Re: workability (or otherwise) of HTTP upgrade

On 26 November 2010 18:03, Eric J. Bowman <eric@bisonsystems.net> wrote:

> What about:  3) Use another port?  I've seen that opinion voiced, so I
> haven't signed up to the hybi list to voice it myself.  No criticism of
> Web Sockets is intended or implied here, it's just a concrete example of
> something which increasingly concerns me regarding Upgrade.


The problem with another port, is that the success rate of  opening an
arbitrary port through firewalls is not that high.     Thus if
websocket was allocated it's own sockets, then there would still be
need for a websocket over 80 protocol (eg like there is BOSH for
XMPP).

I would like to see a dedicated port for websocket so that over time
it could be opened as needed, but I think there will be a desire to
function over 80 for some time to come.     This could be done with
some enhanced HTTP (eg SPDY), but I'm not sure if such a protocol
would match all the features of websocket (eg improved data density),
nor fit with your HTTP-like restrictions described below.


> It's perhaps fundamentally flawed for HTTP to be the handshake mechanism
> for protocols that are not even remotely similar to HTTP.  In this case,
> we have a half-duplex, request/response, resource/representation
> protocol establishing a full-duplex, asynchronous, opaque-bits-on-the-
> wire connection that's fundamentally incompatible with the deployed
> architecture of port 80 (caches, security gateways); and which nobody
> seems happy with.
>
> My suggested fixes to 9.8, based on the notion that HTTP 1.0, 1.1
> and 2.0, and PTTH 1.0, are not "incompatible" protocols:
>
> "The 'Upgrade' general-header field allows the client to specify which
> version of the communication protocol it would like to use, if the
> server chooses to switch versions.  Additionally, the server MUST use
> the Upgrade header field within a 101 (Switching Protocols) response to
> indicate the version(s) being switched to.
>
> The Upgrade header field is intended to provide a simple mechanism for
> transitioning from HTTP/1.1 to some newer, compatible protocol...  This
> eases the difficult transition between versions of compatible protocols
> by allowing the client to initiate a request..."
>
> This opens a whole can of worms about what constitutes a compatible
> protocol, instead of the current wording:  "The capabilities and nature
> of the application-layer communication after the protocol change is
> entirely dependent upon the new protocol chosen," which seems like the
> sort of free-for-all that leads to unintended security consequences.

Indeed.  Is HTTP over SSL a compatible protocol? semantically yes, but
it is fundamentally different on the wire.

Would this restriction also apply to protocols like SPDY that are
enhanced HTTP-like protocols, but with additional features.


> My issue is whether it's overreaching to extend Upgrade from being a
> versioning mechanism for HTTP, into a general-purpose protocol tunneling
> mechanism.  Or securable.  Does a registry need to be defined here, and
> if so, shouldn't there be some fidelity with the notions of the media
> type and request/response architectural paradigms?

RFC2817 would appear to have gone beyond that already.

>> So I'd ask the httpbis readers, are there any reasons you know of that
>> would prevent Upgrade being used for websocket?
>>
>
> Yes -- Web Sockets is fundamentally different from anything I'd expect
> to see on port 80.  The fact that this is exactly what Upgrade allows,
> even encourages with the proposed registry, gives me the heebie-jeebies.

And do you get similar feeling to think about using the CONNECT method
to establish tunnels for arbitrary protocols?


cheers

Received on Friday, 26 November 2010 12:56:25 UTC