Diff: rfc9484v4.txt - rfc9484.txt

	rfc9484v4.txt	rfc9484.txt

	Internet Engineering Task Force (IETF) T. Pauly, Ed.	Internet Engineering Task Force (IETF) T. Pauly, Ed.
	Request for Comments: 9484 Apple Inc.	Request for Comments: 9484 Apple Inc.
	Updates: 9298 D. Schinazi	Updates: 9298 D. Schinazi
	Category: Standards Track A. Chernyakhovsky	Category: Standards Track A. Chernyakhovsky
	ISSN: 2070-1721 Google LLC	ISSN: 2070-1721 Google LLC

	M. Kuehlewind	M. Kühlewind
	M. Westerlund	M. Westerlund
	Ericsson	Ericsson

	September 2023	October 2023

	Proxying IP in HTTP	Proxying IP in HTTP

	Abstract	Abstract

	This document describes how to proxy IP packets in HTTP. This	This document describes how to proxy IP packets in HTTP. This
	protocol is similar to UDP proxying in HTTP but allows transmitting	protocol is similar to UDP proxying in HTTP but allows transmitting
	arbitrary IP packets. More specifically, this document defines a	arbitrary IP packets. More specifically, this document defines a
	protocol that allows an HTTP client to create an IP tunnel through an	protocol that allows an HTTP client to create an IP tunnel through an
	HTTP server that acts as an IP proxy. This document updates RFC	HTTP server that acts as an IP proxy. This document updates RFC

	skipping to change at line 242 ¶	skipping to change at line 242 ¶
	carry any message content.	carry any message content.

	IP proxying over HTTP MUST be operated over TLS or QUIC encryption,	IP proxying over HTTP MUST be operated over TLS or QUIC encryption,
	or another equivalent encryption protocol, to provide	or another equivalent encryption protocol, to provide
	confidentiality, integrity, and authentication.	confidentiality, integrity, and authentication.

	4.1. IP Proxy Handling	4.1. IP Proxy Handling

	Upon receiving an IP proxying request:	Upon receiving an IP proxying request:


	* If the recipient is configured to use another HTTP proxy, it will	* If the recipient is configured to use another HTTP server, it will
	act as an intermediary by forwarding the request to another HTTP	act as an intermediary by forwarding the request to the other HTTP
	server. Note that such intermediaries may need to re-encode the	server. Note that such intermediaries may need to re-encode the
	request if they forward it using a version of HTTP that is	request if they forward it using a version of HTTP that is
	different from the one used to receive it, as the request encoding	different from the one used to receive it, as the request encoding
	differs by version (see below).	differs by version (see below).

	* Otherwise, the recipient will act as an IP proxy. The IP proxy	* Otherwise, the recipient will act as an IP proxy. The IP proxy
	can choose to reject the IP proxying request. Otherwise, it	can choose to reject the IP proxying request. Otherwise, it
	extracts the optional "target" and "ipproto" variables from the	extracts the optional "target" and "ipproto" variables from the
	URI it has reconstructed from the request headers, decodes their	URI it has reconstructed from the request headers, decodes their
	percent-encoding, and establishes an IP tunnel.	percent-encoding, and establishes an IP tunnel.

	skipping to change at line 274 ¶	skipping to change at line 274 ¶
	example, if DNS resolution returns an error, the proxy can use the	example, if DNS resolution returns an error, the proxy can use the
	dns_error proxy error type from Section 2.3.2 of [PROXY-STATUS].	dns_error proxy error type from Section 2.3.2 of [PROXY-STATUS].

	The lifetime of the IP forwarding tunnel is tied to the IP proxying	The lifetime of the IP forwarding tunnel is tied to the IP proxying
	request stream. The IP proxy MUST maintain all IP address and route	request stream. The IP proxy MUST maintain all IP address and route
	assignments associated with the IP forwarding tunnel while the	assignments associated with the IP forwarding tunnel while the
	request stream is open. IP proxies MAY choose to tear down the	request stream is open. IP proxies MAY choose to tear down the
	tunnel due to a period of inactivity, but they MUST close the request	tunnel due to a period of inactivity, but they MUST close the request
	stream when doing so.	stream when doing so.


	A successful response (as defined in Sections 4.3 and 4.5) indicates	A successful IP proxying response (as defined in Sections 4.3 and
	that the IP proxy has established an IP tunnel and is willing to	4.5) indicates that the IP proxy has established an IP tunnel and is
	proxy IP payloads. Any response other than a successful response	willing to proxy IP payloads. Any response other than a successful
	indicates that the request has failed; thus, the client MUST abort	IP proxying response indicates that the request has failed; thus, the
	the request.	client MUST abort the request.


