wdiff rfc8441.original rfc8441.txt

HTTP
Internet Engineering Task Force (IETF) P. McManus
Internet-Draft
Request for Comments: 8441 Mozilla
Updates: 6455 (if approved) June 18, September 2018
Intended status:
Category: Standards Track
Expires: December 20, 2018
ISSN: 2070-1721

Bootstrapping WebSockets with HTTP/2
draft-ietf-httpbis-h2-websockets-07

Abstract

This document defines a mechanism for running the WebSocket Protocol
(RFC 6455) over a single stream of an HTTP/2 connection.

Status of This Memo

This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.

Internet-Drafts are working documents an Internet Standards Track document.

This document is a product of the Internet Engineering Task Force
(IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list It represents the consensus of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/.

Internet-Drafts are draft documents valid the IETF community. It has
received public review and has been approved for a maximum publication by the
Internet Engineering Steering Group (IESG). Further information on
Internet Standards is available in Section 2 of RFC 7841.

Information about the current status of six months this document, any errata,
and how to provide feedback on it may be updated, replaced, or obsoleted by other documents obtained at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."

This Internet-Draft will expire on December 20, 2018.
https://www.rfc-editor.org/info/rfc8441.

This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.

Table of Contents

1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3
3. The SETTINGS_ENABLE_CONNECT_PROTOCOL SETTINGS Parameter . . . 3
4. The Extended CONNECT Method . . . . . . . . . . . . . . . . . 4
5. Using Extended CONNECT To to Bootstrap the WebSocket Protocol . 4
5.1. Example . . . . . . . . . . . . . . . . . . . . . . . . . 5 6
6. Design Considerations . . . . . . . . . . . . . . . . . . . . 6
7. About Intermediaries . . . . . . . . . . . . . . . . . . . . 6
8. Security Considerations . . . . . . . . . . . . . . . . . . . 7
9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 7
9.1. A New HTTP/2 Setting . . . . . . . . . . . . . . . . . . 7
9.2. A New HTTP Upgrade Token . . . . . . . . . . . . . . . . 7
10. Normative References . . . . . . . . . . . . . . . . . . . . 7 8
Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . 8
Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 8

1. Introduction

The Hypertext Transfer Protocol (HTTP) [RFC7230] provides compatible
resource-level semantics across different versions versions, but it does not
offer compatibility at the connection management connection-management level. Other
protocols, such as WebSockets,
protocols that rely on connection management connection-management details of HTTP HTTP, such as
WebSockets, must be updated for new versions of HTTP.

The WebSocket Protocol [RFC6455] uses the HTTP/1.1 Upgrade mechanism
(Section 6.7 of [RFC7230]) to transition a TCP connection from HTTP
into a WebSocket connection. A different approach must be taken with
HTTP/2 [RFC7540]. Due to its multiplexing nature, HTTP/2 does not
allow connection-wide header fields and or status codes codes, such as the
Upgrade and Connection request
header request-header fields or the 101 (Switching
Protocols) response code due to
its multiplexing nature. code. These are all required by the [RFC6455]
opening handshake.

Being able to bootstrap WebSockets from HTTP/2 allows one TCP
connection to be shared by both protocols and extends HTTP/2's more
efficient use of the network to WebSockets.

This document extends the HTTP CONNECT method (as method, as specified for
HTTP/2 in Section 8.3 of [RFC7540]). [RFC7540]. The extension allows the
substitution of a new protocol name to connect to rather than the
external host normally used by CONNECT. The result is a tunnel on a
single HTTP/2 stream that can carry data for WebSockets (or any other
protocol). The other streams on the connection may carry more
extended CONNECT tunnels, traditional HTTP/2 data, or a mixture of
both.

This tunneled stream will be multiplexed with other regular streams
on the connection and enjoys the normal priority, cancellation, and
flow control
flow-control features of HTTP/2.

Streams that successfully establish a WebSocket connection using a
tunneled stream and the modifications to the opening handshake
defined in this document then use the traditional WebSocket Protocol,
treating the stream as if it were the TCP connection in that
specification.

2. Terminology

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in
BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all
capitals, as shown here.

3. The SETTINGS_ENABLE_CONNECT_PROTOCOL SETTINGS Parameter

This document adds a new SETTINGS Parameter parameter to those defined by
[RFC7540], Section 6.5.2.

The new parameter name is SETTINGS_ENABLE_CONNECT_PROTOCOL. The
value of the parameter MUST be 0 or 1.

Upon receipt of SETTINGS_ENABLE_CONNECT_PROTOCOL with a value of 1, a
client MAY use the Extended CONNECT definition of as defined in this document when
creating new streams. Receipt of this parameter by a server does not
have any impact.

