Internet DRAFT - draft-safruti-httpbis-connection-reuse

draft-safruti-httpbis-connection-reuse






Network Working Group                                         I. Safruti
Internet-Draft                                                    Akamai
Intended status: Standards Track                           June 16, 2012
Expires: December 18, 2012


     Connection Reuse for Multiple Hostnames and for Fast Redirect
               draft-safruti-httpbis-connection-reuse-01

Abstract

   This document describes a suggested enhancement to HTTP, in which a
   user-agent and a server can use a single connection to exchange
   requests/responses for multiple requested hostnames for which the
   server is authorized to serve.  This enhancement suggests that user-
   agents will prefer to re-use an existing connection if it can be used
   to other hosts, and presents methods for a server to announce hosts
   that are served by it, as well as a mechanism for the user-agent to
   validate that the server is indeed trusted to serve this hosts.

   This is highly relevant when the server is actually a surrogate (like
   in a case of a CDN server), or in multi-hosts hosting environments,
   where the same server serves multiple hostnames/domains and can
   improve performance by the reuse of established and already optimized
   connections.

Status of this Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on December 18, 2012.

Copyright Notice

   Copyright (c) 2012 IETF Trust and the persons identified as the
   document authors.  All rights reserved.




Safruti                 Expires December 18, 2012               [Page 1]

Internet-Draft              Connection Reuse                   June 2012


   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.


Table of Contents

   1.  Overview . . . . . . . . . . . . . . . . . . . . . . . . . . .  3
   2.  Client Side Implementation . . . . . . . . . . . . . . . . . .  4
     2.1.  Address validation . . . . . . . . . . . . . . . . . . . .  4
     2.2.  Validate server certificate  . . . . . . . . . . . . . . .  4
   3.  Announcing permission to serve on behalf of a hostname . . . .  5
     3.1.  Trigger the UA to validate the hostname  . . . . . . . . .  5
     3.2.  Signing the domain . . . . . . . . . . . . . . . . . . . .  5
     3.3.  Announcement message format  . . . . . . . . . . . . . . .  6
     3.4.  Notes and comments . . . . . . . . . . . . . . . . . . . .  6
   4.  Reusing a single connection for multiple hosts over TLS  . . .  7
     4.1.  Using a surrogate certificate  . . . . . . . . . . . . . .  7
   5.  Redirect using a single connection . . . . . . . . . . . . . .  8
     5.1.  Background . . . . . . . . . . . . . . . . . . . . . . . .  8
     5.2.  Validate server hostname binding . . . . . . . . . . . . .  8
     5.3.  Reuse-Connection header  . . . . . . . . . . . . . . . . .  8
   6.  Security Considerations  . . . . . . . . . . . . . . . . . . .  9
   7.  IANA Considerations  . . . . . . . . . . . . . . . . . . . . . 10
   8.  References . . . . . . . . . . . . . . . . . . . . . . . . . . 11
     8.1.  Normative References . . . . . . . . . . . . . . . . . . . 11
     8.2.  Informative References . . . . . . . . . . . . . . . . . . 11
   Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 12

















Safruti                 Expires December 18, 2012               [Page 2]

Internet-Draft              Connection Reuse                   June 2012


1.  Overview

   This document assumes that HTTP/2.0 will utilize some method of
   requests multiplexing on a single connection.  By enabling requests
   multiplexing we can utilize a single connection for the delivery of
   multiple requests at the same level of performance (or better),
   reducing the overall number of connections required.  Another benefit
   of a single connection is utilizing an established and optimized
   connection, and eliminating the overhead of connection setup.

   Most HTTP/1.1 user-agents will establish a separate connection
   according to the hostname and not only by the IP address the hostname
   resolves to.  In fact a user-agent will typically open up to 6
   different connections per hostname, to improve requests parallelism
   due to the way HTTP/1.1 is implemented.

   It is common that a single server, or IP address will serve multiple
   hosts, for instance in the case of CDNs, server farms, and when
   multiple servers are fronted by a load balancer.  It is also common
   for a standard page to include multiple resources that are loaded
   from different hosts forcing the user-agent to establish many
   connections to retrieve a page.  Splitting resources between multiple
   hostnames (also referred to as domain sharding) are a common practice
   with HTTP/1.1 due to the limitation of HTTP/1.1 (number of
   connections per domain, and serialization/blocking of HTTP requests).

