]> Mozilla

mt@lowentropy.net

Akamai Technologies

mbishop@evequefou.be

Cloudflare

lucaspardue.24.7@gmail.com

Microsoft

tojens@microsoft.com

Applications and Real-Time HTTP next generation alternative alternative stickiness HTTP alternative services This document deprecates RFC 7838. About This Document The latest revision of this draft can be found at . Status information for this document may be found at . Discussion of this document takes place on the HTTP Working Group mailing list (), which is archived at . Source for this draft and an issue tracker can be found at .

Introduction HTTP alternative services provide an HTTP server with a means to direct requests from clients to an alternative server instance. Clients that learn about an alternative service can establish a connection to the identified instance, which - if successfully established and authenticated - can be used for future requests. This design allows for nearly seamless service continuity in some conditions. The use cases that might motivate a server to direct future requests to a different server instance vary.

• Some deployments might seek to direct a client to a server instance that is better able to serve requests for that client. This might occur if DNS resolution of the server name produces the address of a server instance that is further from the client.
• Servers that might seek to shed load, perhaps in anticipation of an imminent shutdown or maintenance action, might use an alternative service declaration to reduce either server load or the number of clients that might be affected.
• Many deployments of HTTP/3 use the protocol identifiers in an alternative service declaration to make clients aware of support for the newer protocol.

These different use cases can sometimes create awkward trade-offs for deployments of alternative services.

Caching in Alternative Services With RFC 7838 , setting the "ma" (or max-age) parameter for an alternative can be challenging for a server deployment. Setting too a large max-age can mean that clients use an alternative for longer than they should. Conversely, a short cache period for an advertisement for HTTP/3 can mean that earlier versions might be used more often than is optimal. Alternative services can interact poorly with service configuration information that is published in the DNS. With the introduction of HTTPS records , the availability of HTTP/3 can be advertised in the DNS, creating two independent sources of this information, with different approaches to caching. Alternative services can also be highly dependent on networking conditions. RFC 7838 attempted to manage this by having clients be responsible for invalidating alternatives when changes in their network are detected, unless the alternative is explicitly marked as "persistent". In practice, detecting the necessary changes is difficult for many clients, so this requirement is not consistently implemented. The alternative services mechanisms defined in RFC 7838 can produce suboptimal or even detrimental outcomes in some deployments. Consequently, this document obsoletes RFC 7838.

A New Alternative This document describes a different approach to advertising alternative services. This approach uses the DNS as the singular source of information about service reachability. An alternative service advertisement only acts as a prompt for clients to seek updated information from the DNS. To use this new design, a server advertises an alternative name using the "Alt-SvcB" field. Clients can then consult the DNS, making HTTPS queries starting with this name. The alternative name is used in place of the name of the authority and using HTTPS records is mandatory, but the process otherwise follows normal HTTPS record resolution and connection procedures. defines how this name is used in detail. Future connections for requests to resources on the same server use HTTPS record resolution to the name of the authority, but are reprioritized if a successful connection was previously made to an alternative service. defines how this process works in more detail.

Conventions and Definitions The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 when, and only when, they appear in all capitals, as shown here.

Using Alternative Services When a client learns about a new potential alternative from a server, they SHOULD attempt to use that alternative for future requests to that server. The client attempts to make a request for a resource on the same server using the alternative as follows:

1. The client makes a DNS query for HTTPS records for the alternative name, following the procedures in . Clients make this query as a "SVCB-reliant" SVCB client, treating a failure to obtain HTTPS records as a failed alternative. If this process fails to produce service parameters or IP addresses, abort this process. [[ISSUE: Maybe we can still be SVCB-optional here, but that places constraints on the choice of name.]]
2. The client establishes a connection using the service parameters and addresses learned from the DNS query. Important here is that the client uses a TLS server name indication of the server name from the URL, not the alternative name. This allows the server to produce a certificate for that name, which the client can validate as applying to the URL it is resolving. If a connection cannot be established, abort this process.
3. The client validates that the server is authoritative for the resource. If the server is not authoritative, abort this process.
4. The client makes a query for the resource. If the server does not respond, responds with a 421 (Misdirected Request) (see ), or a 5xx status code (see ), abort this process.
5. Once a response is received, the connection to the alternative is complete. Any other connections can be closed and future requests directed to the alternative. The client SHOULD remember the alternative name and the service name (the TargetName from the HTTPS ServiceMode record that was used) that were used; see .

