HTTP Working Group M. Nottingham Internet-Draft E. Nygren Intended status: Standards Track Akamai Expires:April 1,August 17, 2017 February 13, 2017September 28, 2016The ORIGIN HTTP/2 Framedraft-ietf-httpbis-origin-frame-01draft-ietf-httpbis-origin-frame-02 Abstract This document specifies the ORIGIN frame for HTTP/2, to indicate what origins are available on a given connection. Note to Readers Discussion of this draft takes place on the HTTP working group mailing list (ietf-http-wg@w3.org), which is archived at https://lists.w3.org/Archives/Public/ietf-http-wg/ . Working Group information can be found at http://httpwg.github.io/ ; source code and issues list for this draft can be found at https://github.com/httpwg/http-extensions/labels/origin-frame . Status of This Memo This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at http://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." This Internet-Draft will expire onApril 1,August 17, 2017. Copyright Notice Copyright (c)20162017 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License. Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 1.1. Notational Conventions . . . . . . . . . . . . . . . . .23 2. The ORIGIN HTTP/2 Frame . . . . . . . . . . . . . . . . . . .23 2.1.The Origin SetSyntax . . . . . . . . . . . . . . . . . . . . . . . . . 3 2.2. Processing ORIGIN Frames . . . . . . . . . . . . . . . . 3 2.3. The Origin Set . . . . . . . . . . . . . . . . . . . . . 4 2.4. Authority, Push and Coalescing with ORIGIN . . . . . . . 5 3.SecurityIANA Considerations . . . . . . . . . . . . . . . . . . .5. . 6 4. Security Considerations . . . . . . . . . . . . . . . . . . . 6 5. References . . . . . . . . . . . . . . . . . . . . . . . . . 6 5.1. Normative References . . . . . . . . . . . . . . . . . . 6 5.2. Informative References . .5. . . . . . . . . . . . . . . 7 Appendix A. Non-Normative Processing Algorithm . . . . . . . . . 7 Appendix B. Operational Considerations for Servers . . . . . . . 8 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . .58 1. Introduction HTTP/2 [RFC7540] allows clients to coalesce different origins [RFC6454] onto the same connection when certain conditions are met. However, in certain cases, a connection is is not usable for a coalesced origin, so the 421 (Misdirected Request) status code ([RFC7540], Section 9.1.2) was defined. Using a status code in this manner allows clients to recover from misdirected requests, but at the penalty of adding latency. To address that, this specification defines a new HTTP/2 frame type, "ORIGIN", to allow servers to indicate what origins a connection is usable for. Additionally, experience has shown that HTTP/2's requirement to establish server authority using both DNS and the server's certificate is onerous. This specification relaxes the requirement to check DNS when the ORIGIN frame is in use. Doing so has additional benefits, such as removing the latency associated with some DNS lookups, and improving DNS privacy. 1.1. Notational Conventions The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119]. 2. The ORIGIN HTTP/2 Frame The ORIGIN HTTP/2 frame ([RFC7540], Section 4) allows a server to indicate what origin(s) [RFC6454] the server would like the client to consider as members of the Origin Set (Section2.1)2.3) for the connection it occurs within. 2.1. Syntax The ORIGIN frame type is 0xb (decimal 11). +-------------------------------+-------------------------------+ | Origin-Len (16) |Origin?ASCII-Origin? (*) ... +-------------------------------+-------------------------------+ The ORIGIN frame's payload contains the following fields, sets of which may be repeated within the frame to indicate multiple origins: Origin-Len: An unsigned, 16-bit integer indicating the length, in octets, of theOriginASCII-Origin field. Origin: An optional sequence of characters containing the ASCII serialization of an origin ([RFC6454], Section 6.2) that the sender believes this connection is or could be authoritative for. The ORIGIN framedefines the following flags: CLEAR (0x1): Indicatesdoes not define any flags. However, future updates to this specification MAY define flags. See Section 2.2. 2.2. Processing ORIGIN Frames The ORIGIN frame is a non-critical extension to HTTP/2. Endpoints that do not support this frame can safely ignore it upon receipt. When received by an implementing client, it is used to initialise and manipulate the Origin Set (see Section 2.3), thereby changing how the client establishes authority for origin servers (see Section 2.4). The origin frame MUST bereset tosent on stream 0; anempty set before processing the contents of theORIGIN frameit occurs upon. REMOVE (0x2): Indicates thaton any other stream is invalid and MUST be ignored. Likewise, theorigin(s) carried inORIGIN frame is only valid on connections with thepayload must"h2" protocol identifier, or when specifically nominated by the protocol's definition; it MUST beremoved fromignored when received on a connection with theOrigin Set, if present; if"h2c" protocol identifier. This specification does notpresent, it/they have no effect. 