   Utilizing a single optimized connection for multiple sites can reduce
   overhead of TCP connection setup, reduce load on server and client,
   and will speed the delivery of 3rd party and embedded objects if they
   are served from the same IP.

   Given that today web-sites are designed in a way that synthetically
   spread the resources on multiple hostnames, supporting multiple
   hostnames per single connection will be very helpful for the
   migrating from HTTP/1.1 to HTTP/2.0, with no application level
   change.

   It is important to note that HTTP/1.1 doesn't force a user-agent to
   establish a new connection for a different host, and it is perfectly
   valid to reuse a connection for multiple hosts if all hosts are
   resolved to the same IP address.  However, due to other limitations
   of HTTP/1.1 it is typically not implemented that way.









Safruti                 Expires December 18, 2012               [Page 3]

Internet-Draft              Connection Reuse                   June 2012


2.  Client Side Implementation

   Validate server address, and trust to serve hostname's content.

2.1.  Address validation

   When trying to establish a connection to a host, the user-agent will
   resolve the hostname to get an address (typically an IP address) to
   connect to.  At that point - if a connection to that address is
   already established, the user-agent should try and reuse that
   connection to send requests to the host.

2.2.  Validate server certificate

   In section 3 we describe a method for a server to sign/validate that
   it is trusted to serve on behalf of a hostname.  For the purpose of
   this section we assume that such a method exists, where the server
   declares it is trusted to serve a domain, and the user-agent can
   validate that.

   At the point where such a validation is done, the user-agent can now
   reuse the existing connection to that server to send over it requests
   intended to the hostname.

   The user agent should cache the hostname-server binding for the
   provided TTL.

























Safruti                 Expires December 18, 2012               [Page 4]

Internet-Draft              Connection Reuse                   June 2012


3.  Announcing permission to serve on behalf of a hostname

   Trusting DNS, or name resolution methods will not necessarily lead to
   the best outcome in means of performance.  For once, it requires the
   user-agent to perform a task of resolving the hostname address that
   typically will take an additional roundtrip.  The other issue is that
   as DNS is typically stateless, in case there are multiple servers
   serving this hostname, the user-agent may be assigned to a different
   server.

   This creates the need for a server to announce over an existing
   connection that it is also trusted to serve on behalf of other
   hostnames.  It is up to the server implementation to determine when
   it should announce that, and in case it serves multiple hostnames,
   which hostnames it should announce.

   The server should announce the supported hostname by sending a
   control message.  This assumes that HTTP will supports control
   messages, however, if it will not, HTTP headers can be used instead.

   We suggest 2 methods to sign or validate permission to handle the
   hostname.

3.1.  Trigger the UA to validate the hostname

   In this scenario the server announces support of the hostname or
   domain. by doing so, it calls the UA to validate that, using a
   standard TLS handshake with the server.  The UA sends a challenge to
   the server, and using the standard methods provided by TLS the
   validity of the certificate can be verified.  This calls for a simple
   implementation as it relies on standard TLS methods, however this
   method also adds roundtrips for the validation process.

3.2.  Signing the domain

   To eliminate the need for additional roundtrips, we are suggesting an
   additional method in which the server will send the validation for
   the domain as part of announcing the hostname.  As there is no
   challenge from the UA, the server should generating a message that
   will indicate that the specific server is trusted, for instance a
   message that includes the address of the server and the announced
   hostname, and signing it with the private key of the certificate,
   which could be easily validated with the public key of the
   certificate.







Safruti                 Expires December 18, 2012               [Page 5]

Internet-Draft              Connection Reuse                   June 2012


3.3.  Announcement message format

   The announcement of a hostname or domain should include the following
   3 elements:

   o  The announced hostname

   o  TTL for the assignment of the hostname to the specific server

   o  The verification, which can be provided as part of the message, or
      achieved by the client initiating the verification

3.4.  Notes and comments

   This document suggests using TLS methods to help validate and
   authenticate server permissions to serve specific hostnames.  This
   risks crossing between layers, and crossing the scope of HTTP,
   however this is required to enable more efficient connection reuse.
   One alternative could be to manage the act of the validation and
   certificate push as a TLS extension, and to provide the right hooks
   for HTTP to trigger such a task, either by the client (when receiving
   the announcement from the server), or by the server.

