The ALPN HTTP Header FieldUnifyTechnology DriveNottinghamNG9 1LAUnited Kingdomandrew.hutton@unify.comGoogle747 6th Street SouthKirklandWA98033United Statesjustin@uberti.nameMozilla331 East Evelyn AvenueMountain ViewCA94041United Statesmartin.thomson@gmail.com
Applications
HTTP Working GroupHTTP CONNECTFirewallHTTP proxy
This specification allows HTTP CONNECT requests to indicate what
protocol is intended to be used within the tunnel once established,
using the ALPN header field.
The HTTP CONNECT method ()
requests that the recipient establish a tunnel to the identified origin
server and thereafter forward packets, in both directions, until the
tunnel is closed. Such tunnels are commonly used to create end-to-end
virtual connections through one or more proxies.
The ALPN HTTP header field identifies the protocol or protocols that the
client intends to use within a tunnel that is established using CONNECT.
This uses the Application-Layer Protocol Negotiation (ALPN) identifier .
For a tunnel that is then secured using
Transport Layer Security (TLS), the header field carries the same
application protocol label as will be carried within the TLS handshake
. If there are multiple possible application
protocols, all of those application protocols are indicated.
The ALPN header field carries an indication of client intent only. An
ALPN identifier is used here only to identify the application protocol
or suite of protocols that the client intends to use in the tunnel. No
negotiation takes place using this header field. In TLS, the final
choice of application protocol is made by the server from the set of
choices presented by the client. Other substrates could negotiate the
application protocol differently.
Proxies do not implement the tunneled protocol, though they might choose
to make policy decisions based on the value of the header field. For
example, a proxy could use the application protocol to select
appropriate traffic prioritization.
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC 2119.
Clients include the ALPN header field in an HTTP CONNECT request to
indicate the application-layer protocol that a client intends to use
within the tunnel, or a set of protocols that might be used within the
tunnel.
Valid values for the protocol field are taken from the
"Application-Layer Protocol Negotiation (ALPN) Protocol ID" registry
established by .
The ABNF (Augmented Backus-Naur Form) syntax for the ALPN
header field value is given below. It uses the syntax defined
in .
ALPN protocol names are octet sequences with no additional constraints
on format. Octets not allowed in tokens () MUST be percent-encoded as per . Consequently, the octet
representing the percent character "%" (hex 25) MUST be
percent-encoded as well.
In order to have precisely one way to represent any ALPN protocol
name, the following additional constraints apply:
Octets in the ALPN protocol MUST NOT be percent-encoded if they
are valid token characters except "%".
When using percent-encoding, uppercase hex digits MUST be used.
With these constraints, recipients can apply simple string comparison
to match protocol identifiers.
For example:
When used in the ALPN header field, an ALPN identifier is used to
identify an entire application protocol stack, not a single protocol
layer or component.
For a CONNECT tunnel that conveys a protocol secured with TLS, the
value of the ALPN header field contains the same list of ALPN
identifiers that will be sent in the TLS ClientHello message .
Where no protocol negotiation is expected to occur, such as in
protocols that do not use TLS, the ALPN header field contains a single
ALPN protocol identifier corresponding to the application protocol
that is intended to be used. If an alternative form of protocol
negotiation is possible, the ALPN header field contains the set of
protocols that might be negotiated.
A proxy can use the value of the ALPN header field to more cleanly and
efficiently reject requests for a CONNECT tunnel. Exposing protocol
information at the HTTP layer allows a proxy to deny requests earlier,
with better error reporting (such as a 403 status code). The ALPN
header field can be falsified and therefore is not a sufficient basis
for authorizing a request.
A proxy could attempt to inspect packets to determine the protocol in
use. This requires that the proxy understand each ALPN identifier.
Protocols like TLS could hide negotiated protocols, or protocol
negotiation details could change over time. Proxies SHOULD NOT break
a CONNECT tunnel solely on the basis of a failure to recognize the
protocol.
A proxy can use the ALPN header field value to change how it
manages or prioritizes connections.
HTTP header fields are registered within the "Permanent Message Header
Field Names" registry maintained by IANA . This
document defines and registers the ALPN header field, according to as follows:
ALPN
http
Standard
of this document (RFC 7639)
IETF (iesg@ietf.org) - Internet Engineering Task Force
In case of using HTTP CONNECT to a TURN (Traversal Using Relays
around NAT, ) server, the security considerations of
apply. It states that
there "are significant risks in establishing a tunnel to arbitrary
servers, particularly when the destination is a well-known or reserved
TCP port that is not intended for Web traffic. ... Proxies that support
CONNECT SHOULD restrict its use to a limited set of known ports or a
configurable whitelist of safe request targets."
The ALPN header field described in this document is OPTIONAL. Clients
and HTTP proxies could choose not to support it and therefore either
fail to provide it or ignore it when present. If the header field is
not available or is ignored, a proxy cannot identify the purpose of the
tunnel and use this as input to any authorization decision regarding the
tunnel. This is indistinguishable from the case where either client or
proxy does not support the ALPN header field.
