Internet-Draft HTTP Capsule Extension Guidance October 2024
Pardue Expires 24 April 2025 [Page]
Workgroup:
Network Working Group
Internet-Draft:
draft-pardue-capsule-ext-guidance-01
Published:
Intended Status:
Standards Track
Expires:
Author:
L. Pardue
Cloudflare

Guidance for HTTP Capsule Protocol Extensibility

Abstract

This document updates RFC 9297 with further guidance for extensibility of the HTTP Capsule Protocol.

About This Document

This note is to be removed before publishing as an RFC.

The latest revision of this draft can be found at https://LPardue.github.io/draft-pardue-capsule-ext-guidance/draft-pardue-capsule-ext-guidance.html. Status information for this document may be found at https://datatracker.ietf.org/doc/draft-pardue-capsule-ext-guidance/.

Source for this draft and an issue tracker can be found at https://github.com/LPardue/draft-pardue-capsule-ext-guidance.

Status of This Memo

This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.

Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.

Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

This Internet-Draft will expire on 24 April 2025.

Table of Contents

1. Introduction

The Capsule Protocol [CAPSULE] is a sequence of type-length-value tuples that definitions of new HTTP upgrade tokens can choose to use. It allows endpoints to reliably communicate request-related information end-to-end on HTTP request streams, even in the presence of HTTP intermediaries.

Clients can indicate in requests that they want the data stream to use the Capsule Protocol by providing an upgrade token and/or a Capsule-Protocol header field; see Section 3 of [CAPSULE]. Servers confirm Capsule Protocol usage by returning a response in the 2xx (Successful) range, possibly including a Capsule-Protocol header field.

The process of initiating the Capsule Protocol for any given data stream identifies the purpose of usage and the Capsule types that endpoints can send or receive.

This document updates RFC 9297 with further guidance for extensibility of the Capsule Protocol.

2. Conventions and Definitions

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.

3. The Extensibility of Capsule Type Usage

In order to support extensibility, Section 3.2 of [CAPSULE] requires that:

The first ambiguity in this text comes from the term "endpoint". It relates to the resource that the Capsule Protocol negotiation applies to, not the general HTTP endpoint. In other words, known or unknown types are scoped only to the request stream Capsule Protocol usage, nothing else.

For example, proxying UDP in HTTP [UDP-PROXYING] makes use of the upgrade token "connect-udp" to enable the Connect Protocol. It describes how DATAGRAM capsules (Section 3.5 of [CAPSULE]) can be used. Use of other capsule types on that data stream is undefined, the expectation being that they are ignored on receipt.

Similarly, proxying IP in HTTP [IP-PROXYING] makes use of the upgrade token "connect-ip" to enable the Connect Protocol. It defines ADDRESS_ASSIGN, ADDRESS_REQUEST, and ROUTE_ADVERTISEMENT capsules (Section 4.7 of [IP-PROXYING]) and describes how these can be used together with DATAGRAM capsules.

An HTTP server could support both UDP and IP proxying and it's implementation would be able to understand all four capsule types. However, use of ADDRESS_ASSIGN, for example, on a "connect-udp" data stream is undefined by [UDP-PROXYING].

The [CAPSULE] document requires updated text to resolve this ambuguity. Should this document be adopted, consensus on the resolution can be established.

3.1. Negotiating Additional Capsule Type Usage

The second ambiguity with the text in Section 3.2 of [CAPSULE] comes from ambiguity of intent. Silent dropping of unknown types new can be safely used by extensions without prior arrangement or negotiation.

However, some extensions might be built on the assumption that a capsule is processed by the recipient. For example to send a capsule that elicits some response message or behavioural change. Such extensions can benefit from some form of explicit negotiation.

There are several approaches to negotiating the use of new capsule types within the scope of a request stream Capsule Protocol. This document does not mandate any specific method but advises protocol designers to use negotiation patterns that fit the end-to-end nature of the Capsule Protocol, where endpoints generate and process capsules.

Specifically SETTINGS negotiation (Section 5.5 of [HTTP/2] and Section 9 of [HTTP/3]) could be used to extend a connection, changing the scope of Capsule Protocol knowledge for all request streams or a set of upgrade tokens. However, the SETTINGS are not an end-to-end mechanism and therefore this method of negotiation does not work when intermediaries are involved.

Negotiation of new capsule types via new upgrade tokens is an end-to-end mechanism. However, while HTTP/1.x clients can offer several token values in the Upgrade mechanism (Section 7.8 of [HTTP]), extended CONNECT ([EXT-CONNECT2] and [EXTCONNECT3]) does not support this possibility. While HTTP/2 or HTTP/3 clients could use multiple separate requests in order to attempt the selection of a most-preferred upgrade token, this requires additional round trips which might introduce undesirable delays.