	Along with a successful response, the IP proxy can send capsules to	Along with a successful IP proxying response, the IP proxy can send
	assign addresses and advertise routes to the client (Section 4.7).	capsules to assign addresses and advertise routes to the client
	The client can also assign addresses and advertise routes to the IP	(Section 4.7). The client can also assign addresses and advertise
	proxy for network-to-network routing.	routes to the IP proxy for network-to-network routing.

	4.2. HTTP/1.1 Request	4.2. HTTP/1.1 Request

	When using HTTP/1.1 [HTTP/1.1], an IP proxying request will meet the	When using HTTP/1.1 [HTTP/1.1], an IP proxying request will meet the
	following requirements:	following requirements:

	* The method SHALL be "GET".	* The method SHALL be "GET".

	* The request SHALL include a single Host header field containing	* The request SHALL include a single Host header field containing
	the host and optional port of the IP proxy.	the host and optional port of the IP proxy.

	skipping to change at line 321 ¶	skipping to change at line 321 ¶
	GET https://example.org/.well-known/masque/ip/// HTTP/1.1	GET https://example.org/.well-known/masque/ip/// HTTP/1.1
	Host: example.org	Host: example.org
	Connection: Upgrade	Connection: Upgrade
	Upgrade: connect-ip	Upgrade: connect-ip
	Capsule-Protocol: ?1	Capsule-Protocol: ?1

	Figure 2: Example HTTP/1.1 Request	Figure 2: Example HTTP/1.1 Request

	4.3. HTTP/1.1 Response	4.3. HTTP/1.1 Response


	The server indicates a successful response by replying with the	The server indicates a successful IP proxying response by replying
	following requirements:	with the following requirements:

	* The HTTP status code on the response SHALL be 101 (Switching	* The HTTP status code on the response SHALL be 101 (Switching
	Protocols).	Protocols).

	* The response SHALL include a Connection header field with value	* The response SHALL include a Connection header field with value
	"Upgrade" (note that this requirement is case-insensitive, as per	"Upgrade" (note that this requirement is case-insensitive, as per
	Section 7.6.1 of [HTTP]).	Section 7.6.1 of [HTTP]).

	* The response SHALL include a single Upgrade header field with	* The response SHALL include a single Upgrade header field with
	value "connect-ip".	value "connect-ip".

	skipping to change at line 392 ¶	skipping to change at line 392 ¶
	:protocol = connect-ip	:protocol = connect-ip
	:scheme = https	:scheme = https
	:path = /.well-known/masque/ip///	:path = /.well-known/masque/ip///
	:authority = example.org	:authority = example.org
	capsule-protocol = ?1	capsule-protocol = ?1

	Figure 4: Example HTTP/2 or HTTP/3 Request	Figure 4: Example HTTP/2 or HTTP/3 Request

	4.5. HTTP/2 and HTTP/3 Responses	4.5. HTTP/2 and HTTP/3 Responses


	The server indicates a successful response by replying with the	The server indicates a successful IP proxying response by replying
	following requirements:	with the following requirements:

	* The HTTP status code on the response SHALL be in the 2xx	* The HTTP status code on the response SHALL be in the 2xx
	(Successful) range.	(Successful) range.

	* The response SHALL meet the requirements of HTTP responses that	* The response SHALL meet the requirements of HTTP responses that
	start the Capsule Protocol; see Section 3.2 of [HTTP-DGRAM].	start the Capsule Protocol; see Section 3.2 of [HTTP-DGRAM].

	If any of these requirements are not met, the client MUST treat this	If any of these requirements are not met, the client MUST treat this
	proxying attempt as failed and abort the request. As an example, any	proxying attempt as failed and abort the request. As an example, any
	status code in the 3xx range will be treated as a failure and cause	status code in the 3xx range will be treated as a failure and cause

	skipping to change at line 494 ¶	skipping to change at line 494 ¶
	target = IPv6prefix / IPv4prefix / reg-name / "*"	target = IPv6prefix / IPv4prefix / reg-name / "*"
	IPv6prefix = IPv6address ["%2F" 1*3DIGIT]	IPv6prefix = IPv6address ["%2F" 1*3DIGIT]
	IPv4prefix = IPv4address ["%2F" 1*2DIGIT]	IPv4prefix = IPv4address ["%2F" 1*2DIGIT]
	ipproto = 13DIGIT / ""	ipproto = 13DIGIT / ""

	Figure 6: URI Template Variable Format	Figure 6: URI Template Variable Format

	IP proxies MAY perform access control using the scoping information	IP proxies MAY perform access control using the scoping information
	provided by the client, i.e., if the client is not authorized to	provided by the client, i.e., if the client is not authorized to
	access any of the destinations included in the scope, then the IP	access any of the destinations included in the scope, then the IP

	proxy can immediately fail the request.	proxy can immediately reject the request.