   It should also be noted that this section describes concept rather
   than specific implementation details, as these can be finalized if
   the concepts are agreed upon.

























Safruti                 Expires December 18, 2012               [Page 6]

Internet-Draft              Connection Reuse                   June 2012


4.  Reusing a single connection for multiple hosts over TLS

   In section 2 we describe a mechanism for the client to reuse a
   connection for multiple hosts served by the server.  This is good
   when not using TLS, on a non-encrypted connection.

   Once TLS is used, it is important to ensure the privacy and security
   of the different hosts, as typically each host is using a different
   certificate, we want to ensure that having control of one certificate
   will not enable you to decipher request and responses of another host
   on the same connection.

4.1.  Using a surrogate certificate

   In a case where the server would like to serve multiple hosts over
   TLS, the server should use a "neutral" certificate, namely a
   certificate issued for the surrogate.  When establishing the TLS
   connection the server will use the surrogate certificate and will
   immediately provide evidence that it is trusted to serve the
   requested hostname, signing a message in a manner similar to the
   signing above.

   In this specific case, the validating could be achieved by signing
   its own public key with the certificate of the requested host that
   should be validated.

   This method provides the privacy and security required by TLS, while
   enabling serving multiple hosts.  No single certificate owner can
   decipher the connection as the connection is encrypted using the
   surrogate certificate that is known only to the surrogate.





















Safruti                 Expires December 18, 2012               [Page 7]

Internet-Draft              Connection Reuse                   June 2012


5.  Redirect using a single connection

5.1.  Background

   Redirects are extremely common on today's sites.  In many cases the
   redirects are used for naming and brand reasons and SEO reasons, or
   to ease handling of requests (like the case for mobile sites), and
   not necessarily to hand over to a different server.  Where the
   redirected URL is served from the same server, the process of
   resolving the DNS record, and forcing a new connection is highly
   inefficient.

   We suggest a mechanism that will enable a server to indicate with a
   redirect response that the new URL can be requested over the existing
   connection.  By doing that, eliminating the need for additional
   round-trips and warming up new connections.

5.2.  Validate server hostname binding

   By utilizing the method above to validate the server is trusted to
   serve the redirected hostname, the user-agent can reuse the
   connection as detailed above.

5.3.  Reuse-Connection header

   The server can add a specific header "Reuse-Connection" on a redirect
   response to indicate that the redirect should reuse the same
   connection it is delivered on.  In that case the user-agent must
   validate that the server is trusted for that hostname and if valid
   should reuse the connection to send the redirected request.

   A sample response would look like this: server (www.example.com) -->
   UA

           HTTP/2.0 301 Moved Permanently
           Location: mobile.example.com
           Reuse-Connection: 1














Safruti                 Expires December 18, 2012               [Page 8]

Internet-Draft              Connection Reuse                   June 2012


6.  Security Considerations

   Announcing additional domains has a potential to break things, and
   add the risk of enabling hijack domains and sites, as well as getting
   access to domain specific data, such as user-agent's cookies.

   To prevent that, a strong validation is required, and we believe that
   TLS methods as described provides that requirement.











































Safruti                 Expires December 18, 2012               [Page 9]

Internet-Draft              Connection Reuse                   June 2012


7.  IANA Considerations

   ...
















































Safruti                 Expires December 18, 2012              [Page 10]

Internet-Draft              Connection Reuse                   June 2012


8.  References

8.1.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC2234]  Crocker, D., Ed. and P. Overell, "Augmented BNF for Syntax
              Specifications: ABNF", RFC 2234, November 1997.

8.2.  Informative References

   [Fab1999]  Faber, T., Touch, J., and W. Yue, "The TIME-WAIT state in
              TCP and Its Effect on Busy Servers", 1999.





































Safruti                 Expires December 18, 2012              [Page 11]

Internet-Draft              Connection Reuse                   June 2012


Author's Address

   Ido Safruti
   Akamai Technologies















































Safruti                 Expires December 18, 2012              [Page 12]