Re: Alt-Svc related Chromium bug report (proxy related) from Erik Nygren on 2014-04-17 (ietf-http-wg@w3.org from April to June 2014)

From: Erik Nygren <erik@nygren.org>
Date: Thu, 17 Apr 2014 18:22:01 -0400
To: Mark Nottingham <mnot@mnot.net>
Cc: Martin Thomson <martin.thomson@gmail.com>, Amos Jeffries <squid3@treenet.co.nz>, HTTP Working Group <ietf-http-wg@w3.org>
Message-ID: <CAKC-DJjrCeBhN=GYJNDRXz6-jM-cD-bTuGHLGf_rf2h4536=oA@mail.gmail.com>

> "Proxies MUST NOT change or append Alt-Svc values."

Agreed.  I guess CDNs will need to remove Alt-Svc values that may be
returned by an origin if they can't handle the upgrade.  This is a little
unfortunate from a compatibility perspective.

It may also be worth us thinking through the Alt-Svc scenarios in the proxy
world a little more carefully, perhaps with some concrete examples of flows
to make sure we're on the same page.  For example, the upgrade case is
fairly straight-forward:

1) Upgrade to HTTP/2-over-TLS through a proxy:

        - client makes HTTP request through proxy (GET
http://www.example.com/)
        - server returns AltSvc to the client via the proxy (Alt-Svc:
http2=443)
        - client makes a HTTP connect request through the proxy (CONNECT
www.example.com:443)

However, some of the other cases are less clear to me:

2) What happens for clients talking HTTP/2 to a proxy with the proxy
talking HTTP/2 to the origin?  Would an ALTSVC frame referencing a
different server and using TLS get passed through meaning that the client
needs to now CONNECT through to do TLS?

3) What happens with clients talking HTTP/1 to a proxy when the proxy is
talking HTTP/2 to the origin and gets an ALTSVC frame pointing to a
different host?  Presumably the proxy needs to drop it?

Are there other similar scenarios we need to work through?

      Erik

On Tue, Apr 1, 2014 at 8:32 PM, Mark Nottingham <mnot@mnot.net> wrote:

> I think that phrase probably needs to at least be modified to
>
> "Proxies MUST NOT change or append Alt-Svc values."
>
>
> On 1 Apr 2014, at 2:51 pm, Martin Thomson <martin.thomson@gmail.com>
> wrote:
>
> > On 31 March 2014 20:08, Amos Jeffries <squid3@treenet.co.nz> wrote:
> >> This is not "mis-advertising". The origin server producing the response
> >> eminently *does* support that service.
> >>
> >> I then draw your attention to draft-ietf-httpbis-alt-svc-00 section 3...
> >>
> >> " Intermediaries MUST NOT change or append Alt-Svc values. "
> >>
> >> There is no distinction regarding intermediary type(s), nor exemption
> >> clauses. CDN is an intermediary just as much as any other.
> >
> >
> > That would be fine, except for the fact that - in this case - it seems
> > likely that the CDN is acting as an origin server that serves a copy
> > of the content, not an intermediary.  The URI includes the domain name
> > of the CDN.  Will, amirite?
> >
>
> --
> Mark Nottingham   http://www.mnot.net/
>
>
>
>
>

Received on Thursday, 17 April 2014 22:22:30 UTC