2.1.define any flags for the ORIGIN frame, but future updates might use them to change its semantics. The first four flags (0x1, 0x2, 0x4 and 0x8) are reserved for backwards- incompatible changes, and therefore when any of them are set, the ORIGIN frame containing them MUST be ignored by clients conforming to this specification. The remaining flags are reserved for backwards- compatible changes, and do not affect processing by clients conformant to this specification. The ORIGIN frame describes a property of the connection, and therefore is processed hop-by-hop. An intermediary MUST NOT forward ORIGIN frames. Clients configured to use a proxy MUST ignore any ORIGIN frames received from it. Each ASCII-Origin field in the frame's payload MUST be parsed as an ASCII serialisation of an origin ([RFC6454], Section 6.2). If parsing fails, the field MUST be ignored. See Appendix A for an illustrative algorithm for processing ORIGIN frames. 2.3. The Origin Set The set of origins (as per [RFC6454]) that a given connection might be used for is known in this specification as the Origin Set.WhenBy default, aconnectionconnections's Origin Set is uninitialised. When an ORIGIN frame is firstestablished, itsreceived and successfully processed by a client, the connection's Origin Set is defined tobe those origins thatcontain a single origin, composed from: o Scheme: "https" o Host: theclient would normally considervalue sent in Server Name Indication ([RFC6066] Section 3), converted to lower case o Port: the remote port of the connectionauthoritative for; see [RFC7540], Section 10.1.(i.e., the server's port) The contents of that ORIGIN frame (and subsequent ones) allows the server tomodify the Origin Set. In particular: 1. A server canincrementally addto its members by sending an ORIGIN frame (without any flags set); 2. A server can prune one or morenew originsfrom itto the Origin Set, as described in Section 2.2. The Origin Set is also affected bysending an ORIGIN framethe 421 (Misdirected Request) response status code, defined in [RFC7540] Section 9.1.2. Upon receipt of a response with this status code, implementing clients MUST create theREMOVE flag set; 3. A server canASCII serialisation of the corresponding request's origin (as per [RFC6454], Section 6.2) and removeall its membersit from the connection's Origin Set, if present. 2.4. Authority, Push andthen add zero or more members by sending an ORIGIN frameCoalescing withthe CLEAR flag setORIGIN [RFC7540], Section 10.1 uses both DNS anda payload containingthenew origins. Addingpresented TLS certificate to establish theOrigin Set (cases 1 and 3 above) does not implyorigin server(s) thatthea connection is authoritativefor the added origins (in the sense of [RFC7540],for, just as HTTP/1.1 does in [RFC7230]. Furthermore, [RFC7540] Section10.1) on its own; this MUST9.1.1 explicitly allows a connection to be used for more than one origin server, if it is authoritative. This affects what requests can beestablishedsent on the connection, both in HEADERS frame bysome other mechanism. Athe client and as PUSH_PROMISE frames from the server. Once an Origin Set has been initialised for a connection, clients thatimplementsimplement this specification change these behaviors in the following ways: o Clients MUST NOTuse a connectionconsult DNS to establish the connection's authority for new requests. The TLS certificate MUST stil be used to do so, as described in [RFC7540] Section 9.1.1. o Clients sending agiven origin unless thatnew request SHOULD use an existing connection if the request's originappearsis inthethat connection's OriginSetSet, unless there are operational reasons for creating a new connection. o Clients MUST use theconnection, regardless ofOrigin Set to determine whetheror not it believesa received PUSH_PROMISE is authoritative, as described in [RFC7540], Section 8.2.2. Note that clients are still required to perform checks on the certificate presented by the server for each origin that a connection isauthoritativeused for; see [RFC7540] Section 9.1.1 for more information. This includes verifying thatorigin. 2.2. Processing ORIGIN Frames Thethe host matches a "dNSName" value from the certificate "subjectAltName" field (using the wildcard rules defined in [RFC2818]; see also [RFC5280] Section 4.2.1.6). Because ORIGINframecan change the set of origins a connection is used for over time, it is possible that anon-critical extensionclient might have more than one viable connection toHTTP/2. Endpoints that do not support this frame can safely ignore it upon receipt.an origin open at any time. Whenreceived bythis occurs, clients SHOULD not emit new requests on any connection whose Origin Set is aclient,subset of another connection's Origin Set, and SHOULD close itcanonce all outstanding requests are satisfied. 3. IANA Considerations This specification adds an entry to the "HTTP/2 Frame Type" registry. o Frame Type: ORIGIN o Code: 0xb o Specification: [this document] 4. Security Considerations Clients that blindly trust the ORIGIN frame's contents will beusedvulnerable toinform HTTP/2 connection coalescing (seea large number of attacks. See Section2.1), but does not relax2.4 for mitigations. Relaxing the requirementthere that the server is authoritative. Theto consult DNS when determining authority for an originframe MUST be sent on stream 0;means that anORIGIN frame on any other stream is invalid and MUSTattacker who possesses a valid certificate no longer needs to beignored. The ORIGIN frame is processed hop-by-hop. An intermediary MUST NOT forward ORIGIN frames. Clients configuredon-path to redirect traffic to them; instead of modifying DNS, they need only convince the user to visit another Web site, in order to coalesce connections to the target onto their existing connection. 