The CONNECT-IP HTTP MethodGoogle LLC1600 Amphitheatre ParkwayMountain View, California 94043United States of Americaachernya@google.comGoogle LLC1600 Amphitheatre ParkwayMountain View, California 94043United States of Americadallasmccall@google.comGoogle LLC1600 Amphitheatre ParkwayMountain View, California 94043United States of Americadschinazi.ietf@gmail.comMASQUEInternet-DraftThis document describes the CONNECT-IP HTTP method. CONNECT-IP is similar to
CONNECT-UDP, but allows transmitting IP packets, without being limited to just
TCP like CONNECT or UDP like CONNECT-UDP.Discussion VenuesDiscussion of this document takes place on the
Multiplexed Application Substrate over QUIC Encryption Working Group mailing list (masque@ietf.org),
which is archived at .Source for this draft and an issue tracker can be found at
.IntroductionThis document describes the CONNECT-IP HTTP method. CONNECT-IP is similar to
CONNECT-UDP, but allows transmitting IP packets, without being limited to just
TCP like CONNECT or UDP like CONNECT-UDP.CONNECT-IP allows endpoints to set up an IP tunnel between one another. This
can be used to implement a consumer VPN, point-to-point, point-to-network, and
network-to-network capabilities as described in
.Conventions and DefinitionsThe key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD",
"SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in BCP 14
when, and only when, they appear in all capitals, as shown here.In this document, we use the term "proxy" to refer to the HTTP server that
responds to the CONNECT-IP request. If there are
HTTP intermediaries (as defined in Section 2.3 of ) between the
client and the proxy, those are referred to as "intermediaries" in this
document.The CONNECT-IP MethodThe CONNECT-IP method establishes a stream to an endpoint server that then
permits the exchange of control data, such as IP address information, reachable
IP ranges, and other relevant information for successfully transmitting IP
datagrams between hosts.The request-target of a CONNECT-IP request is a URI which uses
the "https" scheme and an immutable path of "/". When using HTTP/2
or later, CONNECT-IP requests use HTTP pseudo-headers with the
following requirements:
The ":method" pseudo-header field is set to "CONNECT-IP".
The ":scheme" pseudo-header field is set to "https".
The ":path" pseudo-header field is set to "/".
The ":authority" pseudo-header field contains the host and port of the proxy.
The target of a CONNECT-IP request is the server providing the CONNECT-IP
featureset, not an individual endpoint with which a connection is desired.
A CONNECT-IP request that does not conform to these restrictions is
malformed (see , Section 8.1.2.6).Any 2xx (Successful) response indicates that the proxy is willing to open an IP
tunnel between it and the client. Any response other than a successful response
indicates that the tunnel has not yet been formed.A proxy MUST NOT send any Transfer-Encoding or Content-Length header fields in
a 2xx (Successful) response to CONNECT-IP. A client MUST treat a successful
response to CONNECT-IP containing any Content-Length or Transfer-Encoding
header fields as malformed.A payload within a CONNECT-IP request message has no defined semantics; a
CONNECT-IP request with a non-empty payload is malformed. Note that the
CONNECT-IP stream is used to convey control messages, but they are not
semantically part of the request or response themselves.Responses to the CONNECT-IP method are not cacheable.The lifetime of the tunnel is tied to the CONNECT-IP stream. Closing the stream
(via the FIN bit on a QUIC STREAM frame, or a QUIC RESET_STREAM frame) closes
the associated tunnel.Transmitting IP Packets using HTTP DatagramsWhen the HTTP connection supports HTTP/3 datagrams
, IP packets can be sent using them.