A sender MUST NOT send a SETTINGS_ENABLE_CONNECT_PROTOCOL parameter
with the value of 0 after previously sending a value of 1.

The use of

Using a SETTINGS Parameter to opt-in parameter to opt into an otherwise incompatible
protocol change is a use of "Extending HTTP/2" defined by Section 5.5
of [RFC7540]. Specifically, the addition a new pseudo-header field ":protocol" field,
":protocol", and the change in meaning of the
":authority" pseudo-header :authority pseudo-
header field in Section 4 require opt-in negotiation. If a client
were to use the provisions of the extended CONNECT method defined in
this document without first receiving a
SETTINGS_ENABLE_CONNECT_PROTOCOL parameter, a non-supporting peer
would detect a malformed request and generate a stream error
(Section 8.1.2.6 of [RFC7540]).

4. The Extended CONNECT Method

Usage of the CONNECT method in HTTP/2 is defined by Section 8.3 of
[RFC7540]. This extension modifies the method in the following ways:

o A new pseudo-header field :protocol MAY be included on request
HEADERS indicating the desired protocol to be spoken on the tunnel
created by CONNECT. The pseudo-header field is single valued and
contains a value from the HTTP "Hypertext Transfer Protocol (HTTP)
Upgrade Token Registry Registry" located at
https://www.iana.org/assignments/http-upgrade-tokens/http-upgrade-
tokens.xhtml
<https://www.iana.org/assignments/http-upgrade-tokens/>

o On requests that contain the :protocol pseudo-header field, the
:scheme and :path pseudo-header fields of the target URI (See (see
Section 5) MUST also be included.

o On requests bearing the :protocol pseudo-header field, the
:authority pseudo-header field is interpreted according to
Section 8.1.2.3 of [RFC7540] instead of Section 8.3 of [RFC7540]. that
document. In particular, the server MUST NOT create a tunnel to
the host indicated by the :authority as it would with a CONNECT
method request that was not modified by this extension.

Upon receiving a CONNECT request bearing the :protocol pseudo-header
field
field, the server establishes a tunnel to another service of the
protocol type indicated by the pseudo-header field. This service may
or may not be co-located with the server.

5. Using Extended CONNECT To to Bootstrap the WebSocket Protocol

The :protocol pseudo-header field MUST be included in the CONNECT
request
request, and it MUST have a value of "websocket" to initiate a
WebSocket connection on an HTTP/2 stream. Other HTTP request and
response header
response-header fields, such as those for manipulating cookies, may
be included in the HEADERS with the CONNECT method as usual. This
request replaces the GET-based request in [RFC6455] and is used to
process the WebSockets opening handshake.

The scheme of the target URI (Section 5.1 of [RFC7230]) MUST be
"https" for "wss" schemed "wss"-schemed WebSockets and "http" for "ws" schemed "ws"-schemed
WebSockets. The remainder of the Target target URI is the same as the
websocket
WebSocket URI. The websocket WebSocket URI is still used for proxy
autoconfiguration. The security requirements for the HTTP/2
connection used by this specification are established by [RFC7540]
for https requests and [RFC8164] for http requests.

[RFC6455] requires the use of Connection and Upgrade header fields
that are not part of HTTP/2. They MUST NOT be included in the
CONNECT request defined here.

[RFC6455] requires the use of a Host header field which that is also not
part of HTTP/2. The Host information is conveyed as part of the
:authority pseudo-header field field, which is required on every HTTP/2
transaction.

Implementations using this extended CONNECT to bootstrap WebSockets
do not do the processing of the [RFC6455] Sec-WebSocket-Key and Sec-
WebSocket-Accept Sec-WebSocket-
Accept header fields of [RFC6455] as that functionality has been
superseded by the :protocol pseudo-header field.

The Origin [RFC6454], Sec-WebSocket-Version, Sec-WebSocket-Protocol,
and Sec-WebSocket-Extensions header fields are used in the CONNECT
request and response header response-header fields in the same way as defined in [RFC6455]. Note
that HTTP/1 header field names were case-insensitive
and case insensitive, whereas HTTP/2
requires they be encoded as lower case. lowercase.

After successfully processing the opening handshake, the peers should
proceed with the WebSocket Protocol [RFC6455] using the HTTP/2 stream
from the CONNECT transaction as if it were the TCP connection
referred to in [RFC6455]. The state of the WebSocket connection at
this point is OPEN OPEN, as defined by [RFC6455], Section 4.1.

The HTTP/2 stream closure is also analogous to the TCP connection
closure of [RFC6455]. Orderly TCP level TCP-level closures are represented as
END_STREAM flags ([RFC7540], Section 6.1) flags and 6.1). RST exceptions are
represented with the RST_STREAM frame ([RFC7540], Section 6.4) frame with
the CANCEL error code ([RFC7540], Section 7) error code. 7).