5. References 5.1. Normative References [RFC2119] Bradner, S., "Key words for usea proxy MUST ignore any ORIGIN frames received from it.in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997, <http://www.rfc-editor.org/info/rfc2119>. [RFC2818] Rescorla, E., "HTTP Over TLS", RFC 2818, DOI 10.17487/RFC2818, May 2000, <http://www.rfc-editor.org/info/rfc2818>. [RFC5280] Cooper, D., Santesson, S., Farrell, S., Boeyen, S., Housley, R., and W. Polk, "Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile", RFC 5280, DOI 10.17487/RFC5280, May 2008, <http://www.rfc-editor.org/info/rfc5280>. [RFC6066] Eastlake 3rd, D., "Transport Layer Security (TLS) Extensions: Extension Definitions", RFC 6066, DOI 10.17487/RFC6066, January 2011, <http://www.rfc-editor.org/info/rfc6066>. [RFC6454] Barth, A., "The Web Origin Concept", RFC 6454, DOI 10.17487/RFC6454, December 2011, <http://www.rfc-editor.org/info/rfc6454>. [RFC7540] Belshe, M., Peon, R., and M. Thomson, Ed., "Hypertext Transfer Protocol Version 2 (HTTP/2)", RFC 7540, DOI 10.17487/RFC7540, May 2015, <http://www.rfc-editor.org/info/rfc7540>. 5.2. Informative References [RFC5988] Nottingham, M., "Web Linking", RFC 5988, DOI 10.17487/RFC5988, October 2010, <http://www.rfc-editor.org/info/rfc5988>. [RFC7230] Fielding, R., Ed. and J. Reschke, Ed., "Hypertext Transfer Protocol (HTTP/1.1): Message Syntax and Routing", RFC 7230, DOI 10.17487/RFC7230, June 2014, <http://www.rfc-editor.org/info/rfc7230>. [RFC7838] Nottingham, M., McManus, P., and J. Reschke, "HTTP Alternative Services", RFC 7838, DOI 10.17487/RFC7838, April 2016, <http://www.rfc-editor.org/info/rfc7838>. Appendix A. Non-Normative Processing Algorithm The following algorithm illustrates how a clientcancould handle received ORIGIN frames: 1. If the client is configured to use aproxy,proxy for the connection, ignore the frame and stop processing. 2. If the connection is not identified with the "h2" protocol identifier or another protocol that has explicitly opted into this specification, ignore the frame and stop processing. 3. If the frame occurs upon any stream except stream 0, ignore the frame and stop processing.3.4. If any of theCLEAR flag isflags 0x1, 0x2, 0x4 or 0x8 are set,remove all members fromignore the frame and stop processing. 5. If no previous ORIGIN frame on the connection has reached this step, initialise the OriginSet. 4.Set as per Section 2.3. 6. For each Origin field "origin_raw" in the frame payload: 1. Parse "origin_raw" as an ASCII serialization of an origin ([RFC6454], Section 6.2) and let the result be "parsed_origin".2.Ifthe REMOVE flag is set, remove any member of the Origin Set that is the same as "parsed_origin" (as per [RFC6454], Section 5), and continueparsing fails, skip to the next"parsed_origin". 3. Otherwise, add"origin_raw". 2. Add "parsed_origin" to the Origin Set.3. SecurityAppendix B. Operational ConsiderationsClientsfor Servers The ORIGIN frame allows a server to indicate for which origins a given connection ought be used. For example, it can be used to inform the client thatblindly trustthe connection is to only be used for the SNI-based origin, by sending an empty ORIGINframe's contents willframe. Or, a larger number of origins can bevulnerableindicated by including a payload. Generally, this information is most useful to send before sending any part of a response that might initiate a new connection; for example, "Link" headers [RFC5988] in a response HEADERS, or links in the response body. Therefore, the ORIGIN frame ought be sent as soon as possible on a connection, ideally before any HEADERS or PUSH_PROMISE frames. However, if it's desirable to associate a large number ofattacks; henceorigins with a connection, doing so might introduce end-user perceived latency, due to their size. As a result, it might be necessary to select a "core" set of origins to send initially, expanding thereinforcement that this specification does not relaxset of origins therequirementconnection is used forserver authority in [RFC7540],with subsequent ORIGIN frames later (e.g., when the connection is idle). Senders should note that, as per [RFC6454] Section10.1. 4. Normative References [RFC2119] Bradner, S., "Key words for use4, the values inRFCsan ORIGIN header need toIndicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997, <http://www.rfc-editor.org/info/rfc2119>. [RFC6454] Barth, A., "The Webbe case-normalised before serialisation. Finally, servers that allow alternative services [RFC7838] will need to explicitly advertise those origins when sending ORIGIN, because the default contents of the OriginConcept", RFC 6454, DOI 10.17487/RFC6454, December 2011, <http://www.rfc-editor.org/info/rfc6454>. [RFC7540] Belshe, M., Peon, R., and M. Thomson, Ed., "Hypertext Transfer Protocol Version 2 (HTTP/2)", RFC 7540, DOI 10.17487/RFC7540, May 2015, <http://www.rfc-editor.org/info/rfc7540>.Set (as per Section 2.3) do not contain any Alternative Services, even if they have been used previously on the connection. Authors' Addresses Mark Nottingham Akamai Email: mnot@mnot.net URI: https://www.mnot.net/ Erik Nygren Akamai Email: nygren@akamai.com