The HTTP/3 Datagram Payload contains a full IP packet, from the IP Version
field until the last byte of the IP Payload.RoutesEndpoints have the ability to advertise and reject routes using the
ROUTE_ADVERTISEMENT () and ROUTE_REJECTION ()
messages. Note that these messages are purely informational: receipt of a
ROUTE_ADVERTISEMENT message does not require the recipient to start routing
traffic to its peer. Additionally, if an endpoint receives a ROUTE_REJECTION
for a given prefix that it had previously received a ROUTE_ADVERTISEMENT
message for, then the two cancel out and the endpoint MUST remove its state
from the ROUTE_ADVERTISEMENT message instead of installing new state for the
ROUTE_REJECTION message. Conversely, the same is true of a ROUTE_ADVERTISEMENT
that matches a previous ROUTE_REJECTION. Routes are handled via
longest-prefix-first preference, meaning that if a given IP prefix is covered
by multiple route advertisement and route rejections, the one with the longest
prefix is used.Stream ChunksThe DATA stream tied to the bidirectional stream that the CONNECT-IP request
was sent on is a sequence of CONNECT-IP Stream Chunks, which are defined as a
sequence of type-length-value tuples using the following format (using the
notation from the "Notational Conventions" section of
):
CONNECT-IP Stream Chunk Type:
A variable-length integer indicating the Type of the CONNECT-IP Stream
Chunk. Endpoints that receive a chunk with an unknown CONNECT-IP Stream Chunk
Type MUST silently skip over that chunk.
CONNECT-IP Stream Chunk Length:
The length of the CONNECT-IP Stream Chunk Value field following this field.
Note that this field can have a value of zero.
CONNECT-IP Stream Chunk Value:
The payload of this chunk. Its semantics are determined by the value of the
CONNECT-IP Stream Chunk Type field.
MessagesIP_PACKET MessageThe IP_PACKET message allows conveying IP Packets when HTTP/3 Datagrams are not
available. This message uses a CONNECT-IP Stream Chunk Type of 0x00. Its value
uses the following format:
IP Packet:
A full IP packet, from the IP Version field until the last byte of the IP
Payload.
Note that this message MAY still be used even when HTTP/3 datagrams are
available.ADDRESS_ASSIGN MessageThe ADDRESS_ASSIGN message allows an endpoint to inform its peer that it has
assigned an IP address to it. It allows assigning a prefix which can contain
multiple addresses. This message uses a CONNECT-IP Stream Chunk Type of 0x01.
Its value uses the following format:
IP Version:
IP Version of this address assignment. MUST be either 4 or 6.
IP Address:
Assigned IP address. If the IP Version field has value 4, the IP Address
field SHALL have a length of 32 bits. If the IP Version field has value 6, the
IP Address field SHALL have a length of 128 bits.
IP Prefix Length:
Length of the IP Prefix assigned, in bits. MUST be lesser or equal to the
length of the IP Address field, in bits.
ADDRESS_REQUEST MessageThe ADDRESS_REQUEST message allows an endpoint to request assignment of an IP
address from its peer. It allows the endpoint to optionally indicate a
preference for which address it would get assigned. This message uses a
CONNECT-IP Stream Chunk Type of 0x02. Its value uses the following format:
IP Version:
IP Version of this address request. MUST be either 4 or 6.
IP Address:
Requested IP address. If the IP Version field has value 4, the IP Address
field SHALL have a length of 32 bits. If the IP Version field has value 6, the
IP Address field SHALL have a length of 128 bits.
IP Prefix Length:
Length of the IP Prefix requested, in bits. MUST be lesser or equal to the
length of the IP Address field, in bits.
Upon receiving the ADDRESS_REQUEST message, an endpoint SHOULD assign an IP
address to its peer, and then respond with an ADDRESS_ASSIGN message to inform
the peer of the assignment.ROUTE_ADVERTISEMENT MessageThe ROUTE_ADVERTISEMENT message allows an endpoint to communicate to its peer
that it is willing to route traffic to a given prefix. This message uses a
CONNECT-IP Stream Chunk Type of 0x03. Its value uses the following format:
IP Version:
IP Version of this route advertisement. MUST be either 4 or 6.
