]> Unify

Technology Drive Nottingham NG9 1LA UK andrew.hutton@unify.com

Google

747 6th Ave S Kirkland WA 98033 US justin@uberti.name

Mozilla

331 E Evelyn Street Mountain View CA 94041 US martin.thomson@gmail.com

Applications HTTP HTTP CONNECT Firewall HTTP proxy This specification allows HTTP CONNECT requests to indicate what protocol will be used within the tunnel once established, using the Tunnel-Protocol header field. Discussion of this draft takes place on the HTTPBIS working group mailing list (ietf-http-wg@w3.org), which is archived at . Working Group information can be found at and ; source code and issues list for this draft can be found at .

The HTTP CONNECT method () requests that the recipient establish a tunnel to the identified origin server and thereafter forward packets, in both directions, until the tunnel is closed. Such tunnels are commonly used to create end-to-end virtual connections, through one or more proxies. The HTTP Tunnel-Protocol header field identifies the protocol that will be spoken within the tunnel, using the Application Layer Protocol Negotiation identifier (ALPN, ). When the CONNECT method is used to establish a tunnel, the Tunnel-Protocol header field can be used to identify the protocol that the client intends to use with that tunnel. For a tunnel that is then secured using TLS, the header field carries the same application protocol label as will be carried within the TLS handshake. If there are multiple possible application protocols, all of those application protocols are indicated. The Tunnel-Protocol header field carries an indication of client intent only. In TLS, the final choice of application protocol is made by the server from the set of choices presented by the client. Other protocols could negotiate protocols differently. Proxies do not implement the tunneled protocol, though they might choose to make policy decisions based on the value of the header field. For example, a proxy could use the application protocol to select appropriate traffic prioritization.

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119.

Clients include the Tunnel-Protocol header field in an HTTP CONNECT request to indicate the application layer protocol that will be used within the tunnel, or the set of protocols that might be used within the tunnel.

Valid values for the protocol field are taken from the "Application-Layer Protocol Negotiation (ALPN) Protocol ID" registry () established by .

The ABNF (Augmented Backus-Naur Form) syntax for the Tunnel-Protocol header field is given below. It is based on the Generic Grammar defined in .

ALPN protocol names are octet sequences with no additional constraints on format. Octets not allowed in tokens () MUST be percent-encoded as per . Consequently, the octet representing the percent character "%" (hex 25) MUST be percent-encoded as well. In order to have precisely one way to represent any ALPN protocol name, the following additional constraints apply: Octets in the ALPN protocol MUST NOT be percent-encoded if they are valid token characters except "%", and When using percent-encoding, uppercase hex digits MUST be used. With these constraints, recipients can apply simple string comparison to match protocol identifiers.

For example: CONNECT www.example.com HTTP/1.1 Host: www.example.com Tunnel-Protocol: h2, http%2F1.1

HTTP header fields are registered within the "Message Headers" registry maintained at . This document defines and registers the Tunnel-Protocol header field, according to as follows: Tunnel-Protocol http Standard IETF (iesg@ietf.org) - Internet Engineering Task Force

In case of using HTTP CONNECT to a TURN server ("Traversal Using Relays around NAT", ) the security considerations of apply. It states that there "are significant risks in establishing a tunnel to arbitrary servers, particularly when the destination is a well-known or reserved TCP port that is not intended for Web traffic. Proxies that support CONNECT SHOULD restrict its use to a limited set of known ports or a configurable whitelist of safe request targets." The Tunnel-Protocol header field described in this document is an OPTIONAL header field. Clients and HTTP proxies could choose to not support the header and therefore fail to provide it, or ignore it when present. If the header is not available or ignored, a proxy cannot identify the purpose of the tunnel and use this as input to any authorization decision regarding the tunnel. This is indistinguishable from the case where either client or proxy does not support the Tunnel-Protocol header field. The value of the Tunnel-Protocol header field could be falsified by a client. If the data being sent through the tunnel is encrypted (for example, with TLS), then the proxy might not be able to directly inspect the data to verify that the claimed protocol is the one which is actually being used, though a proxy might be able to perform traffic analysis . A proxy therefore cannot rely on the value of the Tunnel-Protocol header field as a policy input in all cases.

&RFC2119; &RFC3864; &RFC3986; &RFC7230; &RFC7231; &RFC7301; &RFC5246; &RFC5766;