- From: Takeshi Yoshino <tyoshino@google.com>
- Date: Sat, 11 Nov 2017 01:51:05 +0900
- To: Kazuho Oku <kazuhooku@gmail.com>
- Cc: Kari Hurtta <hurtta-ietf@elmme-mailer.org>, hybi <hybi@ietf.org>, Patrick McManus <pmcmanus@mozilla.com>, HTTP Working Group <ietf-http-wg@w3.org>
- Message-ID: <CAH9hSJapY-KxFwMzGp4vmNcZuu5R8gJ+es4Rs1Le8G2CWPLjsQ@mail.gmail.com>
On Fri, Nov 10, 2017 at 4:05 PM, Kazuho Oku <kazuhooku@gmail.com> wrote: > 2017-11-10 15:14 GMT+09:00 Kari Hurtta <hurtta-ietf@elmme-mailer.org>: > > Then that ":upgrade" works as explicit tunneling mechanism, IF you can > trust > > that response is treated as mailformed (stream error of type > PROTOCOL_ERROR) > > when proxies/frameworks does not subscribe that tunneling mechanism. > > > > Can you trust that? > > Note that we would be doing negotiation beforehand using a SETTINGS > parameter. Otherwise, a client cannot send a request with `:upgrade:` > pseudo header. > > I believe that a successful negotiation would be sufficient to > guarantee that the `:upgrade:` response header will be recognized as a > signal (or a 101 status code as a signal). > Agreed with Kazuho about this point. Depending on such detection of a spec violation is interesting, but I think we shouldn't. It's fragile. We're already clearing the path between the endpoints by the forwarding of the SETTINGS. That should be enough, yes. I'd rather suggest that we don't violate RFC 7540. As we'll be using a pseudo header, we anyway need special logic to generate/parse it. So, it doesn't matter so much whether the name is "upgrade" or not. We could e.g. use ":upgrade", and ":upgrade-response" in each direction respectively. I listed a few more points below that I think we should get consensus. But basically, I like the direction (use of HEADERS, signaling by SETTINGS). ---- I remember that we had some discussion about this kind of usage of the SETTINGS frame mechanism with H2 connection bundling/un-bundling proxies on the way, when we were discussing Yutaka's WS/H2 I-D <https://tools.ietf.org/html/draft-hirano-httpbis-websocket-over-http2-01> 3 y ago. Suppose that we have a reverse proxy that has a single H2 connection with a browser which is unbundled by the proxy to different target backends (still H2 but with fewer streams) where some backends can handle tunneling, but some cannot. The proxy needs to either: - forward the SETTINGS to the browser to allow it to use tunneling, but convert tunneling requests to the tunneling/H2 non-capable backends to one over H1 - don't forward the SETTINGS as not all backends are capable of it As SETTINGS is about hop-by-hop characteristics, we need to consolidate the bit as above at bundling points. I think this is fine and we don't want to introduce any complicated mechanism to perform e2e negotiation. Do you all agree on this? ---- In Yutaka's I-D, we tried to allow speculatively initiating a WebSocket over H2 without waiting for capability announcement by the server. In Patrick's proposal, we instead wait for the SETTINGS frame before initiating a WebSocket. How and when should a browser determine whether a certain H2 connection is tunneling capable or not? What's in my mind is: - When there's no connection at all, - ws: RFC 6455 connection attempt is made on TCP but with the HTTP2-Settings header in addition to the standard RFC 6455 headers, which might get upgraded to WS/H2 (indicated by e.g. an additional header, or a special Upgrade value "websocket-h2c") or just proceed as RFC 6455 - wss: Use ALPN? See https://tools.ietf.org/html/draft-hirano-httpbis-websocket-over-http2-01#section-3.4 - When there's ongoing H2 connection establishing, the browser waits until the initial SETTINGS is received following the preface. If there isn't ENABLE_CONNECT_PROTOCOL, the browser should use WS/TCP. Otherwise, it should use WS/H2. - When there's existing H2 connection established, if there wasn't ENABLE_CONNECT_PROTOCOL in the initial SETTINGS from the server, use WS/TCP, and WS/H2 otherwise. Initially, I thought it might be fine to assume that there's existing H2 when WS attempt is made, but it's not always true, I guess. ---- Is it ok that we cannot announce tunneling capability for each protocol separately? draft-hirano-httpbis-websocket-over-http2-01 allocated a dedicated SETTINGS identifier for WebSockets while draft-hirano-httpbis-websocket-over-http2-00 let each bit indicate capability for each protocol. In Patrick's proposal, currently we just determine tunneling yes/no and then everything beyond is upper layer protocol's work. I think this is fine if this tunneling is made completely independent from the upper layer protocol.
Received on Friday, 10 November 2017 16:51:59 UTC