IP Address:
IP address of the advertised route. If the IP Version field has value 4, the
IP Address field SHALL have a length of 32 bits. If the IP Version field has
value 6, the IP Address field SHALL have a length of 128 bits.
IP Prefix Length:
Length of the IP Prefix of the advertised route, in bits. MUST be lesser or
equal to the length of the IP Address field, in bits.
Upon receiving the ROUTE_ADVERTISEMENT message, an endpoint MAY start routing
IP packets in that prefix to its peer.ROUTE_REJECTION MessageThe ROUTE_REJECTION message allows an endpoint to communicate to its peer that
it is not willing to route traffic to a given prefix. This message uses a
CONNECT-IP Stream Chunk Type of 0x04. Its value uses the following format:
IP Version:
IP Version of this route rejection. MUST be either 4 or 6.
IP Address:
IP address of the rejected route. If the IP Version field has value 4, the IP
Address field SHALL have a length of 32 bits. If the IP Version field has value
6, the IP Address field SHALL have a length of 128 bits.
IP Prefix Length:
Length of the IP Prefix of the advertised route, in bits. MUST be lesser or
equal to the length of the IP Address field, in bits.
Upon receiving the ROUTE_REJECTION message, an endpoint MUST stop routing IP
packets in that prefix to its peer. Note that this message can be reordered
with DATAGRAM frames, and therefore an endpoint that receives packets for
routes it has rejected MUST NOT treat that as an error.ROUTE_RESET MessageThe ROUTE_RESET message allows an endpoint to cancel any routes it had
previously advertised or denied. This message uses a CONNECT-IP Stream Chunk
Type of 0x05. Its value uses the following format:Upon receiving the ROUTE_RESET message, an endpoint MUST stop routing IP
packets to its peer. Note that this message can be reordered with DATAGRAM
frames, and therefore an endpoint that receives packets for routes it has
rejected MUST NOT treat that as an error.The main purpose of the ROUTE_RESET message is to allow endpoints to not have
to remember the full list of routes they have shared with their peer. In
practice, it is expected that ROUTE_RESET messages will be closely followed by
ROUTE_ADVERTISEMENT messages that will refill the routing table that was just
cleared.SHUTDOWN MessageThe SHUTDOWN message allows an endpoint to communicate to its peer that it is
about to close the CONNECT-IP stream, with a string explaining the reason for
the shutdown. This message uses a CONNECT-IP Stream Chunk Type of 0x06. Its
value uses the following format:
Reason Phrase:
Additional diagnostic information for the shutdown. This SHOULD be
a UTF-8 encoded string , though the frame does not carry
information, such as language tags, that would aid comprehension by any entity
other than the one that created the text.
Note that the SHUTDOWN message is informational, the tunnel is only closed when
its corresponding CONNECT-IP stream is closed. Endpoints MAY close the tunnel
with a reason phrase by sending the SHUTDOWN message with the FIN bit set on
the underlying QUIC STREAM frame that carried it.ATOMIC_START MessageThe ATOMIC_START message allows an endpoint to create an atomic set of
messages. This message uses a CONNECT-IP Stream Chunk Type of 0x07. Its value
uses the following format:Upon receiving an ATOMIC_START message, an endpoint MUST buffer all incoming
known messages until it receives an ATOMIC_END message. Endpoints MUST NOT send
two ATOMIC_START messages without an ATOMIC_END message between them.Endpoints MUST NOT buffer unknown messages. Endpoints MAY choose to immediately
process IP_PACKET and SHUTDOWN messages instead of buffering them. Extensions
that register new message types MAY specify that it is allowed to skip
buffering for them.The purpose of this frame is to avoid timing issues where an endpoint installs
a route before an important route rejection was received. Endpoints SHOULD
group their initial configuration into an atomic block to allow their peer to
mark the tunnel as operational once the whole block is parsed.ATOMIC_END MessageThe ATOMIC_END message allows an endpoint to end an atomic set of messages.
