<?xml version="1.0" encoding="US-ASCII"?>
<!-- This template is for creating an Internet Draft using xml2rfc,
     which is available here: http://xml.resource.org. -->
<!DOCTYPE rfc [
<!-- One method to get references from the online citation libraries.
     There has to be one entity for each item to be referenced.
     An alternate method (rfc include) is described in the references. --><!ENTITY RFC2119 SYSTEM "http://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.2119.xml">
<!ENTITY RFC3864 SYSTEM "http://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.3864.xml">
<!ENTITY RFC3986 SYSTEM "http://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.3986.xml">
<!ENTITY RFC5246 SYSTEM "http://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.5246.xml">
<!ENTITY RFC7230 SYSTEM "http://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.7230.xml">
<!ENTITY RFC7231 SYSTEM "http://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.7231.xml">
<!ENTITY RFC7301 SYSTEM "http://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.7301.xml">
]>
<?xml-stylesheet type='text/xsl' href='lib/rfc2629.xslt' ?>
<?rfc strict="yes" ?>
<?rfc toc="yes"?>
<?rfc tocdepth="3"?>
<?rfc symrefs="yes"?>
<?rfc sortrefs="yes" ?>
<?rfc compact="yes" ?>
<?rfc subcompact="no" ?>
<?rfc comments="yes" ?>
<?rfc inline="yes"?>
<?rfc rfcedstyle="yes"?>
<rfc category="std" docName="draft-ietf-httpbis-tunnel-protocol-latest" ipr="trust200902"      xmlns:x="http://purl.org/net/xml2rfc/ext">
  <x:feedback template="mailto:ietf-http-wg@w3.org?subject={docname},%20%22{section}%22&amp;body=&lt;{ref}&gt;:"/>
  <front>
    <title abbrev="Tunnel-Protocol">The Tunnel-Protocol HTTP Request Header Field</title>

    <author fullname="Andrew Hutton" initials="A." surname="Hutton">
      <organization>Unify</organization>
      <address>
        <postal>
          <street>Technology Drive</street>
          <city>Nottingham</city>
          <code>NG9 1LA</code>
          <country>UK</country>
        </postal>
        <email>andrew.hutton@unify.com</email>
      </address>
    </author>

   <author fullname="Justin Uberti" initials="J." surname="Uberti">
      <organization>Google</organization>
      <address>
        <postal>
          <street>747 6th Ave S</street>
          <city>Kirkland</city>
          <region>WA</region>
          <code>98033</code>
          <country>US</country>
        </postal>
        <email>justin@uberti.name</email>
      </address>
    </author>

    <author fullname="Martin Thomson" initials="M." surname="Thomson">
      <organization>Mozilla</organization>
      <address>
        <postal>
          <street>331 E Evelyn Street</street>
          <city>Mountain View</city>
          <region>CA</region>
          <code>94041</code>
          <country>US</country>
        </postal>
        <email>martin.thomson@gmail.com</email>
      </address>
    </author>

    <date year="2015" month="January" day="19"/>
    <area>Applications</area>
    <workgroup>HTTPbis</workgroup>
    <keyword>HTTP CONNECT</keyword>
    <keyword>Firewall</keyword>
    <keyword>HTTP proxy</keyword>

    <abstract>
      <t>
        This specification allows HTTP CONNECT requests to indicate what
        protocol will be used within the tunnel once established, using the
        Tunnel-Protocol request header field.
       </t>
    </abstract>

    <note title="Editorial Note (To be removed by RFC Editor)">
      <t>
        Discussion of this draft takes place on the HTTPBIS working group mailing list
        (ietf-http-wg@w3.org), which is archived at <eref
        target="https://lists.w3.org/Archives/Public/ietf-http-wg/"/>.
      </t>
      <t>
        Working Group information can be found at <eref
        target="https://tools.ietf.org/wg/httpbis/"/>
        and <eref target="http://httpwg.github.io/"/>; source code and issues
        list for this draft can be found at
        <eref target="https://github.com/httpwg/http-extensions"/>.
      </t>
      <!--<t>
        The changes in this draft are summarized in <xref
        target="change.log"/>.
      </t>-->
    </note>
  </front>

 <middle>
    <section title="Introduction">
      <t>
        The HTTP CONNECT method (<xref target="RFC7231" x:fmt="of" x:sec="4.3.6"/>)
        requests that the recipient establish a tunnel to the identified origin
        server and thereafter forward packets, in both directions, until the
        tunnel is closed. Such tunnels are commonly used to create end-to-end
        virtual connections, through one or more proxies, which may then be
        secured using TLS (Transport Layer Security, <xref target="RFC5246"/>).
      </t>
      <t>
        The HTTP Tunnel-Protocol header field identifies the protocol that will
        be spoken within the tunnel, using the application layer next protocol
        identifier <xref target="RFC7301"/> specified for TLS <xref
        target="RFC5246"/>.
      </t>
      <t>
        When CONNECT is used to establish a TLS tunnel, the Tunnel-Protocol
        header field may be used to carry the same application protocol label as
        will be carried within the TLS handshake.  If there are multiple
        possible application protocols, all of those application protocols are
        indicated.
      </t>
      <t>
        The Tunnel-Protocol header field carries an indication only.  In TLS,
        the final choice of application protocol is made by the server.  Proxies
        do not implement the tunneled protocol, though they might choose to make
        policy decisions based on the value of the header field.
      </t>

