idnits 2.17.00 (12 Aug 2021) /tmp/idnits20538/draft-ietf-httpbis-h2-websockets-07.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- -- The draft header indicates that this document updates RFC6455, but the abstract doesn't seem to directly say this. It does mention RFC6455 though, so this could be OK. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document date (June 18, 2018) is 1426 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) ** Downref: Normative reference to an Historic RFC: RFC 8164 Summary: 1 error (**), 0 flaws (~~), 1 warning (==), 2 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 HTTP P. McManus 3 Internet-Draft Mozilla 4 Updates: 6455 (if approved) June 18, 2018 5 Intended status: Standards Track 6 Expires: December 20, 2018 8 Bootstrapping WebSockets with HTTP/2 9 draft-ietf-httpbis-h2-websockets-07 11 Abstract 13 This document defines a mechanism for running the WebSocket Protocol 14 (RFC 6455) over a single stream of an HTTP/2 connection. 16 Status of This Memo 18 This Internet-Draft is submitted in full conformance with the 19 provisions of BCP 78 and BCP 79. 21 Internet-Drafts are working documents of the Internet Engineering 22 Task Force (IETF). Note that other groups may also distribute 23 working documents as Internet-Drafts. The list of current Internet- 24 Drafts is at https://datatracker.ietf.org/drafts/current/. 26 Internet-Drafts are draft documents valid for a maximum of six months 27 and may be updated, replaced, or obsoleted by other documents at any 28 time. It is inappropriate to use Internet-Drafts as reference 29 material or to cite them other than as "work in progress." 31 This Internet-Draft will expire on December 20, 2018. 33 Copyright Notice 35 Copyright (c) 2018 IETF Trust and the persons identified as the 36 document authors. All rights reserved. 38 This document is subject to BCP 78 and the IETF Trust's Legal 39 Provisions Relating to IETF Documents 40 (https://trustee.ietf.org/license-info) in effect on the date of 41 publication of this document. Please review these documents 42 carefully, as they describe your rights and restrictions with respect 43 to this document. Code Components extracted from this document must 44 include Simplified BSD License text as described in Section 4.e of 45 the Trust Legal Provisions and are provided without warranty as 46 described in the Simplified BSD License. 48 Table of Contents 50 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 51 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3 52 3. The SETTINGS_ENABLE_CONNECT_PROTOCOL SETTINGS Parameter . . . 3 53 4. The Extended CONNECT Method . . . . . . . . . . . . . . . . . 4 54 5. Using Extended CONNECT To Bootstrap the WebSocket Protocol . 4 55 5.1. Example . . . . . . . . . . . . . . . . . . . . . . . . . 5 56 6. Design Considerations . . . . . . . . . . . . . . . . . . . . 6 57 7. About Intermediaries . . . . . . . . . . . . . . . . . . . . 6 58 8. Security Considerations . . . . . . . . . . . . . . . . . . . 7 59 9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 7 60 10. Normative References . . . . . . . . . . . . . . . . . . . . 7 61 Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . 8 62 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 8 64 1. Introduction 66 The Hypertext Transfer Protocol (HTTP) [RFC7230] provides compatible 67 resource-level semantics across different versions but it does not 68 offer compatibility at the connection management level. Other 69 protocols, such as WebSockets, that rely on connection management 70 details of HTTP must be updated for new versions of HTTP. 72 The WebSocket Protocol [RFC6455] uses the HTTP/1.1 Upgrade mechanism 73 (Section 6.7 of [RFC7230]) to transition a TCP connection from HTTP 74 into a WebSocket connection. A different approach must be taken with 75 HTTP/2 [RFC7540]. HTTP/2 does not allow connection-wide header 76 fields and status codes such as the Upgrade and Connection request 77 header fields or the 101 (Switching Protocols) response code due to 78 its multiplexing nature. These are all required by the [RFC6455] 79 opening handshake. 81 Being able to bootstrap WebSockets from HTTP/2 allows one TCP 82 connection to be shared by both protocols and extends HTTP/2's more 83 efficient use of the network to WebSockets. 85 This document extends the HTTP CONNECT method (as specified for 86 HTTP/2 in Section 8.3 of [RFC7540]). The extension allows the 87 substitution of a new protocol name to connect to rather than the 88 external host normally used by CONNECT. The result is a tunnel on a 89 single HTTP/2 stream that can carry data for WebSockets (or any other 90 protocol). The other streams on the connection may carry more 91 extended CONNECT tunnels, traditional HTTP/2 data, or a mixture of 92 both. 94 This tunneled stream will be multiplexed with other regular streams 95 on the connection and enjoys the normal priority, cancellation, and 96 flow control features of HTTP/2. 