This message uses a CONNECT-IP Stream Chunk Type of 0x08. Its value uses the
following format:Upon receiving an ATOMIC_END message, an endpoint MUST parse all previously
buffered messages, in order of receipt. Endpoints MUST NOT send an ATOMIC_END
message without a preceding ATOMIC_START message.Extensibility ConsiderationsCONNECT-IP can be extended via multiple mechanisms to increase functionality.
There are two main ways to extend CONNECT-IP: HTTP headers and CONNECT-IP
Stream Chunk Types. For example, an authentication extension could define an
HTTP header that allows endpoints to send authentication credentials to their
peer during the creation of the tunnel. Alternatively, one could specify an
extension that defines a new CONNECT-IP Stream Chunk Type which allows
exchanging DNS configuration between endpoints.Security ConsiderationsThere are significant risks in allowing arbitrary clients to establish a tunnel
to arbitrary servers, as that could allow bad actors to send traffic and have
it attributed to the proxy. Proxies that support CONNECT-IP SHOULD restrict its
use to authenticated users. The HTTP Authorization header MAY
be used to authenticate clients. More complex authentication schemes are out of
scope for this document but can be implemented using CONNECT-IP extensions.IANA ConsiderationsHTTP MethodThis document will request IANA to register "CONNECT-IP" in the
HTTP Method Registry (IETF review) maintained at
<>.Stream Chunk Type RegistrationThis document will request IANA to create a "CONNECT-IP Stream Chunk Type"
registry. This registry governs a 62-bit space, and follows the registration
policy for QUIC registries as defined in . In addition to the fields
required by the QUIC policy, registrations in this registry MUST include the
following fields:
Type:
A short mnemonic for the type.
Description:
A brief description of the type semantics, which MAY be a summary if a
specification reference is provided.
The initial contents of this registry are:Each value of the format 41 * N + 29 for integer values of N (that is, 29,
70, 111, ...) are reserved; these values MUST NOT be assigned by IANA and MUST
NOT appear in the listing of assigned values.ReferencesNormative ReferencesKey words for use in RFCs to Indicate Requirement LevelsIn many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements.Ambiguity of Uppercase vs Lowercase in RFC 2119 Key WordsRFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings.Hypertext Transfer Protocol (HTTP/1.1): Message Syntax and RoutingThe Hypertext Transfer Protocol (HTTP) is a stateless application-level protocol for distributed, collaborative, hypertext information systems. This document provides an overview of HTTP architecture and its associated terminology, defines the "http" and "https" Uniform Resource Identifier (URI) schemes, defines the HTTP/1.1 message syntax and parsing requirements, and describes related security concerns for implementations.Uniform Resource Identifier (URI): Generic SyntaxA Uniform Resource Identifier (URI) is a compact sequence of characters that identifies an abstract or physical resource. This specification defines the generic URI syntax and a process for resolving URI references that might be in relative form, along with guidelines and security considerations for the use of URIs on the Internet. The URI syntax defines a grammar that is a superset of all valid URIs, allowing an implementation to parse the common components of a URI reference without knowing the scheme-specific requirements of every possible identifier. This specification does not define a generative grammar for URIs; that task is performed by the individual specifications of each URI scheme. [STANDARDS-TRACK]Hypertext Transfer Protocol Version 2 (HTTP/2)This specification describes an optimized expression of the semantics of the Hypertext Transfer Protocol (HTTP), referred to as HTTP version 2 (HTTP/2). HTTP/2 enables a more efficient use of network resources and a reduced perception of latency by introducing header field compression and allowing multiple concurrent exchanges on the same connection. It also introduces unsolicited push of representations from servers to clients.This specification is an alternative to, but does not obsolete, the HTTP/1.1 message syntax. HTTP's existing semantics remain unchanged.Using QUIC Datagrams with HTTP/3Google LLCCloudflare The QUIC DATAGRAM extension provides application protocols running
over QUIC with a mechanism to send unreliable data while leveraging
the security and congestion-control properties of QUIC. However,
QUIC DATAGRAM frames do not provide a means to demultiplex
application contexts. This document defines how to use QUIC DATAGRAM
frames when the application protocol running over QUIC is HTTP/3 by
adding an identifier at the start of the frame payload. This allows
HTTP messages to convey related information using unreliable DATAGRAM
frames, ensuring those frames are properly associated with an HTTP
message.
