Network Working Group B. M. Schwartz Internet-Draft Meta Platforms, Inc. Intended status: Standards Track 奥 一穂 (K. Oku) Expires: 8 May 2025 Fastly 4 November 2024 HTTP Version Translation of the Capsule Protocol draft-kb-capsule-conversion-00 Abstract This draft specifies how HTTP intermediaries can translate the Capsule Protocol between HTTP versions. About This Document This note is to be removed before publishing as an RFC. Status information for this document may be found at https://datatracker.ietf.org/doc/draft-kb-capsule-conversion/. Source for this draft and an issue tracker can be found at https://github.com/bemasc/capsule-conversion. Status of This Memo This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at https://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." This Internet-Draft will expire on 8 May 2025. Copyright Notice Copyright (c) 2024 IETF Trust and the persons identified as the document authors. All rights reserved. Schwartz & Oku Expires 8 May 2025 [Page 1] Internet-Draft Capsule Translation November 2024 This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/ license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License. Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 2. Conventions and Definitions . . . . . . . . . . . . . . . . . 3 3. Requirements . . . . . . . . . . . . . . . . . . . . . . . . 3 3.1. Converting an HTTP/1.1 Upgrade request to Extended CONNECT . . . . . . . . . . . . . . . . . . . . . . . . . 3 3.2. Converting an Extended CONNECT request to HTTP/1.1 Upgrade . . . . . . . . . . . . . . . . . . . . . . . . . 4 3.3. Converting an Extended CONNECT request to Extended CONNECT for a different HTTP version . . . . . . . . . . . . . . 5 4. Implications . . . . . . . . . . . . . . . . . . . . . . . . 5 5. Security Considerations . . . . . . . . . . . . . . . . . . . 6 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 6 7. References . . . . . . . . . . . . . . . . . . . . . . . . . 6 7.1. Normative References . . . . . . . . . . . . . . . . . . 6 7.2. Informative References . . . . . . . . . . . . . . . . . 7 Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . 7 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 7 1. Introduction The Capsule Protocol [RFC9297] defines a framing layer that can be used for protocols running over HTTP. The Capsule Protocol consists of a linear stream of capsules, each with a specified type and size. Endpoints can establish a Capsule Protocol connection using HTTP Extended CONNECT or the HTTP/1.1 Upgrade process. Intermediaries such as HTTP Gateways can play an active role in the Capsule Protocol. To inform intermediaries that this protocol is in use, endpoints can include a "Capsule-Protocol: ?1" header in their request or response. Intermediaries are obligated to pass unrecognized capsule types unmodified, but some capsule types do permit intermediaries to modify them. The Capsule Protocol is defined for HTTP/1.1, HTTP/2, and HTTP/3, and intermediaries can translate Capsule Protocol streams between different versions of HTTP. For example, an HTTP Gateway receiving a request using the "connect-tcp-capsule" Upgrade Token Schwartz & Oku Expires 8 May 2025 [Page 2] Internet-Draft Capsule Translation November 2024 [I-D.ietf-httpbis-connect-tcp] over HTTP/3 might forward it to a backend server using HTTP/1.1 for further processing. However, this translation currently requires the intermediary to recognize the specified Upgrade Token. Unrecognized Upgrade Tokens cannot be translated between HTTP versions. .------. .-------. .------. | Client +--> HTTP/2--->| Gateway +--> HTTP/1.1--->| Server | '------' :protocol=foo '-------' Upgrade: foo '------' capsule-protocol=?1 Capsule-Protocol: ?1 Figure 1: HTTP version translation of an Upgrade Token. The gateway can only perform this translation if it recognizes the "foo" Upgrade Token. As a result of this limitation, HTTP intermediaries cannot forward unrecognized Capsule Protocol Upgrade Tokens (CPUTs) unless the backend supports the HTTP version used by the client. In practice, such HTTP version mismatches are common, so intermediaries have preferred not to support unrecognized tokens at all. As a result, each new CPUT requires the cooperation of any HTTP intermediaries. This increases the maintenance burden on intermediaries and impedes the deployment of novel CPUTs. This draft specifies general rules for translating Capsule Protocol requests across HTTP versions, allowing intermediaries to perform such translations for unrecognized CPUTs. 2. Conventions and Definitions The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here. 3. Requirements This section describes requirements on HTTP intermediaries that change the HTTP version of a Capsule Protocol request. 