98 Streams that successfully establish a WebSocket connection using a 99 tunneled stream and the modifications to the opening handshake 100 defined in this document then use the traditional WebSocket Protocol, 101 treating the stream as if were the TCP connection in that 102 specification. 104 2. Terminology 106 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 107 "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and 108 "OPTIONAL" in this document are to be interpreted as described in BCP 109 14 [RFC2119] [RFC8174] when, and only when, they appear in all 110 capitals, as shown here. 112 3. The SETTINGS_ENABLE_CONNECT_PROTOCOL SETTINGS Parameter 114 This document adds a new SETTINGS Parameter to those defined by 115 [RFC7540], Section 6.5.2. 117 The new parameter name is SETTINGS_ENABLE_CONNECT_PROTOCOL. The 118 value of the parameter MUST be 0 or 1. 120 Upon receipt of SETTINGS_ENABLE_CONNECT_PROTOCOL with a value of 1, a 121 client MAY use the Extended CONNECT definition of this document when 122 creating new streams. Receipt of this parameter by a server does not 123 have any impact. 125 A sender MUST NOT send a SETTINGS_ENABLE_CONNECT_PROTOCOL parameter 126 with the value of 0 after previously sending a value of 1. 128 The use of a SETTINGS Parameter to opt-in to an otherwise 129 incompatible protocol change is a use of "Extending HTTP/2" defined 130 by Section 5.5 of [RFC7540]. Specifically, the addition a new 131 pseudo-header field ":protocol" and the change in meaning of the 132 ":authority" pseudo-header field in Section 4 require opt-in 133 negotiation. If a client were to use the provisions of the extended 134 CONNECT method defined in this document without first receiving a 135 SETTINGS_ENABLE_CONNECT_PROTOCOL parameter, a non-supporting peer 136 would detect a malformed request and generate a stream error 137 (Section 8.1.2.6 of [RFC7540]). 139 4. The Extended CONNECT Method 141 Usage of the CONNECT method in HTTP/2 is defined by Section 8.3 of 142 [RFC7540]. This extension modifies the method in the following ways: 144 o A new pseudo-header field :protocol MAY be included on request 145 HEADERS indicating the desired protocol to be spoken on the tunnel 146 created by CONNECT. The pseudo-header field is single valued and 147 contains a value from the HTTP Upgrade Token Registry located at 148 https://www.iana.org/assignments/http-upgrade-tokens/http-upgrade- 149 tokens.xhtml 151 o On requests that contain the :protocol pseudo-header field, the 152 :scheme and :path pseudo-header fields of the target URI (See 153 Section 5) MUST also be included. 155 o On requests bearing the :protocol pseudo-header field, the 156 :authority pseudo-header field is interpreted according to 157 Section 8.1.2.3 of [RFC7540] instead of Section 8.3 of [RFC7540]. 158 In particular, the server MUST NOT create a tunnel to the host 159 indicated by the :authority as it would with a CONNECT method 160 request that was not modified by this extension. 162 Upon receiving a CONNECT request bearing the :protocol pseudo-header 163 field the server establishes a tunnel to another service of the 164 protocol type indicated by the pseudo-header field. This service may 165 or may not be co-located with the server. 167 5. Using Extended CONNECT To Bootstrap the WebSocket Protocol 169 The :protocol pseudo-header field MUST be included in the CONNECT 170 request and it MUST have a value of "websocket" to initiate a 171 WebSocket connection on an HTTP/2 stream. Other HTTP request and 172 response header fields, such as those for manipulating cookies, may 173 be included in the HEADERS with the CONNECT method as usual. This 174 request replaces the GET-based request in [RFC6455] and is used to 175 process the WebSockets opening handshake. 177 The scheme of the target URI (Section 5.1 of [RFC7230]) MUST be 178 "https" for "wss" schemed WebSockets and "http" for "ws" schemed 179 WebSockets. The remainder of the Target URI is the same as the 180 websocket URI. The websocket URI is still used for proxy 181 autoconfiguration. The security requirements for the HTTP/2 182 connection used by this specification are established by [RFC7540] 183 for https requests and [RFC8164] for http requests. 185 [RFC6455] requires the use of Connection and Upgrade header fields 186 that are not part of HTTP/2. They MUST NOT be included in the 187 CONNECT request defined here. 189 [RFC6455] requires the use of a Host header field which is also not 190 part of HTTP/2. The Host information is conveyed as part of the 191 :authority pseudo-header field which is required on every HTTP/2 192 transaction. 194 Implementations using this extended CONNECT to bootstrap WebSockets 195 do not do the processing of the [RFC6455] Sec-WebSocket-Key and Sec- 196 WebSocket-Accept header fields as that functionality has been 197 superseded by the :protocol pseudo-header field. 