Discussion of this work is encouraged to happen on the MASQUE IETF
mailing list (masque@ietf.org (mailto:masque@ietf.org)) or on the
GitHub repository which contains the draft: https://github.com/ietf-
wg-masque/draft-ietf-masque-h3-datagram.
QUIC: A UDP-Based Multiplexed and Secure TransportFastlyMozilla This document defines the core of the QUIC transport protocol. QUIC
provides applications with flow-controlled streams for structured
communication, low-latency connection establishment, and network path
migration. QUIC includes security measures that ensure
confidentiality, integrity, and availability in a range of deployment
circumstances. Accompanying documents describe the integration of
TLS for key negotiation, loss detection, and an exemplary congestion
control algorithm.
DO NOT DEPLOY THIS VERSION OF QUIC
DO NOT DEPLOY THIS VERSION OF QUIC UNTIL IT IS IN AN RFC. This
version is still a work in progress. For trial deployments, please
use earlier versions.
Note to Readers
Discussion of this draft takes place on the QUIC working group
mailing list (quic@ietf.org (mailto:quic@ietf.org)), which is
archived at https://mailarchive.ietf.org/arch/search/?email_list=quic
Working Group information can be found at https://github.com/quicwg;
source code and issues list for this draft can be found at
https://github.com/quicwg/base-drafts/labels/-transport.
UTF-8, a transformation format of ISO 10646ISO/IEC 10646-1 defines a large character set called the Universal Character Set (UCS) which encompasses most of the world's writing systems. The originally proposed encodings of the UCS, however, were not compatible with many current applications and protocols, and this has led to the development of UTF-8, the object of this memo. UTF-8 has the characteristic of preserving the full US-ASCII range, providing compatibility with file systems, parsers and other software that rely on US-ASCII values but are transparent to other values. This memo obsoletes and replaces RFC 2279.Informative ReferencesRequirements for a MASQUE Protocol to Proxy IP TrafficGoogle LLCGoogle LLCGoogle LLC There is interest among MASQUE working group participants in
designing a protocol that can proxy IP traffic over HTTP. This
document describes the set of requirements for such a protocol.
Discussion of this work is encouraged to happen on the MASQUE IETF
mailing list masque@ietf.org or on the GitHub repository which
contains the draft: https://github.com/ietf-wg-masque/draft-ietf-
masque-ip-proxy-reqs.
Hypertext Transfer Protocol (HTTP/1.1): AuthenticationThe Hypertext Transfer Protocol (HTTP) is a stateless application- level protocol for distributed, collaborative, hypermedia information systems. This document defines the HTTP Authentication framework.ExamplesConsumer VPNIn this scenario, the client will typically receive a single IP address that
the proxy has picked from a pool of addresses it maintains. The client will
route all traffic through the tunnel. The exchange could look as follows:
IP Version = 4
IP Address = 0.0.0.0
IP Prefix Length = 0
<-------- ADDRESS_ASSIGN
IP Version = 4
IP Address = 192.0.2.42
IP Prefix Length = 32
<-------- ROUTE_ADVERTISEMENT
IP Version = 4
IP Address = 0.0.0.0
IP Prefix Length = 0
]]>AcknowledgmentsThe design of CONNECT-IP was inspired by discussions in the MASQUE working
group around . The authors would like to thank participants in those
discussions for their feedback.