	4.7. Capsules	4.7. Capsules

	This document defines multiple new capsule types that allow endpoints	This document defines multiple new capsule types that allow endpoints
	to exchange IP configuration information. Both endpoints MAY send	to exchange IP configuration information. Both endpoints MAY send
	any number of these new capsules.	any number of these new capsules.

	4.7.1. ADDRESS_ASSIGN Capsule	4.7.1. ADDRESS_ASSIGN Capsule

	The ADDRESS_ASSIGN capsule (capsule type 0x01) allows an endpoint to	The ADDRESS_ASSIGN capsule (capsule type 0x01) allows an endpoint to

	skipping to change at line 876 ¶	skipping to change at line 876 ¶

	7.1. Link Operation	7.1. Link Operation

	The IP forwarding tunnels described in this document are not fully	The IP forwarding tunnels described in this document are not fully
	featured "interfaces" in the IPv6 addressing architecture sense	featured "interfaces" in the IPv6 addressing architecture sense
	[IPv6-ADDR]. In particular, they do not necessarily have IPv6 link-	[IPv6-ADDR]. In particular, they do not necessarily have IPv6 link-
	local addresses. Additionally, IPv6 stateless autoconfiguration or	local addresses. Additionally, IPv6 stateless autoconfiguration or
	router advertisement messages are not used in such interfaces, and	router advertisement messages are not used in such interfaces, and
	neither is neighbor discovery.	neither is neighbor discovery.


	Clients MAY optimistically start sending proxied IP packets before	When using HTTP/2 or HTTP/3, a client MAY optimistically start
	receiving the response to its IP proxying request, noting however	sending proxied IP packets before receiving the response to its IP
	that those may not be processed by the IP proxy if it responds to the	proxying request, noting however that those may not be processed by
	request with a failure or if the datagrams are received by the IP	the IP proxy if it responds to the request with a failure or if the
	proxy before the request. Since receiving addresses and routes is	datagrams are received by the IP proxy before the request. Since
	required in order to know that a packet can be sent through the	receiving addresses and routes is required in order to know that a
	tunnel, such optimistic packets might be dropped by the IP proxy if	packet can be sent through the tunnel, such optimistic packets might
	it chooses to provide different addressing or routing information	be dropped by the IP proxy if it chooses to provide different
	than what the client assumed.	addressing or routing information than what the client assumed.

	Note that it is possible for multiple proxied IP packets to be	Note that it is possible for multiple proxied IP packets to be
	encapsulated in the same outer packet, for example, because a QUIC	encapsulated in the same outer packet, for example, because a QUIC

	packet can carry two QUIC DATAGRAM frames. It is also possible for a	packet can carry more than one QUIC DATAGRAM frame. It is also
	proxied IP packet to span multiple outer packets, because a DATAGRAM	possible for a proxied IP packet to span multiple outer packets,
	capsule can be split across multiple QUIC or TCP packets.	because a DATAGRAM capsule can be split across multiple QUIC or TCP
		packets.

	7.2. Routing Operation	7.2. Routing Operation

	The requirements in this section are a repetition of requirements	The requirements in this section are a repetition of requirements
	that apply to IP routers in general and might not apply to	that apply to IP routers in general and might not apply to
	implementations of IP proxying that rely on external software for	implementations of IP proxying that rely on external software for
	routing.	routing.

	When an endpoint receives an HTTP Datagram containing an IP packet,	When an endpoint receives an HTTP Datagram containing an IP packet,
	it will parse the packet's IP header, perform any local policy checks	it will parse the packet's IP header, perform any local policy checks

	skipping to change at line 1535 ¶	skipping to change at line 1536 ¶
	[TUNNEL-SECURITY]. Since there are known risks with some IPv6	[TUNNEL-SECURITY]. Since there are known risks with some IPv6
	extension headers (e.g., [ROUTING-HDR]), implementers need to follow	extension headers (e.g., [ROUTING-HDR]), implementers need to follow
	the latest guidance regarding handling of IPv6 extension headers.	the latest guidance regarding handling of IPv6 extension headers.

	Transferring DSCP markings from inner to outer packets (see	Transferring DSCP markings from inner to outer packets (see
	Section 10.3) exposes end-to-end flow level information to an on-path	Section 10.3) exposes end-to-end flow level information to an on-path
	observer between the IP proxying endpoints. This can potentially	observer between the IP proxying endpoints. This can potentially
	expose a single end-to-end flow. Because of this, such use of DSCPs	expose a single end-to-end flow. Because of this, such use of DSCPs
	in privacy-sensitive contexts is NOT RECOMMENDED.	in privacy-sensitive contexts is NOT RECOMMENDED.