      <section title="Requirements Language">
        <t>
          The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
          "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
          document are to be interpreted as described in <xref
          target="RFC2119">RFC 2119</xref>.
        </t>
      </section>
    </section>

   <section title="The Tunnel-Protocol HTTP Request Header Field" anchor="tp">
      <t>
        Clients include the `Tunnel-Protocol` Request Header field in an HTTP
        CONNECT request to indicate the application layer protocol will be used
        within the tunnel, or the set of protocols that might be used within the
        tunnel.
      </t>

      <section title="Header Field Values">
        <t>
          Valid values for the protocol field are taken from the registry
          established in <xref target="RFC7301"/>.
        </t>
      </section>

     <section title="Syntax">
        <t>
          The ABNF (Augmented Backus-Naur Form) syntax for the `Tunnel-Protocol`
          header field is given below.  It is based on the Generic Grammar
          defined in <xref x:sec="2" x:fmt="of" target="RFC7230"/>.
        </t>
        <figure>
          <artwork type="abnf2616"><![CDATA[
Tunnel-Protocol = "Tunnel-Protocol":" 1#protocol-id
protocol-id     = token ; percent-encoded ALPN protocol identifier
]]></artwork>
        </figure>
        <t>
          ALPN protocol names are octet sequences with no additional constraints
          on format. Octets not allowed in tokens (<xref target="RFC7230"
          x:fmt="," x:sec="3.2.6"/>) must be percent-encoded as per <xref
          x:fmt="of" x:sec="2.1" target="RFC3986"/>.  Consequently, the octet
          representing the percent character "%" (hex 25) must be
          percent-encoded as well.
        </t>
        <t>
          In order to have precisely one way to represent any ALPN protocol
          name, the following additional constraints apply:
          <list style="symbols">
            <t>
              Octets in the ALPN protocol must not be percent-encoded if they
              are valid token characters except "%", and
            </t>
            <t>
              When using percent-encoding, uppercase hex digits must be used.
            </t>
          </list>
        </t>
        <t>
          With these constraints, recipients can apply simple string comparison
          to match protocol identifiers.
        </t>
        <figure>
          <preamble>
            For example:
          </preamble>
          <artwork type="message/http; msgtype=&#34;request&#34;" x:indent-with="  ">
CONNECT www.example.com HTTP/1.1
Host: www.example.com
Tunnel-Protocol: h2, http%2F1.1
</artwork>
        </figure>
      </section>
    </section>

    <section anchor="IANA" title="IANA Considerations">
      <t>
        HTTP header fields are registered within the "Message Headers" registry
        maintained at <eref
        target="https://www.iana.org/assignments/message-headers"/>.  This
        document defines and registers the `Tunnel-Protocol` header field,
        according to <xref target="RFC3864"/> as follows:
        <list style="hanging">
          <t hangText="Header Field Name:">
            Tunnel-Protocol
          </t>
          <t hangText="Protocol:">
            http
          </t>
          <t hangText="Status:">
            Standard
          </t>
          <t hangText="Reference:">
            <xref target="tp"/>
          </t>
          <t hangText="Change Controller:">
            IETF (iesg@ietf.org) - Internet Engineering Task Force
          </t>
        </list>
      </t>
    </section>

    <section anchor="Security" title="Security Considerations">
      <t>
        In case of using HTTP CONNECT to a TURN server the security
        considerations of <xref target="RFC7231" x:fmt="of" x:sec="4.3.6"/>
        apply. It states that there "are significant risks in establishing a
        tunnel to arbitrary servers, particularly when the destination is a
        well-known or reserved TCP port that is not intended for Web
        traffic. Proxies that support CONNECT SHOULD restrict its use to a
        limited set of known ports or a configurable whitelist of safe request
        targets."
      </t>
      <t>
        The `Tunnel-Protocol` request header field described in this document is
        an optional header. Clients and HTTP Proxies could choose to not support
        the header and therefore fail to provide it, or ignore it when
        present. If the header is not available or ignored, a proxy cannot
        identify the purpose of the tunnel and use this as input to any
        authorization decision regarding the tunnel. This is indistinguishable
        from the case where either client or proxy does not support the
        `Tunnel-Protocol` header.
      </t>
    </section>
  </middle>

  <back>
    <references title="Normative References">
      &RFC2119;
      &RFC3864;
      &RFC3986;
      &RFC7230;
      &RFC7231;
      &RFC7301;
    </references>

   <references title="Informative References">
      &RFC5246;
    </references>
  </back>
</rfc>
