same list of ALPN identifiers that will be sent in the TLS ClientHello message [RFC7301]. Where no protocol negotiation is expected to occur, such as in Hutton, et al. Expires November 21, 2015 [Page 4] Internet-Draft The ALPN Header May 2015 protocols that do not use TLS, the ALPN header field contains a single ALPN Protocol Identifier corresponding to the application protocol that is intended to be used. If an alternative form of protocol negotiation is possible, the ALPN header field contains the set of protocols that might be negotiated. When used in the ALPN header field, the ALPN identifier and registry are used to identify an entire application protocol stack, not a single protocol layer or component. 3. IANA Considerations HTTP header fields are registered within the "Permanent Message Header Field Names" registry maintained at . This document defines and registers the ALPN header field, according to [RFC3864] as follows: Header Field Name: ALPN Protocol: http Status: Standard Reference: Section 2 Change Controller: IETF (iesg@ietf.org) - Internet Engineering Task Force 4. Security Considerations In case of using HTTP CONNECT to a TURN server ("Traversal Using Relays around NAT", [RFC5766]) the security considerations of Section 4.3.6 of [RFC7231] apply. It states that there "are significant risks in establishing a tunnel to arbitrary servers, particularly when the destination is a well-known or reserved TCP port that is not intended for Web traffic. Proxies that support CONNECT SHOULD restrict its use to a limited set of known ports or a configurable whitelist of safe request targets." The ALPN header field described in this document is an OPTIONAL header field. Clients and HTTP proxies could choose to not support the header and therefore fail to provide it, or ignore it when present. If the header is not available or ignored, a proxy cannot identify the purpose of the tunnel and use this as input to any authorization decision regarding the tunnel. This is indistinguishable from the case where either client or proxy does not support the ALPN header field. Hutton, et al. Expires November 21, 2015 [Page 5] Internet-Draft The ALPN Header May 2015 The value of the ALPN header field could be falsified by a client. If the data being sent through the tunnel is encrypted (for example, with TLS [RFC5246]), then the proxy might not be able to directly inspect the data to verify that the claimed protocol is the one which is actually being used, though a proxy might be able to perform traffic analysis [TRAFFIC]. A proxy therefore cannot rely on the value of the ALPN header field as a policy input in all cases. 5. References 5.1. Normative References [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/ RFC2119, March 1997, . [RFC3864] Klyne, G., Nottingham, M., and J. Mogul, "Registration Procedures for Message Header Fields", BCP 90, RFC 3864, DOI 10.17487/RFC3864, September 2004, . [RFC3986] Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform Resource Identifier (URI): Generic Syntax", STD 66, RFC 3986, DOI 10.17487/RFC3986, January 2005, . [RFC7230] Fielding, R., Ed. and J. Reschke, Ed., "Hypertext Transfer Protocol (HTTP/1.1): Message Syntax and Routing", RFC 7230, DOI 10.17487/RFC7230, June 2014, . [RFC7231] Fielding, R., Ed. and J. Reschke, Ed., "Hypertext Transfer Protocol (HTTP/1.1): Semantics and Content", RFC 7231, DOI 10.17487/RFC7231, June 2014, . [RFC7301] Friedl, S., Popov, A., Langley, A., and E. Stephan, "Transport Layer Security (TLS) Application-Layer Protocol Negotiation Extension", RFC 7301, DOI 10.17487/RFC7301, July 2014, . 5.2. Informative References [RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security (TLS) Protocol Version 1.2", RFC 5246, DOI 10.17487/ RFC5246, August 2008, . Hutton, et al. Expires November 21, 2015 [Page 6] Internet-Draft The ALPN Header May 2015 [RFC5766] Mahy, R., Matthews, P., and J. Rosenberg, "Traversal Using Relays around NAT (TURN): Relay Extensions to Session Traversal Utilities for NAT (STUN)", RFC 5766, DOI 10.17487/RFC5766, April 2010, . [TRAFFIC] Pironti, A., Strub, P-Y., and K. Bhargavan, "Website Users by TLS Traffic Analysis: New Attacks and Effective Countermeasures, Revision 1", 2012, . Authors' Addresses Andrew Hutton Unify Technology Drive Nottingham NG9 1LA UK EMail: andrew.hutton@unify.com Justin Uberti Google 747 6th Ave S Kirkland, WA 98033 US EMail: justin@uberti.name Martin Thomson Mozilla 331 E Evelyn Street Mountain View, CA 94041 US EMail: martin.thomson@gmail.com Hutton, et al. Expires November 21, 2015 [Page 7]