Re: New tunnel protocol

Thanks for taking a look Willy, and my apologies for not getting this
properly right (I'll explain below).

On 25 January 2015 at 00:06, Willy Tarreau <w@1wt.eu> wrote:
> At first I was quite excited to see something like this but now I'm
> seeing you want to limit its use to TLS only:

That is certainly not the intent.  As "h2c" demonstrates, we're using
ALPN to identify protocols that don't run on TLS.

The latest editor's draft attempts to address that problem.

> I expected to see a header field indicating whether we were transporting
> TLSv1.2, OpenVPN, RDP, ICA, IMAP, SSH etc since that's what makes it hard
> for proxies to apply policy enforcement based on protocol validation.

All those need is a new ALPN identifier and they are good to go.

> I'm not sure about what purpose it provides since if a proxy expects TLS,
> it could already look at ALPN to see the transported protocol.

Well, part of the intent here is to allow the proxy to bring that
information forward.  Then, the only thing that it might want to do is
check that the client wasn't lying.

> Thus I'm having two possible suggestions that come to mind:
>   - either make this protocol a list of encapsulated layers. That way
>     you can say "TLS/1.2, HTTP/1.1"

As currently used for "h2" and "h2c", ALPN identifies a specific
protocol, with all the layers that it depends on (the whole stack, if
you will).

> Personally I think the first one above is particularly suited to various
> applications because they can decide what to disclose. For example,
> "Tunnel-Protocol: TLS/1.2, h2" explicitly discloses everything, while
> "Tunnel-Protocol: TLS/1.2" only discloses the envelope and a proxy may
> or may not accept to let that pass through depending on its policy, or
> could attempt to detect it via ALPN decoding. In the case where you want
> multiple protocols to be attempted (eg: h2 & http/1.1), the second
> option above probably is better. In this case, a client may send

Partial disclosure wasn't a goal. If the intent is to hide some of
what is happening, the best option is to omit the header field
entirely.

Received on Sunday, 25 January 2015 17:40:00 UTC
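The check the reply alludes to ("check that the client wasn't lying") can be made concrete on the proxy side: read the ALPN list the client declared on its CONNECT request, then compare it with the ALPN extension in the TLS ClientHello the client sends through the tunnel. The code below is an added example and is not part of the thread or of the draft under discussion. It assumes the header is spelled Tunnel-Protocol (as Willy's quoted text writes it) and carries a comma-separated list of ALPN identifiers, and it treats the offer as consistent when every identifier in the ClientHello's ALPN extension also appears in the header; both are assumptions of this example. All messages are constructed inline.

```python
"""Added example (not from the thread): proxy-side check that the ALPN ids a
client declares on CONNECT match what its tunnelled TLS ClientHello offers.
Assumed here: header name Tunnel-Protocol, comma-separated ALPN ids, and
'consistent' meaning offered ids are a subset of declared ids."""
import struct
from typing import List, Optional

ALPN_EXT_TYPE = 16  # TLS extension type: application_layer_protocol_negotiation


def tunnel_protocol_from_connect(request: bytes) -> Optional[str]:
    """Return the Tunnel-Protocol header value of a raw CONNECT request, or None."""
    head = request.split(b"\r\n\r\n", 1)[0].decode("ascii", "replace")
    lines = head.split("\r\n")
    if not lines[0].startswith("CONNECT "):
        raise ValueError("not a CONNECT request")
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "tunnel-protocol":  # assumed header name
            return value.strip()
    return None


def parse_tunnel_protocol(value: str) -> List[str]:
    """Split a comma-separated list of ALPN identifiers, dropping blanks."""
    return [t.strip() for t in value.split(",") if t.strip()]


def client_hello_alpn(record: bytes) -> Optional[List[str]]:
    """Extract the ALPN list from a TLS ClientHello record.

    None when the ClientHello carries no ALPN extension; ValueError when the
    bytes are not a TLS handshake record holding a ClientHello.
    """
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if not hs or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    ch = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                          # client_version + random
    pos += 1 + ch[pos]                                    # session_id
    pos += 2 + struct.unpack("!H", ch[pos:pos + 2])[0]    # cipher_suites
    pos += 1 + ch[pos]                                    # compression_methods
    if pos >= len(ch):
        return None                                       # no extensions block
    end = pos + 2 + struct.unpack("!H", ch[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", ch[pos:pos + 4])
        pos += 4
        data = ch[pos:pos + elen]
        pos += elen
        if etype == ALPN_EXT_TYPE:
            list_len = struct.unpack("!H", data[:2])[0]
            protos, p = [], 2
            while p < 2 + list_len:                       # 1-byte length-prefixed names
                n = data[p]
                protos.append(data[p + 1:p + 1 + n].decode("ascii"))
                p += 1 + n
            return protos
    return None


def check_tunnel(header_value: Optional[str], first_bytes: bytes) -> str:
    """Verdicts: no-header (nothing disclosed, policy decides), not-tls (cannot be
    checked against ALPN, policy decides), consistent, or mismatch."""
    if header_value is None:
        return "no-header"
    declared = set(parse_tunnel_protocol(header_value))
    try:
        offered = client_hello_alpn(first_bytes)
    except ValueError:
        return "not-tls"
    if offered is None:
        return "mismatch"  # example policy: a declaration with no ALPN offer is a contradiction
    return "consistent" if set(offered) <= declared else "mismatch"


def build_client_hello(alpn: Optional[List[str]]) -> bytes:
    """Constructed minimal ClientHello (zero random, one suite) used as sample input."""
    body = b"\x03\x03" + b"\x00" * 32        # client_version, random (constructed zeros)
    body += b"\x00"                          # empty session_id
    body += b"\x00\x02\x13\x01"              # one cipher suite
    body += b"\x01\x00"                      # null compression only
    if alpn is not None:
        names = b"".join(bytes([len(p)]) + p.encode("ascii") for p in alpn)
        alpn_body = struct.pack("!H", len(names)) + names
        ext = struct.pack("!HH", ALPN_EXT_TYPE, len(alpn_body)) + alpn_body
        body += struct.pack("!H", len(ext)) + ext
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


if __name__ == "__main__":
    # Constructed sample: CONNECT request, then the client's first tunnelled bytes.
    connect = (b"CONNECT example.com:443 HTTP/1.1\r\nHost: example.com:443\r\n"
               b"Tunnel-Protocol: h2, http/1.1\r\n\r\n")
    declared = tunnel_protocol_from_connect(connect)
    print(declared, check_tunnel(declared, build_client_hello(["h2", "http/1.1"])))
```

The two "policy decides" verdicts are the cases the thread discusses: a client that omits the header discloses nothing (no-header), and a declared identifier such as h2c that does not run over TLS gives the proxy no ALPN extension to compare against (not-tls); only a declared list that disagrees with the ClientHello is flagged as a lie.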