5.1. Example

[[ From Client ]] [[ From Server ]]

SETTINGS
SETTINGS_ENABLE_CONNECT_[..] = 1

HEADERS + END_HEADERS
:method = CONNECT
:protocol = websocket
:scheme = https
:path = /chat
:authority = server.example.com
sec-websocket-protocol = chat, superchat
sec-websocket-extensions = permessage-deflate
sec-websocket-version = 13
origin = http://www.example.com

HEADERS + END_HEADERS
:status = 200
sec-websocket-protocol = chat

DATA
WebSocket Data

DATA + END_STREAM
WebSocket Data

6. Design Considerations

A more native integration with HTTP/2 is certainly possible with
larger additions to HTTP/2. This design was selected to minimize the
solution complexity while still addressing the primary concern of
running HTTP/2 and WebSockets concurrently.

7. About Intermediaries

This document does not change how WebSockets interacts with HTTP
forward proxies. If a client wishing to speak WebSockets connects
via HTTP/2 to an HTTP proxy proxy, it should continue to use a traditional
(i.e.
CONNECT (i.e., not with a :protocol pseudo-header field) CONNECT to tunnel
through that proxy to the WebSocket server via HTTP.

The resulting version of HTTP on that tunnel determines whether
WebSockets is initiated directly or via a modified CONNECT request
described in this document.

8. Security Considerations

[RFC6455] ensures that non-WebSockets clients, especially
XMLHttpRequest based
XMLHttpRequest-based clients, cannot make a WebSocket connection.
Its primary mechanism for doing that is the use of Sec- prefixed
request header Sec-prefixed
request-header fields that cannot be created by XMLHttpRequest-based
clients. This specification addresses that concern in two ways:

o XMLHttpRequest also prohibits use of the CONNECT method in
addition to Sec- prefixed request header Sec-prefixed request-header fields.

o The use of a pseudo-header field is something that is connection
specific
specific, and HTTP/2 does not ever allow never allows a pseudo-header to be created
outside of the protocol stack.

The security considerations of [RFC6455] section [RFC6455], Section 10 continue to
apply to the use of the WebSocket Protocol when using this specification
specification, with the exception of 10.8. That section is not relevant
relevant, because it is specific to the boostrapping handshake that
is changed in this document.

9. IANA Considerations

9.1. A New HTTP/2 Setting

This document establishes registers an entry for in the HTTP/2 Settings Registry "HTTP/2 Settings" registry
that was established by Section 11.3 of [RFC7540].

Name: SETTINGS_ENABLE_CONNECT_PROTOCOL

Code: 0x8
Name: SETTINGS_ENABLE_CONNECT_PROTOCOL
Initial Value: 0
Specification: This document

9.2. A New HTTP Upgrade Token

This document registers an entry in the "HTTP Upgrade Tokens"
registry that was established by [RFC7230].

Value: websocket
Description: The Web Socket Protocol
Expected Version Tokens:
References: [RFC6455] [RFC8441]

10. Normative References

[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997,
<https://www.rfc-editor.org/info/rfc2119>.

[RFC6454] Barth, A., "The Web Origin Concept", RFC 6454,
DOI 10.17487/RFC6454, December 2011,
<https://www.rfc-editor.org/info/rfc6454>.

[RFC6455] Fette, I. and A. Melnikov, "The WebSocket Protocol",
RFC 6455, DOI 10.17487/RFC6455, December 2011,
<https://www.rfc-editor.org/info/rfc6455>.

[RFC7230] Fielding, R., Ed. and J. Reschke, Ed., "Hypertext Transfer
Protocol (HTTP/1.1): Message Syntax and Routing",
RFC 7230, DOI 10.17487/RFC7230, June 2014,
<https://www.rfc-editor.org/info/rfc7230>.

[RFC7540] Belshe, M., Peon, R., and M. Thomson, Ed., "Hypertext
Transfer Protocol Version 2 (HTTP/2)", RFC 7540,
DOI 10.17487/RFC7540, May 2015,
<https://www.rfc-editor.org/info/rfc7540>.

[RFC8164] Nottingham, M. and M. Thomson, "Opportunistic Security for
HTTP/2", RFC 8164, DOI 10.17487/RFC8164, May 2017,
<https://www.rfc-editor.org/info/rfc8164>.

[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
May 2017, <https://www.rfc-editor.org/info/rfc8174>.

Acknowledgments

The 2017 HTTP Workshop had a very productive discussion that helped
determine the key problem and acceptable level of solution
complexity.

Author's Address

Patrick McManus
Mozilla

Email: mcmanus@ducksong.com