A client MUST NOT remember a service name for an alternative service until a request has been successfully completed with a 2xx or 3xx status code. A client MAY send additional requests using the newly established connection to the alternative service after it verifies that the server is authoritative. The alternative service is therefore active once the connection is established, but it will not be reused () for future connections until a request completes successfully. A client MAY continue sending other requests over any existing connection to the server until this process completes in order to minimize latency for those requests. A client MAY - when presented with an alternative name - proactively make a request for an arbitrary resource on the server, rather than waiting for the next time a request is needed. This might allow the connection to be available for future requests with less delay.

Retention of Alternatives Clients SHOULD remember the successful use of an alternative service. Two pieces of information are retained:

• the alternative name, which is the name provided by the server in the Alt-SvcB field or ALTSVCB frame, and
• the service name, which is the TargetName from the ServiceMode HTTPS record that was used to successfully connect to the server.

These two names are saved for the server against the origin of the server . Clients MUST NOT reuse saved information for a server with a different hostname, port, or scheme. The name given in an Alt-SvcB field or ALTSVCB frame is retained only so that the client can avoid initiating a connection to an alternative if it has already made an attempt. Any time that a server provides a different name in an Alt-SvcB field or ALTSVCB frame, any existing information MUST be discarded. A client MAY then initiate a DNS query and connection attempt to the identified alternative. A client can subsequently ignore repeated fields or frames. A server might provide an Alt-SvcB field in all responses it sends. Only acting on a value once ensures that this repetition has no effect on clients. Though a server might repeat the field, clients MUST NOT consider an absent field as indicative of a retraction of a previous advertisement. An alternative name is only removed when explicitly replaced or when a remembered service name does not appear in the set of HTTPS query responses. On the first attempt to use an alternative, a failed alternative SHOULD be remembered using an alternative name and a null or absent service name. This avoids making repeated attempts to use an alternative service that is not available if the server repeats the information in Alt-SvcB fields or ALTSVCB frames. A client MAY periodically attempt to retry a failed alternative if the information is repeated. A server can explicitly request that a client remove any remembered service name by providing an alternative name of "invalid". The "invalid" domain name corresponds to a DNS name that will never successfully resolve (see ), which guarantees that an attempt to use this name cannot succeed. Clients MAY recognize the name "invalid" as special and avoid any attempt to use this to discover an alternative service.

Reusing Alternatives A client remembers the service name, or the TargetName from the ServiceMode HTTPS record that it successfully used to establish a connection to an alternative service. In subsequent connections to the same server, it makes HTTP queries for the server name. If this query returns a ServiceMode resource record (RR) that includes a TargetName that is identical to the remembered service name, the client SHOULD choose that over any alternatives, including those RRs that are marked "alt-only"; see . A client does not make a query for the remembered alternative name. They make a query for the name of the server, using the QNAME derived from the URI of the target resource. The RR that matches the remembered service name is selected, overriding any SvcPriority that might otherwise result in another ServiceMode record being chosen. If a query for HTTPS records does not produce a ServiceMode record with a matching TargetName, any remembered information MUST be removed for that origin. When reusing stored information, if a connection is unsuccessful for any reason (see ), remembered information for that origin MUST be removed. Clients clear retained alternative service information on reuse to prevent stale information from affecting all future connection attempts. After removing remembered information, a client MAY make another attempt to connect using any other ServiceMode records that the DNS query produced.

Example of Reuse A client that is fetching "https://example.com/" might originally perform a DNS query for "example.com" and receive in response: Under normal conditions, the SvcPriority of the "alt?.example." RRs would indicate that it is not preferred, so the "example.com" record would be used. If the client received an alternative service advertisement from this server for "alt.example.net" it would then make a DNS query to that name. This might return a different set of records, as follows: If the client selects "alt2.example." and successfully connects to that host, it remembers both the name given as an alternative name ("alt.example.net") and a service name (the TargetName from the ServiceMode HTTPS record, "alt2.example."). In subsequent connections to "example.com", the client again queries the "example.com" name. Importantly, this is not any other name it might have learned. The resulting response - after following indirections through AliasMode, CNAME, or similar mechanisms - produces the same records as previously: The ServiceMode HTTPS record for "alt2.example." is used, even though this is a lower priority than other records. It is also used despite not using the same port number as previously.

