| draft-ietf-httpbis-connect-tcp-09.txt | draft-ietf-httpbis-connect-tcp-latest.txt | |||
|---|---|---|---|---|
| httpbis Working Group B. Schwartz | httpbis Working Group B. Schwartz | |||
| Internet-Draft Meta Platforms, Inc. | Internet-Draft Meta Platforms, Inc. | |||
| Intended status: Standards Track June 30, 2025 | Intended status: Standards Track November 24, 2025 | |||
| Expires: January 1, 2026 | Expires: May 28, 2026 | |||
| Template-Driven HTTP CONNECT Proxying for TCP | Template-Driven HTTP CONNECT Proxying for TCP | |||
| draft-ietf-httpbis-connect-tcp-09 | draft-ietf-httpbis-connect-tcp-latest | |||
| Abstract | Abstract | |||
| TCP proxying using HTTP CONNECT has long been part of the core HTTP | TCP proxying using HTTP CONNECT has long been part of the core HTTP | |||
| specification. However, this proxying functionality has several | specification. However, this proxying functionality has several | |||
| important deficiencies in modern HTTP environments. This | important deficiencies in modern HTTP environments. This | |||
| specification defines an alternative HTTP proxy service configuration | specification defines an alternative HTTP proxy service configuration | |||
| for TCP connections. This configuration is described by a URI | for TCP connections. This configuration is described by a URI | |||
| Template, similar to the CONNECT-UDP and CONNECT-IP protocols. | Template, similar to the CONNECT-UDP and CONNECT-IP protocols. | |||
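Review bot: the right-hand column is labeled draft-ietf-httpbis-connect-tcp-latest rather than a numbered revision, so this comparison pits -09 against an unnumbered working copy; the header date and expiry changes (June 30, 2025 / January 1, 2026 to November 24, 2025 / May 28, 2026) are consistent with the expiry notice later in the diff, but a reader citing this page cannot tell which published revision the new column will become, and the diff should be regenerated against the numbered successor once it is posted.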
| skipping to change at page 1, line 35 ¶ | skipping to change at page 1, line 35 ¶ | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at https://datatracker.ietf.org/drafts/current/. | Drafts is at https://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on January 1, 2026. | This Internet-Draft will expire on May 28, 2026. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2025 IETF Trust and the persons identified as the | Copyright (c) 2025 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (https://trustee.ietf.org/license-info) in effect on the date of | (https://trustee.ietf.org/license-info) in effect on the date of | |||
| publication of this document. Please review these documents | publication of this document. Please review these documents | |||
| skipping to change at page 11, line 50 ¶ | skipping to change at page 11, line 50 ¶ | |||
| processes untrusted inputs. | processes untrusted inputs. | |||
| 6.1. Resource Exhaustion attacks | 6.1. Resource Exhaustion attacks | |||
| A malicious client can achieve cause highly asymmetric resource usage | A malicious client can achieve cause highly asymmetric resource usage | |||
| at the proxy by colluding with a destination server and violating the | at the proxy by colluding with a destination server and violating the | |||
| ordinary rules of TCP or HTTP. Some example attacks, and mitigations | ordinary rules of TCP or HTTP. Some example attacks, and mitigations | |||
| that proxies can apply: | that proxies can apply: | |||
| o *Connection Pileup*: A malicious client can attempt to open a | o *Connection Pileup*: A malicious client can attempt to open a | |||
| large number of proxy<->destination connections to exhaust the | large number of connections to exhaust the proxy's memory, port, | |||
| proxy's memory, port, or file descriptor limits. When using | or file descriptor limits. When using HTTP/2 or HTTP/3, each | |||
| HTTP/2 or HTTP/3, each incremental TCP connection imposes a much | incremental TCP connection imposes a much higher cost on the proxy | |||
| higher cost on the proxy than on the attacker. | than on the attacker. | |||
| * Mitigation: Limit the number of concurrent connections per | * Mitigation: Limit the number of concurrent connections per | |||
| client. | client. | |||
| o *Window Bloat*: An attacker can grow the receive window size by | o *Window Bloat*: An attacker can grow the receive window size by | |||
| simulating a "long, fat network" [RFC7323], then fill the window | simulating a "long, fat network" [RFC7323], then fill the window | |||
| (from the sender) and stop acknowledging it (at the receiver). | (from the sender) and stop acknowledging it (at the receiver). | |||
| This leaves the proxy buffering up to 1 GiB of TCP data until some | This leaves the proxy buffering up to 1 GiB of TCP data until some | |||
| timeout, while the attacker does not have to retain a large | timeout, while the attacker does not have to retain a large | |||
| buffer. | buffer. | |||
| * Mitigation: Limit the maximum receive window for TCP and HTTP | * Mitigation: Limit the maximum receive window for TCP and HTTP | |||
| connections, and the size of userspace buffers used for | connections, and the size of userspace buffers used for | |||
| proxying. Alternatively, monitor the connections' send queues | proxying. Alternatively, monitor the connections' send queues | |||
| and limit the total buffered data per client. | and limit the total buffered data per client. | |||
| o *WAIT Abuse*: An attacker can force the proxy into a TIME-WAIT, | o *WAIT Abuse*: An attacker can force the proxy into a TIME-WAIT, | |||
| CLOSE-WAIT, or FIN-WAIT state until the timer expires, tying up a | CLOSE-WAIT, or FIN-WAIT state until the timer expires, tying up a | |||
| proxy<->destination 4-tuple for up to four minutes after the | proxy-to-destination 4-tuple for up to four minutes after the | |||
| client's connection is closed. | client's connection is closed. | |||
| * Mitigation: Limit the number of connections for each client to | * Mitigation: Limit the number of connections for each client to | |||
| each destination, even if those connections are in a waiting | each destination, even if those connections are in a waiting | |||
| state and the corresponding CONNECT stream is closed. | state and the corresponding CONNECT stream is closed. | |||
| Alternatively, allocate a large range of IP addresses for TCP | Alternatively, allocate a large range of IP addresses for TCP | |||
| connections (especially in IPv6). | connections (especially in IPv6). | |||
| 7. Operational Considerations | 7. Operational Considerations | |||
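Review bot: the rewording of the Connection Pileup bullet drops the qualifier and now says only "a large number of connections", which no longer states whether client-to-proxy or proxy-to-destination connections are meant, while the WAIT Abuse bullet in the same section keeps the qualifier as "proxy-to-destination 4-tuple"; suggest "a large number of proxy-to-destination connections to exhaust the proxy's memory, port, or file descriptor limits" so the cost asymmetry stated in the following sentence (each incremental TCP connection costs the proxy more than the attacker under HTTP/2 or HTTP/3) stays tied to the proxy-side connections it depends on. Separately, the opening sentence of 6.1 still reads "can achieve cause highly asymmetric resource usage" in both columns; one of "achieve" or "cause" should go, e.g. "can cause highly asymmetric resource usage". The heading "Resource Exhaustion attacks" also mixes capitalization relative to "Operational Considerations" and "Gateway Compatibility" in the same diff.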
| skipping to change at page 13, line 12 ¶ | skipping to change at page 13, line 12 ¶ | |||
| limited by the number of available TCP client ports, especially | limited by the number of available TCP client ports, especially | |||
| if: | if: | |||
| * The client only has one IP address that can be used to reach | * The client only has one IP address that can be used to reach | |||
| the proxy. | the proxy. | |||
| * The client is shared between many parties, such as when acting | * The client is shared between many parties, such as when acting | |||
| as a gateway or concentrator. | as a gateway or concentrator. | |||
| * The proxied connections are often closed by the destination. | * The proxied connections are often closed by the destination. | |||
| This causes the client to initiate closure of the | This causes the client to initiate closure of the client-to- | |||
| client<->proxy connection, leaving the client in a TIME-WAIT | proxy connection, leaving the client in a TIME-WAIT state for | |||
| state for up to four minutes. | up to four minutes. | |||
| 7.2. Gateway Compatibility | 7.2. Gateway Compatibility | |||
| Templated TCP proxies can make use of standard HTTP gateways and | Templated TCP proxies can make use of standard HTTP gateways and | |||
| path-routing to ease implementation and allow use of shared | path-routing to ease implementation and allow use of shared | |||
| infrastructure. However, current gateways might need modifications | infrastructure. However, current gateways might need modifications | |||
| to support TCP proxy services. To be compatible, a gateway must: | to support TCP proxy services. To be compatible, a gateway must: | |||
| o support Extended CONNECT (if acting as an HTTP/2 or HTTP/3 | o support Extended CONNECT (if acting as an HTTP/2 or HTTP/3 | |||
| server). | server). | |||
| End of changes. 6 change blocks. | ||||
| 12 lines changed or deleted | 12 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||