		Opportunistic sending of IP packets (see Section 7.1) is not allowed
		in HTTP/1.x because a server could reject the HTTP Upgrade and
		attempt to parse the IP packets as a subsequent HTTP request,
		allowing request smuggling attacks; see [OPTIMISTIC]. In particular,
		an intermediary that re-encodes a request from HTTP/2 or 3 to
		HTTP/1.1 MUST NOT forward any received capsules until it has parsed a
		successful IP proxying response.

	12. IANA Considerations	12. IANA Considerations

	12.1. HTTP Upgrade Token Registration	12.1. HTTP Upgrade Token Registration

	IANA has registered "connect-ip" in the "HTTP Upgrade Tokens"	IANA has registered "connect-ip" in the "HTTP Upgrade Tokens"
	registry maintained at <https://www.iana.org/assignments/http-	registry maintained at <https://www.iana.org/assignments/http-
	upgrade-tokens>.	upgrade-tokens>.

	Value: connect-ip	Value: connect-ip
	Description: Proxying of IP Payloads	Description: Proxying of IP Payloads

	skipping to change at line 1774 ¶	skipping to change at line 1783 ¶

	[IPSEC] Kent, S. and K. Seo, "Security Architecture for the	[IPSEC] Kent, S. and K. Seo, "Security Architecture for the
	Internet Protocol", RFC 4301, DOI 10.17487/RFC4301,	Internet Protocol", RFC 4301, DOI 10.17487/RFC4301,
	December 2005, <https://www.rfc-editor.org/info/rfc4301>.	December 2005, <https://www.rfc-editor.org/info/rfc4301>.

	[IPv6-ADDR]	[IPv6-ADDR]
	Hinden, R. and S. Deering, "IP Version 6 Addressing	Hinden, R. and S. Deering, "IP Version 6 Addressing
	Architecture", RFC 4291, DOI 10.17487/RFC4291, February	Architecture", RFC 4291, DOI 10.17487/RFC4291, February
	2006, <https://www.rfc-editor.org/info/rfc4291>.	2006, <https://www.rfc-editor.org/info/rfc4291>.


		[OPTIMISTIC]
		Schwartz, B. M., "Security Considerations for Optimistic
		Use of HTTP Upgrade", Work in Progress, Internet-Draft,
		draft-schwartz-httpbis-optimistic-upgrade-00, 21 August
		2023, <https://datatracker.ietf.org/doc/html/draft-
		schwartz-httpbis-optimistic-upgrade-00>.

	[PROXY-REQS]	[PROXY-REQS]
	Chernyakhovsky, A., McCall, D., and D. Schinazi,	Chernyakhovsky, A., McCall, D., and D. Schinazi,
	"Requirements for a MASQUE Protocol to Proxy IP Traffic",	"Requirements for a MASQUE Protocol to Proxy IP Traffic",
	Work in Progress, Internet-Draft, draft-ietf-masque-ip-	Work in Progress, Internet-Draft, draft-ietf-masque-ip-
	proxy-reqs-03, 27 August 2021,	proxy-reqs-03, 27 August 2021,
	<https://datatracker.ietf.org/doc/html/draft-ietf-masque-	<https://datatracker.ietf.org/doc/html/draft-ietf-masque-
	ip-proxy-reqs-03>.	ip-proxy-reqs-03>.

	[ROUTING-HDR]	[ROUTING-HDR]
	Abley, J., Savola, P., and G. Neville-Neil, "Deprecation	Abley, J., Savola, P., and G. Neville-Neil, "Deprecation

	skipping to change at line 1827 ¶	skipping to change at line 1843 ¶
	Google LLC	Google LLC
	1600 Amphitheatre Parkway	1600 Amphitheatre Parkway
	Mountain View, CA 94043	Mountain View, CA 94043
	United States of America	United States of America
	Email: dschinazi.ietf@gmail.com	Email: dschinazi.ietf@gmail.com

	Alex Chernyakhovsky	Alex Chernyakhovsky
	Google LLC	Google LLC
	Email: achernya@google.com	Email: achernya@google.com


	Mirja Kuehlewind	Mirja Kühlewind
	Ericsson	Ericsson
	Email: mirja.kuehlewind@ericsson.com	Email: mirja.kuehlewind@ericsson.com

	Magnus Westerlund	Magnus Westerlund
	Ericsson	Ericsson
	Email: magnus.westerlund@ericsson.com	Email: magnus.westerlund@ericsson.com

End of changes. 13 change blocks.
	31 lines changed or deleted	47 lines changed or added
This html diff was produced by rfcdiff 1.48.