Exclusive Alternative Services ServiceMode HTTPS records can be marked as only being available for use as an alternative. This allows servers to use alternative services for specific server instances, without having clients connect to them without being first invited to do so. This is achieved with a SvcParam with a key of "alt-only" (codepoint TBD). The value of this SvcParamKey MUST be empty. HTTPS ServiceMode records with this SvcParamKey MUST NOT be used unless the client is actively seeking an alternative, either as a result of actively looking up an alternative name or because the alternative has been remembered. To prevent clients that do not support this specification from using these services, the "alt-only" SvcParamKey MUST be listed in the "mandatory" SvcParam. In the following example, though "alt1.example" is listed at a higher priority than "example.com", clients will not use this service unless an alternative was provided by the server: [[ISSUE: Do we need this flag in addition to the priority override? Could one of the two be sufficient?]]

Port Numbers The name that is provided in the Alt-SvcB field or ALTSVCB frame can be any valid DNS QNAME. This includes those with underscored labels , including those that might be used to query for HTTPS records to a non-default port. This might be used to direct clients to connect to alternative ports. Note that the HTTPS records might direct clients to an entirely different port number than the name implies. Clients MUST NOT infer a port number from the provided name, instead treating this name no differently than any other.

Interaction with GOAWAY Servers that advertise alternative services cannot expect clients to switch to the advertised alternative. Use of the alternative is entirely at the discretion of clients. If the client is unsuccessful in connecting to an alternative or does not attempt a connection, they could continue to use the existing connection for new requests. A server that seeks to actively encourage clients to disconnect and seek service elsewhere needs to use graceful shutdown procedures of the HTTP version that is in use. HTTP/2 and HTTP/3 each provide a GOAWAY frame that can be used to initiate the graceful shutdown of a connection. Alternative services is not a substitute for these mechanisms.

Proxies The procedures in this document apply to clients that connect to gateways or reverse proxies. However, clients that connect via a proxy, using HTTP CONNECT or similar methods, have a choice. Clients that provide a proxy with the name of a service leave name resolution to the proxy. Such a client MUST ignore any alternative service advertisement it receives and MAY fallback to using legacy alternative services; see . Clients that make HTTPS queries for any connection attempt via a proxy can use alternative services. Such a client MUST provide the proxy with the IP address of the server it wishes to contact, rather than providing a name.

Fallback to Alt-Svc A client that successfully makes use of HTTPS records in resolving the name of an HTTP server MUST ignore any Alt-Svc fields or ALTSVC frames that the server provides. This document deprecates the mechanisms defined in RFC 7838 . Servers might provide Alt-Svc fields or ALTSVC frames in order to support clients that cannot use HTTPS records.

No Authority This design does not assume that information that a client learns about alternatives is authoritative in any way, either by virtue of being provided by an authoritative server. Instead, once a server is determined to be authorative (see ), that server is treated as the authority on all aspects of service configuration. For protocol choice, and maybe extensions in the TLS handshake determine what is used. In contrast RFC 7838, sending alternative services over an HTTP connection ensures that the information is authoritative. Clients therefore might have been less concerned about attacks that compromise the integrity of alternative services when using RFC 7838. Though integrity protection might appear to be valuable, it produced conflicts. For instance, information about the protocol is ostensibly authentic when provided in Alt-Svc fields or ALTSVC frames. However, protocol support is also authenticated when establishing a connection. This creates a potential conflict between two equally authoritative sources of the same information. Conflicts also arise when alternative service information is retained as any retained state might disagree with what is currently deployed. This design avoids this contention by having the entire service resolution process occur almost entirely to the DNS. An alternative service advertisement provides only a minimal nudge to perform a DNS query at the time it is made. On reconnection, remembered state only affects prioritization of active DNS records. Invalid configurations do not persist.