Header fields provide an end-to-end negotiation mechanism. The Capsule-Protocol header field is itself extensible and parameters could, in theory, be used to negotiate extensions. However, Capsule-Protocol requires that unknown parameters are ignored, so extension designers ought to use an offer-echo pattern that confirms the recipient did process the parameter. Also note that use of Capsule-Protocol is optional and the upgrade tokens can mandate use of the Capsule Protocol without this header field. In such cases, a new header field can be defined to support extension negotiation.

4. Generic CAPSULE_ERROR code for HTTP/2 and HTTP/3

Section 3.3 of [CAPSULE] describes error handling for all HTTP versions. It defined the H3_DATAGRAM_ERROR code for HTTP/3, with the description "Datagram or Capsule Protocol parse error". Subsequent work that relies on using the Capsule protocol has identified that there are situations where using H3_DATAGRAM_ERROR can be confusing, such as where DATAGRAM capsules are expressly not allowed, but some other processing error related to capsules occurs. Furthermore, there is no registered HTTP/2 error code to articulate capsule-related errors (instead, this is delegated to HTTP/2 generic malformed handling defined in Section 8.1.1 of [HTTP/2]).

This document registers two generic error codes, CAPSULE_ERROR and H3_CAPSULE_ERROR (values TBD), for HTTP/2 and HTTP/3 respectively. This can be used as a general-purpose error for anything related to Capsule protocol handling, when a more-specific error is not available or is not preferred.

5. Security Considerations

The ability to send capsule types that the peer may not know, and is therefore required to ignore, can be abused to cause a peer to expend additional processing time. This could become a burden when used unnecessarily or to excess.

An endpoint that does not monitor such behavior exposes itself to a risk of denial-of-service attack. Implementations SHOULD track the use of unknown capsule types and set limits on their use. An endpoint MAY treat activity that is suspicious as a reason to close a connection, but false positives will result in disrupting valid connections and requests. For guidance on closing connections see Section 9.6 of [HTTP/1.1], Section 5.5 of [HTTP/2], and Section 9 of [HTTP/3].

6. IANA Considerations

TODO: register error codes

7. References

7.1. Normative References

[CAPSULE]
Schinazi, D. and L. Pardue, "HTTP Datagrams and the Capsule Protocol", RFC 9297, DOI 10.17487/RFC9297, , <https://www.rfc-editor.org/rfc/rfc9297>.
[RFC2119]
Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, , <https://www.rfc-editor.org/rfc/rfc2119>.
[RFC8174]
Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, , <https://www.rfc-editor.org/rfc/rfc8174>.

7.2. Informative References

[EXT-CONNECT2]
McManus, P., "Bootstrapping WebSockets with HTTP/2", RFC 8441, DOI 10.17487/RFC8441, , <https://www.rfc-editor.org/rfc/rfc8441>.
[EXTCONNECT3]
Hamilton, R., "Bootstrapping WebSockets with HTTP/3", RFC 9220, DOI 10.17487/RFC9220, , <https://www.rfc-editor.org/rfc/rfc9220>.
[HTTP]
Fielding, R., Ed., Nottingham, M., Ed., and J. Reschke, Ed., "HTTP Semantics", STD 97, RFC 9110, DOI 10.17487/RFC9110, , <https://www.rfc-editor.org/rfc/rfc9110>.
[HTTP/1.1]
Fielding, R., Ed., Nottingham, M., Ed., and J. Reschke, Ed., "HTTP/1.1", STD 99, RFC 9112, DOI 10.17487/RFC9112, , <https://www.rfc-editor.org/rfc/rfc9112>.
[HTTP/2]
Thomson, M., Ed. and C. Benfield, Ed., "HTTP/2", RFC 9113, DOI 10.17487/RFC9113, , <https://www.rfc-editor.org/rfc/rfc9113>.
[HTTP/3]
Bishop, M., Ed., "HTTP/3", RFC 9114, DOI 10.17487/RFC9114, , <https://www.rfc-editor.org/rfc/rfc9114>.
[IP-PROXYING]
Pauly, T., Ed., Schinazi, D., Chernyakhovsky, A., Kühlewind, M., and M. Westerlund, "Proxying IP in HTTP", RFC 9484, DOI 10.17487/RFC9484, , <https://www.rfc-editor.org/rfc/rfc9484>.
[UDP-PROXYING]
Schinazi, D., "Proxying UDP in HTTP", RFC 9298, DOI 10.17487/RFC9298, , <https://www.rfc-editor.org/rfc/rfc9298>.

Acknowledgments

David Schinazi and Tommy Pauly are capsule enthusiasts that suggested some ideas leading to the genesis of this document

Author's Address

Lucas Pardue
Cloudflare