There is no confidentiality protection for the ALPN header field. ALPN
identifiers that might expose confidential or sensitive information
SHOULD NOT be sent, as described in .
The value of the ALPN header field could be falsified by a
client. If the data being sent through the tunnel is encrypted (for
example, with TLS), then the proxy might
not be able to directly inspect the data to verify that the claimed
protocol is the one which is actually being used, though a proxy might
be able to perform traffic analysis .
Therefore, a proxy cannot rely on the value of the ALPN header field
as a policy input in all cases.
Key words for use in RFCs to Indicate Requirement LevelsHarvard University1350 Massachusetts AvenueCambridgeMA 02138- +1 617 495 3864sob@harvard.edu
General
keyword
In many standards track documents several words are used to signify
the requirements in the specification. These words are often
capitalized. This document defines these words as they should be
interpreted in IETF documents. Authors who follow these guidelines
should incorporate this phrase near the beginning of their document:
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL
NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in
RFC 2119.
Note that the force of these words is modified by the requirement
level of the document in which they are used.
Registration Procedures for Message Header FieldsThis specification defines registration procedures for the message header fields used by Internet mail, HTTP, Netnews and other applications. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements.Uniform Resource Identifier (URI): Generic SyntaxWorld Wide Web ConsortiumMassachusetts Institute of Technology77 Massachusetts AvenueCambridgeMA02139USA+1-617-253-5702+1-617-258-5999timbl@w3.orghttp://www.w3.org/People/Berners-Lee/Day Software5251 California Avenue, Suite 110IrvineCA92617USA+1-949-679-2960+1-949-679-2972fielding@gbiv.comhttp://roy.gbiv.com/Adobe Systems Incorporated345 Park AvenueSan JoseCA95110USA+1-408-536-3024LMM@acm.orghttp://larry.masinter.net/
Applications
uniform resource identifierURIURLURNWWWresource
A Uniform Resource Identifier (URI) is a compact sequence of characters
that identifies an abstract or physical resource. This specification
defines the generic URI syntax and a process for resolving URI references
that might be in relative form, along with guidelines and security
considerations for the use of URIs on the Internet.
The URI syntax defines a grammar that is a superset of all valid URIs,
allowing an implementation to parse the common components of a URI
reference without knowing the scheme-specific requirements of every
possible identifier. This specification does not define a generative
grammar for URIs; that task is performed by the individual
specifications of each URI scheme.
Hypertext Transfer Protocol (HTTP/1.1): Message Syntax and RoutingThe Hypertext Transfer Protocol (HTTP) is a stateless application-level protocol for distributed, collaborative, hypertext information systems. This document provides an overview of HTTP architecture and its associated terminology, defines the "http" and "https" Uniform Resource Identifier (URI) schemes, defines the HTTP/1.1 message syntax and parsing requirements, and describes related security concerns for implementations.Hypertext Transfer Protocol (HTTP/1.1): Semantics and ContentThe Hypertext Transfer Protocol (HTTP) is a stateless \%application- level protocol for distributed, collaborative, hypertext information systems. This document defines the semantics of HTTP/1.1 messages, as expressed by request methods, request header fields, response status codes, and response header fields, along with the payload of messages (metadata and body content) and mechanisms for content negotiation.Transport Layer Security (TLS) Application-Layer Protocol Negotiation ExtensionThis document describes a Transport Layer Security (TLS) extension for application-layer protocol negotiation within the TLS handshake. For instances in which multiple application protocols are supported on the same TCP or UDP port, this extension allows the application layer to negotiate which protocol will be used within the TLS connection.Application-Layer Protocol Negotiation (ALPN) Protocol IDIANAPermanent Message Header Field Names>IANAThe Transport Layer Security (TLS) Protocol Version 1.2This document specifies Version 1.2 of the Transport Layer Security (TLS) protocol. The TLS protocol provides communications security over the Internet. The protocol allows client/server applications to communicate in a way that is designed to prevent eavesdropping, tampering, or message forgery. [STANDARDS-TRACK]Traversal Using Relays around NAT (TURN): Relay Extensions to Session Traversal Utilities for NAT (STUN)If a host is located behind a NAT, then in certain situations it can be impossible for that host to communicate directly with other hosts (peers). In these situations, it is necessary for the host to use the services of an intermediate node that acts as a communication relay. This specification defines a protocol, called TURN (Traversal Using Relays around NAT), that allows the host to control the operation of the relay and to exchange packets with its peers using the relay. TURN differs from some other relay control protocols in that it allows a client to communicate with multiple peers using a single relay address. [STANDARDS-TRACK]
Identifying Website Users by TLS Traffic Analysis: New Attacks and Effective
Countermeasures, Revision 1