Cisco and Microsoft security experts make ALPN application protocol negotiation recommendation to the IETF TLS Working Group to help HTTP/2.0 effort
As part of the HTTP/2.0 effort, the industry is collaborating to reinforce Internet communication security in the IETF Transport Layer Security Working Group (TLS WG). Two security experts from Cisco and Microsoft Corp. have submitted ALPN-01 (Application Layer Protocol Negotiation), a safer and simpler application protocol negotiation approach, backed up by a new HTML5 Labs HTTP/2.0 prototype by Microsoft Open Technologies, Inc., incorporating an initial implementation of ALPN-01.
Stephan Friedl (Cisco) and Andrei Popov (Microsoft Corp.) co-authored the ALPN-01 Internet draft that is under discussion among the TLS WG mailing lists. This is in response to discussions at the IETF 85 meeting in Atlanta where the IETF TLS WG received a request from the HTTPBIS Working Group for “a mechanism that allows clients and servers to negotiate the particular application protocol to use once the session is established.” Currently, there are two proposals:
- ALPN http://tools.ietf.org/html/draft-friedl-tls-applayerprotoneg-01
- NPN http://tools.ietf.org/html/draft-agl-tls-nextprotoneg-04
The new ALPN-01 (Application Layer Protocol Negotiation) Internet draft proposes a protocol negotiation in accordance with established TLS architecture with the following benefits:
- ALPN places ownership of protocol selection on the server, not the client. This allows the server to select an appropriate certificate based on the application protocol, which is in line with existing TLS handshake extensions.
- ALPN performs protocol negotiation by default in the clear: in general there is no need for encrypted communication during the handshake. This permits servers to differentiate routing, QOS and firewalling by protocol.
- For use cases that can justify the tradeoff with additional latency, ALPN still retains support for confidential protocol negotiation through standard TLS renegotiation.
Thanks to these benefits, and because of its stricter adherence to established TLS design principles, ALPN represents the best choice to address the requirements articulated by the HTTBIS working group for HTTP/2.0 protocol negotiation.
Our HTML5 Labs prototype is the first implementation that is based on the ALPN-01 Internet draft. It is an evolution of earlier prototypes that couples a modified command-line C# client with a basic HTTP/2.0 server. We plan to further develop it in the coming weeks, and we look forward to your feedback both on the TLS WG mailing list and through Html5 Labs. We will gladly apply changes to the draft as well whenever applicable.
Go ahead and download the MS Open Tech HTTP/2.0 prototype using ALPN from HTML5 Labs! And please share your thoughts on this post below.