199 The Origin [RFC6454], Sec-WebSocket-Version, Sec-WebSocket-Protocol, 200 and Sec-WebSocket-Extensions header fields are used in the CONNECT 201 request and response header fields in the same way as defined in 202 [RFC6455]. Note that HTTP/1 header field names were case-insensitive 203 and HTTP/2 requires they be encoded as lower case. 205 After successfully processing the opening handshake, the peers should 206 proceed with the WebSocket Protocol [RFC6455] using the HTTP/2 stream 207 from the CONNECT transaction as if it were the TCP connection 208 referred to in [RFC6455]. The state of the WebSocket connection at 209 this point is OPEN as defined by [RFC6455], Section 4.1. 211 The HTTP/2 stream closure is also analogous to the TCP connection 212 closure of [RFC6455]. Orderly TCP level closures are represented as 213 END_STREAM ([RFC7540], Section 6.1) flags and RST exceptions are 214 represented with the RST_STREAM ([RFC7540], Section 6.4) frame with 215 the CANCEL ([RFC7540], Section 7) error code. 217 5.1. Example 218 [[ From Client ]] [[ From Server ]] 220 SETTINGS 221 SETTINGS_ENABLE_CONNECT_[..] = 1 223 HEADERS + END_HEADERS 224 :method = CONNECT 225 :protocol = websocket 226 :scheme = https 227 :path = /chat 228 :authority = server.example.com 229 sec-websocket-protocol = chat, superchat 230 sec-websocket-extensions = permessage-deflate 231 sec-websocket-version = 13 232 origin = http://www.example.com 234 HEADERS + END_HEADERS 235 :status = 200 236 sec-websocket-protocol = chat 238 DATA 239 WebSocket Data 241 DATA + END_STREAM 242 WebSocket Data 244 DATA + END_STREAM 245 WebSocket Data 247 6. Design Considerations 249 A more native integration with HTTP/2 is certainly possible with 250 larger additions to HTTP/2. This design was selected to minimize the 251 solution complexity while still addressing the primary concern of 252 running HTTP/2 and WebSockets concurrently. 254 7. About Intermediaries 256 This document does not change how WebSockets interacts with HTTP 257 forward proxies. If a client wishing to speak WebSockets connects 258 via HTTP/2 to an HTTP proxy it should continue to use a traditional 259 (i.e. not with a :protocol pseudo-header field) CONNECT to tunnel 260 through that proxy to the WebSocket server via HTTP. 262 The resulting version of HTTP on that tunnel determines whether 263 WebSockets is initiated directly or via a modified CONNECT request 264 described in this document. 266 8. Security Considerations 268 [RFC6455] ensures that non-WebSockets clients, especially 269 XMLHttpRequest based clients, cannot make a WebSocket connection. 270 Its primary mechanism for doing that is the use of Sec- prefixed 271 request header fields that cannot be created by XMLHttpRequest-based 272 clients. This specification addresses that concern in two ways: 274 o XMLHttpRequest also prohibits use of the CONNECT method in 275 addition to Sec- prefixed request header fields. 277 o The use of a pseudo-header field is something that is connection 278 specific and HTTP/2 does not ever allow to be created outside of 279 the protocol stack. 281 The security considerations of [RFC6455] section 10 continue to apply 282 to the use of the WebSocket Protocol when using this specification 283 with the exception of 10.8. That section is not relevant because it 284 is specific to the boostrapping handshake that is changed in this 285 document. 287 9. IANA Considerations 289 This document establishes an entry for the HTTP/2 Settings Registry 290 that was established by Section 11.3 of [RFC7540]. 292 Name: SETTINGS_ENABLE_CONNECT_PROTOCOL 294 Code: 0x8 296 Initial Value: 0 298 Specification: This document 300 10. Normative References 302 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 303 Requirement Levels", BCP 14, RFC 2119, 304 DOI 10.17487/RFC2119, March 1997, 305 . 307 [RFC6454] Barth, A., "The Web Origin Concept", RFC 6454, 308 DOI 10.17487/RFC6454, December 2011, 309 . 311 [RFC6455] Fette, I. and A. Melnikov, "The WebSocket Protocol", 312 RFC 6455, DOI 10.17487/RFC6455, December 2011, 313 . 315 [RFC7230] Fielding, R., Ed. and J. Reschke, Ed., "Hypertext Transfer 316 Protocol (HTTP/1.1): Message Syntax and Routing", 317 RFC 7230, DOI 10.17487/RFC7230, June 2014, 318 . 320 [RFC7540] Belshe, M., Peon, R., and M. Thomson, Ed., "Hypertext 321 Transfer Protocol Version 2 (HTTP/2)", RFC 7540, 322 DOI 10.17487/RFC7540, May 2015, 323 . 325 [RFC8164] Nottingham, M. and M. Thomson, "Opportunistic Security for 326 HTTP/2", RFC 8164, DOI 10.17487/RFC8164, May 2017, 327 . 329 [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 330 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, 331 May 2017, . 333 Acknowledgments 335 The 2017 HTTP Workshop had a very productive discussion that helped 336 determine the key problem and acceptable level of solution 337 complexity. 339 Author's Address 341 Patrick McManus 342 Mozilla 344 Email: mcmanus@ducksong.com