3.1. Converting an HTTP/1.1 Upgrade request to Extended CONNECT A Convertible Upgrade Request is a request that meets these criteria: * The HTTP version is "1.1". * The method is "GET". Schwartz & Oku Expires 8 May 2025 [Page 3] Internet-Draft Capsule Translation November 2024 * The Upgrade header is present and specifies exactly one Upgrade Token. * A "Capsule-Protocol" header is present with an item value of "?1" (with or without parameters). * The request is otherwise well-formed for use with the Capsule Protocol. Upon receiving a Convertible Upgrade Request, an HTTP intermediary MAY convert it into an Extended CONNECT request ([RFC9220][RFC8441]) using ordinary HTTP version translation with the following modifications: * Change the method to "CONNECT". * Add a ":protocol" pseudo-header containing the specified Upgrade Token. (Note that ordinary HTTP version translation removes the "Connection" and "Upgrade" headers.) If the intermediary receives a "200 (OK)" response, it MUST convert it to an HTTP/1.1 Upgrade response as follows: * Change the response code to "101 (Switching Protocols)". * Add an "Upgrade" header containing the specified Upgrade Token. * Add a "Connection: Upgrade" header. After sending this response, the intermediary MUST process all data to and from the client in accordance with the Capsule Protocol. If the intermediary receives any other valid response, it MUST NOT convert it to an HTTP/1.1 Upgrade response, and MUST forward it using ordinary HTTP version translation. If the response status was not 1xx (Informational), the intermediary MAY accept additional HTTP/1.1 requests on this connection to the client. 3.2. Converting an Extended CONNECT request to HTTP/1.1 Upgrade A Convertible Extended CONNECT request is a request that meets these criteria: * The method is "CONNECT". Schwartz & Oku Expires 8 May 2025 [Page 4] Internet-Draft Capsule Translation November 2024 * A "capsule-protocol" header is present with an item value of "?1" (with or without parameters). * The request is otherwise well-formed for use with the Capsule Protocol. Upon receiving a Convertible Extended CONNECT Request, an HTTP intermediary MAY convert it into an HTTP/1.1 Upgrade request according to ordinary HTTP version translation, with the following modifications: * Change the method to "GET". * Add an "Upgrade" header containing the specified Upgrade Token. * Add a "Connection: Upgrade" header. If the intermediary receives a correctly formed "101 (Switching Protocols)" response, it MUST change the response code to "200 (OK)". If it receives a 2xx (Successful) response, it SHOULD return a "501 (Not Implemented)" status code, to indicate that the ":protocol" value was not accepted ([RFC9220], Section 3). Otherwise, it MUST forward any valid responses unmodified. After sending a "200" response, the intermediary MUST process all further data to and from the server in accordance with the Capsule Protocol. 3.3. Converting an Extended CONNECT request to Extended CONNECT for a different HTTP version An HTTP intermediary MAY translate a Convertible Extended CONNECT Request between different HTTP versions using ordinary HTTP version translation. 4. Implications Translation of unrecognized CPUTs across HTTP versions carries some implications for future specifications related to the Capsule Protocol: * All CPUTs must treat "GET" in HTTP/1.1 as semantically equivalent to Extended CONNECT. * The "Capsule-Protocol" response header has no effect and should be treated as a hint for later analysis. Intermediaries can process the response as the Capsule Protocol based entirely on the request header and the response status code. Schwartz & Oku Expires 8 May 2025 [Page 5] Internet-Draft Capsule Translation November 2024 * Intermediaries' behavior regarding each capsule type is independent of the CPUT. CPUTs cannot change intermediaries' treatment of existing capsule types. * A Capsule Type or CPUT cannot change the meaning of an HTTP extension. It can only rely on the behaviors that are defined as mandatory for any implementation of that extension. Extensions intended for use with the Capsule Protocol will likely need to define how HTTP version translation works. * Capsule Protocol endpoints are defined independently of the HTTP version, like ordinary HTTP resources. If an origin server's Capsule Protocol support varies between HTTP versions, clients may observe inconsistent behavior when accessing the origin through a compliant intermediary. All existing CPUTs and Capsule Types already conform to these rules. 5. Security Considerations When implemented incorrectly, HTTP/1.1 Upgrade carries a risk of request smuggling. (See [I-D.ietf-httpbis-optimistic-upgrade].) Intermediary implementors should take care to avoid excessive resource consumption by malicious clients. For example, a client might be able to send many short requests over a single HTTP/2 or HTTP/3 connection, each of which requires opening a new, long-lived TCP connection to the backend. 6. IANA Considerations This document has no IANA actions. 7. References 7.1. Normative References [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997, . [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, May 2017, . Schwartz & Oku Expires 8 May 2025 [Page 6] Internet-Draft Capsule Translation November 2024 [RFC8441] McManus, P., "Bootstrapping WebSockets with HTTP/2", RFC 8441, DOI 10.17487/RFC8441, September 2018, . [RFC9220] Hamilton, R., "Bootstrapping WebSockets with HTTP/3", RFC 9220, DOI 10.17487/RFC9220, June 2022, . [RFC9297] Schinazi, D. and L. Pardue, "HTTP Datagrams and the Capsule Protocol", RFC 9297, DOI 10.17487/RFC9297, August 2022, . 7.2. Informative References [I-D.ietf-httpbis-connect-tcp] Schwartz, B. M., "Template-Driven HTTP CONNECT Proxying for TCP", Work in Progress, Internet-Draft, draft-ietf- httpbis-connect-tcp-06, 21 October 2024, . [I-D.ietf-httpbis-optimistic-upgrade] Schwartz, B. M., "Security Considerations for Optimistic Protocol Transitions in HTTP/1.1", Work in Progress, Internet-Draft, draft-ietf-httpbis-optimistic-upgrade-01, 21 October 2024, . Acknowledgments TODO acknowledge. Authors' Addresses Benjamin M. Schwartz Meta Platforms, Inc. Email: ietf@bemasc.net Kazuho Oku Fastly Email: kazuhooku@gmail.com Additional contact information: 奥 一穂 Fastly Schwartz & Oku Expires 8 May 2025 [Page 7]