Protocol Elements Multiple ways of encoding an alternative service name is defined. The Alt-SvcB field in allows servers to indicate a preferred service in responses. The ALTSVCB frames in allows a server to provide alternative names outside of the context of a query. These approaches have different properties. Alt-SvcB fields are forwarded by intermediaries and so might reach clients through a gateway or reverse proxy. Clients that use a proxy without using CONNECT or similar tunnels, might also receive an alternative name using a field. In comparison, ALTSVCB frames each only apply to a single origin within the scope of a single connection.

Alt-SvcB Field The "Alt-SvcB" response field is a List of String values (see Sections and of ). This response field MAY appear in a header or trailer section, though servers need to be aware that some clients might not process field values. Each field value includes an alternative name. Each alternative name is encoded as an ASCII string, or a series of DNS A-labels, each separated by a single period character (".", U+2E). Each value MAY end with a period, though - for the purposes of the process in - the string is treated as an absolute DNS QNAME whether or not a trailing period is present. The applicable origin is derived from the origin of the Target Resource (see ). If multiple Alt-SvcB fields or field values are present in a response, the client MAY use any subset of the provided alternative names, including none, one, or all of the provided names. Servers SHOULD NOT provide more than one name. The DNS provides ample opportunity to present clients with options, including the use of priority to help manage selection. A list is tolerated only to allow for the possibility that multiple field lines might be added to responses without proper coordination. Clients MUST ignore unknown parameters that are provided with alternative names. This document does not define any parameters as the DNS is expected to provide supplementary information about services; a revision of this document would be required to enable the use of parameters.

ALTSVCB Frame An ALTSVCB frame is defined for both HTTP/2 and HTTP/3. The frame provides an alternative name for an identified origin . In both protocols, the ALTSVCB frame uses the identifier TBD. The format for both protocols is the same; this is shown in using the notation from .

ALTSVCB Frame Format

The fields in the ALTSVCB frame are defined as follows:

Origin Length:

An integer, encoded as a QUIC variable-length integer (see ) indicating the length of the Origin field, in bytes.

Origin:

The ASCII serialization of the affected origin; see .

Alternative Name:

The remainder of the frame contains a single alternative name, encoded as an ASCII string; see the definition in for more details on the encoding.

If a server sends multiple ALTSVCB frames for the same origin, clients MUST ignore any frames other than the most recent.

Security Considerations TODO Lots of work to do here. Review RFC 7838 for relevant information to copy over.

Internationalization Considerations An internationalized domain name that appears in either an Alt-SvcB field () or an ALTSVCB frame () MUST be expressed using A-labels; see .

IANA Considerations TODO register:

