- From: Adrien de Croy <adrien@qbik.com>
- Date: Tue, 27 Jan 2015 09:01:13 +0000
- To: "Willy Tarreau" <w@1wt.eu>, "Martin Thomson" <martin.thomson@gmail.com>
- Cc: "HTTP Working Group" <ietf-http-wg@w3.org>
Willy - I think the intention is that this is used whether or not there is TLS in play, but that the ALPN token used in Tunnel-Protocol wouldn't match what is in the ALPN in any tunneled TLS (if any).

E.g. if tunneling SMTP over TLS, you'd advertise smtps in the Tunnel-Protocol header, and smtp in the ALPN field in the client helo in TLS. If tunneling SMTP, you'd just advertise smtp in the Tunnel-Protocol header.

So it's using the Tunnel-Protocol to describe possibly several layers. I personally would prefer to separate it out so that a proxy can know the next layer is TLS regardless of what is transported over TLS.

Adrien

------ Original Message ------
From: "Willy Tarreau" <w@1wt.eu>
To: "Martin Thomson" <martin.thomson@gmail.com>
Cc: "HTTP Working Group" <ietf-http-wg@w3.org>
Sent: 27/01/2015 7:47:11 p.m.
Subject: Re: New tunnel protocol

>On Mon, Jan 26, 2015 at 04:00:16PM -0800, Martin Thomson wrote:
>> On 25 January 2015 at 10:57, Willy Tarreau <w@1wt.eu> wrote:
>> > OK, then maybe put ALPN in the header field's name to remove the
>> > ambiguity, because there's nothing that makes it obvious
>> > that TLS is in use at all, and the name makes one think it's the
>> > protocol being tunnelled which is named instead of the one inside
>> > TLS.
>>
>> I've always considered the name on this draft to be weak. But I
>> haven't found a name that I liked better.
>
>The name of the draft has little importance, you need one to start
>discussions, so by definition the contents may change over time.
>
>> Please send suggestions.
>
>For the header field, I'd suggest : Tunnel-ALPN. That clearly covers
>your purpose of advertising the ALPN names registered at IANA.
>
>But like Amos and Adrien, I think that you're missing an opportunity
>to have a header field indicating what is transported when it's not
>TLS, and possibly to make it more flexible to indicate what is put
>on top of TLS. I understand the benefits of ALPN (given that it
>advertises a list of protocols to be negotiated), as well as I'm
>pretty convinced about the benefits of indicating what is transported
>so that clients may help policy enforcement detect their protocol and
>validate it (even though I respect that it could be out of the scope
>of your proposal).
>
>At least, calling it Tunnel-ALPN or TLS-ALPN, or Tunnel-TLS-ALPN will
>serve your purpose and will not prevent anyone from proposing to
>address the other needs with another non-confusing header field name.
>
>Regards,
>Willy
Received on Tuesday, 27 January 2015 09:02:12 UTC