Re: CONNECT, origins, and Alt-Svc from Lucas Pardue on 2023-11-06 (ietf-http-wg@w3.org from October to December 2023)

From: Lucas Pardue <lucaspardue.24.7@gmail.com>
Date: Mon, 6 Nov 2023 12:19:58 +0000
To: David Schinazi <dschinazi.ietf@gmail.com>
Cc: HTTP Working Group <ietf-http-wg@w3.org>
Message-ID: <CALGR9obfsXgfCytfoXvoHn-Gmr21yNsRaH=tBs2wZZn6TxU4YQ@mail.gmail.com>

Hi David


On Mon, Nov 6, 2023 at 11:05 AM David Schinazi <dschinazi.ietf@gmail.com>
wrote:

> Howdy HTTP enthusiasts,
>
> As we're adding support for CONNECT-UDP in Chrome, we're having to answer
> the related question "ok I know which proxy I want to use, but do I use TCP
> or QUIC?".
>
> Right now, the only mechanisms we have to discover HTTP/3 support are
> Alt-Svc and the HTTPS RR. Both of these are defined in terms of origin*.
> CONNECT-UDP is defined in terms of origin so we're in good shape there.
> Same story for connect-tcp
> <https://datatracker.ietf.org/doc/draft-ietf-httpbis-connect-tcp/>. But
> for CONNECT we're in a weird spot. In CONNECT, there is no origin (or if
> there is, it applies to the target destination, not to the proxy). So it
> doesn't quite feel right for a proxy to send the Alt-Svc header on the
> response to a CONNECT request. Similarly, I'm not sure that if I get an
> HTTPS RR for the proxy hostname I'm allowed to use it for CONNECT. So
> there's no great way to know that a CONNECT proxy supports HTTP/3. So if a
> PAC file tells the browser to use "HTTPS proxy.example.org:443" then it's
> not clear to me how the browser should figure out if it can use HTTP/3.
> Here are some options:
>
> 1) Send the first CONNECT over HTTP/1 or 2, pretend that use of Alt-Svc
> applies to the proxy
> 2) Query the HTTPS DNS RR and pretend that it applies to the proxy
> 3) Send an OPTIONS * request to the proxy and look for Alt-Svc
> 4) Try HTTP/3 for the first CONNECT request and fallback to TCP if
> anything fails (happy eyeballs style)
> 5) Create a new PAC script verb that means connect-tcp/connect-udp
> 6) Create a new PAC script verb that means HTTP/3
>

For coverage, could we also add

7) Proxy sends ALTSVC frame on stream 0 with an origin set to self (e.g.
proxy.example.org with h3=":443") [1]


> None of these feel like great solutions. Does anyone have thoughts?
>

I agree they don't feel that great. Especially when the WG has been
discussing reducing use of Alt-Svc [2].

Cheers
Lucas

[1] - https://datatracker.ietf.org/doc/html/rfc7838#section-4
[2] - https://datatracker.ietf.org/doc/draft-thomson-httpbis-alt-svcb/01/

Received on Monday, 6 November 2023 12:20:16 UTC