• Field
• H2 Frame
• H3 Frame
• alt-only SvcParam

References Normative References The Hypertext Transfer Protocol (HTTP) is a stateless application-level protocol for distributed, collaborative, hypertext information systems. This document describes the overall architecture of HTTP, establishes common terminology, and defines aspects of the protocol that are shared by all versions. In this definition are core protocol elements, extensibility mechanisms, and the "http" and "https" Uniform Resource Identifier (URI) schemes. This document updates RFC 3864 and obsoletes RFCs 2818, 7231, 7232, 7233, 7235, 7538, 7615, 7694, and portions of 7230. This document defines the concept of an "origin", which is often used as the scope of authority or privilege by user agents. Typically, user agents isolate content retrieved from different origins to prevent malicious web site operators from interfering with the operation of benign web sites. In addition to outlining the principles that underlie the concept of origin, this document details how to determine the origin of a URI and how to serialize an origin into a string. It also defines an HTTP header field, named "Origin", that indicates which origins are associated with an HTTP request. [STANDARDS-TRACK] This document specifies "Alternative Services" for HTTP, which allow an origin's resources to be authoritatively available at a separate network location, possibly accessed with a different protocol configuration. Google Akamai Technologies Akamai Technologies This document specifies the "SVCB" and "HTTPS" DNS resource record (RR) types to facilitate the lookup of information needed to make connections to network services, such as for HTTP origins. SVCB records allow a service to be provided from multiple alternative endpoints, each with associated parameters (such as transport protocol configuration and keys for encrypting the TLS ClientHello). They also enable aliasing of apex domains, which is not possible with CNAME. The HTTPS RR is a variation of SVCB for use with HTTP [HTTP]. By providing more information to the client before it attempts to establish a connection, these records offer potential benefits to both performance and privacy. TO BE REMOVED: This document is being collaborated on in Github at: https://github.com/MikeBishop/dns-alt-svc (https://github.com/MikeBishop/dns-alt-svc). The most recent working version of the document, open issues, etc. should all be available there. The authors (gratefully) accept pull requests. In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements. RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings. This document provides specifications for existing TLS extensions. It is a companion document for RFC 5246, "The Transport Layer Security (TLS) Protocol Version 1.2". The extensions specified are server_name, max_fragment_length, client_certificate_url, trusted_ca_keys, truncated_hmac, and status_request. [STANDARDS-TRACK] This document describes a Transport Layer Security (TLS) extension for application-layer protocol negotiation within the TLS handshake. For instances in which multiple application protocols are supported on the same TCP or UDP port, this extension allows the application layer to negotiate which protocol will be used within the TLS connection. This document specifies version 1.3 of the Transport Layer Security (TLS) protocol. TLS allows client/server applications to communicate over the Internet in a way that is designed to prevent eavesdropping, tampering, and message forgery. This document updates RFCs 5705 and 6066, and obsoletes RFCs 5077, 5246, and 6961. This document also specifies new requirements for TLS 1.2 implementations. This document describes a set of data types and associated algorithms that are intended to make it easier and safer to define and handle HTTP header and trailer fields, known as "Structured Fields", "Structured Headers", or "Structured Trailers". It is intended for use by specifications of new HTTP fields that wish to use a common syntax that is more restrictive than traditional HTTP field values. This document defines the core of the QUIC transport protocol. QUIC provides applications with flow-controlled streams for structured communication, low-latency connection establishment, and network path migration. QUIC includes security measures that ensure confidentiality, integrity, and availability in a range of deployment circumstances. Accompanying documents describe the integration of TLS for key negotiation, loss detection, and an exemplary congestion control algorithm. This document is one of a collection that, together, describe the protocol and usage context for a revision of Internationalized Domain Names for Applications (IDNA), superseding the earlier version. It describes the document collection and provides definitions and other material that are common to the set. [STANDARDS-TRACK] Informative References This specification describes an optimized expression of the semantics of the Hypertext Transfer Protocol (HTTP), referred to as HTTP version 2 (HTTP/2). HTTP/2 enables a more efficient use of network resources and a reduced latency by introducing field compression and allowing multiple concurrent exchanges on the same connection. This document obsoletes RFCs 7540 and 8740. The QUIC transport protocol has several features that are desirable in a transport for HTTP, such as stream multiplexing, per-stream flow control, and low-latency connection establishment. This document describes a mapping of HTTP semantics over QUIC. This document also identifies HTTP/2 features that are subsumed by QUIC and describes how HTTP/2 extensions can be ported to HTTP/3. This document describes what it means to say that a Domain Name (DNS name) is reserved for special use, when reserving such a name is appropriate, and the procedure for doing so. It establishes an IANA registry for such domain names, and seeds it with entries for some of the already established special domain names. Formally, any DNS Resource Record (RR) may occur under any domain name. However, some services use an operational convention for defining specific interpretations of an RRset by locating the records in a DNS branch under the parent domain to which the RRset actually applies. The top of this subordinate branch is defined by a naming convention that uses a reserved node name, which begins with the underscore character (e.g., "_name"). The underscored naming construct defines a semantic scope for DNS record types that are associated with the parent domain above the underscored branch. This specification explores the nature of this DNS usage and defines the "Underscored and Globally Scoped DNS Node Names" registry with IANA. The purpose of this registry is to avoid collisions resulting from the use of the same underscored name for different services. Mozilla An extension is defined for TLS that allows a client and server to detect an attempt to force the use of less-preferred application protocol even where protocol options are incompatible. This supplements application-layer protocol negotiation (ALPN), which allows choices between compatible protocols to be authenticated.

Contributors RFC 7838 was authored by Patrick McManus, Julian Reschke, and Mark Nottingham. This draft contains none of that work, but many of those same basic ideas.

Acknowledgments This work is input to discussions with a design team on HTTP alternative services, formed after realizing that a simple revision to RFC 7838. Though it is informed by discussions thus far, it is NOT the product of that group. Thanks are due to those who have participated in those discussions, who the author is to cowardly to list due to the risk that someone is missed.